Future Tense

Hacking Techniques That Force ATMs to Spit Out Cash Have Made It to the U.S.

Some jackpots aren't pure luck.
Some jackpots aren’t pure luck.
Baris-Ozer/Thinkstock

Walking by an ATM spitting out cash might sound like a dream. But the Secret Service isn’t so amused. It’s issued a warning to financial institutions about cyberattacks that cause ATMs to issue cash like lottery prize money.

In a release shared with CNN Tech, the Secret Service said at least six attacks, known as “jackpotting” schemes, have been reported across the U.S. in the past week. The hackers, who target stand-alone ATMs at pharmacies and large retailers, as well as drive-through cash machines, have stolen more than $1 million so far.

Independent digital security reporter Brian Krebs first reported the warning on his website, Krebs on Security, and said officials have notified ATM makers, including Diebold Nixdorf and NCR Corp., of the threat.

“While at present these appear focused on non-NCR ATMs, logical attacks are an industry-wide issue,” said an NCR alert cited by Krebs. (The industry appears to prefer the more staid “logical attacks” to the cha-ching of “jackpotting.”) “This represents the first confirmed cases of losses due to logical attacks in the U.S. This should be treated as a call to action to take appropriate steps to protect their ATMs against these forms of attack and mitigate any consequences.”

Hackers have previously used other tricks to steal cash, like card skimming, but jackpotting represents a more lucrative maneuver—and a bigger problem for the banking industry.

Here’s how it works. First, the hackers, often operating in teams, must gain physical access to an ATM. (In some attacks, according to Krebs, jackpotters have used phishing techniques to steal access codes and then dressed up like ATM technicians to break into the locked door that guards the cash machine’s motherboard.) Once they have access, they use physical hacking tools to sync a laptop with the ATM network and remove it from service. From there, they install malware through a USB port that forces the machine to dispense cash.

To prevent further attacks, a Diebold Nixdorf advisory suggests that clients implement physical authentication access controls for technicians and improve investigations into unusual transactions.

Jackpotters have operated for years in other parts of the world, particularly in Europe and Asia.

For instance, Reuters reported in 2016, “Cyber criminals have remotely attacked cash machines in more than a dozen countries across Europe this year, using malicious software that forces machines to spit out cash, according to Russian cyber security firm Group IB.”

The international nature of cybercrime makes it difficult to prosecute. But before you try withdrawing dollars without a PIN at your local ATM, just remember three jackpotters who stole $2.6 million in Taiwan are serving time behind bars.

One more thing

You depend on Slate for sharp, distinctive coverage of the latest developments in politics and culture. Now we need to ask for your support.

Our work is more urgent than ever and is reaching more readers—but online advertising revenues don’t fully cover our costs, and we don’t have print subscribers to help keep us afloat. So we need your help. If you think Slate’s work matters, become a Slate Plus member. You’ll get exclusive members-only content and a suite of great benefits—and you’ll help secure Slate’s future.

Join Slate Plus
Jaime Dunaway

Jaime Dunaway is a Slate intern.