ATM Jackpotting: An Increasing Threat
As banking networks have shrunk, automated teller machines (ATMs) have become indispensable components of financial services. However, their standalone operation has also made ATMs targets for cyberattacks and physical breaches.
The technique known as “jackpotting” combines both tactics. Criminals gain access to the machine’s cabinet—often using widely available generic keys—then either inject malware into the existing system or replace the hard drive with an infected one. Once installed, the malware enables bad actors to command cash dispensation.
While the technique is not new, the Federal Bureau of Investigation recently warned that incidents are increasing, citing over 700 reported cases in a single year resulting in around $12 million in losses.
“The resurgence in ATM jackpotting in the U.S. underscores an old adage: ‘Everything old is new again,’” said Tracy Goldberg, Director of Cybersecurity at Javelin Strategy & Research. “ATM jackpotting gained popularity back in the early 2000s when IBM retired OS/2, the operating system used globally by ATMs.”
“With that OS retirement,” she continued, “ATMs transitioned to Windows. This opened up new vulnerabilities as attackers could exploit weaknesses through network attacks or physical ones involving locally installing malware via a thumb drive. Like any device running common software, ATMs must be regularly scanned and updated for security.”
Adding to Fraud Concerns
This fraud trend adds complexity to the already formidable challenge faced by financial institutions dealing with relentless attacks. Many schemes focus on account takeover or social engineering, pressuring customers into sending payments or acting as money mules.
Jackpotting highlights another troubling shift: criminals are using advanced technology to directly attack banks’ systems. Sophisticated malware, similar in capability to ransomware tools, can disrupt operations at scale.
Criminal Strategies
Recent incidents illustrate the severity of these threats. An attack on payments provider BridgePay knocked systems offline and left customers without service for weeks.
“This latest report does not highlight new techniques or tactics attackers are using in their ATM-jackpotting efforts,” Goldberg said. “I suspect that socially engineered attacks against administrators with access rights, or physical compromises of ATMs by pretending to be employees or maintenance personnel, remain effective.”
“Vigilance based on a zero-trust model is the best way organizations can secure their networks and all connected devices—including ATMs,” she concluded.










