Two of the world’s largest ATM makers have warned that cybercriminals in the US are using a technique called “jackpotting” to force cash machines to spit out large amounts of money.
Diebold Nixdorf and NCR both confirmed to Reuters over the weekend that messages had been sent to clients of the ATMs, alerting them to the hacking threat. No details have been given about any specific victims, or about how much money may have been lost due to the attacks.
The hacks were reported on Saturday by the security blog Krebs on Security, which claimed the US secret service had been quietly warning financial institutions that “jackpotting” losses have been spotted in the United States. While the technique itself is not new, this looks to be the first time the attacks have been carried out on US ATMs.
Jackpotting involves hacking the ATM and forcing it to give out cash. According to Reuters, the alert Diebold Nixdorf sent to its clients described a number of steps that criminals may use to compromise ATMs. These include gaining physical access, replacing the hard drive and “using an industrial endoscope to depress an internal button required to reset the device”.
In his blogpost, Brian Krebs claims jackpotting has “long been a threat for banks in Europe and Asia”, so the idea of this happening in the UK isn’t unprecedented. It’s worth noting that the attack is on the bank’s store of money, not a specific customer’s account.
Diebold Nixdorf said that it had been warned by US authorities that hackers were targeting its Opteva ATMs in standalone locations such as shopping centres. NCR said that while its equipment had not been targeted in recent attacks, it was still a concern for the industry.
“This should be treated by all ATM deployers as a call to action to take appropriate steps to protect their ATMs against these forms of attack,” the company’s alert said.
While the spate of alerts suggests there has been a sudden increase in jackpotting hacks, the attacks are far from simple to pull off. “What is interesting about these attacks is that they require considerable physical access to the ATM itself,” says Leigh-Anne Galloway, cybersecurity resilience lead at Positive.com.
“There is a high risk of getting caught, and there are far less complex attack vectors that could have been chosen. In other words, it’s very surprising the method that these criminals have come up with. […] The attack can mostly be mitigated by limiting physical access to the ATM [and] the service area, and requiring physical authentication by maintainers.”
Security expert Darien Graham-Smith notes there may be a reason for cash-machine operators not to publicise hacks on their systems: “In an age when everything from lightbulbs to cars is getting hacked, it’s hardly a shock that cash machines are in the crosshairs. In light of the hugely ingenious ways that hackers have found to compromise computers and networks in the past, I’m frankly surprised we haven’t seen more successful attacks.
“Then again, if such crimes were widespread, we might not know about it: I doubt cash-machine operators would want to publicise any technical vulnerabilities, for fear of inviting copycat attacks.”
Disclaimer: Some pages on this site may include an affiliate link. This does not effect our editorial in any way.
