'Jackpotting' takes advantage of fixable ATM security gaps

Register now

ATM crime faces an emerging threat, placing more pressure on banks to adopt new measures to protect cash machines.

The U.S. Secret Service is warning financial institutions that jackpotting attacks, where ATMs fraudulently dispense cash, are now a risk in the US, according to Krebs on Security.

The security that protects ATM transactions has improved significantly over the past several years, including using EMV chip cards and enhanced authentication using consumers’ mobile phones, so criminal are being forced to revert to more brazen physical attacks on ATMs.
With banks’ focus on digital channels, like ATM and mobile, to drive down costs and better serve customers, it’s no surprise that cybercrime is following. The relatively low-tech skimming attacks still represent the vast majority of ATM losses, but more coordinated attacks using physical access to the machine (i.e. master key and keyboard) along with more sophisticated malware are enabling much bigger paydays for hackers.

This trend will continue until banks have addressed key vulnerabilities. And to beat the bigger issue of skimming, banks should consider cardless security technologies like mobile authentication via visual cryptogram. Also, this is a good time to consider some of the myths around ATM safety and security.

The first myth is that it's easy to see and avoid devices implanted in ATMs for theft. Criminals use ATM interface components for theft that are custom designed to fit seamlessly into the card readers of specific manufacturers. Some of these appliances can be tough for even a trained specialist to spot quickly and casually.

The second is chip cards fully stop hacking. The launch of chip card technology (EMV) began a decade ago in Europe and has been spreading throughout the world, and has helped cut card fraud, but even EMV can't always prevent fraud. EMV protections can be circumvented through ultrathin metal or plastic devices installed in the readers, for example.

Another myth is it takes a sophisticated hacker to steal from an ATM. It doesn't take a sophisticated hacker to defraud an ATM. In California, five teens were arrested for putting card data theft devices at three ATMs located in banks. Today, any interested party can become a professional thief in this segment with a modest investment in cash.

Also, ATM security does not depend on the customer. Although some IT and security professionals cite customer carelessness in ATM fraud, the fact is that there is a growing risk vector that has nothing to do with customer mistakes. Researchers have found that IoT devices such as personal smart clocks or pulse physical activity controllers can be used to steal an ATM access code. By collecting hand-movement information, researchers could accurately guess passwords and access codes with up to 80% success on the first try.

Finally, thin copy devices or hidden cameras are not the only ATM attack strategies. Bank security professionals need to look at and beyond reader devices and hidden cameras. There's a new array of ATM fraud technology, such as Bluetooth-enabled devices that install on circuit boards. When fraudulent components are integrated into ATM circuits, thefts can potentially continue for years undetected.

For reprint and licensing requests for this article, click here.
ATMs Payment fraud Security risk ISO and agent