What Recent Jackpotting Attacks Can Teach Us

It has been a challenging year for jackpotting attacks on ATMs, with new attack variants appearing and new regions—including the Americas—being affected. If the financial services industry is going to effectively counteract this threat, a better understanding of jackpotting and the importance of holistic, up-to-date defenses are required.

Jackpotting attacks refer to attacks in which ATMs are manipulated to expel their supply of cash much like a slot machine after a “jackpot” has been achieved in a casino. While these attacks typically don’t feature brute force, they combine aspects of physical and logical manipulation of ATMs to bypass built-in security measures. Jackpotting attacks come in a variety of forms, but the outcome of a successful attack is always the same: an empty ATM and substantial cash losses.

To gain a better appreciation of what jackpotting attacks look like, how their format varies and what can be done to prevent them, let’s take a look at four attacks that were covered in Diebold Nixdorf Global Security Alerts this year. As you will see, these attacks evolve quickly and primarily target older ATMs on which security measures have not been proactively updated. While there have been multiple alerts on jackpotting over the last few years, this post focuses on the latest alerts sent out since January.

Timely Lessons from Four Examples of Jackpotting

January 25 Alert 018-04/0005

The first attack we reported on this year featured manipulation of the ATM’s hard drive—a common tactic in jackpotting attempts. The hard drive was removed and replaced with a different hard drive that had been configured to enable unauthorized dispense commands to the cash dispenser unit. In addition, sensors were manipulated and an endoscope was used to fool the authentication system. In this way, the encrypted communication protocols that were also in place were bypassed. Read more about the attack.

Key Takeaway: Standard protections, such as physical hardware pairing systems, can be overcome with time. Updates to authentication protocols and software stacks are necessary, along with a securely locked-down and monitored top hat. In addition, disks should be encrypted completely to stop infection of the hard drive while the machine is switched off.

May 07 Alert 018-19/0003

This attack featured a “black box attack” in which the ATM PC was disconnected, disabling logical security measures, and a foreign device (a laptop computer, in this case) was attached directly to the cash dispenser. Once again, we saw that with an endoscope, criminal intelligence and patience, much can unfortunately be accomplished. Physical authentication sensors were manipulated to allow the attacker’s laptop to be used as if it were the ATM’s PC. Dispense commands were issued, and the ATM was emptied. Read more about the attack.

Key Takeaway: A patch has been released to prevent this attack type, but you need proper physical/logical security measures and monitoring processes (prevention and detection), as well as regular updates, to stay proactively defended. No matter how many security measures you put in place, a lack of timely updates will always leave you vulnerable.

July 4 Alert 018-19/0004

This attack was similar to the black box attack listed above, this time against ProCash terminals instead of Opteva® units. In this attack, we saw that an expert attacker was remotely connected to the “black box” and carried out the attack via a laptop brought to the ATM by an on-site “money mule,” who served as the remote attacker’s partner. We have released firmware updates that can prevent this sort of attack, but longer-term protection requires a physically locked-down/monitored ATM, software-based intrusion prevention measures and timely updates. Read more about the attack.

Key Takeaway: This attack shows that not every jackpotting attack requires on-site criminals with a rich understanding of how ATMs and their security measures work. Similar attacks were orchestrated in different regions using this method, demonstrating that one person can carry out attacks across the globe through anonymous hiring of local help.

July 9 Alert 018-21/0005

Like the January attack, this attack featured hard drive removal. This time, however, the ATM’s hard drive was removed, infected with malware and reinserted instead of being replaced with an attacker-supplied hard drive. It was a new variant of a known attack vector that proper countermeasures could have prevented—a Microsoft patch from 2016 eliminated the OS vulnerability that was exploited in the attack. Hard drive encryption or software-based security measures that detect anomalous behavior could have also stopped the attack. Read more about the attack.

Key Takeaway: Not every “new” attack requires a new hotfix to prevent it. In some cases, the countermeasures are already available, and simply keeping the OS, the middleware and the application up to date could make the difference. This is a good reminder that Windows® 7 support from Microsoft ends in January 2020, and you will soon need Windows® 10 installed on ATMs to receive the crucial security updates that keep your fleet safe. Learn more about that important software migration deadline here.
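The four alerts above share two detectable patterns: the dispenser hands out cash without a host-authorized transaction (replaced or infected hard drive, black box driving the dispenser while the ATM PC is disconnected), and the terminal comes back up on a disk that is not the one enrolled for it. The following fleet-side correlator is an added illustration written for this article; it is not Diebold Nixdorf code, and the log line format, event names (BOOT, HEARTBEAT, TXN_AUTH, DISPENSE), field names, enrolled disk identities and the 90-second heartbeat threshold are all constructed assumptions. It runs over a handful of constructed sample events for a hypothetical terminal ATM-0042 and shows which rule fires for each pattern.

```python
"""Fleet-side correlation of ATM events to flag jackpotting indicators.

Constructed example for this article, not vendor code. The log format,
event and field names, thresholds and enrolled disk identities are
assumptions for illustration only.
"""
import re
from datetime import datetime

# Tolerated silence from the ATM PC before a dispense is treated as suspicious.
HEARTBEAT_GAP_SECONDS = 90

# Disk identity enrolled per terminal at deployment (assumed inventory data).
ENROLLED_DISKS = {"ATM-0042": "DISK-A1"}

# Constructed sample events: timestamp, terminal id, event, key=value fields.
SAMPLE_LOG = """\
2018-07-09T02:00:00 ATM-0042 BOOT disk_id=DISK-A1
2018-07-09T02:00:30 ATM-0042 HEARTBEAT
2018-07-09T02:01:00 ATM-0042 TXN_AUTH txn=T100 amount=200
2018-07-09T02:01:05 ATM-0042 DISPENSE txn=T100 amount=200
2018-07-09T02:01:30 ATM-0042 HEARTBEAT
2018-07-09T02:04:10 ATM-0042 DISPENSE txn=T999 amount=2000
2018-07-09T02:04:20 ATM-0042 DISPENSE txn=T999 amount=2000
2018-07-09T03:00:00 ATM-0042 BOOT disk_id=DISK-ZZ
2018-07-09T03:00:30 ATM-0042 HEARTBEAT
2018-07-09T03:01:00 ATM-0042 TXN_AUTH txn=T101 amount=100
2018-07-09T03:01:03 ATM-0042 DISPENSE txn=T101 amount=500
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)(.*)$")


def parse_line(line):
    """Parse one log line into a dict of fields; return None for junk lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, terminal, event, rest = m.groups()
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {"ts": datetime.fromisoformat(ts), "terminal": terminal,
            "event": event, **fields}


def detect_jackpotting(lines):
    """Correlate events per terminal and return a list of alert dicts."""
    alerts = []
    last_heartbeat = {}   # terminal -> time of the last HEARTBEAT seen
    authorized = {}       # (terminal, txn) -> amount authorized by the host

    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        t, ts = ev["terminal"], ev["ts"]

        def alert(rule, detail):
            alerts.append({"rule": rule, "terminal": t, "ts": ts, "detail": detail})

        if ev["event"] == "HEARTBEAT":
            last_heartbeat[t] = ts
        elif ev["event"] == "BOOT":
            # Drive swapped, or reinserted after offline tampering: the disk
            # identity reported at boot differs from the enrolled one.
            expected = ENROLLED_DISKS.get(t)
            if expected and ev.get("disk_id") != expected:
                alert("unexpected_disk",
                      f"booted from {ev.get('disk_id')}, enrolled {expected}")
        elif ev["event"] == "TXN_AUTH":
            authorized[(t, ev["txn"])] = int(ev["amount"])
        elif ev["event"] == "DISPENSE":
            amount = int(ev["amount"])
            auth_amount = authorized.get((t, ev["txn"]))
            # Dispenser acted without a host-authorized transaction: what a
            # black box or a replaced drive issuing its own commands looks like.
            if auth_amount is None:
                alert("unauthorized_dispense", f"txn {ev['txn']} has no authorization")
            elif auth_amount != amount:
                alert("amount_mismatch", f"authorized {auth_amount}, dispensed {amount}")
            # Dispense while the ATM PC has gone silent: consistent with the PC
            # being disconnected and a foreign device driving the dispenser.
            hb = last_heartbeat.get(t)
            if hb is None or (ts - hb).total_seconds() > HEARTBEAT_GAP_SECONDS:
                alert("dispense_without_heartbeat", "no recent heartbeat from ATM PC")
    return alerts


if __name__ == "__main__":
    for a in detect_jackpotting(SAMPLE_LOG.splitlines()):
        print(a["ts"].isoformat(), a["terminal"], a["rule"], a["detail"])
```

On the constructed sample, the two T999 dispenses trigger both the missing-authorization and the missing-heartbeat rules, the second BOOT is flagged for an unenrolled disk, and the T101 dispense is flagged because the amount exceeds what the host authorized. The point of correlating on the host side is that it does not depend on the ATM PC being trustworthy: a replaced drive or a detached PC cannot suppress the host's own record of which transactions it authorized.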

What It All Means

These four examples are unfortunately not all-inclusive of the ways in which jackpotting attacks can take place, but they do showcase the importance of being proactive with your updates and upgrades. While ATMs may be controlled by PCs that run on Windows, they’re not your average desktop PC that receives nightly updates. ATMs are designed for 24/7 usage, and they are often situated in vulnerable locations with infrequent maintenance and oversight. They need special security solutions designed for self-service terminals, and they need those solutions to be kept up-to-date through a smart ATM security management program.

We build ATMs to last, and that is why there are many thousands of older ATMs still in service across the world. The average age of an ATM is around seven years, and we sometimes see units that have not been updated in nearly two decades. But attacks evolve quickly, and you can’t rely on aging defenses to protect you—criminals have proven time and again that they will exploit any vulnerability they can find.

Wondering where to start to make sure your fleet is protected? Here is what we recommend:

  • Sign up for Diebold Nixdorf Global Security Alerts, as this is the best way to know what attack types are taking place, where they are happening and what you can do to protect your fleet.
  • Prioritize updates and upgrades to your most vulnerable units first—those located in remote locations or those that are particularly old and have not been upgraded for a long time—then move methodically to assess and address needs across your fleet.
  • Start by ensuring your firmware is completely up to date and that your ATM can communicate with you if it is being attacked; then bolster your physical and software-based defenses so your units are truly resistant to jackpotting.
  • If you need help, reach out. We work with financial institutions of all sizes across the globe to keep the self-service channel as secure as possible against all threats. We will help you come up with a plan to secure your fleet that makes sense for you.

Are you ready for more information on ATM security? Listen to a recent podcast where our experts discuss ATM security best practices. Or contact us for additional information on this topic at security@dieboldnixdorf.com.