Jul 10, 2018
Jackpotting, a sophisticated cyber-attack combined with the physical manipulation of an ATM, has been swept across Europe, Asia, and Central America for the past decade. It recently made its way onto US soil in early 2018. In fact, these hackers swept up 1 million before anyone caught on, and they’ve continued targeting banks and credit unions in small towns with lax security and outdated software. In January, two men were arrested for jackpotting attacks in Rhode Island and Connecticut. Other attempts and attacks have been reported in the Pacific Northwest, New England, and along the Gulf. While it’s unclear just how much money has been taken in total, these attacks are still occurring, and they won’t stop any time soon.
In this episode, we’ll be talking the “what, where, when, and how” of jackpotting, as well as how financial institutions can protect their ATM fleet - and their brand image - from damage.
DN website: www.dieboldnixdorf.com
COMMERCE NOW website: www.commercenow.libsyn.com
Amy Lombardo: 00:01
It's early evening and a standalone ATM sits in the middle of a mostly deserted strip mall. A man in a technician's uniform approaches the machine. He pops the top hat without hesitation and fiddles with the hard drive, swapping it out for a new one. When his job is done, he replaces the components and walks away. A few minutes later, someone else walks up to the ATM. He mimes the usual actions of an ATM customer, punching in numbers on the keypad, inserting a card and then he waits. Within the next few seconds the ATM begins to spin. The machine spits out wads of cash, up to 40 bills every 23 seconds. Anyone bothering to pay attention might think it's this guy's lucky day. Others might think he's withdrawing his life savings. But anyone with security expertise will recognize this as exactly what it is, a jackpotting attack.
Jackpotting, a sophisticated cyber attack, combined with the physical manipulation of an ATM machine has been sweeping across Europe, Asia, and Central America for the past decade. It made its way onto U.S. soil in early 2018. In fact, these hackers swept up one million before anyone caught on and they've continued targeting banks and credit unions in small towns with lax security and outdated software. In January only two men were arrested for a jackpotting attack in Rhode Island and Connecticut. Other attacks and attempts have been reported in the Pacific Northwest, New England, and along the Gulf. While it's unclear just how much money has been taken in total, these attacks are still occurring. And they won't stop any time soon.
In this episode, we'll talk about the what, when, where, and how of jackpotting, as well as how financial institutions can protect their ATM fleet and, maybe even more important, their brand image. I'm Amy Lombardo and this is Commerce Now. Hello and welcome to Commerce Now, your source for fintech conversations along with emerging trends in the banking and retail industries. Today I'm joined by Scott Harroff, Chief Information Security Architect with Diebold Nixdorf. So, hey Scott. Thanks for joining me today.
Scott Harroff: 02:26
Good morning, thanks for inviting me.
Amy Lombardo: 02:28
It's always great to talk to you. So, today we're going to talk a lot about jackpotting and I want to start the conversation with just where did the term jackpotting come from. The only meaning I know of the word is something good, usually when someone wins the lottery. So what does jackpotting mean here in terms of security references?
Scott Harroff: 02:51
Jackpotting came about back in the 2010 timeline from a conference that's called DefCon. Once a year hackers and white hats and gray hats all get together and they present to each other for several days over a week in Las Vegas and one of the presentations was delivered by a speaker by the name of Barnaby Jack. And what Barnaby essentially did is he took an ATM and he brought it up on stage and after doing a whole bunch of research before the conference he found several vulnerabilities inside the ATM software stack. And by exploiting those vulnerabilities, he was able to make the ATM essentially jackpot itself and dispense all of its cash on the stage in front of the audience members. So, it really is kind of a term for ATMs dispensing all of their cash that came about as a result of Barnaby Jack's jackpotting speech during the DefCon Conference.
Amy Lombardo: 03:46
Ah, so there you go folks. If you're ever watching Jeopardy or some other trivia show and you're asked who originated the term jackpotting, now you'll know, courtesy of Scott Harroff himself. So, when a jackpotting attack occurs, is it something that happens immediately? You're giving this example of Barnaby up on stage and he did it real time but do these attackers carry out their mission immediately or is it something that maybe happens hours, days later?
Scott Harroff: 04:24
What we're seeing in the United States is the attacks are occurring very soon after the software or the tool is deployed at the ATM. Although they could visit the ATM and they could set the ATM up hours or days or weeks in advance, in the U.S. what we're seeing is they set the machine up and then very quickly after that they go through the process of making the ATM dispense all of its cash and then they leave.
