In 1951, after a string of bank robberies, Willie Sutton was caught and then interviewed. He was asked why he kept robbing banks. His response: “Because that’s where they keep the money.”
Banks and credit unions spend a tremendous amount of resources fortifying their vaults and the interior of their physical branch locations to protect the cash inside. Over time, and as technology has progressed, those interested in stealing that cash have come to several realizations. Among them: instead of trying to steal the cash inside the vault that sits behind several inches of steel, why not take a different route and go after the cash inside the mini-vault that’s more exposed: the Automated Teller Machine (ATM)!
The ATM serves several client-service purposes for banks and credit unions. It gives clients and members access to cash on a 24/7 basis. It offers account holders an alternative deposit capture method, instead of going to a teller window. And the ATM provides information to clients should they have inquiries about their account.
As it pertains to the cash sitting inside the ATM, we are now learning from the United States Secret Service that ATMs are being attacked for their cash. Criminals have identified a vulnerability that lets them force the ATM to dispense cash without a debit card or Personal Identification Number (PIN). In this attack, known as “jackpotting”, the attacker uses weaknesses in both the physical and logical security of the ATM so that an activation code can be sent to the machine, which lets the attacker empty all of the cash in the dispenser. Jackpotting attacks have been occurring in Asia and Europe since late 2016, but this latest activity represents the first time that criminals have used this attack method on U.S. ATMs. Banks and credit unions need to be on high alert!
Currently, only Diebold Nixdorf “Optiva” front-loading ATMs with the Advanced Function Dispenser (AFD) appear to be targeted by these types of attacks. However, experts warn that the malware used is easily adaptable to other manufacturers' software when physical access to the internal ATM infrastructure can be achieved (1). Due to the nature of these attacks, it is likely that criminals are using manufacturers’ ATMs that have either been purchased or stolen to research the best methods to defeat physical and logical security controls. As physical access to the ATM is required for a successful jackpotting attack, standalone ATMs located in pharmacies, retailers, and drive-thru ATMs remain the most vulnerable.
General security precautions that should be utilized to help mitigate such attacks include the following:
• Limit physical access to the ATM by using appropriate locking mechanisms, controlling access to areas used by personnel to service the ATM, and (if possible) implementing multifactor authentication access control for technicians servicing ATMs.
• Ensure that ATM hardware and Operating System (OS) software are updated with the latest firmware and software updates. The Secret Service has specifically advised updating Windows XP to a supported operating system, as XP is particularly vulnerable to these types of attacks.
• Investigate suspicious activities and out-of-service ATMs as soon as possible.
As it pertains to the other potential vulnerabilities of ATMs, specifically criminals trying to use the check deposit process to obtain cash, CheckAlt provides its financial institution clients with multiple layers of fraud protection to severely limit the potential for cash being stolen via fraud through the check deposit process at an ATM. An earlier blog post of ours, written by Tamir Shafer, speaks specifically to these protections and can be found here:
We urge our financial institutions to heed these warnings and take the necessary precautions available to protect their assets.
1. See https://krebsonsecurity.com/wp-content/uploads/2018/01/20180126-GLOBAL-SECURITY-ALERT-018-04-0005-Potential-Jackpotting-US-Update-on-017-34-0002-smaller.pdf and https://www.fireeye.com/blog/threat-research/2017/01/new_ploutus_variant.html for further information.