On a chilly October night in a Denver suburb, two men entered a small credit union’s after-hours vestibule, pried open the ATM and took out the hard drive, then reconfigured the machine to spit out $24,000.
It was possibly the first case of “ATM jackpotting” in the U.S., a crime in which technology is manipulated to get the machine to dispense all the money it has. The two men, later identified as Venezuelan nationals, went on to hit other ATMs. Their faces or their license plate were captured on surveillance footage in each case, and they were eventually busted smoking pot in a rental van parked on a Wyoming mountain pass, according to a criminal complaint filed in U.S. District Court in Colorado.
Jackpotting has been around at least since 2009 and is widespread in emerging-market countries. Unlike most cyber crime, it requires physical access, which increases the chances of getting caught. The speed with which the alleged culprits of the first U.S. attacks were snatched highlights tougher defenses in more-developed regions.
“ATM jackpotting is low-tech in nature, but there’s a higher risk of getting caught,” said Charles Carmakal, vice president of consulting at FireEye Inc., a cybersecurity firm that has helped companies in Latin America fight similar attacks. “In a location already riddled with so much crime, you might be able to get away with it. But in the U.S., it will be much harder to do.”
Sergey Golovanov, a senior security researcher at Kaspersky Lab, said his firm had seen cases in Eastern Europe where as much as $200,000 was stolen from one ATM using the jackpotting method. U.S. financial institutions have already reacted to the threat, according to Financial Services Information Sharing and Analysis Center, whose nearly 7,000 members include banks, payment processors and other firms.
“When there’s a wall between the ATM screen and the rest of the ATM, it’s hard to get into the computer,” said Charles Bretz, director of payment services at the industry group. “Banks here have alarms for warning of breaches to their ATMs, hidden cameras in the vestibules, lots of other security measures.”
Jackpotting isn’t as lucrative as other types of attacks. In 2008, hackers stole debit-card data from the U.S. payment-processing division of the Royal Bank of Scotland Group Plc, increased withdrawal limits and managed to siphon off $9 million.
Still, the stakes are high. About half a million ATMs operate in the U.S., almost a quarter of the total in use worldwide, according to the ATM Industry Association. The machines can hold around $100 billion at peak times, while typically carrying less cash during off-hours when attempted thefts are more likely.
The U.S. Secret Service has issued a warning to all financial firms about the attacks. Diebold Nixdorf Inc. and NCR Corp., the two major manufacturers of ATMs in the U.S., sent alerts to clients about defensive measures to take — if not already implemented.
The ATM in Colorado may have been less secure than most machines in the country, according to Dmitry Volkov, head of threat intelligence at Group-IB, a cyber investigation firm. Most ATMs won’t allow rebooting from an external hard drive or CD-ROM, and won’t accept unknown software, he said.
The thieves “either were lucky to have found an ATM that allowed rebooting or had some insider information that helped them target the right ATM,” Volkov said. The jackpotters also hit ATMs in Utah before being caught, the criminal complaint alleges.
“Why it took so long for this type of attack to reach the U.S.?” asked Golovanov. “They probably drive from ATM to ATM to conduct these attacks, and they must have just crossed the border recently.”
The case is U.S. v. Romero, 17-mj-00116, U.S. District Court, District of Wyoming (Casper).