Amy Lombardo: 04:53
Got it, and it's usually with another individual, right? It's not a one person attack because someone's probably monitoring some software in some remote location and then there's said attacker who's walking up and taking out the cash, right?
Scott Harroff: 05:13
Well, it theoretically could be just one person if the one individual had the right tool and they understood how to use the tool and they were working all by themselves, a lone wolf, if you will. Then, yeah, absolutely one person could do it but what we're typically seeing is this is an organized crime ring activity. These are individuals that come in from Venezuela and Mexico and they work in groups. So, we typically have two or three individuals working together in any one attack. We have what we call the cash mule and that's the person that shows up at the ATM and their job is simply to be at the ATM and to take the cash out of the ATM, put it in a bag and then leave.
We have another individual called the tech and the tech is the technical person who arrives at the ATM prior to the cash mule. And what their job is, is to analyze the ATM to determine how the ATM's configured and then determine what the appropriate tool or technique is to use to jackpot that particular ATM. We also have what we call the operator. The operator is the person that, in some of the attacks, needs to authorize the software prior to it being able to be used at the ATM. They're typically remote and typically they're called on a cell phone to give the access codes to activate the software. And then what we've been seeing recently is we have what we call a surveillance team.
In much the same way that you would think about spies and counterspies working with or against each other, these are individuals that show up and while the people are physically at the ATM doing whatever they're doing, they're a little bit away from the actual scene and they're watching what's going on at the scene. They're watching what's happening around it. So if a consumer were to drive up to the ATM or if a police car were to pull in the parking lot, it's this person's responsibility to tell the other people that are at the ATM, hey, there's a police car coming, hey there's a customer coming, you need to leave and then they're watching the scene once they're gone. They say okay, the coast is clear, come on back, you can continue your job.
Amy Lombardo: 07:33
Wow, that sounds quite complicated just to get notes out of an ATM here. Is a jackpot attack a one and done, or could you go back based on the amount of notes that the ATM can dispense at a time? Or is that the way it's hacked, so that threshold is completely removed and it'll just empty the ATM at once?
Scott Harroff: 08:03
Again, there's a variety of different techniques that we've seen used. One of the techniques would require the person to use what we call a black box and if they were using a black box they'd physically gain access to the inside of the ATM to disconnect the dispenser from the CPU in the ATM then connect it up to the black box and the black box would send some commands to the dispenser and if the dispenser wasn't configured correctly, that would start the dispenser into a cycle of continuously dispensing notes. So, you have the ATM physically opened, out of service, with a black box connected and it's pretty much go as quickly as you can, get as much as you can and if somebody's interrupting you, you just take your black box and cash and you leave. The ATM is left in an out of service situation so that would be one approach in one extreme, if you will.
The other side of it would be where software is used to actually put the ATM into a mode where it can be switched into and out of service. So, the software would be able to be controlled remotely. You'd use something like a wireless USB dongle that would provide keyboard and mouse functionality and then the tech would be somewhere in the parking lot or in near proximity of the ATM and they'd be sending commands ... okay, dispense your cash and that would start. The cash mule would start taking all the cash out of the ATM and then the technician would see somebody pulling up behind the cash mule and then send commands to the ATM ... go back in service and now the in service screen would appear, the consumer would use the ATM, it'd look completely normal, it would provide them exactly the transactions that the consumer wanted and then the consumer drives away. The cash mule comes back and then the technician remotely says, okay, I want you to start dispensing cash again. And again it starts dispensing.
And we've actually had video from customers where the person that's at the ATM doing the cash removal had been interrupted three or four times and as consumers came up and used it, it looked normal. Cash mule came back, did their thing, another consumer came up, the cash mule left and again, the consumer comes back. We've actually seen it go through cycles where they'll spend over an hour being interrupted and getting the cash out of the ATM while other people are there using the ATM.
Amy Lombardo: 10:24
Wow. So these criminals are pretty daring in those types of examples that they're going back and forth there.
Scott Harroff: 10:32
Actually they're really, really daring. We've got one example out in California where the folks jackpotting the ATM were actually in a big box retailer. So, imagine that, you're right at the ATM, right in front of the entrance, and right over your shoulder to the right hand side is all those cash registers, all those customers checking out, all the store people operating the cash registers and you know, somewhere there's all these cameras that are watching for shoplifters and things and in the middle of all that, we had a group of individuals literally jackpot the ATM while the store was open and all that was going on. So, yeah, really bold and daring.
