In reviewing my previous posts on ATM fraud, I realized I haven't written about ATM jackpotting since cybersecurity journalist Brian Krebs detailed the first jackpotting attacks
against ATMs in the United States in early 2018. ATM jackpotting occurs when a criminal gains physical access to an ATM and instructs the ATM to dispense cash until the ATM is empty. This type of fraud is different from ATM cash-out schemes I wrote about in February 2018 and December 2019, whereby the criminal gains access to an issuer's card management system and overrides card or account withdrawal limits by manipulating the authorization messages to the ATM. More details on the jackpotting process below.
The European Association for Secure Transactions (EAST), which tracks ATM fraud attacks for financial institutions in the EU, reported 202 successful jackpotting (ATM Malware & Logical Attacks) in 2020, resulting in losses of €1.24 million (approximately US$1.4 million or about US$7,000 per attack). While other types of ATM fraud reported such as card skimming and physical attacks were down, jackpotting attacks represented a 44 percent increase in number of attacks and a 14 percent increase in losses from 2019. Statistics of attacks in the United States are more difficult to obtain because most ATM owners avoid the negative publicity associated with a compromise of their terminal.
I recently attended a panel discussion at an ATMIA conference on this topic. The participants discussed several attacks, including one involving multiple ATMs resulting in a loss of $1.5 million in the span of a couple of hours. The amount of money in a machine varies from a couple thousand dollars to as much as $50,000, depending on the ATM type (full-service ATM versus simple cash dispenser), its location, and the expected activity level. It's a balancing act of trying to minimize service calls to replenish the cash versus risking losing the cash to an attack.
So what does it take for a jackpotting attempt to succeed? Unlike the highly secured vault-like compartment for cash storage, an ATM's top compartment, which contains the software-driven components, is more easily accessed, either by jimmying the lock or purchasing a key off the internet (many terminals use a common key). In that compartment, the criminal installs software with jackpotting malware or a black box that intercepts transaction messages. Most often, criminals target ATMS in retail locations, where they can pose as a service technician and not attract the attention of store employees. After the criminal has installed the malware, money mules collect the money. In some cases, a mule presses numbers on the keypad that instruct the terminal to dispense a large quantity of bills or to empty the currency cassette completely. In others, the mule seems to be withdrawing, say, $60 but the malware tells the terminal to dispense $600. In most cases, the ATM owner doesn't discover the attack until the terminal unexpectedly transmits an "out-of-cash" message.
Such attacks can be financially devastating to an independent ATM owner because, unless they have some level of insurance coverage, they bear the full brunt of the loss. In a follow-up to this post, I will examine some of the countermeasures ATM owners can use to prevent such attacks from being successful.
By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed