The most memorable cyber attack demonstration I’ve ever seen was Barnaby Jack’s ATM jackpotting presentation at Black Hat 2010. (Rest in peace, Barnaby Jack.) He exploited vulnerabilities in two third-party ATM models made by Triton and Tranax. He bought the ATM devices himself so he could research them and take them to the event. Both ran a version of Microsoft Windows CE. It’s eight years later, and embedded versions of Windows 7 and Windows 10 are two of the most common ATM operating systems.
Barnaby Jack began by remotely connecting to the Tranax ATM from his laptop. From there he executed his Jackpot malware, which caused the ATM to play music and spit out its money in a dramatic and messy way. If that happened in the real world, bystanders would probably be running to the ATM to grab as much cash as they possibly could. For his second attack, he put his USB stick into the Triton ATM. His Scrooge rootkit enabled him to rewrite the device’s firmware. Through the malicious firmware, Barnaby Jack was able to withdraw cash from the ATM without needing to use an authenticated bank account. No numbers changed in any bank accounts; the Triton ATM just released its cash, as the Tranax ATM did. When a cyber attack causes an ATM to release cash without taking the money from a bank account or credit card, that’s called jackpotting.
The vulnerable ATMs could be found, targeted, and exploited by war driving if the device presented any sort of wireless network connectivity. (War driving is the act of looking for WLANs or WiFi connected devices while walking or driving around an area with a WiFi transceiver.)
Fast forward to November 2017. The FBI caught three men visiting ATMs in Wyoming, Colorado, and Utah together to engage in jackpotting attacks which helped them steal tens of thousands of dollars. Surveillance camera footage from one attack showed the men opening the top of an ATM in order to physically deploy Ploutus.D malware. The FBI said:
“Often the malware requires entering of codes to dispense cash. Codes can be obtained by a third party, not at the location, who then provides the codes to the subjects at the ATM. This allows the third party to know how much cash is dispensed from the ATM, preventing those who are physically at the ATM from keeping cash for themselves instead of providing it to the criminal organization. The use of mobile phones is often used to obtain these dispensing codes.”
On August 10th, the FBI sent an alert to banks around the world. Apparently, jackpotting attacks are a bigger threat than ever, and banking institutions must be vigilant. All successful jackpotting attacks to date have involved physically deploying malware to targeted ATMs, one at a time.
“The FBI has obtained unspecified reporting indicating cyber criminals are planning to conduct a global Automated Teller Machine (ATM) cash-out scheme in the coming days, likely associated with an unknown card issuer breach. Historic compromises have included small-to-medium size financial institutions, likely due to less robust implementation of cyber security controls, budgets, or third-party vendor vulnerabilities. The FBI expects the ubiquity of this activity to continue or possibly increase in the near future.”
Another jackpotting attack methodology the FBI warns about involves magnetic strip cards. “The cyber criminals typically create fraudulent copies of legitimate cards by sending stolen card data to co-conspirators who imprint the data on reusable magnetic strip cards, such as gift cards purchased at retail stores. At a pre-determined time, the co-conspirators withdraw account funds from ATMs using these cards.”
ATM manufacturers like Diebold, Tranax, and Triton must work with Microsoft to deploy better patches against jackpotting malware. Also, ATM manufacturers and banks should never use operating systems that are no longer supported with security patches. That’s been a common problem all around the world.
The FBI has some additional tips.
- Implement application whitelisting to make it more difficult for malware to be executed on an ATM.
- Separation of duties or dual authentication procedures should be implemented for withdrawal increases above a certain threshold.
- Watch for TLS traffic from non-standard ports.
- Look for network connections made from outside the geographic area that would be atypical of the bank’s outbound connections.
- Monitor for the presence of remote network protocols and administrative tools.
- And finally, be very careful to monitor and limit user accounts that have privileges to modify ATMs or bank accounts in any way.
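As an added example (not from the original post or from the FBI alert), here is a small triage script that applies three of the monitoring tips above to connection records from an ATM network segment: TLS on a non-standard port, destinations outside the bank's expected geography, and remote administration protocols. The record layout, the sample lines, the allowlisted country code and the protocol names are all constructed assumptions for this example.

```python
# Added example, not code from the original article. Applies three FBI monitoring
# tips to constructed, netflow-style connection records from an ATM segment.
# Record layout (assumed): timestamp atm_id dst_ip dst_port app_protocol dst_country
from dataclasses import dataclass
from typing import List

# Constructed sample log: two clean records, three that should raise alerts.
SAMPLE_LOG = """\
2018-08-11T02:14:05Z atm-0042 10.20.1.5 443 tls US
2018-08-11T02:14:09Z atm-0042 198.51.100.7 8443 tls RO
2018-08-11T02:15:31Z atm-0042 10.20.1.9 3389 rdp US
2018-08-11T02:16:02Z atm-0043 10.20.1.5 443 tls US
2018-08-11T02:17:44Z atm-0043 203.0.113.22 5938 teamviewer BR
"""

STANDARD_TLS_PORTS = {443}                  # tip: TLS from non-standard ports
EXPECTED_COUNTRIES = {"US"}                 # tip: atypical geographic destinations
REMOTE_ADMIN_PROTOCOLS = {"rdp", "vnc", "ssh", "teamviewer"}  # tip: remote admin tools


@dataclass(frozen=True)
class Alert:
    atm: str
    reason: str
    detail: str


def triage(log_text: str) -> List[Alert]:
    """Run each record through the three heuristics; return every alert raised."""
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, atm, dst, port_text, proto, country = line.split()
        port = int(port_text)
        if proto == "tls" and port not in STANDARD_TLS_PORTS:
            alerts.append(Alert(atm, "tls-nonstandard-port", f"{dst}:{port}"))
        if country not in EXPECTED_COUNTRIES:
            alerts.append(Alert(atm, "atypical-geo", f"{dst} ({country})"))
        if proto in REMOTE_ADMIN_PROTOCOLS:
            alerts.append(Alert(atm, "remote-admin-protocol", f"{proto} to {dst}:{port}"))
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(f"{alert.atm}: {alert.reason} -> {alert.detail}")
```

In practice the allowlists would come from the bank's own baseline of ATM-to-host traffic, and each alert would feed the account-privilege review mentioned in the last tip.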
It seems that the FBI has reason to believe that many financial institutions don’t monitor their ATMs as thoroughly as they should. If ATMs aren’t configured to specifically whitelist the applications they were designed to use, that’s a serious security flaw that’s easily avoidable. The successful jackpotting attacks so far usually involve the attacker physically tampering with their targeted ATMs. Is there a way for police or armed security guards to be deployed to ATMs within a few minutes of tampering being caught on camera?
The financial incentive for banks to put serious effort into security hardening against jackpotting attacks couldn’t possibly be more obvious. I’d love to see the Beagle Boys try these sorts of attacks on DuckTales. Disney rebooted that show? Well, thanks for the childhood nostalgia!