One night in January in suburban Denver, Colorado, two men pried open an ATM at a small credit union, took out the hard drive, and then reconfigured the machine to spit out $24,000. Since then, at least six more attacks totaling more than $1 million have taken place.
It’s called “jackpotting,” and it’s hitting some U.S. ATMs. It works through a combination of physical and cybersecurity vulnerabilities. First, the hackers, often dressed as technicians, gain physical access to an ATM. They break into the locked door that guards the cash machine’s motherboard, and once they have access, they use physical hacking tools to sync a laptop with the ATM network and remove it from service. From there, they install malware through a USB port that forces the machine to dispense cash.
In mid-February, the U.S. Secret Service began warning financial institutions about the threat, which was previously seen in Asia and Europe, yet has been around since 2009.
The stakes are high. About half a million ATMs operate in the U.S., almost a quarter of the total in use worldwide, according to the ATM Industry Association. The machines can hold around $100 billion at peak times, while typically carrying less cash during off-hours when attempted thefts are more likely.
Will hackers hit all the ATMs, or is it a simple matter to prevent further attacks? Given the exploding number and variety of devices that connect to corporate networks today, is the vulnerability of ATMs be a wakeup call, as many such endpoints have weaker security than the machines that dispense cash? Even more, what does the jackpotting trend mean for cybersecurity in general?
I spoke with Dr. David Dampier, the Interim Chair and Professor of Information Systems and Cyber Security at the University of Texas San Antonio, College of Business. He has done extensive research in the fields of digital forensics, software engineering and cybersecurity.
Why ATMs, and Why Now?
Dr. Dampier: That’s how hackers think. Simply put, there are many people out there that are doing bad things, just so that they can say that they did it. Every time we find a fix, the criminals find another vulnerability. It’s interesting: many hackers are not actually interested in making a profit. Many hackers just want to be able to publish their exploit on the dark web, where someone else picks up the idea and makes some money. If someone wants to hack into a machine, and they have the will, they will find the way.
Why Has This Issue Prominently Been Outside of the U.S.?
Dr. Dampier: It’s primarily limited to older ATM machines, and U.S. banks just don’t have as many of those available. The first part of the hack is through physical access to the ATM – literally ripping off the top panels of the machine to access the motherboard. That means you need to have access to where it’s stored. A standalone ATM, not one that’s housed in a bank wall, is at most risk. Then, the hacker installs the malware and waits until no one is looking to steal all of the cash. It’s called jackpotting, like a slot machine that can spit out money. They signal the machine to activate the bill release, and the bills come out. They have to understand the operating system of an ATM, but anyone can see those plans on the dark web.
What’s the Solution?
Dr. Dampier: It’s tricky. It’s like putting on a suit of armor, then going into combat and getting hurt because the enemy found a small hole in your suit. So you patch up the armor and go back into combat, only to realize that your enemy has found another small hole in your suit.
We keep patching up holes in our networks and our cyber strategies, and it’s not enough. The problem is that new systems that we are creating have new vulnerabilities. How do you secure a smartphone when a new model is put out every six months? That’s hard to keep up with.
Yes, we do have to keep people smarter through cybersecurity education, but the bad guys will get smarter, too. We will never be 100 percent secure. Instead, we need to make it so painful for the bad guys to get in that they give up and move on to something else. We need to create multiple levels of protection and to frustrate them so they move on to something easier.