Amy Lombardo: 11:15
All right, I don't know if I can say this on this podcast but that's a little [inaudible 00:11:20] there. I mean, my goodness.
Scott Harroff: 11:24
Yeah. And you know they're not wearing masks, they're not wearing disguises. It's like you and I just walk up to an ATM and pretend we're technicians servicing the ATM and take all the cash right there in front of all these people and all those video surveillance things going on so, yeah, it's pretty aggressive sometimes.
Amy Lombardo: 11:44
All right, so listeners, just for the record, don't look up Scott and me on LinkedIn, see what we look like, and think we're going to be jackpotting ATMs. All right, let me get back to my questions here. I've got a lot here for you. You mentioned some examples here in the U.S., but are we finding these attacks all over the world? Because I could have sworn a colleague mentioned to me once that maybe jackpotting even started in Russia, or am I just thinking of something totally not related?
Scott Harroff: 12:18
No, you're actually correct. No, you're spot on. It's a global thing. It's been going on for many, many years. It's relatively new to the U.S. We actually have a security alert from one of our competitors that they published in the 2016 timeframe warning their customers that their ATMs were vulnerable to these attacks. Our first record is competitors' ATMs being attacked in 2016. We actually didn't see anything happening on our equipment until the 2017 timeframe, and then they were in the U.S. hitting a large ISO. An ISO is a deployer of ATMs for a third party. So, if you didn't want to own and operate your own ATM, but you wanted to have your logos on the ATM so your consumers could use them, that's what an ISO is. They deploy ATMs on behalf of somebody else. They focused in on this ISO pretty heavily from the spring to the fall of 2017, and then once that ISO did a good job of counteracting the vulnerabilities on their fleet, the bad guys were forced to expand out and go after other folks' ATMs. So, that's when we started seeing it move off that ISO on to other customers' ATMs, and at that point we started sending out security alerts, doing customer awareness training and letting them know, hey, if you haven't done A, B, C, D, F, G to protect your ATMs, it's a really good idea to start working on that right now.
Amy Lombardo: 13:45
Got it. Are there certain types of ATMs or maybe even locations that they're at that seem to be more vulnerable than others?
Scott Harroff: 13:56
You know, that's a really good question. The commonality here is ATMs need to have up to date firmware, up to date software, up to date configuration settings and good physical security. So, theoretically any ATM running what's called XFS. XFS is the middleware layer that sits at the operating system level and it kind of acts as the intermediary between whatever your terminal software stack is, like Agilis or Vista or pick your software stack, and the operating system. It kind of translates what the terminal software stack wants to do into the commands for the devices. And that's an open standard, it's published on the internet. So, if you could use this uncommon tool called Google and you did a search for XFS specifications ...
Amy Lombardo: 14:51
Scott Harroff: 14:52
Never been there. You could actually Google for the XFS specifications for the dispenser and you could find out what you need to do in order to tell XFS how to operate the dispenser. Or, if you're a little bit more lazy and a little bit less creative, you could actually Google for applications that do test dispenses on the internet, and that would actually give you the actual software itself to interact with XFS and to make the machine dispense cash. Any ATM running a common software layer called XFS is theoretically vulnerable to this. Now, if you've got XFS up to date, firmware up to date, and configuration settings up to date, again, you add layers of defense to protect you and slow the attacker down. But, really, almost any ATM running that layer is vulnerable.
Then again, you move on to ATMs that might not run XFS, some really low end cash dispensers that you might see in gas stations or maybe convenience stores. They don't run XFS but, again, the attackers have stolen ATMs and have analyzed how they work and then found attacks that work against non-XFS ATMs as well. I would pretty much say any ATM is vulnerable, but then we gotta talk about what the likelihood of attacking an ATM successfully is. So, if you've got an ATM that's sitting in the middle of a branch and you've got all these branch people around the ATM, the doors are locked from 5:00 at night to 8:00 in the morning, the chance of somebody walking into that branch while all those employees are there and spending an hour jackpotting the ATM and removing handfuls of cash, time and time and time again, really low probability. Could it happen? Yeah. Is it likely? Not so much. So, we'd put those into what we call a low risk category.
