Q&A: ATM Jackpotting and what it means for your financial institution
Earlier this year, cybercrime investigator Brian Krebs reported on the emerging threat of “ATM Jackpotting” in the U.S. In this type of criminal activity, thieves target ATMs, installing malicious software and/or hardware that prompt the machines to dispense huge sums of cash on demand. According to the U.S. Secret Service, hackers have stolen over $1 million in a recent series of such attacks on ATMs across the country.
While cardholder carelessness can sometimes lead to fraud at the ATM, the burden for securing the machines ultimately lies with the financial institution. To find out more about this sophisticated crime and the steps being taken to mitigate its effects, we spoke with Rob Casterline, Director for FI Product Integration at Vantiv, Now Worldpay. Following are his thoughts on the topic.
How does ATM Jackpotting work?
Jackpotting ATM attacks are also known as “logical attacks” because they impact the logical security of the ATM. Fraudsters attack the hard drive and XFS layer. There are several ways this can be accomplished. However, in all instances, it is an issue that must be addressed with the ATM hardware provider.
Are the Diebold Nixdorf ATM machines particularly vulnerable, as some media have reported?
Yes. All ATMs can be hit with Jackpotting, but the Diebold Nixdorf machines have been hit particularly hard because of how the hardware is configured. On certain Diebold models, the hard drive, which contains the XFS application, is exposed and easily removed. During a Jackpotting attack, the fraudster pops out the hard drive, installs the malware, and reinstalls the hard drive. Through some simple keystrokes on a remote laptop, they can then “jackpot” the ATM.
Because this is happening at the XFS layer, payment processors aren’t even aware that the cash totals at the terminal are being reduced. We won’t even know there’s an issue outside of the ATM being “down,” until the next cash withdrawal is attempted.
Who covers the financial institution’s losses resulting from an ATM Jackpotting attack?
Similar to losses incurred by skimming attacks, the financial institution is responsible for any losses and liability due to Jackpotting.
Are these losses passed down to the cardholders?
Not that I’m aware of. Since this is a new type of attack happening in the U.S., there really isn’t a precedent for how U.S. financial institutions should handle the threat.
How pervasive do you think the threat of ATM Jackpotting is for most financial institutions?
At this point, not very, since there have only been a handful of attacks, mostly focused on the Northeast region of the U.S. and to date only on Diebold ATMs. According to KrebsOnSecurity, the targets have been stand-alone machines located in pharmacies, big box retailers, and drive-through ATMs.
What are some of the protective measures Diebold Nixdorf recommends for their machines?
After the first reports of ATM Jackpotting in the U.S., the company released a security alert with these recommendations:
- Limit physical access to the ATM by securing the head compartment, controlling access by service technicians, and requiring two-factor authentication for all access
- Implement protections for the cash modules by using the latest firmware and secure configuration of encrypted communication
- Monitor unexpected openings of the top hat
- Ensure real-time monitoring of security-relevant hardware and software including encryption of the hard disk(s)
- Investigate suspicious activities like deviating or non-consistent transaction or event patterns
- Maintain updates for the operating system, software stack and configuration
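Two of the recommendations above (monitoring unexpected top hat openings and investigating inconsistent transaction or event patterns) can be combined into one detection rule. The sketch below is an added example, not part of the interview or of Diebold Nixdorf's alert; the event schema, event names, ATM identifiers and time windows are assumptions, and it presumes the institution can collect the ATM's own dispense counters alongside host authorization records.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events; the (time, atm, kind, amount) schema is an
# assumption for this example, not any vendor's log format.
EVENTS = [
    ("2018-02-01T09:00:00", "ATM-01", "SERVICE_TICKET", 0),
    ("2018-02-01T09:20:00", "ATM-01", "TOP_HAT_OPEN", 0),   # scheduled visit
    ("2018-02-01T10:05:00", "ATM-01", "HOST_AUTH", 200),
    ("2018-02-01T10:05:10", "ATM-01", "DISPENSE", 200),
    ("2018-02-01T02:10:00", "ATM-17", "TOP_HAT_OPEN", 0),   # no ticket on file
    ("2018-02-01T02:40:00", "ATM-17", "DISPENSE", 4000),    # no host authorization
    ("2018-02-01T02:41:00", "ATM-17", "DISPENSE", 4000),
    ("2018-02-01T08:00:00", "ATM-22", "HOST_AUTH", 100),
    ("2018-02-01T08:00:05", "ATM-22", "DISPENSE", 100),
]

TICKET_WINDOW = timedelta(hours=1)   # an opening must follow a ticket this closely
AUTH_WINDOW = timedelta(seconds=60)  # a dispense must follow its authorization

def find_alerts(events):
    """Return {atm_id: sorted list of reason strings} for suspicious ATMs."""
    by_atm = defaultdict(list)
    for ts, atm, kind, amount in events:
        by_atm[atm].append((datetime.fromisoformat(ts), kind, amount))
    alerts = {}
    for atm, evs in by_atm.items():
        evs.sort(key=lambda e: e[0])
        tickets = [t for t, k, _ in evs if k == "SERVICE_TICKET"]
        auths = [(t, a) for t, k, a in evs if k == "HOST_AUTH"]
        reasons, unmatched = set(), 0
        for t, kind, amount in evs:
            if kind == "TOP_HAT_OPEN" and not any(
                    timedelta(0) <= t - tk <= TICKET_WINDOW for tk in tickets):
                reasons.add("unexpected top hat opening")
            elif kind == "DISPENSE":
                # Consume one matching authorization so it cannot cover two dispenses.
                match = next((x for x in auths if x[1] == amount
                              and timedelta(0) <= t - x[0] <= AUTH_WINDOW), None)
                if match:
                    auths.remove(match)
                else:
                    unmatched += amount
        if unmatched:
            reasons.add(f"cash dispensed without host authorization: {unmatched}")
        if reasons:
            alerts[atm] = sorted(reasons)
    return alerts
```

The second rule matters because, as noted earlier in the interview, the processor side sees no transaction when cash leaves at the XFS layer, so the mismatch is only visible by comparing the machine's own counters with host records.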
Does Vantiv, now Worldpay, offer any solutions that address ATM Jackpotting?
While we are exploring several solutions, unfortunately these attacks happen at the level of the ATM, which, like most U.S. payment processors, we do not have exposure to. Because of the level of ATM access payment processors have, there isn’t much we can do at this point.
However, it’s something we are keeping a close eye on so we can take an active role in helping address it. We encourage our financial institution partners to be vigilant about ATM security and work directly with their ATM providers to ensure they are following best practices and applying security controls to help secure their machines against this type of attack.