January 30, 2018

ATMs spew piles of cash in hackers' 'jackpotting' scheme

Two cash machine makers are warning that the risky cybercrime has spread to the United States, according to a report

Hackers ATMs
01302018_Diebold_Opteva_562_wiki Martin Iturbide/via Wikimedia

This photo of a Diebold Opteva 562 ATM was taken in October 2006 in Quito, Ecuador.

Imagine passing an ATM and watching as it suddenly spit out reams of cash.

Into the hands of cyber criminals.

Now such a scheme employed internationally by hackers for 15 years reportedly has spread to the United States for the first time. 

In a technique known as "jackpotting," hackers are rigging ATM machines so that they continously disburse money until the dough runs dry. But the scheme carries more risk than other schemes because hackers must gain physical access to the machine to pull it off.

Yet, two prominent automated teller machine manufacturers – Diebold Nixdorf Inc. and NCR Corp. – have alerted clients that cyber criminals are now using the sophisticated attack on machines in the United States, according to KrebsonSecurity, a cybersecurity blog.

The U.S. Secret Service is warning that organized criminal groups have been attacking standalone ATMs using an advanced strain of malware first seen five years ago, according to the KrebsonSecurity report, which cited an anonymous source.

The criminal groups reportedly have targeted frontloading machines manufactured by Diebold Nixdorf that are often found in pharmacies, big box retailers and drive-thru ATMs. 

"The Secret Service recently obtained credible information about planned jackpotting attacks in the U.S. through partners of our Electronic Crimes Task Force," the Secret Service announced in a press release. "Subsequently, we alerted other law enforcement partners and financial institutions who could potentially be impacted by this crime."

It is unclear where the attacks have played out or how much money has been lost. 

But Avinash Srinivasan, a Temple University professor who served as a fellow for the National Cybersecurity Institute, said "jackpotting" schemes pose a considerable threat to the ATM industry.

"Because there are so many ATMs in the country, it is a significant problem, particularly for the machines (in locations) that are kind of isolated," Srinivasan said. "Breaking in and getting physical access to the ATM is a lot easier. There is no fear of being noticed easily."

To carry out a jackpotting scheme, hackers must access the internal workings of the cash machines. They replace the hard drive with one that includes an unauthorized image of the machine's platform software. Using an industrial endoscope, they pair the new hard drive with the machine's cash dispenser.

They also can use the endoscope to synch an existing hard drive with a laptop or mobile device.

The hackers can then remotely control the ATM and force it to dispense cash. Within minutes, they can run off with thousands and thousands of dollars.

"It will give you both access to the system and ask for you to specify the money," Srinivasan said. "It is smart enough to go back and check the available denominations on the machine. It is slick."

RISKY BUSINESS

But Srinivasan said the scheme often is not worth the risk. He suspects those carrying it out in the United States are not the most sophisticated hackers. 

For one, he said, the hackers are likely to leave a significant amount of evidence tracing them to the crime. And ATMs hold a significant, but not exorbitant, amount of cash, making it a more dicey proposition.

"It involves being physically there and it involves a very high risk compared to the reward," Srinivasan said. "This is likely to succeed more if there is a coordinated effort."

With news of the schemes hitting the United States, ATM manufacturers are seeking to amp up their security.

In a letter sent to clients by Diebold Nixdorf, and obtained and published by KrebsonSecurity, the ATM manufacturer warned of potential jackpotting attacks moving from Mexico to the United States. The company advised clients to limit the physical access to the ATM and use the most secure firmware and encrypted communications configuration.

Hackers reportedly have targeted a series of Diebold Nixdorf machines that are no longer in production. By contrast, NCR told KrebsonSecurity that its machines have not been affected, though it found the schemes worrisome.

Once hackers obtain the operating system for an ATM – as it appears they have on Diebold Nixdorf's discontinued Opteva 500 and 700 series machines – it becomes much harder to protect, Srinivasan said.

"Once you get hold of the operating system copy, then it's a big problem," Srinivasan said. "The operating systems should not be available. That is what their security depends on."