Crooks make US ATMs spew million-plus bucks in 'jackpotting' hacks

Cash machines in the US are being hacked to spew hundreds of dollar bills – a type of theft dubbed "jackpotting" because the ATMs look like slot machines paying out winnings. A gang of miscreants have managed to steal more than $1m from ATMs using this attack, according to a senior US Secret Service official speaking to …

  1. Winkypop Silver badge
    Facepalm

    Physical access

    Now there's ya problem!

    1. Pascal Monett Silver badge
      Coat

      Re: Physical access

      Indeed. Quite disappointed when I read that. I was hoping for some newfangled card hijacked to make the ATM vulnerable from the outside or somesuch.

      But no, it's just boring old get-access-to-the-innards-then-profit.

    2. DontFeedTheTrolls
      Pirate

      Re: Physical access

      Search "ATM gas attack". Just how far criminals are willing to go with their physical access

  2. JeffyPoooh Silver badge
    Pint

    "...spew hundreds of dollar bills..."

    "dollar bills" ?

    This might be read as you thinking that US ATMs actually contain $1 bills, as opposed to larger denominations. I know what you meant. It just parses wrong(ish) in Americanese, which I can comprehend.

    Does the phrase "Pound Note" mean one UK Pound, or does it include fifty pound notes?

    1. really_adf

      Re: "...spew hundreds of dollar bills..."

      Does the phrase "Pound Note" mean one UK Pound, or does it include fifty pound notes?

      I'm from the UK and a "pound note" can only have a value of one pound*. Same idea for "dollar bill" and I had the same reaction as you to the article wording.

      * However, I am old enough to remember their withdrawal 30 years ago, which may or may not be relevant.

      1. Muscleguy Silver badge

        Re: "...spew hundreds of dollar bills..."

        Agreed, I would tend to use Sterling notes to denote a variety of higher bills. But then I live in Scotland where no fewer than 4 different bill types circulate. My wallet currently contains one bill from the Clydesdale and one from BoS.

        When we vote for Indy we could decide to keep the paper bills as they are, would certainly be cheaper. We just tell the banks that instead of depositing £1 in electronic funds for every £ issued in Threadneedle Street they have to deposit it in the Edinburgh Treasury instead. Then we just have to worry about the coinage. To help we could persuade RBS to reissue the £1 note.

      2. JeffyPoooh Silver badge
        Pint

        Re: "...spew hundreds of dollar bills..."

        R-ADF noted, "a 'pound note' can only have a value of one pound....withdrawal 30 years ago..."

        Mike Brewer from Wheeler Dealer in an episode several years ago offered "pound notes" when buying an old car for Edd China to fix. I took it to imply "cash", as opposed to actual one pound notes.

        In North America, a "dollar bill" is a $1 bill. I've not heard it used to mean "cash".

  3. Khaptain Silver badge

    Physical Access

    Physical access that requires switching off the machine, replacing the hard drive which requires "internal" physical access, then rebooting the machine all the while being unnoticed by anyone.

    Something is weird here, either there are bank employees, Siemens Nixdorf employees or security guards who have the keys involved here. How the hell does the average Joe get access to the internals of the ATMs, most of which are behind brick walls....?

    1. PhilipN Silver badge

      Re: Physical Access

      My thought too, unless the risky outlets in supermarkets for example are exposed in standalone format.

      In any case, particularly in Mexico, why not just wait until the bank staff come to refill the machine? A swift crack on the head and no computer skills required. AND you get all of the dough instead of what must take ages to spew out of the slot.

      Needless to say I am merely hypothesising, opposed to violent crime etc etc

      1. Cuddles Silver badge

        Re: Physical Access

        "In any case, particularly in Mexico, why not just wait until the bank staff come to refill the machine? A swift crack on the head and no computer skills required. AND you get all of the dough instead of what must take ages to spew out of the slot."

        Rob a man once and you're paid for a day, siphon off his paycheque and you're paid for the rest of your life. Armed robbery will get you a one-off payment; hacking an ATM to pay out on command will let you keep taking money every time it gets refilled. It will also be much more difficult to figure out who actually did anything or when they did it, as well as likely carrying a lesser penalty if someone actually gets caught.

    2. Adam 1 Silver badge

      Re: Physical Access

      I watched the Barnaby Jack video years ago. It's well worth your time if for no other reason than to appreciate the mindset of someone determined to get into one.

      From memory*, he pointed out how the threat model was understood to be a case of protect the cash safe and not enough thought was given to protecting the PC itself which was accessible with a pretty simple key. A bit of social engineering would make your farting about non suspicious. Have two of you there, wear something resembling a uniform and bring a lanyard, and call the manager of the store an hour before you get there telling them that there has been an alert which requires a technician. Ask the manager to call some number when they arrive and when they leave "for security".

      *at least I think it was that video, apologies if it was another.

    3. Mark 85 Silver badge

      Re: Physical Access

      You're thinking of the ones inside the store's walls with just the front of the machine available. It's the front they go through which most of the time isn't inside the store. There really isn't any "armor" on these things.

      I've also seen more than a few machines that stand alone out by the parking lot or bank drive through. On those, I recall that a couple of guys were using a wrecker to pick up the machine and drive off with it.

    4. Cynic_999 Silver badge

      Re: Physical Access

      "Physical access that requires switching off the machine, replacing the hard drive which requires "internal" physical access, then rebooting the machine all the while being unnoticed by anyone."

      The cash is behind armour plating, the PC is not. Breaking into the ATM's cash safe would take too long (unless you can remove the ATM and take it somewhere to work on undisturbed). Using a thermal lance to get into the cash safe quickly is no good, it would destroy most or all of the money, and mechanical cutting tools would take you all night.

      But you can break into the PC compartment relatively quickly using a glorified can-opener, power down & swap the HDD, then boot into your hacked software which immediately instructs the mechanics to spew out all the money. I would hope that ATMs have some sort of tamper alarm, but a thief may know how to cut or break into the PC compartment without triggering it.

  4. Louis Schreurs BEng

    I think the crooks are thinking, one more layer of difficulty for pinpointing to any identity of the thieves, and they get to practise their burglary skills

  5. Adam 1 Silver badge

    > What is interesting about these attacks is that they require considerable physical access to the ATM itself, meaning that there is a high risk of getting caught,

    High risk of who being caught? Some gang foot soldier who got in too deep and is "paying off" their debt. Paraphrasing Lord Farquaad "some of you may get caught, but that's a risk that I'm willing to take".

  6. Flocke Kroes Silver badge

    Diebold?

    I thought they changed their name to Premier Election Solutions because of their well deserved reputation for poor security.

  7. Anonymous Coward
    Anonymous Coward

    Record note serial numbers ?

    To be honest, given the relative ease with which it could be done now, I am surprised there aren't more points in the money-go-round where note serial numbers get recorded.

    You'd think with the previous mania for "big data" that there would have been some use for that data set.

    But at the very least, a list of nicked notes would have given investigators a bit more to go on than they had before.

    Or is that just my idea ?

    1. phuzz Silver badge

      Re: Record note serial numbers ?

      But then you need a system for reading serial numbers when they're spent, otherwise the closest you'll get is finding out a week later when a shop takes its cash into the bank that some of the stolen notes were used in a particular shop at some point in the last 24 hours (at least).

      It's entirely possible that serial numbers are recorded when cash is loaded into the ATM, but unless you can track where it's spent it's not much use as evidence.

  8. Elmer Phud Silver badge

    Times are a changing

    an ATM and Windows story and not one comment slagging off Windows?

    (and no fault of Windaaz)

    What has happened?

    Where are the Penguin Prodders?

    1. david 12 Bronze badge

      Re: Times are a changing

      ...This is what you get for putting your ATMs in your Windows...

  9. DougS Silver badge

    Sounds like a social engineering attack

    Dress like workmen and "service" the ATM during the day so it's not suspicious that it is being opened up and the hard drive replaced. Those people need to be slick talkers in case someone at the location knows the "regular" service guy. Then you have a confederate come back in the middle of the night to "jackpot" it.

    I would think that ATMs have some sort of tamper indication, but maybe that's easily bypassed. Maybe the firmware should call home if it detects the hard drive has been changed...

    1. John Brown (no body) Silver badge

      Re: Sounds like a social engineering attack

      "Maybe the firmware should call home if it detects the hard drive has been changed..."

      Or even some form of active monitoring so the owners know which of their machines are running low on cash, powered down, unexpectedly rebooting, system crashes etc.. You know, the normal stuff a sysadmin would be expected to do when looking after a fleet of computers.

      1. DougS Silver badge

        Re: Sounds like a social engineering attack

        They do know when they're running low on cash, and presumably the other stuff. I just wonder if they're worried about esoteric (at least at the time they were designed) attacks like breaking into it to replace the hard drive so they don't check for it. I'm sure they'd receive an alert when it is rebooted as part of the hard drive swap, but they probably ignore those alerts because 99% of the time they are from power outages or other stuff that had nothing to do with the ATM.
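One way to make the reboot alerts John Brown and DougS are discussing worth reading, as an added example that is not from any commenter, the article, or any ATM vendor: grade each boot by whether a power-loss report preceded it and whether the drive the machine came up on is the drive it was baselined with. The telemetry format, the `disk_serial` field and the sample events are all constructed for illustration; a real fleet would feed this from whatever its monitoring already collects.

```python
"""Triage ATM boot events: routine power-cut reboots vs. boot-disk changes.

Added example, not from the thread. The event format, the `disk_serial`
field and SAMPLE_EVENTS are assumptions constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Constructed sample telemetry for two machines. Each boot record carries the
# serial number the firmware read from the attached drive (assumed field).
SAMPLE_EVENTS = [
    {"ts": "2018-01-27T09:00:00", "atm": "ATM-0042", "event": "boot", "disk_serial": "WD-AAA111"},
    {"ts": "2018-01-27T09:05:00", "atm": "ATM-0042", "event": "heartbeat"},
    {"ts": "2018-01-27T22:10:00", "atm": "ATM-0042", "event": "power_loss"},
    {"ts": "2018-01-27T22:12:00", "atm": "ATM-0042", "event": "boot", "disk_serial": "WD-AAA111"},
    {"ts": "2018-01-28T14:30:00", "atm": "ATM-0042", "event": "boot", "disk_serial": "ST-ZZZ999"},
    {"ts": "2018-01-27T09:00:00", "atm": "ATM-0077", "event": "boot", "disk_serial": "WD-BBB222"},
    {"ts": "2018-01-28T03:00:00", "atm": "ATM-0077", "event": "boot", "disk_serial": "WD-BBB222"},
]


@dataclass(frozen=True)
class Alert:
    atm: str
    ts: str
    severity: str  # "info" | "medium" | "high"
    reason: str


def triage_boots(events: Iterable[dict]) -> List[Alert]:
    """Walk events per ATM in time order and grade every boot after the first.

    - Boot after a power_loss report on the same drive: the routine case the
      thread says operators learn to ignore, so it is logged as "info".
    - Boot with no preceding power_loss on the same drive: "medium".
    - Boot on a drive whose serial differs from the machine's baseline:
      "high" regardless of what preceded it, since a power cut is exactly
      the noise a drive swap would hide behind.
    """
    baseline: Dict[str, str] = {}   # atm -> serial seen at first boot
    last_event: Dict[str, str] = {}  # atm -> most recent non-boot/boot event
    alerts: List[Alert] = []
    # ISO-8601 timestamps sort correctly as strings.
    for ev in sorted(events, key=lambda e: (e["atm"], e["ts"])):
        atm = ev["atm"]
        if ev["event"] != "boot":
            last_event[atm] = ev["event"]
            continue
        serial = ev["disk_serial"]
        if atm not in baseline:
            # First sighting establishes the baseline; an operator would
            # re-baseline explicitly after a legitimate drive replacement.
            baseline[atm] = serial
        elif serial != baseline[atm]:
            alerts.append(Alert(atm, ev["ts"], "high",
                                f"boot disk changed {baseline[atm]} -> {serial}"))
        elif last_event.get(atm) == "power_loss":
            alerts.append(Alert(atm, ev["ts"], "info",
                                "reboot after reported power loss"))
        else:
            alerts.append(Alert(atm, ev["ts"], "medium",
                                "reboot with no power-loss report"))
        last_event[atm] = "boot"
    return alerts


if __name__ == "__main__":
    for alert in triage_boots(SAMPLE_EVENTS):
        print(f"{alert.severity:6} {alert.atm} {alert.ts} {alert.reason}")
```

The baseline is deliberately not updated when a mismatch is seen, so every boot on the swapped drive keeps alerting until someone re-baselines the machine; that is the difference between an alert that fires once at 03:00 and gets lost among power-outage noise and one that stays visible until a human has looked at it.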

  10. James O'Shea Silver badge

    Amateurs

    Here in Deepest South Flori-duh, we have _professionals_.

    Step 1: a gentleman shows up at an ATM machine inside a premises such as a drug store (Walgreens, CVS, I’m looking at _you_) or on the wall outside a supermarket or similar (Publix, Winn-Dixie, that’s _you_) and fiddles around with a debit card. Then goes to the manager of the establishment and says that there seems to be something wrong with the ATM. Manager says that it’s not his problem, it’s the bank’s (Chase, Wells-Fargo, that’s _you_) problem.

    Step 2: the manager gets a phone call from, allegedly, the bank or whatever which owns the ATM. The call asks if anyone has reported a problem with the ATM. The manager, of course, says yes. The voice on the call says that they’ll send techs around to fix the issue, and asks the manager to be on the lookout for John Smith (or, as this _is_ Deepest South Flori-duh, Juan Diaz) with [bank] IT ID #12345678. And to call 305-555-SCAM when the tech arrives.

    Step 3: Someone with a [bank] IT ID reading 12345678 shows up, asks the manager to call the office. ‘Tech’ opens up the ATM, fiddles around, tells manager that it’s fixed. Note: the ‘tech’ does NOT take out any cash. Nor does he swap out the hard drive, that’s alarmed.

    Step 4: John Public uses the ATM. And the scanner installed inside it records the card info, complete with PIN, etc., and beams it back to the mothership.

    Step 5: our heroes make copies of all the cards over a week or so and then roam wild for perhaps 24 hours before destroying the copies.

    Step 6: do it again at a different ATM.

    ‘Jackpotting’ makes it obvious that that particular ATM is hacked. If you do it this way, you can milk many, many, MANY ATMs over a long period of time before the cops work out which ones are trapped, and by that time you’ve moved on to other machines. You don’t make as much at one time as with ‘jackpotting’, but you make a lot more over time. Slow and steady wins the race, boyz.

    I just love Deepest South Flori-duh. I really do.

  11. Cynic_999 Silver badge

    Why don't ...

    Why weren't ATMs designed with bespoke electronics? It's not like it needs much computing power, and a PC running Windows is complete overkill. An 8-bit CPU could handle everything required with ease (including a LAN driver), the hardware would cost a fraction of a PC motherboard despite being bespoke and the PSU would also be a fraction the cost of a PC PSU and it would be virtually unhackable. Heck, you could put the firmware onto a 32kB or 64kB OTP soldered-in ROM. In the unlikely event that you need to upgrade the firmware within the life cycle of the ATM, swap out the entire CPU card - the cost will be less than £20, absolute tops. If you must have a fancy VDU display capable of displaying videos, use something such as the Raspberry Pi.

  12. handleoclast Silver badge

    Washington Post report

    The WaPo report (published on the 28th) covered the same ground as the article and also mentioned use of a modified medical endoscope to access an internal port to install their malware.

  13. Chairman of the Bored Silver badge

    And the left side of the intelligence distribution gives us...

    ...years ago my college had a freestanding ATM kiosk mounted on a steel pole near a road.

    Two men decided to uproot it and drive away using a pickup truck and some steel cable. Secured cable only to the rear bumper. When the driver punched it the bumper fell off. In a panic, they left the scene... Leaving behind the bumper and license plate.
