Hackers able to make ATMs spit cash like winning slot machines are now operating inside the United States, marking the arrival of “jackpotting” attacks after widespread heists in Europe and Asia, according to security news website Krebs on Security.
Thieves have used skimming devices on ATM machines to steal debit card information, but “jackpotting” augurs more sophisticated technological challenges that American financial firms will face in coming years.
“This is the first instance of jackpotting in the United States,” said digital security reporter Brian Krebs, a former Washington Post reporter. “It’s safe to assume that these are here to stay at this point.”
On his website, Krebs reported Saturday that the Secret Service has warned financial institutions about “jackpotting” attacks in the past few days, though specifics have not been revealed.
He cites an alert sent by ATM maker NCR Corp. to its customers:
“This represents the first confirmed cases of losses due to logical attacks in the U.S.,” the alert read. “This should be treated as a call to action to take appropriate steps to protect their ATMs against these forms of attack and mitigate any consequences.”
Krebs reported that criminal gangs are targeting Diebold Nixdorfmachines – the stand-alone kind you might see in a drive-through or pharmacy. He shared the ATM giant’s security notice. It described similar attacks in Mexico, in which criminals used a modified medical endoscope to access a port inside the machines and install malware.
Diebold Nixdorf spokesman Mike Jacobsen declined to provide the number of banks targeted in Mexico and the United States or comment on losses, according to Reuters.
Hackers have also been reported to remotely infect ATMs or completely swap out their hard drives. The Secret Service could not be immediately reached for comment about the nature of the reported U.S. attacks.
Whichever method is used, the results are about the same. At a hacker conference in 2010, Wired reported, a researcher brought two infected ATMs to the stage and gave a demonstration.
In the first example, a volunteer from the audience swiped a card through the ATM, and the researcher instantly brought up his credit card number and personal information on a computer spreadsheet.
In the second, the researcher gave the machine a command. “Jackpot!!” flashed on the ATM’s screen, and it began spitting bills onto the floor as the crowd cheered.
Small-scale jackpotting attacks were reported sporadically in many countries over the next few years, according to Reuters. They finally went big time in 2016.
A gang stole $13 million from Japanese ATMs in three hours that spring, Fortune wrote. In the summer, loose cash was spotted fluttering around dozens of First Commercial Bank ATMs in Taipei, Taiwan.
First Commercial subsequently froze withdrawals at more than 1,000 ATMs, according to the BBC. A police investigation revealed masked thieves had been waiting in front of the hacked machines and carried cash away by the bag load – more than $2 million across the country.
The Government Savings Bank in Thailand was hit with a similar attack the next month, the Wall Street Journal reported. As it warned of the potential for attacks in the U.S., the FBI said the jackpotters impersonated ATM vendor employees in phishing emails to gain security access.
A security alert from Visa on the Asian attacks outlined an even more elaborate scheme. The hackers had dialed in to an unsecured telephone system, Visa wrote, to gain network access to the bank. From there, they explored and mapped the bank’s secure networks and uploaded a malware program disguised as a routine software update for the ATMs.
When the update was sent out, the hackers had remote access to every infected machine, Visa wrote. “There was no action required at the ATM except the collection of the money.”
At least three suspects were arrested in the Taiwan attacks. They were believed to be a small part of Eastern European or Russian criminal gangs who orchestrated the attacks in the Asia-Pacific region, the BCC wrote.
“Most likely the culprits are not the same,” Diebold wrote on its website after the Taiwan and Thailand attacks, “which makes one particular similarity between the two incidents even more striking – and a harbinger of things to come.”
By the end of 2016, jackpotters had struck more than a dozen countries across Europe, too, Reuters reported.
The FBI warned American banks at the time that they could be the next victims.
If Krebs is correct, at least one U.S. bank now is.
(c) 2018, The Washington Post · Avi Selk