Jackpotting: Asian ATM Hacking Reaches the US — CyberHoot
Automatic Teller Machines (ATM) have long been a target of enterprising criminals. In the 1980’s when they first came out, criminals would chain them to their truck and drive away with the ATM machine to crack open in the safety of their garage. Banks responded by bolting ATM’s to the earth with seemingly immovable steal rods and more than a few truck bumpers were left at the scene of a thwarted attack.
Recently, hackers have been able to break into ATM machines with a Drill and malicious software they can inject into the machine through the hole drilled which causes the machine to spit out all the cash in its storage trays. This form of physical and malware attack is known as Jackpotting. Taiwan ATM’s lost $2 million dollars back in 2016 to ATM Jackpotting attacks. Jackpotting has now made its way to the US with multiple cases being reporting in recent years. Given that most ATM machines run antiquated versions of Windows (Windows Embedded, or Window XP), implanting malware or escalating credentials is a relatively trivial matter once inside the machine.
A recent spate of bombings in Philadelphia (50+ in 2020) using homemade explosives equivalent to a quarter stick of dynamite have been used to break into ATMs. Physical security issues will never go away. However, in one recent case, an individual attempting to blow up a safe in Philadelphia, blew himself to death leading some to speculate, that Jackpotting may be the safer alternative for would be thieves.
These jackpotting attacks have affected every major ATM manufacturer’s terminals, as well as Interbank payment and card processors. ATM attacks can oftentimes be hard to detect, sometimes coordinated across many ATMs in multiple countries by gangs of hackers, resulting in millions of dollars in losses before a problem is identified.
Cybercriminals are using software from leading ATM manufacturer Diebold in a series of hacks against cash terminals across Europe, forcing the machines to dispense cash to hackers. According to an Active Security Alert released by Diebold Nixdorf in July 2020, hackers using a black-box device common with these type of attacks have increased their activity across Europe by targeting Diebold’s “ProCash 2050xe” USB terminals. In the alert, the Diebold mentioned that the device used in the attacks “contains parts of the software stack of the attacked ATM”. It’s currently unclear how attackers gained access to the internal software of the machines, however, two methods have been confirmed in separate news articles. In the first method, hackers drill into ATM machines with a $15 drill bit and insert their software by patching into the ATM machine directly. In a second method, an online hack into the Bank’s networks enabled remote access to ATM machines allowing for jackpotting malware to be implanted remotely.
The Details on How?
Hackers “jackpot” ATMs by unplugging the USB cable that connects the CMD-V4 dispenser of the terminals and their electronic systems, connecting them to the black box so they can send fraudulent dispense commands. There are several other ways that cybercriminals can jackpot ATMs, including another black-box technique that plugs into network cables on the exterior of an ATM to record cardholder information. In this way, attackers can change authorized withdrawal amounts from the host, or masquerading as the host system to discharge large amounts of cash. Fortunately, at this time, it does not appear that hackers in the current wave of Diebold attacks are accessing cardholder information, according to the company.
Another type of attack on cash machines is through phishing emails sent to network administrators at the financial institution that owns the machine. The emails attempt to install malware that can later use administrative software providing remote access to ATMs to install malware on terminals that cybercriminals use to jackpot them, according to Diebold.
What Can Be Done?
ATMs should be examined by professionals to determine if the machine is physically and logically secured. It’s always a good idea to assess risk whenever you can to try and identify vulnerabilities to your business’s security. Given the spike in ATM hacks recently (both physical and logical), there are some necessary steps that should be taken with your ATM supplier:
- Limit physical access to the ATM:
- Physically secure ATMs with extra locks and video surveillance measures to discourage criminals from accessing the internal components often used to compromise the system.
- Implement protection mechanisms for cash modules:
- Use the most secure, encrypted communication protocols available, as well as software stacks with the latest security mechanisms to prevent execution of unauthorized commands and installation of unauthorized media.
- Set up additional countermeasures:
- Set up alarms that detect top hat access, interrupted connections to the dispenser and other suspicious activity; employ real-time monitoring; and put in place a frequent update cycle
Aside from ATM specific actions that can be taken, it’s important to always practice proper cybersecurity hygiene. The best way to defend against hackers in your business is through cybersecurity awareness training; educating your staff to identify when they see a threat and how to stay away from these threats is vital to your business. Too many times businesses lose significant amounts of money and damage their reputation due to phishing, ransomware, or other social engineering attacks. Follow our best practices to reduce the likelihood of your business falling victim to cyber attacks:
- Two-Factor Authentication on everything.
- Address poor Password Hygiene in your organization (adopt 14+ character password and purchase a Password Manager).
- Train your employees on common social engineering methods, phishing attacks, and protective technologies like Password Managers and 2FA.
- Govern employees with a solid set of cybersecurity policies to guide their behaviors when they need to make independent technology choices.
- Secure your own backups with offline, revision-controlled backups and then do likewise with your clients.
- Build strong Incident Response processes.
- Establish a Risk Management Framework and have an external 3rd party risk assessment performed on your business.
CyberHoot works well with businesses to Train, Govern, and Assess their Cybersecurity maturity. The only way to protect yourself is to proactively engage on Cybersecurity. Begin preparing today by taking the critical steps to avoid a breach. All too often a breach puts the compromised company out of business.