Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security United States

First 'Jackpotting' Attacks Hit US ATMs (krebsonsecurity.com) 101

Brian Krebs, reporting for Krebs on Security: ATM "jackpotting" -- a sophisticated crime in which thieves install malicious software and/or hardware at ATMs that forces the machines to spit out huge volumes of cash on demand -- has long been a threat for banks in Europe and Asia, yet these attacks somehow have eluded U.S. ATM operators. But all that changed this week after the U.S. Secret Service quietly began warning financial institutions that jackpotting attacks have now been spotted targeting cash machines here in the United States.

To carry out a jackpotting attack, thieves first must gain physical access to the cash machine. From there they can use malware or specialized electronics -- often a combination of both -- to control the operations of the ATM. On Jan. 21, 2018, KrebsOnSecurity began hearing rumblings about jackpotting attacks, also known as "logical attacks," hitting U.S. ATM operators. I quickly reached out to ATM giant NCR Corp. to see if they'd heard anything. NCR said at the time it had received unconfirmed reports, but nothing solid yet.

This discussion has been archived. No new comments can be posted.

First 'Jackpotting' Attacks Hit US ATMs

Comments Filter:
  • chase bank has ADT/tyco key pads inside them so you need to disarm that when you open them.

    • Re: (Score:2, Informative)

      by Anonymous Coward

      chase bank has ADT/tyco key pads inside them so you need to disarm that when you open them.

      The sketchy looking ATMs in stores are the primary target. The criminals can get their hands on them and fuzz them all day to develop the attack.

  • by Joe_Dragon ( 2206452 ) on Monday January 29, 2018 @09:08AM (#56026051)

    slot machines make it hard to open with out setting off an alert so why do AMT have less of that stuff?

    • by Chrisq ( 894406 )

      slot machines make it hard to open with out setting off an alert so why do AMT have less of that stuff?

      They don't. I suspect that a lot of these attacks are inside jobs

    • by jittles ( 1613415 ) on Monday January 29, 2018 @09:53AM (#56026341)

      slot machines make it hard to open with out setting off an alert so why do AMT have less of that stuff?

      The story I read earlier said that they're somehow able to replace the hard drive on some NCR ATMs without opening the device. However, the system doesn't just boot back up with the new HDD after that. They actually use an industrial endoscope to find a button inside of the device that lets it reset without opening it up. So it sounds like the device will alarm if you open it, but is poorly designed and you can replace key components and reset it without having to actually open it.

      • by CodeHog ( 666724 )
        Link? Replacing an HD is as simple a process as pushing a reset button. The latter might be possible without opening but disconnecting and reconnecting an HD without getting your hands dirty sounds near impossible.
      • slot machines make it hard to open with out setting off an alert so why do AMT have less of that stuff?

        The story I read earlier said that they're somehow able to replace the hard drive on some NCR ATMs without opening the device. However, the system doesn't just boot back up with the new HDD after that. They actually use an industrial endoscope to find a button inside of the device that lets it reset without opening it up. So it sounds like the device will alarm if you open it, but is poorly designed and you can replace key components and reset it without having to actually open it.

        porously designed

      • Diebold. Not NCR. NCR hasn't been targeted by recent hacks.

        I'm sure you wouldn't want someone to confuse your name with someone else's who got endoscoped and dumped his bowels without removing his pants.

    • by lgw ( 121541 )

      slot machines make it hard to open with out setting off an alert so why do AMT have less of that stuff?

      The security in an ATM is mostly focused on protecting the cash box from physical attack, and from the maintenance tech. ATMs thus have two layers of security: something simple to allow maintenance of the "computer parts" of the ATM to be done cheaply, plus a much more robust inner layer to protect the cash from anyone but the guards from the armored car company. It's just old-school thinking about security.

      It's also worth noting that there are still people who can open a slot machine, replace the ROM chi

    • by dfm3 ( 830843 )
      Many ATMs are in locations that don't have many eyes watching them for long periods of time. If you want to tinker with an ATM, in theory you could work in the middle of the night and spend minutes or hours without anyone getting suspicious. Sure, you might be on camera, but those are rarely monitored. Try tinkering with a slot machine or exhibiting any other suspicious behavior on a casino floor and employees are likely to notice you within moments and intercept you.
  • But why?? (Score:4, Funny)

    by CrimsonAvenger ( 580665 ) on Monday January 29, 2018 @09:11AM (#56026081)

    So, if I have physical access to the machine, I can install software that lets me loot the machine.

