ATM Jackpotting: Black Box Attack Forces ATM to Dispense All Cash

US Secret Service and FBI warned that ATM jackpotting attacks — where criminals attach a device to the ATM's internals and command it to dispense all cash — had reached the United States after years of success in Europe and Latin America.

US / Global Banking · 2018

Background

ATM jackpotting attacks do not require stealing card data — they attack the cash dispenser mechanism directly. European and Latin American banks had reported attacks since 2010. The first confirmed US jackpotting attacks were reported in January 2018.

The Attack

ATM jackpotting uses two main techniques: Ploutus-style attacks (attaching a laptop to the ATM's internal computer via USB or serial cable and running malware that commands the cash dispenser), and "black box" attacks (physically opening the ATM top cabinet and attaching a device that connects to the ATM's dispenser bus, then issuing commands directly). Attackers dress as ATM technicians to access the ATM's internal components. Once connected, the device can command the dispenser to release all available cash. A "money mule" waits at the ATM to collect bills as they dispense.

Response

The US Secret Service issued a confidential advisory to financial institutions. ATM manufacturers Diebold Nixdorf and NCR published security guidance. Banks began requiring additional physical security on ATM top cabinets. Some ATMs were upgraded to encrypt the communication bus between the ATM computer and dispenser.

Outcome

ATM jackpotting attacks emptied machines of tens to hundreds of thousands of dollars per attack. The combination of physical access (technician impersonation) and digital command execution made it a hybrid physical-cyber attack. Hundreds of ATMs were hit across the US in 2018.

Key Takeaways

  1. ATM top cabinets should be secured with tamper-evident seals and alarm systems that detect unauthorised opening
  2. ATM dispenser communication buses should use encrypted, authenticated protocols resistant to direct command injection
  3. ATM monitoring systems should alert on unusual cash dispense patterns — rapid full-dispense in non-business hours is a clear indicator
  4. ATM technician impersonation is a known attack vector — verify identity of anyone claiming to service ATMs
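
The monitoring rule in takeaway 3 can be sketched as a sliding-window check over dispense events. This is an added example, not code from the advisory or from any ATM vendor; the log format, ATM ids, and all thresholds are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed tuning values; derive real ones from your own fleet's baseline.
WINDOW = timedelta(minutes=10)   # "rapid": dispenses packed into this span
DRAIN_PERCENT = 80               # "full-dispense": share of the loaded notes
MIN_EVENTS = 3                   # one large withdrawal is not the pattern
BUSINESS_HOURS = range(8, 20)    # 08:00-19:59 local time

# Hypothetical journal format, not any vendor's real log layout.
LINE = re.compile(r"(\S+) (\S+) DISPENSE notes=(\d+) remaining=(\d+)")

# Constructed sample events, oldest first.
SAMPLE_LOG = """\
2018-01-27T14:02:11 ATM-0007 DISPENSE notes=10 remaining=390
2018-01-28T02:14:05 ATM-0042 DISPENSE notes=40 remaining=160
2018-01-28T02:14:50 ATM-0042 DISPENSE notes=40 remaining=120
2018-01-28T02:15:31 ATM-0042 DISPENSE notes=40 remaining=80
2018-01-28T02:16:12 ATM-0042 DISPENSE notes=40 remaining=40
2018-01-28T02:16:55 ATM-0042 DISPENSE notes=40 remaining=0
2018-01-28T23:00:00 ATM-0099 DISPENSE notes=40 remaining=10
"""

def detect_drains(log_text):
    """Return (atm_id, alert_time, percent_drained), at most one per ATM."""
    recent = defaultdict(deque)  # atm_id -> (time, notes) events inside WINDOW
    alerts, alerted = [], set()
    for line in log_text.splitlines():
        m = LINE.fullmatch(line.strip())
        if not m:
            continue  # skip anything that is not a dispense event
        ts, atm = datetime.fromisoformat(m[1]), m[2]
        notes, remaining = int(m[3]), int(m[4])
        q = recent[atm]
        q.append((ts, notes))
        while ts - q[0][0] > WINDOW:
            q.popleft()  # drop events older than the window
        dispensed = sum(n for _, n in q)
        loaded = remaining + dispensed  # notes present when the window began
        off_hours = ts.hour not in BUSINESS_HOURS
        if (off_hours and dispensed and len(q) >= MIN_EVENTS and atm not in alerted
                and dispensed * 100 >= loaded * DRAIN_PERCENT):
            alerted.add(atm)
            alerts.append((atm, ts.isoformat(), dispensed * 100 // loaded))
    return alerts

if __name__ == "__main__":
    print(detect_drains(SAMPLE_LOG))
```

The single late-night withdrawal on ATM-0099 empties most of a nearly empty machine but does not alert, because the rule requires several dispenses inside the window.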