Member Alert: Jackpotting Schemes
What’s Happening: There has been a recent uptick of “jackpotting” schemes nationally, regionally and within Virginia, in which criminals gain physical access to ATMs and instruct the ATMs to dispense cash until they are depleted.
In the most recent incidents, criminals used keys to access the top hat of the ATMs. Older model ATMs can be more vulnerable to this method if the ATMs use the original locks installed by the manufacturer, as keys can increasingly be found on the black market. The criminals appeared well-organized, took advantage of weekend and evening hours, and wore masks and gloves. Organized criminals often work in teams, with some members breaching the top hat and installing a device to remotely manage the ATM, and others retrieving the cash.
The crime often involves:
- Installation of Malware. After physically accessing an ATM, usually through the upper enclosure or “top hat,” criminals can install malicious software and command the cash dispenser to release cash.
- Black Box Attacks. Criminals bypass an ATM’s motherboard and connect a “black box,” such as a small portable device, to the ATM’s internal components to issue commands to the cash dispenser.
- Man-in-the-Middle Attacks. Criminals access ATM network cables and connect their own devices between the ATM and the host service provider to respond to transaction authorization requests from the ATM.
Ways You Can Reduce Your Vulnerability:
- Use Encryption. Whether you have a new or an existing ATM, verify that your ATM hard drives are encrypted and do not assume that the ATM manufacturer installed encryption. Verify also that all network communications are encrypted.
- Assess the ATM Operating System and Regularly Install Software Updates. ATMs running older versions of Microsoft Windows may be more vulnerable as criminals may exploit known weaknesses.
- Upgrade the Locks and Alarms. As noted above, if the locks have not been upgraded, your ATMs may be more vulnerable to criminals using a common key that can be purchased online. Weaker locks can also be more readily picked or forced open. Also assess how much of the ATM can be opened or accessed before an alarm is triggered.
- Control Access through Whitelisting. Restrict the software that can run on the ATM to only authorized code.
- Disable Unused USB Ports and the Ability to Boot into a Safe or Debugging Mode. Make sure that a person cannot readily swap out an existing hard drive, plug in a new component, boot to removable media, or manipulate the firmware on the ATM’s motherboard.
- Inform Your Staff When Your ATM Will Be Serviced. Criminals may attempt to disguise themselves as service technicians.
- Assess the Adequacy of the Existing Monitoring and Electronic Security Solutions. Consider whether lighting and video surveillance systems and sensors may need to be reevaluated, repositioned, or updated at certain locations.
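One way to act on the service-scheduling and monitoring points above, shown as an added example that is not part of the original alert: the Python below flags any top-hat opening outside a scheduled service window and escalates it when a device attachment or cash dispense follows within an hour. The event names, ATM identifiers, service windows and one-hour horizon are constructed assumptions, not a vendor log format.

```python
from datetime import datetime, timedelta

# Constructed sample data; event names and ATM ids are hypothetical.
SERVICE_WINDOWS = {
    "ATM-001": [(datetime(2024, 3, 5, 9, 0), datetime(2024, 3, 5, 11, 0))],
}
EVENTS = [
    ("2024-03-05T09:30:00", "ATM-001", "TOP_HAT_OPEN"),   # scheduled service visit
    ("2024-03-05T09:40:00", "ATM-001", "DEVICE_ATTACH"),
    ("2024-03-09T23:10:00", "ATM-002", "TOP_HAT_OPEN"),   # Saturday night, unscheduled
    ("2024-03-09T23:18:00", "ATM-002", "DEVICE_ATTACH"),
    ("2024-03-09T23:41:00", "ATM-002", "DISPENSE"),
    ("2024-03-10T02:00:00", "ATM-003", "TOP_HAT_OPEN"),   # unscheduled, nothing follows
]
FOLLOW_UP = {"DEVICE_ATTACH", "DISPENSE"}


def in_service_window(atm, when, windows):
    """True if the ATM had a scheduled service visit covering this time."""
    return any(start <= when <= end for start, end in windows.get(atm, []))


def find_suspicious_openings(events, windows, horizon=timedelta(hours=1)):
    """Return one alert per top-hat opening outside a scheduled service window."""
    parsed = sorted((datetime.fromisoformat(ts), atm, kind) for ts, atm, kind in events)
    alerts = []
    for opened, atm, kind in parsed:
        if kind != "TOP_HAT_OPEN" or in_service_window(atm, opened, windows):
            continue
        # Events on the same ATM shortly after the opening raise the severity.
        followed_by = sorted({k for t, a, k in parsed
                              if a == atm and k in FOLLOW_UP
                              and opened < t <= opened + horizon})
        alerts.append({
            "atm": atm,
            "opened": opened.isoformat(),
            "followed_by": followed_by,
            "severity": "critical" if followed_by else "high",
        })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_openings(EVENTS, SERVICE_WINDOWS):
        print(alert)
```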
Multiple ATMs can be targeted and drained within hours, so please consult with your bank’s security professionals and ATM vendors to make sure that your bank is well-prepared. Also, please assess your bank’s insurance coverage for these types of incidents and the scope of the security services provided in your ATM vendor contracts.
We encourage you to speak with your ATM vendor and implement steps to reduce your bank’s potential vulnerability.
Thank you to the North Carolina Bankers Association for this alert.