Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.


March 21, 2022

ATM Jackpotting Attacks Getting Clever

In reviewing my previous posts on ATM fraud, I realized I haven't written about ATM jackpotting since cybersecurity journalist Brian Krebs detailed the first jackpotting attacks against ATMs in the United States in early 2018. ATM jackpotting occurs when a criminal gains physical access to an ATM and instructs the ATM to dispense cash until the ATM is empty. This type of fraud is different from the ATM cash-out schemes I wrote about in February 2018 and December 2019, whereby the criminal gains access to an issuer's card management system and overrides card or account withdrawal limits by manipulating the authorization messages to the ATM. More details on the jackpotting process below.

The European Association for Secure Transactions (EAST), which tracks ATM fraud attacks for financial institutions in the EU, reported 202 successful jackpotting attacks (categorized as ATM Malware & Logical Attacks) in 2020, resulting in losses of €1.24 million (approximately US$1.4 million, or about US$7,000 per attack). While other types of reported ATM fraud, such as card skimming and physical attacks, were down, jackpotting attacks represented a 44 percent increase in the number of attacks and a 14 percent increase in losses from 2019. Statistics on attacks in the United States are more difficult to obtain because most ATM owners avoid the negative publicity associated with a compromise of their terminals.

I recently attended a panel discussion at an ATMIA conference on this topic. The participants discussed several attacks, including one involving multiple ATMs that resulted in a loss of $1.5 million in the span of a couple of hours. The amount of money in a machine varies from a couple thousand dollars to as much as $50,000, depending on the ATM type (full-service ATM versus simple cash dispenser), its location, and the expected activity level. It's a balancing act of trying to minimize service calls to replenish the cash versus risking losing the cash to an attack.

So what does it take for a jackpotting attempt to succeed? Unlike the highly secured vault-like compartment for cash storage, an ATM's top compartment, which contains the software-driven components, is more easily accessed, either by jimmying the lock or by purchasing a key off the internet (many terminals use a common key). In that compartment, the criminal installs jackpotting malware or a black box that intercepts transaction messages. Most often, criminals target ATMs in retail locations, where they can pose as service technicians without attracting the attention of store employees. After the criminal has installed the malware, money mules collect the cash. In some cases, a mule presses numbers on the keypad that instruct the terminal to dispense a large quantity of bills or to empty the currency cassette completely. In others, the mule appears to be withdrawing, say, $60, but the malware tells the terminal to dispense $600. In most cases, the ATM owner doesn't discover the attack until the terminal unexpectedly transmits an "out-of-cash" message.
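Both symptoms described above (cash dispensed with no matching host authorization, and more cash dispensed than the host authorized) leave a gap between the processor's authorization log and the dispenser's own event log. The following is an added illustration, not code from this post or from any ATM vendor, of reconciling the two logs and flagging the drain rate before the "out-of-cash" message arrives; the record format, sample data and thresholds are assumptions.

```python
"""Reconcile host authorizations against dispenser events to surface
jackpotting symptoms. Record layout and thresholds are assumed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (terminal, txn id, timestamp, amount in USD).
AUTHORIZED = [                       # what the host approved
    ("ATM-17", "t1", "2022-03-01T10:00:00", 60),
    ("ATM-17", "t2", "2022-03-01T10:02:00", 100),
]
DISPENSED = [                        # what the dispenser reports it paid out
    ("ATM-17", "t1", "2022-03-01T10:00:05", 600),   # $60 approved, $600 dispensed
    ("ATM-17", "t2", "2022-03-01T10:02:04", 100),   # legitimate withdrawal
    ("ATM-17", None, "2022-03-01T10:03:00", 2000),  # no host authorization at all
    ("ATM-17", None, "2022-03-01T10:03:30", 2000),
]

def reconcile(authorized, dispensed, drain_limit=4000, window_minutes=10):
    """Return (terminal, txn, reason) alerts for unmatched or oversized
    dispenses and for cash leaving a terminal faster than drain_limit
    per window_minutes."""
    auth = {(term, tx): amt for term, tx, _, amt in authorized}
    alerts = []
    recent = defaultdict(list)       # terminal -> [(time, amount)] in window
    for term, tx, ts, amt in dispensed:
        when = datetime.fromisoformat(ts)
        if tx is None or (term, tx) not in auth:
            alerts.append((term, tx, "dispense without host authorization"))
        elif amt > auth[(term, tx)]:
            alerts.append((term, tx,
                           f"dispensed {amt} but host authorized {auth[(term, tx)]}"))
        # Drop events outside the sliding window, then check the drain rate.
        recent[term] = [(t, a) for t, a in recent[term]
                        if when - t <= timedelta(minutes=window_minutes)]
        recent[term].append((when, amt))
        if sum(a for _, a in recent[term]) > drain_limit:
            alerts.append((term, tx,
                           f"more than {drain_limit} dispensed in {window_minutes} minutes"))
    return alerts

if __name__ == "__main__":
    for alert in reconcile(AUTHORIZED, DISPENSED):
        print(alert)
```

On the sample data this produces four alerts: the $60/$600 mismatch, two unauthorized dispenses, and the drain-rate alert on the last event.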

Such attacks can be financially devastating to an independent ATM owner because, unless they have some level of insurance coverage, they bear the full brunt of the loss. In a follow-up to this post, I will examine some of the countermeasures ATM owners can use to prevent such attacks from being successful.