Jackpotting! Are ATMs at the end of every rainbow?

ATMs were designed to protect their cash vaults, not their computer components, which leaves them vulnerable to “jackpotting” cyber attacks.

Earlier this month, the American Bankers Association announced changes to its Bank Capture incident tracking system, which logs data on ATM attacks, as well as robberies, burglaries, and larcenies. BankInfo Security reports:

[T]he ABA has changed how ATM attacks are reported to collect more specific details, including plotting incidents on a map. It also now enables ABA subscribers to get real-time email alerts of incidents, [ABA Vice President for Payments and Cybersecurity Policy Heather Wyson-Constantine] says.

The system potentially could give banks more timely warnings that trouble may be on the way, because criminal gangs often hit a region and move to another one close by soon afterwards.

The improvements were driven by a lack of information. There’s no central repository for incident reports for attacks on ATMs, with bits of data coming from the U.S. Secret Service, ATM manufacturers and vendors, Wyson-Constantine says.

The ABA’s announcement comes on the heels of European and Asian law enforcement authorities reporting the arrests of five members of an international ATM “jackpotting” gang, code-named “Cobalt” for the security-testing software they hacked to launch their jackpotting attacks. Cobalt was responsible for about $3.24 million in thefts from ATMs in Europe and Asia in 2016.

“Jackpotting,” which was first demonstrated by the late white-hat hacker Barnaby Jack at a Black Hat Conference in 2010, refers to hackers installing malware on an ATM, either remotely or by physically accessing the machine, that allows them to command it to spit out large sums of cash. Commonly, hackers committing a jackpotting attack take control of the ATM’s diagnostic utilities to either (1) prompt the machine to open its safe or (2) alter the denomination codes so that the ATM “thinks” that it is dispensing the smallest possible bank notes ($5.00 or $10.00) when it is actually dispensing the highest possible denomination ($20.00, $50.00, or $100.00).

The Cobalt jackpotting group planted malware on ATMs remotely, via a spear phishing campaign that allowed them to access the targeted banks’ networks, then snake their way to the ATMs. They then recruited teams of “money mules” to travel to the machines and physically collect the cash, allowing the hackers to hit many machines in numerous areas very quickly.

ATMs Highly Vulnerable to Jackpotting

The invention of the ATM transformed the banking industry as profoundly as the cotton gin did agriculture. Even with mobile banking rapidly growing in popularity, the ATM endures; there are over 400,000 ATMs in the U.S. alone, and three-quarters of Americans use ATMs as part of their daily banking activities.

ATMs have something in common with electronic voting machines: Despite the sensitivity of what they do, they are incredibly easy to hack. The typical ATM design has barely changed since they were first introduced decades ago. Because cyber security was not a concern at that time, ATMs were built to protect their cash vaults, not their computer components. Attempting to break into an ATM’s vault using brute force is nearly impossible, but breaking the flimsy locks on the cabinets that contain the computer components requires only a screwdriver – if you have to break into the machine at all. At some standalone ATMs, the computer components are completely exposed, allowing anyone to walk up and insert a malware-infected USB.

Also similar to electronic voting machines, many ATMs run operating systems that are so wildly outdated, the manufacturers no longer support them, such as Windows XP and OS/2 Warp. Additionally, some banks install unnecessary software packages onto their ATMs, such as Adobe Acrobat, which opens up more possible vulnerabilities for hackers to exploit.

Protecting ATM Machines from Hackers

The most disturbing part of the Cobalt jackpotting attacks was their international aspect. The hackers never physically accessed the ATMs; they remotely infected and controlled them from hundreds or even thousands of miles away and sought out money mules to collect the cash. Many of the mules, who were recruited online, held citizenship in multiple countries, allowing them to travel freely throughout Europe and Asia. It is not difficult to envision a scenario where a hacker in another country infects ATMs in multiple U.S. states, then recruits several teams of money mules for the cash collection.

First, ATMs must be physically redesigned with cyber security in mind. A modern ATM’s computer components are at least as valuable as its safe, perhaps even more. Easily breakable plastic cabinets, flimsy locks, and external ports must be eliminated. However, a redesign will take some time to implement. In the meantime, banks must take immediate proactive steps to secure their current machines against jackpotting, including:

• Updating all outdated operating systems and software, and removing all software packages that are not necessary for the ATM to function.
• Installing endpoint security software on all ATMs and hardware firewalls on remotely located, standalone, and “island” ATMs.
• Securing the connection between ATMs and processing centers using methods such as a hardware or software VPN, SSL/TLS encryption, a firewall, or MAC-authentication.
• Securing the entire bank network against intrusions to ensure that malware cannot be installed remotely, as in the Cobalt jackpotting attacks.
• Performing regular penetration testing on the entire network as well as the ATMs themselves, so that vulnerabilities can be identified before a jackpotting attack occurs.

Banks would also greatly benefit from employing a RegTech solution such as Continuum GRC’s IT Audit Machine (ITAM IT audit software) to assess their specific risks and vulnerabilities, then design and implement a comprehensive cyber security plan to defend against them. Because cyber security is a dynamic field, with new threats emerging every day, these assessments should be performed on a regular basis.

The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.

Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization protect its systems and ensure compliance.

[bpscheduler_booking_form]