CUNA Mutual Group Risk Alert: ATM Jackpotting Empties Credit Union ATMs

ATM Jackpotting – using malware to cause ATMs to dispense cash until emptied – has caused financial institutions to incur seven-figure losses. Fraudsters can infect ATMs physically at the ATM or remotely via the credit union network. Ensure your credit union has proactive security solutions to minimize the risk and potential financial impact.

Financial institutions have incurred seven-figure losses when fraudsters infected several ATMs with malware. ATM Jackpotting – also known as ATM Cash-Out – occurs when a fraudster infects ATMs with malware causing the ATMs to dispense cash. Infecting ATMs with malware can be done either physically at the ATM or remotely via the credit union network.

Physical Attacks: Fraudsters install malware in a physical attack either by:

• Prying open the ATM top hat using a crowbar or other tool; or
• Obtaining a master key to access the ATM.

Once the attacker has access to the ATM, the malware is installed using the internal hardware ports. The USB port is the most common infection point; however, older ATMs using a CD reader have also been abused in the same manner. After the malware is installed, a code is entered and the money is dispensed. The attacker can command the ATM to dispense the money immediately or wait until a more opportune time. Physical malware attacks are typically carried out at night or on the weekends to evade detection.

Once infected with malware, the ATM’s middleware is targeted to orchestrate the attack. Middleware is an application programming interface (API) that is used to communicate with the ATM’s peripherals (e.g., the PIN pad and money cassettes).

Remote Attacks: Malware attacks via the credit union network are more difficult for attackers to carry out. However, remote attacks typically present less risk of being caught.

In the remote attacks, fraudsters access the credit union’s local network, bypassing existing defenses, which allows them to gain control over the ATM. Fraudsters often use phishing emails sent to credit union employees containing attachments infected with malware or links to infected Web sites.

Employees who fall victim to the phishing attack inadvertently provide the employee credentials needed to hack into the credit union network. Within the network, fraudsters hack the computers that control the ATM network and upload the malware, which then gives them remote control of the ATMs. Specific times can be set for a triggered dispense, or fraudsters can arrange for accomplices to wait at the ATMs to retrieve the money immediately.

Credit unions running ATMs with old operating software that is no longer supported by the manufacturer are typically more vulnerable to ATM Jackpotting, since these ATMs are not receiving important software security patches.

Risk Mitigation

Credit unions should consider these controls:

• Encrypt the ATM hard drive to protect the data and make data manipulation more difficult for attackers. This is the most effective way to prevent ATM Jackpotting attacks; 
• Work with ATM vendors to ensure jackpotting exposures are properly addressed;
• Equip the top hats of ATMs with an alarm;
• Ensure ATM operating software is supported and install security patches as soon as possible after they are made available by the manufacturer;
• Perform daily ATM inspections to ensure lighting is adequate, the ATM is not obstructed or concealed, and cameras and alarms are functioning properly; and 
• Train credit union employees on how to recognize phishing. If a suspicious email is received, employees should report the suspicious email to management immediately. Never respond to or open attached files that appear suspicious.
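
The top-hat alarm and the physical attack pattern described above (cabinet access, then USB or CD media, typically at night or on weekends) can be correlated in monitoring. The following is an added example, not part of the original alert: the log layout, event names, 15-minute window and staffed hours are all assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from a real ATM): time, ATM id, event type.
# The log layout and event names are assumptions for this sketch.
SAMPLE_EVENTS = """\
2024-03-09T02:14:05 ATM-01 TOP_HAT_OPEN
2024-03-09T02:16:40 ATM-01 USB_INSERT
2024-03-11T10:02:11 ATM-02 TOP_HAT_OPEN
2024-03-11T10:05:30 ATM-02 USB_INSERT
2024-03-12T23:40:00 ATM-03 CD_INSERT
2024-03-13T14:00:00 ATM-04 TOP_HAT_OPEN
"""

MEDIA_EVENTS = {"USB_INSERT", "CD_INSERT"}
WINDOW = timedelta(minutes=15)   # assumed: media soon after cabinet access
BUSINESS_HOURS = range(8, 18)    # assumed staffed hours, Mon-Fri


def off_hours(ts):
    """True at night or on weekends, when the alert says attacks cluster."""
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def parse(text):
    for line in text.splitlines():
        stamp, atm, event = line.split()
        yield datetime.fromisoformat(stamp), atm, event


def find_alerts(text):
    """Return (atm, time, severity, reason) for each suspicious media event."""
    last_open = {}   # ATM id -> time of most recent top-hat opening
    alerts = []
    for ts, atm, event in sorted(parse(text)):
        if event == "TOP_HAT_OPEN":
            last_open[atm] = ts
        elif event in MEDIA_EVENTS:
            opened = last_open.get(atm)
            after_open = opened is not None and ts - opened <= WINDOW
            if after_open and off_hours(ts):
                alerts.append((atm, ts, "critical", "media after top-hat open, off hours"))
            elif off_hours(ts):
                alerts.append((atm, ts, "high", "media inserted off hours"))
            elif after_open:
                alerts.append((atm, ts, "review", "media after top-hat open, confirm service visit"))
    return alerts


if __name__ == "__main__":
    print(*find_alerts(SAMPLE_EVENTS), sep="\n")
```

A top-hat opening with no media event (ATM-04 in the sample) raises nothing here; it is left to the alarm itself.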

Risk Prevention Resources

Access CUNA Mutual Group’s Protection Resource Center at for exclusive risk and compliance resources to assist with your loss control. The Protection Resource Center requires a User ID and password. To learn more, check out the ATM Inspection Checklist.