    Or, if I have physical access to the machine, I can just take all the money out of the machine without bothering with the software install.

    I'm failing to see this as a serious new threat to ATM's....

    • Re:But why?? (Score:4, Informative)

      by beelsebob ( 529313 ) on Monday January 29, 2018 @09:20AM (#56026129)

      What makes you think you can take money out of the machine without the software install?

      Cracking safes, quickly and quietly with no one noticing is really hard. Sticking a USB stick with some malware on it into a port and leaving, without anyone noticing is pretty trivially easy.

      • Sticking a USB stick with some malware on it into a port and leaving, without anyone noticing is pretty trivially easy.

        And so is designing a machine without an externally accessible usb port.

        Just ask Apple.

      • by green1 ( 322787 )

        What idiot would build a cash machine with a USB port on the OUTSIDE?????

    • Okay, you have physical access to the machine, and you use that to take all the money out. And then the next person who tries to use the ATM notices that there's no cash in the ATM and calls the bank. (Or the ATM does that by itself.)

      Or you install the software that allows you to take cash out as often as you want until the bank realizes what's happening and cycles that particular ATM out or unplugs it/puts an "Out of Order" sign on it.

      The first method, you get cash once, and it's probably far more obvious

      • Re:But why?? (Score:4, Insightful)

        by Baron_Yam ( 643147 ) on Monday January 29, 2018 @09:54AM (#56026353)

        I imagine you need an 'inside man' - maybe the person who reloads the cash dispenser and unloads the collection bin, but maybe not if the computer hardware is secured in a separate lock box. Anyway, you need somebody with physical access to compromise the machine.

        THEN you go and use the ATM to get cash... but remember you're on camera, and your transactions are logged, right? So what you probably want is the ability to have the machine spit out extra money when you enter a particular code (which hopefully you can do with a camera watching the suspicious activity) during an otherwise perfectly legitimate transaction.

        And you want to time it so you do it immediately after the machine has been reloaded, so you have the maximum possible time before the machine runs out of cash before it should and an investigation starts. And then you want to never hit that ATM again, or your risk of getting caught skyrockets.

        So you need two conspirators and you get one payout that needs to be limited so you don't get caught. You're going to clear a few hundred with a single attempt or maybe have it 'accidentally' slip you an extra bill over many visits. Certainly you're not going to make enough to justify the risks - the inside man is risking their presumably steady legitimate employment in addition to jail.

        So who is doing this and why?

        • There is a whole lot of "it depends" here. The malware could be installed and lie in wait for weeks or months. Long enough that it is no longer clear which ATM tech installed the malware. A little Googling suggests that most ATM's are capable of holding up to $200k, but with the average amount stocked in the machine being around $35k. Enough for a decent payday, even with multiple conspirators. The article suggest this hasn't been done in the US until very recently, and they are targeting specific mode

          • >the average amount stocked in the machine being around $35k. Enough for a decent payday, even with multiple conspirators.

            $17.5K/ea less any expenses for a two-man crew. That would NOT be worth it to me to even daydream about... in Canada the sentence for a conviction of Theft over $5000 is a max of 10 years... $1,750 per year (not indexed to inflation!) that you may not get to keep, though I suppose you do get free room and board.

            • Good point, but your average criminal does not always weigh the consequences of getting caught, and often think they have the system beat. The evening news is filled with examples of stupid criminals robbing convenience stores for the $500 in the register. The cases of jackpotting that I have heard about are usually coordinated enterprises, with folks recruiting (blackmailing?) the inside man, and multiple people hitting the machines for small amounts over a short period of time. Like a lot of criminal g

            • by j-beda ( 85386 )

              $17.5K/ea less any expenses for a two-man crew. That would NOT be worth it to me to even daydream about... in Canada the sentence for a conviction of Theft over $5000 is a max of 10 years... $1,750 per year (not indexed to inflation!) that you may not get to keep, though I suppose you do get free room and board.

