Secret Service Warns of Jackpotting Attacks on ATMs
January 31, 2018 / Source: Bank News
January 30 — “Spit out cash like slot machines.” That’s the description of jackpotting used by The Washington Post. According to reporting by digital security reporter Brian Krebs, the ATM hack that was once only a problem in Europe and Asia has now reached the U.S.
Krebs reported that the Secret Service has warned financial institutions about jackpotting attacks, although specific are lacking. However ATM makers NCR Corp. and Diebold Nixdorf (the latter a large manufacturer of stand-alone ATMs) have alerted customers against possible thefts. Diebold Nixdorf cited similar attacks in Mexico, in which criminals used a modified medical endoscope to access a port inside the machines and install malware.
Other methods have included remotely infecting ATMs or completely removing and replacing their hard drives.
Although small-scale jackpotting attacks had been reported since 2010 (after two different methods of “infecting” ATMs were demonstrated at a hacker convention, Wired reported), large-scale attacks were not reported until 2016 when $13 million was stolen from Japanese ATMs in a three hour period. Attacks in the millions of dollars range were reported in Taiwan and Thailand shortly after.
Krebs is now confident jackpotting technology is being used in the U.S.
David Vergara, head of Global Product Marketing for VASCO Data Security says, “The relatively low-tech skimming attacks still represent the vast majority of ATM losses, but more coordinated attacks using physical access to the machine (i.e., master key and keyboard) along with more sophisticated malware are enabling much bigger paydays for hackers.” Vergara continues, “…to beat the bigger issue of skimming, banks should consider cardless security technologies like mobile authentication via visual cryptogram.”
VASCO reminds ATM operators that there are several myths around ATM security that hackers can exploit to gain access to a vulnerable machine:
It’s easy to see and avoid devices implanted in ATMs.
Chip cards fully stop hacking.
Only sophisticated hackers can steal from an ATM.
ATM security depends on the customer.
Thin copy devices or hidden cameras are usually the only attack methods available to hackers.
In reality, many implant devices are custom pieces, designed to fit seamlessly in to the card readers of specific manufacturers. Some are even difficult for trained specialists to spot. Furthermore, chip technology has been around for more than a decade, and while it has decreased fraud levels, a decade is a long time for hackers to figure out how to catch up. Chips can be circumvented using ultrathin metal or plastic devices installed in readers. And fraud no longer stops at thin copy or hidden cameras. Hackers are now installing Bluetooth tech on circuit boards, which can enable thefts for years if the integration goes undetected.
As for hackers themselves, breaking into an ATM doesn’t necessarily mean they’re at the top of their field. In California, for example, five teenagers for installing card data theft devices in three bank-located ATMs. If teenagers can hack an ATM, fraud probably can’t be solely blamed on customers either. Research has found that the “Internet of Things” (think Fitbits, smart watches, etc.) can be leveraged to record hand movement data, allowing thieves to accurately guess passwords and access codes with a success rate of up to 80% on the first try.
The next generation of hackers is here, and they’re not only more adept at accessing customer data, they’re bringing the fight directly to the ATMs. Banks (and other ATM operators) would do well to review their security protocols and make updates as necessary.