Wednesday, September 25, 2024
By Joe Henrich
When it comes to hitting a jackpot, we often think of someone winning a lot of money, either at a slot machine in a casino or because they have won the lottery.
But now, unfortunately, “jackpotting” is also the term used for an attack in which an adversary gets an ATM to dispense cash outside of its normal, legitimate transaction-based processing.
The first of these attacks began occurring in the U.S. back in 2018, and three methods have been used to carry out this type of heist:
- Malware based – Malware is introduced into the operating system of the ATM. This is done by physically accessing the ATM and gaining access to one of its USB ports. The malware then sends dispense commands to the dispenser, causing it to pay out the cash.
- Black Box Attacks – This is achieved by disconnecting the cash dispenser from the ATM’s motherboard and connecting it to an attacker’s device, which then interacts directly with the cash dispenser.
- Man-in-The-Middle – The attacker places their own device between the ATM and the host service provider. The device then answers the ATM’s transaction authorization requests itself, without ever reaching the core networks.
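What all three methods have in common, from the defender's side, is that cash leaves the dispenser without a matching authorization from the host. The following is an added example (not code from the original post or from any ATM vendor) showing how a host-side reconciliation job can surface that: it compares the ATM's dispenser journal against the host's own authorization log and flags every dispense the host never approved, approved for a smaller amount, or approved too long ago. The data is constructed sample data, and the field names (`txn_id`, `atm_id`, `approved`, `ts`) are assumptions rather than any real message or journal schema.

```python
"""Reconcile an ATM dispenser journal against the host's authorization log.

Added example with constructed data; field names are assumptions, not a vendor schema.
The host's records are treated as the source of truth, because under a Man-in-The-Middle
attack the ATM's own view ("approved") is exactly what the attacker has forged.
"""
from datetime import datetime, timedelta

# Constructed host-side records: what the core network actually decided.
HOST_AUTHORIZATIONS = [
    {"txn_id": "T1001", "atm_id": "ATM-07", "amount": 200, "approved": True,  "ts": "2024-09-25T10:00:05"},
    {"txn_id": "T1002", "atm_id": "ATM-07", "amount": 500, "approved": False, "ts": "2024-09-25T10:03:10"},
    {"txn_id": "T1003", "atm_id": "ATM-07", "amount": 100, "approved": True,  "ts": "2024-09-25T10:07:40"},
]

# Constructed dispenser-journal events from the ATM: every time cash left the dispenser.
DISPENSER_JOURNAL = [
    {"atm_id": "ATM-07", "txn_id": "T1001", "amount": 200,  "ts": "2024-09-25T10:00:09"},  # legitimate
    {"atm_id": "ATM-07", "txn_id": "T1002", "amount": 500,  "ts": "2024-09-25T10:03:14"},  # host declined, cash still dispensed
    {"atm_id": "ATM-07", "txn_id": "T1003", "amount": 2000, "ts": "2024-09-25T10:07:44"},  # far more than host approved
    {"atm_id": "ATM-07", "txn_id": None,    "amount": 3000, "ts": "2024-09-25T10:15:00"},  # no transaction at all (malware / black box)
    {"atm_id": "ATM-07", "txn_id": "T1001", "amount": 200,  "ts": "2024-09-25T11:30:00"},  # reuse of an old, already-consumed approval
]


def _parse(ts):
    return datetime.fromisoformat(ts)


def find_unauthorized_dispenses(journal, host_auths, max_skew=timedelta(seconds=60)):
    """Return [(event, reason)] for every dispense the host did not actually authorize."""
    by_id = {a["txn_id"]: a for a in host_auths}
    findings = []
    for ev in journal:
        auth = by_id.get(ev["txn_id"]) if ev["txn_id"] else None
        if auth is None:
            findings.append((ev, "no host authorization"))
        elif auth["atm_id"] != ev["atm_id"]:
            findings.append((ev, "authorization belongs to a different ATM"))
        elif not auth["approved"]:
            findings.append((ev, "host declined but cash was dispensed"))
        elif ev["amount"] > auth["amount"]:
            findings.append((ev, "dispensed more than host approved"))
        elif not (timedelta(0) <= _parse(ev["ts"]) - _parse(auth["ts"]) <= max_skew):
            # The dispense must follow its approval closely; a late dispense means the
            # approval was reused rather than freshly obtained from the host.
            findings.append((ev, "dispense outside authorization window"))
    return findings


def unauthorized_total(findings):
    """Sum of cash dispensed without a valid host authorization."""
    return sum(ev["amount"] for ev, _ in findings)


if __name__ == "__main__":
    hits = find_unauthorized_dispenses(DISPENSER_JOURNAL, HOST_AUTHORIZATIONS)
    for ev, reason in hits:
        print(f"{ev['ts']} {ev['atm_id']} txn={ev['txn_id']} amount={ev['amount']}: {reason}")
    print("unauthorized cash out:", unauthorized_total(hits))
```

Run on the constructed data, the first journal entry reconciles cleanly and the other four are flagged, for 5700 in unauthorized dispenses. The important design point is the direction of the comparison: the ATM's journal is checked against the host's log, never the other way round, so a device that has interposed itself and told the ATM "approved" still shows up as a dispense the host has no record of approving.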
While these attacks have been common in Central and South America for many years, within the past year they have become more prevalent here, with reports of attempts coming from Utah, Minnesota, Texas, Colorado, Idaho, Maryland, Georgia, North Carolina, South Carolina, Tennessee, California, Pennsylvania, Oregon, Washington and New York.
In one such case, in Indiana, the attackers were able to locate the alarm and disable it before it could be triggered. In response, the bank changed the way some of the equipment is installed to make it more secure.
Of course, as with many things in cybersecurity, there is no single “silver bullet” for protecting an ATM. Whether it is operated by a bank, credit union, or other type of financial institution, or is privately owned, protecting it takes a layered approach. But there are steps you can take, including:
- Ensuring attackers can’t physically access the computer inside the ATM. The whole ATM should be alarmed, not just the vault; opening the upper enclosure (also known as the “top hat”) should trigger an alarm.
- Next, the computer inside the ATM should be treated just like any other computer that could end up in a hostile environment. Its USB ports should be disabled if they are not in use.
- The computer also needs to be running advanced anti-malware to block unwanted applications, and application whitelisting should be employed as well.
- To defeat Man-in-The-Middle attacks, your machines should use the highest available version of secure communications (TLS encryption) when talking to the host network.
- To defeat Black Box attacks, your dispensers should require a secure handshake with the operating system before they become active (e.g., unique image bonding, high-level dispenser settings). And to protect against many other types of attack, the hard drives of your ATMs should use full disk encryption and employ their TPM defenses and/or BIOS password management. An attacker should not be able to swap in their own hard drive and boot the hardware.
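"Use TLS" only defeats a Man-in-The-Middle device if the ATM also verifies who it is talking to; a TLS connection that accepts any certificate is still interceptable. As an added example (not from the original post, and not any ATM vendor's configuration), the Python block below puts the kind of weak client setting that makes interposition possible beside a hardened one, and adds a small audit function a fleet operator could run against their own client configuration. The audit thresholds (TLS 1.2 minimum, certificate and hostname verification required) are this example's assumptions about what "safe communications" should mean.

```python
"""TLS client settings for the ATM-to-host link: weak beside hardened, plus an audit.

Added example; the audit's bar (TLS 1.2+, verified certificate, checked hostname)
is an assumption of this example, not a stated vendor or industry requirement.
"""
import ssl


def hardened_client_context(cafile=None):
    """Context the ATM should use toward the host: verified identity, modern protocol only.

    cafile: path to the host's CA bundle. Assumption: None falls back to the system
    trust store; in a real fleet, pin to the operator's private CA instead.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSLv3 / TLS 1.0 / TLS 1.1; 1.3 still negotiates
    ctx.check_hostname = True                      # certificate must name the host we dialled
    ctx.verify_mode = ssl.CERT_REQUIRED            # and must chain to a trusted CA
    return ctx


def weak_client_context():
    """The 'it connects, ship it' configuration: encrypted, but to whoever answers."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE  # any certificate, self-signed or otherwise, is accepted
    return ctx


def audit_client_context(ctx):
    """Return a list of findings for a client SSLContext; an empty list means it meets the bar."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified (verify_mode is not CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname not checked against the server certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"minimum TLS version too low: {ctx.minimum_version.name}")
    return findings


if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_client_context()), ("weak", weak_client_context())):
        print(label, audit_client_context(ctx) or ["ok"])
```

The weak context still produces an encrypted session, which is why "we use TLS" is not by itself evidence that the link resists interposition; the audit function makes the missing pieces explicit so they can be checked on every machine rather than assumed.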
What’s more, it’s a good idea to work with whoever manages your ATM fleet to ask which protections are available for your machines, and which ones you still have to set up yourself. As a financial industry, we should be demanding this type of security as the default from the manufacturers, not as an add-on for an additional price.
For more information, be sure to check out the resources from ATM USA, which include additional safety recommendations covering not only physical attacks but also tips to keep in mind when it comes time to refill an ATM with cash, along with a few other methods for keeping your staff and your equipment safe and secure.