              People who turn to a "life of crime", even highly intelligent ones, don't think like "most people", and seldom think that they might get caught. A single $15,000 payout might be very enticing, even if it actually takes a whole lot of work to get it.

              http://articles.latimes.com/20... [latimes.com]

              Why Drug Dealers Live With Their Moms
              If you had a job paying $3.30 an hour, you'd be bunking at home too.
              April 24, 2005|Steven D. Levitt and Stephen J. Dubner |

              During the crack cocaine boom of the 1990s, the image of the millionai

        • So who is doing this and why?

          Mexican gangs, from how I understand the article. They figure out a way to attack an ATM machine type, then train some low-level goons to perform the attack, then send them across the country looking for ATM machines of that type.

    • by Anonymous Coward

      Because the case is inside yet another safe within the main ATM. It is far easier to trick the machine into handing out the cash, then attempt to break into the inner safe that actually contains the cash. Plus, it doesn't sounds like they are opening the ATM itself, just using a endoscope to find and attach a USB cable through a small crack or opening. Actually opening an ATM is very difficult without the combination (both layers). For an example, check out https://www.youtube.com/watch?v=08EXOjZgxf0 wh

    • by swb ( 14022 )

      The standard argument seems to be it's a safe on the inside, you can't crack it easily or without setting off alarms.

      To which I reply, why not steal the entire ATM? This limits you to a subset of all ATMs -- mainly freestanding models, but I can see potential ruses for thieves who make like they're doing an intentional swap of a machine, slightly broadening the potential number of machines and reducing the need for brute force thefts of the machines.

      With the entire ATM at your disposal, you have much more

      • To which I reply, why not steal the entire ATM? This limits you to a subset of all ATMs -- mainly freestanding models,

        People have literally broken into banks just so that they could punch holes in the wall so they could run a chain through the holes... and around the ATM. That lets them pull the ATM out of the wall with a truck, at which point it can be loaded onto the truck with a crane or a liftgate (or just four big guys.)

    • Just having access to the ATM might not be enough to get money out of it.
      In Germany, the ATM often is in the front floor, the money is in the basement. Without credentials or exploiting a software bug most maintenance guys have no access to the money ...
      So, like in this scenario, they try to get malware installed on the machine.

    • by Macdude ( 23507 )

      So, if I have physical access to the machine, I can install software that lets me loot the machine.

      Or, if I have physical access to the machine, I can just take all the money out of the machine without bothering with the software installhttps://www.youtube.com/watch?...

  • ...at least in Europe and in the US thieves are sofisticated enough to hack the ATMs. In my country, they explode them [nydailynews.com]. It's a security nightmare in smaller towns with insufficient police forces.

    • ...at least in Europe and in the US thieves are sofisticated enough to hack the ATMs. In my country, they explode them [nydailynews.com]. It's a security nightmare in smaller towns with insufficient police forces.

      You should never link to NY Daily News. They're lying bastards. They aren't even good liars, either. They try to blame my ad-blocker for preventing the loading of their articles when I see the whole article load and then get covered up by this page suggesting that there is some software bug in the ad-blocker.

      • that isn't them, it's liveleaks.com that something on the page refers.

      • my geek autism was triggered reading that article, claiming "TNT" being put in ATM when in fact it is dynamite that they're using. Dynamite is a trinitroglycerol gel

      • You should never link to NY Daily News. They're lying bastards. They aren't even good liars, either. They try to blame my ad-blocker for preventing the loading of their articles when I see the whole article load and then get covered up by this page suggesting that there is some software bug in the ad-blocker.

        Sorry about that. It was the first article in English that I've found (most Slashdot users don't speak Portuguese, I suppose) about a well-known problem in Brazil.

      • by dargaud ( 518470 )
        [F12] in Firefox, identify the covering element, remove, voilà...
  • Hmm, maybe instead of reloading ATMs with cash, just have a "module" that is the real ATM that is drop-in-replaced into the "outside box" as needed.

    The "outside box" would just handle the user interface and provide additional physical security.

    The "module" would be very tamper-resistant. It would be taken to a controlled location to be reloaded. It would also have a time lock on it so it could not be accessed before it unlocked without causing obvious physical damage.

    This wouldn't stop ATM thefts but it w

  • Did they use the code 790 to get the cash?
  • with my atari profilo!

You know you've landed gear-up when it takes full power to taxi.

Working...