Jackpotting ATMs

The feds are beginning to see thieves jackpotting ATMs in the United States.  Until now, reports of ATM jackpotting were limited to other countries.

Jackpotting an ATM is exactly what it sounds like.  The hackers compromise an ATM so that it spits out large amounts of cash.  An ATM in Rhode Island, for example, was emptied of $50,000 this way.

Jackpotting has to be customized to a particular brand and models of ATM since it works by modifying the ATM’s software and needs to be able to figure out how to get the compromised software loaded into the ATM.  In at least one attack, the attackers figure out how to snake a cable into the ATM and change the firmware.  Sometimes the attackers are dressed as ATM technicians to reduce suspicion.  ATMs that are remote and not under video surveillance would be the smartest attack targets, but it seems like at least some thieves do not think that they will be caught.

In one case in Connecticut, two attackers approached an ATM and compromised its software.  Another team them caused the ATM to cough up thousands of dollars.  Unfortunately for the hackers and fortunately for the bank that owned the ATM, the ATM was under video surveillance and the bank called police who apprehended two men.  These guys don’t qualify as very bright as the used the same car, caught on video, that was used to pull the same attack on an ATM of the same bank in a nearby state.  Stupid crooks are always easier to catch.

This appears to be a widespread problem with multiple people executing multiple attacks in multiple countries.  These people, almost certainly, do not know about each other.  Now that this has become somewhat popular, other hackers will try to figure out how to pull off this attack on different models of ATMs.

If you consider that an ATM is basically a PC, usually running an old version of Windows (Windows XP), in a safe, that dispenses money, it is not that surprising that it can be compromised.  Part of the problem is that ATM software does need to be upgraded periodically and is almost always done remotely.  If the hackers are able to exploit whatever mechanism that upgrade capability uses, they can tell the ATM to do whatever they want it to do.

I am sure that every ATM manufacturer is looking at the security of their devices to see if a hacker could compromise it.  But ATMs are in service for years as they are very expensive – some high end devices cost more than a quarter million dollars.  The manufacturers are probably only worried about devices that they currently manufacture and not ones that they built a few years ago.  For those machines, it is up to the machine owner to deal with the risk.

ATMs owned by banks are covered by the bank’s insurance, but privately owned ATMs may not be owned by the owner’s policy.  ATMs located inside a store that is always staffed by clerks, such as a 7-11, are much less attractive for attackers.

It does appear that this attack is not interested in compromising YOUR ATM card;  it works at a much lower level by modifying the ATM’s software.  If the compromise works, the amount of the theft is only limited by the amount of money in the ATM and how much time the thief is will to spend at risk of being captured.  In some attacks, multiple teams visit the ATM over a relatively short period of time so that things look a lot less suspicious.  sometimes it is done over a weekend thinking that the theft is less likely to be noticed until Monday.

Information for this post came from Ars Technica.

by