An ATM that's in a drive up configuration where the key to the ATM's computer is exposed to the general public, we'd put that into a medium risk category. An ATM that is on premise, maybe in a vestibule, maybe in a corner of a branch parking lot, again, without good security would be a medium risk. And then a high risk ATM would be an ATM that's off site. So let's say it's in a university, let's say it's in a public building somewhere, maybe it's on a college campus, maybe it's in a gas station or a convenience store. Those are high risk and, again, the highest risk would be an ATM that would, believe it or not, be in a shopping mall. We had a lot of attacks occur where an ATM was literally on site in a shopping mall with all those people moving around the ATM, the jackpotters right there jackpotting the ATM. So, from lowest risk to highest risk, that's kind of what we've seen here in the U.S.
Amy Lombardo: 17:44
Huh. Okay. Yeah, you would think it would be the other way around with the shopping mall example but in reality you're not, as a consumer, looking for that. You're going on with your day to day activities. Are ATMs the only system or device that can get jackpotted? Could a kiosk that dispenses money be vulnerable to this? And I'm thinking back to the grocery store example that you gave me earlier on.
Scott Harroff: 18:17
Absolutely. Any device that has a reward, whether that reward is I get cash or whether that reward is I get credit card data that I can then sell on the dark web or I can use myself to clone cards and go redeem by using a stolen PIN and a stolen card number somewhere else, any device that has value to organized crime or an attacker would be subject to these attacks.
Amy Lombardo: 18:44
So, jackpotting is not just getting some sort of notes out of an ATM, it ... to your point here, it could be data as well. Am I understanding that right? Or did I just take you down a rabbit hole?
Scott Harroff: 19:01
No, so jackpotting, in the way we're talking about it, typically occurs at ATMs. That's the way that the media has been presenting this. This is the way all of the experts have been talking about it. When they say jackpotting these days, what they typically mean is somebody at an ATM stealing cash from an ATM, but you could take the concept and extend it. You'd have to be pretty brazen, but what if I were to somehow put malware onto a casino's gaming machine? What if, as opposed to getting cash out, what I do is I get a jackpot on my casino machine and it just gives me all the coins that are in there? What if somehow I manipulate that into sending the signal back to the main system that says the person at this machine just hit the jackpot and they won the $5 million grand prize? You could extend this concept into a lot of other areas, but typically it's around ATMs.
Amy Lombardo: 20:01
And in that instance, consumers, anyone who's listening Scott Harroff will be visiting Las Vegas in two weeks. Just kidding, just kidding. All right, let's shift the conversation into talking a little bit about preventative measures and what a financial institution can do to be the most prepared for these types of vulnerabilities. Can you just walk us through steps a bank should take and really that process, how complicated it could be or maybe not?
Scott Harroff: 20:41
Sure, absolutely. The first thing I want to bring about is that there's a lot of different scenarios that can lead up to a jackpot, a lot of different techniques, a lot of different tools. One of the biggest misconceptions is some institutions that haven't had an in depth discussion kind of think a jackpot is a jackpot. It really, really isn't. There's many different vectors that could lead up to a jackpot scenario. You could remotely get into an unprotected ATM across the network and jackpot it, for example. But most of the time it involves being physically close to the ATM. Again, we have some attacks called man-in-the-middle attacks, and what that means is somebody gets between the ATM and the host and they, on the network, change the traffic, so the ATM thinks that the host is telling it to do things that the host really didn't tell it to do. So, that's a remote attack as well.
It could happen at the host, it could happen between the host and the ATM, or it could actually happen on the network cable that goes right into the ATM itself, so that's an attack that has a proximity kind of effect to it. But the most common attack is an attack that involves getting into the computer area of the ATM. If you have an ATM that is, again, in a branch lobby, chances are no one's going to go in there and try to jackpot that machine. They're going to look for something that's maybe a little easier, maybe a little less risk. An ATM that has a lock that's exposed to the general public, if you will, is really the first main indicator of an ATM you should be concerned about, and especially if that lock hasn't been changed from the factory configuration.
So, if your ATM has exactly the same lock as your bank, or your credit union down the street who's a competitor, you know, you're probably vulnerable because, well, if the key that opens your ATM opens 20 or 50 or 100 or 1,000 other ATMs from competitors around you in the state, that's really the first major weakness that they look for. Today if they show up and they put the key in and the key doesn't turn, you know maybe they could pick it, maybe they could force it open but what they're really looking for most of the time in the U.S. attacks we've seen so far is an ATM where the lock is just in the factory configuration. You put a key in you can buy off of eBay, for example, you turn it and it opens. That's the first step. The second step is really, what if when I open that door an alarm goes off. What if I now think that for whatever reason, I've just tripped something, am I going to stay there when an alarm's going off and try to perform this jackpot? Probably not. Maybe I'm really, really aggressive and I do but chances are, if the top hat were to open and an alarm were to go off, the bad guy's probably going to leave quickly.
