Needles and PINs: From jackpotting to skimming, why ATMs are more vulnerable than ever
Five decades after they were first unveiled in Swinging London as marvels of secure, cash-dispensing convenience, automatic teller machines are more vulnerable than ever—thanks to a wide array of attacks that include skimming devices, malware, intercepted communications, outright theft of the machines—and a new technique known as “jackpotting.”
To thieves who pull this latest type heist, the chock-full-of-cash ATM might as well have a slot machine handle on it. The U.S. Secret Service reported on Jan. 29 that jackpotting, previously seen in Europe and Mexico, is now hitting the U.S. in a coordinated way.
True to its name, jackpotting compromises an ATM to spit out cash at the breakneck speed of up to 40 bills every 30 seconds. In an insidious combination of James Bond villainy and cyberspace ubiquity, fraudsters pose as ATM technicians, right down to disguising themselves in service uniforms.
They then crack the ATM using a generic key the Secret Service says is relatively easy to buy on the internet. Once inside, the bogus tech hooks up a laptop or palm-sized external drive known as a “black box,” and uses a cellphone to crack the machine.
But do they scoop up the cash? Not always. A second conspirator often swoops in to do the mop-up work. (Kaspersky Lab posted this video simulating a jackpotting attack in September.)
Meanwhile, other serious ATM problems continue to dog banks. The placement of so-called skimmers—devices that can surreptitiously capture and steal individual account and password information—remains the biggest threat and continues to grow globally, according to FICO.com.
Debit-card compromises at ATMs located on bank property in U.S. jumped 174 percent from January-April 2014 to January-April 2015, while successful attacks at non-bank machines increased 317 percent, as reported in the Wall Street Journal. Last year, FICO reported a six-fold increase in U.S. ATM fraud from 2014 to 2015.
The loss to skimming fraud alone is about $2 billion, according to Mike Jacobsen, a spokesman for ATM-maker Diebold Nixdorf. Since October, banks from New York City to Pakistan have been hit by skimmers.
So after all this time, why are these crimes on the uptick?
“ATMs are definitely subject to various forms of attack and have probably not been upgraded as much as needed over the past few decades, particularly in light of the cyber threats,” says Shirley W. Inscoe, senior analyst for the Aite Group.
Skimming attacks at ATMs continue to be a big threat, especially in the U.S., because the use of chips instead of magnetic strips in credit/debit cards has lagged behind other nations, Inscoe says.
“As long as cards still contain magnetic stripes, counterfeit cards will continue to be created for certain fraud uses,” she says.
Terry Pierce, senior product manager for CO-OP Financial Services, a California company that manages a network of 30,000 ATMs, agrees.
“Card skimming remains the top ATM attack in the U.S. because the market has not fully converted/deployed ATMs to be chip-enabled,” Pierce points out. “As long as ATMs support magnetic stripe card processing, ATMs will continue to be vulnerable to card skimming attacks.”
But even as financial institutions struggle to cope with the skimmer threat, other attacks loom across the globe as fraudsters find new ways of attacking ATMs that have converted to EMV chips.
The irony here is that EMV chips were introduced to cut fraud and theft stemming from the use magnetic stripe cards.
In August 2016, fraudsters in Thailand used the Ripper malware to steal nearly $400,000 from ATMs. Ripper worked by using specially manufactured ATM cards with EMV chips acting as an authentication mechanism.
A month earlier, fraudsters in Taiwan made off with more than $2 million through the use of three still unidentified malware strains injected into the ATM network. As a result, criminals gained control of ATMs via a “connected device,” possibly a smartphone, to drain cash from machines.
In a November, 2016 , Aite’s Inscoe conducted a study, “ATM Fraud: Increasingly Organized.” And sadly, it is. Inscoe pointed to a number of emerging threats that will one day become even bigger problems for U.S.-based ATMs.
“With skimming the number one problem,” she wrote in the study,” the largest U.S. banks are gearing up to fight global problems—knowing that malware and hackers will eventually target this market.”
Fraudsters have been able to stay ahead of the banks because they have increased the sophistication of their skimming devices.
“When skimming devices were first used on ATMs, they were often easy to spot,” according to Inscoe. “This is no longer the case since fraudsters have invested in matching the exact color of the device to the ATM. The skimming device fits smoothly against the exterior and can actually be quite difficult to detect unless you are very familiar with the machine.”
Fraudsters often use a very small camera in conjunction with the skimming device, mounted so that it is not easily noticed; the camera is positioned so that the customer’s PIN can be captured as it is keyed,” according to Inscoe. “In very sophisticated attacks, all the captured data is transmitted to a remote server; in simpler schemes, the fraudster must return to the ATM to remove the skimming device and camera with the captured card and PIN data. In either case, the devices will eventually be deployed again to capture additional data.”
There are other threats as well, according to Inscoe.
Hackers have conducted cybercrimes in other countries against financial institutions’ ATMs by overriding network controls and stealing millions of dollars in coordinated attacks. In many cases, malware was introduced to ATMs or the network itself to facilitate the fraud scheme.
Then there are “cash-and-card traps”: physical items inserted in ATM openings that block withdrawn cash from being delivered to the customer or block a card from being returned to the customer. The fraudster then retrieves the cash or cards after customer departs.
And because so many ATMs are stand-alone devices, Inscoe reports that good, old-fashioned physical theft of the machine itself remains popular: heisting by hoisting, if you will.
“Some cities are seeing an upsurge in theft of entire machines; some law enforcement agencies have located warehouses full of stolen machines,” according to Inscoe.” Fraud primarily targets machines in large metropolitan areas.”
Still, there are numerous ways of combatting these emerging threats. CO-OP Financial’s Pierce highlights six:
- Physical barriers against jackpotters will only allow authorized personnel to access the ATM.
- A break-in to override ATM communication systems can be prevented “by ensuring that the ATM deployer has a layered security approach on their ATMs.”
- Banks can also protect their network by establishing firewalls and encrypting the hard drive. “Access to the ATM application should be password-protected and running on a locked-down account.”
- Credit unions and ATM deployers should comply with PCI PTS ATM Security Guidelines. “We, of course, highly recommend that credit unions be educated on current ATM fraud.”
- CO-OP Financial Services hosts a monthly webinar series, FraudBuzz, that discusses topics around security, innovation and fraud.
- Consult with ATM manufacturers, such as NCR and Diebold, to ensure you are fully informed of all available technologies and solutions options to protect ATMs from attackers.
Properly employed, such smart measures will help make sure skimmers hid the skids–and that jackpotters don’t get jack.
Want more Banking Strategies? Sign up for our free newsletter!
Howard Altman covers the military and national security for the Tampa Bay Times. He has won more than 50 journalism awards and his work has appeared in the New York Times, Daily Beast, Philadelphia magazine, the Philadelphia Inquirer, New York Observer, Newsday and many other publications around the world.
If you enjoyed this article, check out: Why North Korea’s cyber army threatens banks worldwide and Blanket security: How AI is remaking risk management.