Have you ever walked up to an ATM and wished it would spew out thousands of dollars instead of you panicking if a $20 withdrawal will be rejected? It turns out that with some malware and custom hardware, it’s possible to turn an ATM into a poker machine that pays out every time. These attacks are widespread in Asia and Europe but they have hit the US, with the technology now becoming increasingly accessible.
Automated teller machines made by NCR and Diebold Nixdorf are the main targets. In many cases, the vulnerability is a result of the devices running Windows XP with an update to Windows 7 enough to thwart many of the attackers for now.
The attacks aren’t simple to execute. Krebs on Security said the attackers initially need physical access to the ATMs. They accomplish this by posing as ATM technicians. They install a compromised version of the ATM operating system which they can exploit. When this happens, the ATM looks to be out of order but can be remotely controlled to dispense cash.
According to the Secret Service in US – the law enforcement agency investigating this – the ATMs can dispense over 100 bills per minute until the machine is empty, thus netting the criminals thousands of dollars.
Although there’s no news of the same crime being perpetrated here, it’s reasonable to expect our banks and other ATM operators to be on the lookout.
As always, it is critical to protect the physical security of important assets. Jackpotting works because crooks are able to fool staff into giving them physical access to the ATMs. Without the installation of the customised software, the crime is not possible. It’s an object lesson for all of us. While logical security gets a lot of attention, physical security remains critically important.