The U.S. Secret Service has issued an alert warning ATM owners and operators of cash-out criminals conducting “jackpotting” attacks on standalone front-loading ATMs located in drive-throughs and retail outlets in multiple locations across the United States. Jackpot attacks, also known as “logical attacks,” combine physical intrusion and malware to command ATMs to empty themselves out in a matter of seconds.

According to the alert, criminals dressed as service technicians use ATM access keys readily available online to gain entry via the ATM’s top hat, install malware on the ATM and take control of the machine in order to initiate ATM withdrawals. In some cases, the criminals swap out the ATM’s existing hard drive and replace it with one already infected with malware. Banks are recommended to contact their ATM service providers for the latest security updates and patches to mitigate the risk from these attacks, to ensure proper physical security controls limiting access to the machine and to monitor for communications failures and alarms.

Diebold Nixdorf, a major ATM vendor, recommended limiting physical access to the ATM; implementing protection mechanisms for cash modules; monitoring unexpected opening of ATMs’ “top hats”; and keeping operating systems, software stacks and configurations up to date. NCR, another major ATM provider, also issued an alert with specific recommendations to address common forms of logical attacks against ATMs. The Financial Services Information-Sharing and Analysis Center is also issuing information on the attacks; the American Bankers Association encourages all banks to join FS-ISAC to receive the latest security alerts.

• Read the Secret Service alert.
• Read the Diebold Nixdorf alert.
• Read the NCR alert.
• Learn more about joining FS-ISAC.
• For more information, contact ABA's Heather Wyson-Constantine.