Walking by an ATM spitting out cash might sound like a dream. But the Secret Service isn’t so amused. It’s issued a warning to financial institutions about cyberattacks that cause ATMs to issue cash like lottery prize money.
In a release shared with CNN Tech, the Secret Service said at least six attacks, known as “jackpotting” schemes, have been reported across the U.S. in the past week. The hackers, who target stand-alone ATMs at pharmacies and large retailers, as well as drive-through cash machines, have stolen more than $1 million so far.
Independent digital security reporter Brian Krebs first reported the warning on his website, Krebs on Security, and said officials have notified ATM makers, including Diebold Nixdorf and NCR Corp., of the threat.
“While at present these appear focused on non-NCR ATMs, logical attacks are an industry-wide issue,” said an NCR alert cited by Krebs. (The industry appears to prefer the more staid “logical attacks” to the cha-ching of “jackpotting.”) “This represents the first confirmed cases of losses due to logical attacks in the U.S. This should be treated as a call to action to take appropriate steps to protect their ATMs against these forms of attack and mitigate any consequences.”
Hackers have previously used other tricks to steal cash, like card skimming, but jackpotting represents a more lucrative maneuver—and a bigger problem for the banking industry.
Here’s how it works. First, the hackers, often operating in teams, must gain physical access to an ATM. (In some attacks, according to Krebs, jackpotters have used phishing techniques to steal access codes and then dressed up like ATM technicians to break into the locked door that guards the cash machine’s motherboard.) Once they have access, they use physical hacking tools to sync a laptop with the ATM network and remove it from service. From there, they install malware through a USB port that forces the machine to dispense cash.
To prevent further attacks, a Diebold Nixdorf advisory suggests that clients implement physical authentication access controls for technicians and improve investigations into unusual transactions.
Jackpotters have operated for years in other parts of the world, particularly in Europe and Asia.
For instance, Reuters reported in 2016, “Cyber criminals have remotely attacked cash machines in more than a dozen countries across Europe this year, using malicious software that forces machines to spit out cash, according to Russian cyber security firm Group IB.”