Cardtronics Blog

ATM Jackpotting: What You Need to Know

11/07/2018 - Jason McCarley

ATM jackpotting may sound a bit like a new scratch-off lottery game, but unfortunately it’s nothing of the sort. The term “ATM jackpotting” is used to describe the illegal practice in which criminals use a combination of malware and/or hardware to cause an ATM to dispense large sums of cash at will. The image comes to mind of a slot machine spitting out all of its coins when the gambler hits a winning jackpot. After years of these types of attacks in Europe and Asia, this sophisticated criminal tactic finally made its way onto United States soil during the past year. In fact, in January of this year, the U.S. Secret Service delivered a security warning to many of the nation’s leading financial institutions that these attacks were beginning to happen stateside.

In the fall of 2017, Diebold, a large ATM manufacturer, became aware that criminals in Mexico were conducting sophisticated ATM attacks using endoscopes and special “black box” hardware. The endoscopes, which are essentially long extension cameras with lights, gave criminals a look inside the ATM and enabled them to manipulate the computer driving the ATM by attaching black box devices. These devices sent commands into the ATM computer, manipulating the cash dispenser to dispense cash on command.

During this same timeframe, the European Association for Secure Transactions (EAST) issued a warning that black box attacks had surged in Europe. During the first half of 2018, there were 114 black box attacks reported in Europe, which represented a three-fold increase from the 28 that were reported during the same period in 2017.

Further investigation into this new style of attack confirmed that the bad actors involved were dressed as ATM technicians. In an alert released about this issue, Diebold stated, “As in Mexico last year, the attack mode involves a series of different steps to overcome security mechanism and the authorization process for setting the communication with the [cash] dispenser.” Once the malware was installed, the crook(s) contacted co-conspirators who were able to remotely control the ATMs and force the machines to dispense all of their cash.

The malware used during these attacks was confirmed by Cardtronics to be Ploutus.D, a variant of malware first seen in Mexico back in 2013. Ploutus.D is designed to disable security software that is typically installed on an ATM. Once the malware was fully installed, remote commands could be sent to the ATM via SMS to dispense cash. Attackers could then visit the ATM and simply collect the cash as it was dispensed. In many instances, these attacks were perpetrated in broad daylight. Cardtronics’ own analysis of such attacks showed it would take thieves approximately 20-25 minutes to completely empty a typical ATM cash load.

Once these criminal methods were identified, Cardtronics confirmed the attack vector within our labs and developed a countermeasure within a month of the attack’s first appearance in the market. To prevent future jackpotting attempts, a physical security bracket was designed to prevent all manipulation of the dispenser sensors with an endoscope. With this design, a metal plate is attached inside the ATM to protect the two controls used to re-sync the machine’s cash dispenser through the dispenser’s communication port. Our installation of this metal bracket solution is both highly secure and cost-effective, preventing the endoscope-style attacks first seen in Mexico and other geographical locations.

While ATM manufacturers provided a path to upgrade most terminals, the upgrades in many cases were costly and placed a heavy burden on ATM resources. As an alternative, the bracket solution deployed by Cardtronics has proven to be extremely effective, with zero instances of jackpotting after installation.

The security and fraud prevention team at Cardtronics fully anticipates that criminals involved in these attacks will pivot and adjust their methods, and that newer forms of jackpotting will be developed. As a result, we place a heavy emphasis on intelligence analysis in order to direct our defense strategies, working closely with law enforcement, vendors, and others to stay a step ahead and be ready to react with speed when new threats emerge. Whether perpetrating jackpotting schemes or other illicit activity, criminals don’t take days off – and neither do we.

Jason McCarley
Information Security Manager