In July 2016, ATM hackers in Taiwan raked in more than $2 million using a new type of malware attack that manipulated machines into spitting out tons of cash. The method, dubbed "jackpotting," quickly spread across parts of Asia, Europe, and Central America, resulting in tens of millions of dollars of stolen cash. By November 2016, the FBI issued a warning that "well-resourced and organized malicious cyber actors have intentions to target the US financial sector” using this approach. But it took a year for the attack to arrive stateside.
This week, the Secret Service began warning financial institutions about a rash of jackpotting attacks across the US, and the threat that more could be coming. In a jackpotting attack, hackers—often dressed as technicians to deflect suspicion—penetrate an ATM's physical and digital security, install malware, establish remote access, and set it up to display an out-of-order screen. With those hardware and software modifications in place, another attacker can approach the compromised ATM and stand with a bag while co-conspirators remotely instruct it to dispense cash. In past incidents, law enforcement observed a cashflow rate of 40 bills every 23 seconds.
So far, jackpotting attacks in the US have largely targeted standalone ATMs—like the ones you might see at pharmacies or big box stores—and have already cropped up in numerous regions including the Pacific Northwest, New England, and the Gulf. ATM manufacturers, financial institutions, and law enforcement agencies are now scrambling to defend the 400,000 ATMs in the US against further jackpotting attempts—and to figure out what took it so long to get here.
"While there is no way to give a definitive answer, there are two predominant schools of thought," says Secret Service special agent Matthew Quinn. "First, financial fraud is cyclical. Attack one region, locally or globally, and move on before apprehension or after law enforcement exposure. The second often revolves around ease of entry. Organized transnational criminal groups may first target a region with less law enforcement presence and less restrictive means of entry."
The US has extensive law enforcement capabilities, making other countries, particularly developing nations, safer training grounds for perfecting malicious techniques. But recently jackpotting has been slowly easing into the US. Krebs on Security, which first reported on the Secret Service advisory earlier this week, also notes that there were some preliminary jackpotting attacks in Wyoming in November.
The physical access component is crucial to why there haven't been more jackpotting attacks in the US, according to Daniel Regalado, principal security researcher at the Internet of Things defense firm ZingBox. "In the context of developing countries, it's easy to open up the box. No one is going to spot you or it's easy to bribe the cops. Physical access is not a problem," says Regalado, who has tracked jackpotting malware for years. "When you come to the US things are different. In five minutes the cops are going to arrive, or they are already tracking you from a previous jackpot."
ATM security is also stronger in the US than in some countries, because banks can afford to regularly upgrade their devices with new hardware and software protections. The ATMs attackers have hit in the US so far all appear to be old models made by Diebold Nixdorf. And Regalado notes that when companies replace ATMs in moneyed countries, they often sell the old models to developing nations—another reason jackpotting is easier outside the US.
The malware attackers have been using in these recent attacks, known as "Ploutus.D," originated in Latin America and does have other variants that can target more recent models of ATMs from vendors beyond Diebold. But Regalado is skeptical that jackpotting will truly take off in the US. "I don’t understand to be honest why they’re coming to the US when it’s so much harder to do the attacks than what they’ve been doing in other countries," he says. "A jackpot in the US is definitely better than one in an ATM in Mexico or another Latin American country, because the currency is worth more. But there's a big risk of getting caught."
Nonethless, US ATM security isn't stellar, even if it is above average. "Jackpotting is nothing new. The manufacturers play cat and mouse, but still haven't been able to fix it," says David Kennedy, the former chief security officer of Diebold, who now runs the corporate security consulting firm TrustedSec. "ATM manufacturers should be protecting the product they sell, but also most of the security enhancements to ATMs are removed by banks or they won't pay for additional security on the devices. Most banks treat ATMs as standalone devices with few security controls."
Diebold said in a client advisory on Thursday that customers should implement "the same countermeasures" the company has recommended during past jackpotting waves, like installing the latest firmware updates, using robust physical ATM locks, and adding two-factor authentication to ATM access controls. Diebold hinted, though, that many financial institutions may not have heeded this advice, noting that the recommendations "should be deployed if not already implemented."
While there are important software protections that manufacturers and financial institutions can implement on ATMs, like strict limits on a device's ability to run foreign code, ZingBox's Regalado argues that ultimately ATM protections need to be physical, since hackers are already relying on physical access to carry out their attacks. "You can have the latest and greatest software solution, but with physical access they figure out ways to remove the protections," he says. "This is not a software problem, it’s a hardware problem."
In comparison to some other countries, communication about these types of threats, law enforcement action, and regulations all move relatively quickly in the US, thanks to specialized groups like the Federal Financial Institutions Examination Council. As a result, TrustedSec's Kennedy agrees that jackpotting isn't likely to be as widespread in the US as the law enforcement warnings might make it seem.
But the threat certainly merits precautions from financial institutions, and can also serve as a vital reminder about the ongoing need to invest in strong ATM security. If you get a sketchy vibe off of someone loitering around an ATM for too long, tell someone. Especially if you see them collecting a waterfall of cash.
Before jackpotting, all it took to bust an ATM was a drill and $15 worth of gear
And before that, there were 3-D printed ATM skimmers
But honestly, it's not like online banking hasn't been hit just as hard
