ATM jackpotting in America: The gathering storm

On April 26 at 10 a.m. EST, ATM Marketplace and TMD Security will present ATM jackpotting: The latest news on attack methods, targets, trends and defenses an in-depth look at the problem of ATM jackpotting and effective defenses against it.

In advance of the webinar, ATM Marketplace spoke with Vincent Wong, program director for Security Management Software at TMD Security, about the comparatively short and extremely costly history of ATM jackpotting.

In the second half of our two-part report, we discuss the recent arrival of jackpotting in the U.S. and ways that ATM deployers can protect their fleet — and their business — against this scourge.

If you missed part one, a look at the brief and costly history of ATM jackpotting, you can read it here.

Q: The U.S. experienced its first jackpotting malware attacks just a few months ago. Suspects in these incidents were apprehended fairly quickly; will that have a damping effect, perhaps preventing this type of attack from becoming a full-blown trend?

A: It would be good if this fast result serves as a deterrent, but based on the number of jackpotting attacks we have seen globally, organized crime is persistent and inventive, so jackpotting remains a serious risk.

Q: Certain ATM brands and models seem to be particularly prone to jackpotting. Does that mean that deployers who don't have those models in their ATM fleet can consider themselves safe?

A: All ATM brands and models are vulnerable, and deployers need to have industry best practice defenses in place no matter what type of ATM or location.

Q:  Some physical measures — such as changing out top box locks — have been suggested to thwart jackpotting attacks. How effective are they and are they enough?

A: As we have talked about, in a number of jackpotting attack vectors, the criminal takes advantage of very weak top box security to access the ATM PC core.

Many ATM deployers use one key for access control across their whole network. And even without a key, it is very easy to get into the top box in just seconds.

Best practice is to make the top box more secure and control access with locks that have one-time passwords instead of keys, together with central monitoring that will respond to unauthorized opening of the top box.

Other best practice defenses include tilt and vibration sensors that trigger an alert if the criminal attempts to access the electronics inside the top box by drilling or cutting the fascia.

There is no one silver bullet to counter jackpotting because the attack vectors are so varied. Top box security is just one critical layer of security in the complete defense strategy.

Q: What are the most important things for an ATM deployer to do to prevent jackpotting attacks?

A: A complete defense strategy includes securing physical access to the ATM and its electronics, ensuring that only authorized personnel have remote access, and that access credentials are secure, preventing the criminal from planting malware on the ATM through USB protection, for example, and making sure that if there is malware on the ATM that it is "quarantined" and removed so that it cannot be triggered to send commands to the dispenser.

The key to deploying effective countermeasures for a particular ATM, or ATM network, is to understand exactly how the criminal may try and execute an attack for each ATM brand and model.

For example, stand-alone ATMs such as lobby ATMs or drive-ups have different attack vectors to through-the wall ATMs.

Q: TMD just made the announcement about Security Management Software a few weeks ago. How does SMS work? Is it effective against all types of jackpotting?

A: Jackpotting, as we have discussed, is a complex type of attack with a number of MOs, and effective security is always a combination of technology, people and processes.

Security Management Software — in combination with security hardware — provides layered defenses against most, if not all, known jackpotting attacks.

In addition to the top box security features mentioned before, here are more examples of how the software works:

Changes to the hardware configuration, such as disconnection of the dispenser from the ATM PC core, trigger an alert. Additionally, predefined business rules might include shutting down the power to the dispenser so that a jackpotting attack is not possible.

USB connections to the PC core are protected against unauthorized use of mass storage devices. Secure BIOS password management prevents the criminal rebooting from a USB device.

Even if unauthorized software — any unknown executable file that is likely to be malware — is planted on the ATM, the software is immediately detected and quarantined so that it cannot be used by the criminal to trigger a cash-out.

This is important because criminals can disable or remove anti-virus and whitelisting products in an offline malware attack.

Q: Historically, TMD has been in the business of protecting ATM hardware, so why the focus now on software security?

A: The ATM threat landscape is changing. Logical attacks such as jackpotting are spreading fast.

We are also seeing ATM explosive attacks become a serious concern in many regions. There were 19 explosive attacks per week during 2016 in Europe, according to EAST. And skimming — especially deep insert skimming — remains a global threat.

ATM deployers need a cost effective defense strategy that is designed to address all of these threats, according to their risk profile.

Most importantly, an effective security strategy needs to be centrally managed and controlled. To do that, you need software, which is why software is now the heartbeat of everything we do.

The combination of TMD Security hardware and proven software from our sister company, TMS ATM Software, puts us in a unique position to help our customers and partners with a complete, end-to-end defense strategy.

Register now for ATM jackpotting: The latest news on attack methods, targets, trends and defenses, a free one-hour webinar on April 26 at 10 a.m. EST, presented by TMD Security and hosted by ATM Marketplace.