ATM “Jackpotting” on the Rise in U.S.

The US Secret Service is warning financial institutions that jackpotting attacks – where ATMs fraudulently dispense cash – are now a risk in the U.S.

Jackpotting, or Logical Attacks, are not new to ATMs in the U.S.  In May 2016 NCR, whose systems enable 700 million financial transactions a day, issued a Security Update notifying its customers of credible Logical Attack threats in the U.S. and Canada.  Recently, however, Krebs on Security, a leading security news and investigation site, has reported that an NCR Security Alert released to its customers on January 26, 2018, reads. “This represents the first confirmed cases of losses due to logical attacks in the US. This should be treated as a call to action to take appropriate steps to protect their ATMs against these forms of attack and mitigate any consequences.”  

Obviously, the threat from “Jackpotting Attacks” is greatest for banks and other institutions or commercial entities that deploy ATMs rather than the general public.  But before you take a sigh of relief, remember that skimming is the closely related cousin to these attacks that cause a machine to erroneously dispense cash and the target for skimming is the information on your ATM or credit card, not necessarily the cash stored in that machine at that time.

John Gunn, CMO, VASCO Data Security comments: “The security that protects ATM transactions has improved significantly over the past several years, including using EMV chip cards and enhanced authentication using consumers’ mobile phones, so criminal are being forced to revert to more brazen physical attacks on ATM machines.”  VASCO’s Head of Global Product Marketing, David Vergara adds: “With banks’ focus on digital channels, like ATM and mobile, to drive down costs and better serve customers, it’s no surprise that cybercrime is following. The relatively low-tech skimming attacks still represent the vast majority of ATM losses, but more coordinated attacks using physical access to the machine (i.e. master key and keyboard) along with more sophisticated malware are enabling much bigger paydays for hackers. This trend will continue until banks have addressed key vulnerabilities. And to beat the bigger issue of skimming, banks should consider cardless security technologies like mobile authentication via visual cryptogram. Also, this is a good time to consider some of the myths around ATM safety and security:

  • Myth 1: It’s easy to see and avoid devices implanted in ATMs for theft
    Fact: Criminals use ATM interface components for theft that are custom designed to fit seamlessly into the card readers of specific manufacturers. Some of these appliances can be tough for even a trained specialist to spot quickly and casually.
  • Myth 2: Chip Cards Fully Stop Hacking
    Fact: The launch of chip card technology (EMV) began a decade ago in Europe and has been spreading throughout the world, and has helped cut card fraud, but even EMV can’t always prevent fraud. EMV protections can be circumvented through ultrathin metal or plastic devices installed in the readers, for example.
  • Myth 3: It takes a sophisticated hacker to steal from an ATM
    Fact: It doesn’t take a sophisticated hacker to defraud an ATM. In California, five teens were arrested for putting card data theft devices at three ATMs located in banks. Today, any interested party can become a professional thief in this segment with a modest investment in cash.
  • Myth 4: ATM security must depend on the customer
    Fact: Although some IT and security professionals cite customer carelessness in ATM fraud, the fact is that there is a growing risk vector that has nothing to do with customer mistakes. Researchers have found that IoT devices such as personal smart clocks or pulse physical activity controllers can be used to steal an ATM access code. By collecting hand movement information, researchers could accurately guess passwords and access codes with up to 80% success on the first try.
  • Myth 5: Thin copy devices or hidden cameras are the only ATM attack strategies
    Fact: Bank security professionals need to look at and beyond reader devices and hidden cameras – there’s a new array of ATM fraud technology, such as Bluetooth-enabled devices that install on circuit boards. When fraudulent components are integrated into ATM circuits, thefts can potentially continue for years undetected.