When people think of ATM robbery, they probably imagine ski-masked people carrying burlap sacks and waving weapons at ATM technicians. Or maybe they envision a group of criminals breaking into ATMs using brute force, like crashing a car into it or wrapping it up in chains to drag it away. But in many areas, physical destruction is taking a back seat to a more hands-off method called “jackpotting”, a type of cybercrime that employs sophisticated malware to reprogram an ATM to dispense large amounts of money on command. In 2013, a large group of hackers in Mexico executed the first large-scale ATM jackpotting. This cyber heist involved infecting more than 450 ATMs with Ploutus ATM malware, which caused the machines to spit out enormous piles of cash. Later that year, the Carbanak crime gang remotely forced a large ATM network to dispense cash to money mules and rewired bank systems to transfer money into accounts they controlled, sometimes artificially increasing the amount of money they pilfered. In the course of five years, this gang stole $1.07B from more than 100 financial institutions in at least 40 countries.Though its origins are eleven years old, the jackpotting technique has become more frequent since 2020, a year when the number of attempted and successful ATM robberies jumped sharply. There’s no simple, foolproof solution to the problem, but there are many things a CFI can do to lessen the vulnerability of their cash machines.Two Kinds of JackpottingThere are two main jackpotting techniques, malware-based and black box. Both types involve using an ATM-specific key to get into the machine’s internal computer. Criminals might dress like ATM technicians so they look the part while breaking in. In malware-based jackpotting, the thief inserts a USB device containing malware and either physically uses the ATM’s keyboard to activate the malware or remotely triggers actions by sending text messages from a mobile device. At this point, the criminals can command the ATM to dispense cash to money mules, who collect and transport the money.In the second kind of jackpotting, called a black-box attack, robbers again access the ATM computer’s dashboard and then switch the ATM to supervisor mode. They connect a device known as a black box, which takes the place of the ATM’s computer, and take over its cash dispenser. A smartphone can control the black box, commanding it to dispense money. In a black-box attack, the thieves may return to disconnect and retrieve their technology.How CFIs Can Protect Their ATMsAs with many types of crime, jackpotting is just another item on a seemingly endless conveyor of financial crime methods. Financial institutions figure out how to outwit one type of malware, so criminals come up with a new one. Even so, there are things that CFIs can do to protect themselves from jackpotting:
- Upgrade your cybersecurity. Select ATM security software that’s specifically designed to withstand malware attacks. Keep that security software and recommended antivirus programs updated.
- Improve the physical security of machines. Invest in the security of your ATM and networks. Use CCTV cameras and alarms to record images of anyone who tries to break into the ATM or access its hard drive.
- Investigate unusual customer behavior. Pay attention to what’s usual in ATM use so you can spot what’s unusual. Customers withdrawing $100 or $200 on a Friday afternoon is likely normal for most ATMs. A couple of login attempts might be standard, because mistakes happen. But many failed login attempts or requests for extremely large amounts of cash may be unusual for your ATMs, and potentially indicate a jackpotting attempt.
- Carefully guard sensitive information. Treat bank login passwords and administration credentials like gold that’s stored in Fort Knox. Only the people who need it should have access, and these employees should get regular training on phishing techniques and other potential attempts to steal this valuable information.
Like most cybercrime, jackpotting techniques are caught in a race between financial institutions that work to prevent theft and criminals who come up with new methods. There are still multiple things CFIs can do to protect their ATMs, including upgrading physical security and cybersecurity, protecting sensitive login information, and training employees on customer behavior and the latest theft methods.
