A Thing
The Green SheetGreen Sheet

Friday, February 2, 2018

Jackpotting attacks target bank ATMs

Recent reports indicate jackpotting attacks against U.S. ATMs are on the rise. Popularized in Europe, Asia and Mexico, the attacks involve ATM technician impostors who use a variety of forged or generic keys, jackpotting malware and advanced endoscopic devices, to open ATMs.

Once inside, the fraudsters program the equipment to rapidly dispense cash, paving the way for massive withdrawals by criminals posing as consumers. Attacks have taken place in the mid-Atlantic, Southeast and North Pacific regions and predominantly target pharmacy, bank and large retailer locations, according to law enforcement authorities.

Bruce Renard, Executive Director of the National ATM Council Inc., said attackers are exploiting known vulnerabilities in bank ATMs. Unlike independent ATMs that run on Windows CE, many bank ATMs use outdated Windows operating systems, he noted. "While the Jackpotting attacks to date have focused on bank machines and have not yet impacted the independent retail segment of the U.S. market, NAC is carefully monitoring this situation with respect to any actual or potential migration into the independent retail sector," Renard stated.

George Sarantopoulos, Chief Executive Officer at Access One ATM Inc. and National ATM Council Inc. Chair, urged NAC members and independent ATM deployers to maximize visibility of existing and new terminal placements, and restrict access to all points of entry into the devices. "Any terminals utilizing a Windows XP operating system should be upgraded to a Windows 7 or later version," he said. "ATM operators should remain vigilant to any suspicious activity and new technicians."

Security first

In a Jan. 21, 2018, blog post, security analyst Brian Krebs, of KrebsOnSecurity reported the U.S. Secret Service had warned financial institutions about jackpotting attacks. The story rapidly spread to other news outlets. Reuters journalist Dustin Volz reported Jan. 29, 2018, that criminals had netted more than $1 million in jackpots from U.S. ATMs.

"A confidential U.S. Secret Service alert seen by Reuters and sent to banks on Friday said machines running XP were more vulnerable and encouraged ATM operators to update to Windows 7 to protect against the attack, which appeared to be targeting ATMs typically located in pharmacies, big box retailers and [drive-throughs]," Volz wrote.

John Gunn, Chief Marketing Officer at Vasco Data Security, said improved ATM security has pushed criminals to more brazen physical attacks against ATMs. David Vergara, Head of Global Product Marketing at Vasco, expects these physical attacks to continue until banks address key vulnerabilities. "And to beat the bigger issue of skimming, banks should consider cardless security technologies like mobile authentication via visual cryptogram," he added.

Five common ATM security myths

Gunn dispelled the following five myths about ATM safety and security:

Myth 1: It's easy to see and avoid devices implanted in ATMs for theft.

Fact: Criminals use ATM interface components for theft that are custom designed to fit seamlessly into the card readers of specific manufacturers. Some of these appliances can be tough for even a trained specialist to spot quickly and casually.

Myth 2: Chip Cards fully stop hacking.

Fact: The launch of chip card technology (EMV), which began a decade ago in Europe and has been spreading throughout the world, and has helped cut card fraud, but even EMV can't always prevent fraud. EMV protections can be circumvented through ultra-thin metal or plastic devices installed in the readers, for example.

Myth 3: It takes a sophisticated hacker to steal from an ATM.

Fact: It doesn't take a sophisticated hacker to defraud an ATM. In California, five teens were arrested for putting card data theft devices at three ATMs located in banks. Today, any interested party can become a professional thief in this segment with a modest cash investment.

Myth 4: ATM security must depend on the customer.

Fact: Although some IT and security professionals cite customer carelessness in ATM fraud, the fact is there is a growing risk vector that has nothing to do with customer mistakes. Researchers have found that IoT devices such as personal smart clocks or pulse physical activity controllers can be used to steal an ATM access code. By collecting hand movement information, researchers could accurately guess passwords and access codes with up to 80 percent success on the first try.

Myth 5: Thin copy devices or hidden cameras are the only ATM attack strategies.

Fact: Bank security professionals need to look at and beyond reader devices and hidden cameras ‒ there's a new array of ATM fraud technology, such as Bluetooth-enabled devices that install on circuit boards. When fraudulent components are integrated into ATM circuits, thefts can potentially continue for years undetected, Gunn noted. end of article

Editor's Note:

The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.

2019 2018 2017 2016 2015 2014 2013 2012 2011 2010 2009 2008 2007
A Thing