Jackpotting isn't anything new – but it can teach us valuable lessons about endpoint security. Jackpotting is a method of financial fraud that involves tampering with an ATM so that it spits out money as if the perpetrator has won a slot machine jackpot. This kind of attack has been going on in Russia, Europe and Asia for several years and is just now making its way to America. In the last week of January alone, thieves stole more than $1 million from ATMs in the Pacific Northwest, the Gulf region and New England. The Secret Service, warning U.S. banks about this new threat, said criminals associated with this activity can be individuals or organized crime groups.
It's a serious matter, with millions of dollars at stake. The reputation of financial institutions is also at stake, and nowhere is trust more critical to customer retention than in the financial realm. Banks need to establish security as quickly as possible to keep from being victimized by jackpot attacks.
Anatomy of a Jackpot
Jackpot criminals in the U.S. are attacking right at the ATM sites. They open the ATM and either replace the hard drive or put software on the hard drive to change the way it behaves. One would think that opening an ATM would be quite difficult, given what it holds, but the opposite is true. Most ATMs have a master key that opens the front of the ATM where the screen and motherboard are and, for those who don't have a master key, it is surprisingly easy to break that part or pick the lock.
The difficult part is getting to the area where the cash is stored; it rests in a magnetic box that requires a separate key. So, jackpotters bypass that issue by attacking the ATM's computer components. The motherboard in some ATM models has a hard drive, USB ports and an operating system. Many them are running Windows XP and are very difficult to update, because updates cannot be performed remotely and there are so many ATMs in the world.
Until now, ATM manufacturers weren't too concerned about the physical security of the machine itself but instead focused on the physical security of the cash box within the ATM. In this age of increasingly innovative cybercriminals, all aspects of security must be accounted for.
To jackpot an ATM, the attacker loads code into the ATM's computer. Malware can be purchased on the dark web, which the criminal then puts onto a USB drive and plugs into the ATM's hard drive. Then the operating system runs the malware, allowing the hacker to instruct the ATM to spit out as much money as they want.
Another jackpotting option involves using a simple $35 Raspberry Pi mini-computer to execute a sort of “man in the middle attack” on an ATM's computer. Once bolted on, the Raspberry Pi starts pulling information from the ATM just like a card skimmer would, including PINs and credit card numbers.
This approach is even more dangerous than a simple card skimmer, however. Instead of just collecting information that people enter, hackers can actually direct the computer to send the credit card processing traffic not to the clearing house in the bank but instead to an illicit processing house that they have set up themselves. That way, the hackers can both collect all the money in the ATM and re-route and pocket wire transfers or other types of financial transactions.
Physical Security Failure
It might seem that with all the security cameras set up around an ATM, it has to be fairly obvious when someone is trying to break into an ATM. However, the entire process is remarkably quick, and an efficient actor could be done in fewer than five minutes. Add to that the fact that some of the malware will even let them control the security cameras, and it's clear that physical security isn't sufficient to protect ATMs.
For financial services companies, the ATM is an endpoint. Protecting an ATM might fall under the physical security purview of banks' security strategy, but to protect against more sophisticated attacks like jackpotting requires that banks include them in their endpoint security posture as well.
Banks need to protect against jackpotting malware. Security that protects access to an ATM network would detect this kind of malware, but the problem is that they also have to worry about onboard or endpoint security. If banks don't have control over physical access to the ATM, a malicious actor can bypass that network security layer simply by putting a USB key into the ATM's computer. At that point, banks have to worry about endpoint security.
Best practices for ATM security include making sure your systems are updated. ATM manufacturers spend so much time securing the cash dispensing system that it's easy to forget about mundane things like ensuring the computer software in the ATM is up to date and patched. ATMs are still computer devices and need to be updated like every other device. Treat them like any other endpoint and update their software and OS frequently and lock down the endpoints as well. Banks need to take advantage of available threat intelligence to ascertain where their vulnerabilities are. They need to pay attention to what exploit kits are being used and making patching a priority.
Another best practice is to make sure you have holistic network visibility and you understand what endpoints are connected to your networks at all times. You must understand that the entire attack surface is critical in order to make appropriate security decisions. This is especially true as financial institutions begin to handle Bitcoin and crypto wallets. Ultimately, financial services companies need to know what's connected to their networks at all times and to not forget about endpoint security as a critical component of protecting ATMs.