Having that alarm there, if you open the door and if you don't put in, for example, a four digit disarm code to turn off the alarm and the alarm starts going off, that's another layer of protection that would prevent the bad guy from probably staying there and jackpotting it. And then the next step is making sure that the ATM software stack is up to date. Making sure that the communications between the CPU and the dispenser are appropriately configured. Making sure that all of the different details around the software security and the configuration of the ATM are up to date. Those things all added together can either significantly slow down the attacker to the point where they're probably not going to get any cash, or only a little bit before somebody shows up to intercept them, or maybe prevent them altogether. Those are the kinds of things you really want to do: adding these layers of physical security and information security controls to the ATM to make sure that you've really slowed somebody down or you've stopped them altogether. That would be what I would be looking at doing.
Amy Lombardo: 24:48
Got it. And is there a way that a financial institution can actually tell when this might be happening? Is it just as simply as what you were talking about, an alarm going off? Or is there some sort of software that they can actually tell?
Scott Harroff: 25:07
Actually the physical security of the top hat area and the chest, having sensors that notice that somebody's doing something they shouldn't be doing, is a really good first layer of defense, but as you pointed out there's also software on the ATM that could notice that something's occurring that's not normal. For example, my dispenser was unplugged from my CPU. Well, how many times does a dispenser disconnect itself from a CPU in a normal ATM? It really doesn't, so if you have software that watches for that, that could be a detection mechanism that says hey, I want to now respond to this. Or another good example might be how often does your hard drive physically unplug itself from an ATM while it's up and running normally? Well, the answer is it doesn't ever disconnect itself while the ATM is up and running normally. So, again, having software that watches for something like that would aid you in detecting that something unusual is occurring, and you probably want to have your physical security people log into their cameras or DVRs, look to see what's going on, or maybe even send an alert to a security monitoring system so that a third party could actually respond on behalf of the bank and send somebody out to check out the ATM.
Amy Lombardo: 26:23
Got it. As we close out the topic for today, what did I miss, Scott? Are there other recommendations that you would give here? Or, really, I didn't miss anything. It's really you. Anything else that you would just add to this conversation, just kind of in closing here?
Scott Harroff: 26:42
Absolutely, I think one of the things that most financial institutions in the United States haven't really done a thorough job of yet is assessing their fleet and really looking at them from the perspective of which of my ATMs are at the highest risk. Which of my ATMs are not at risk at all? And then looking at those ATMs and saying okay, this is a high risk ATM, which vectors would work at my ATM and basically doing an internal analysis of how could my highest risk ATMs be attacked. What do I need to do with my ATM vendor to try to now counter these different attack vectors and make my highest risk ATMs as secure as they can be from these attacks? I really think that we've got some financial institutions that have done a very good job of assessing their fleets. They've done a good job of remediating their open vulnerabilities but I think there's far, far too many customers out there that haven't gone through and done that work and they're actually still vulnerable to these attacks when the bad guys come back next time.
Amy Lombardo: 27:52
Okay, okay. So, obviously that would be our plug there to talk to someone like yourself or an account rep at Diebold Nixdorf to get more information.
Scott Harroff: 28:04
Yeah and again, this isn't really a Diebold Nixdorf problem, although our ATMs, if they're not properly set up and configured and protected, are vulnerable. NCRs are vulnerable, your Tritons, your Tranaxes, those other ATMs are vulnerable as well. Again, I just want to make sure we close with this: this isn't really a Diebold Nixdorf problem, although this is Diebold Nixdorf doing the podcast. It's really an industry challenge and everybody needs to be diligent. As long as you own a machine that's loaded with cash, you need to be concerned about this risk.
Amy Lombardo: 28:37
Yeah, that's a great point and a great way to close this. So thanks, Scott, for being with me here today, and to our listeners for tuning in to this episode of Commerce Now. To learn more about jackpotting or how you can better defend your ATM fleet against evolving attacks, log onto DieboldNixdorf.com. Until next time, keep checking back on iTunes or your favorite podcast listening channel for new topics on Commerce Now.