ATM hacking becomes a priority in IBM cybersecurity facilities

As jackpotting becomes an increasingly frustrating problem for banks, IBM has stepped in to find a solution.
Written by Charlie Osborne, Contributing Writer

ATMs provide quick access to your cash -- but these days, it may not be your hands that money ends up in.

Best practice in many cities is now to perform a quick check before you insert your credit card into one of these machines in case a camera or skimmer is in operation.

Cameras can record PINs if your hand is not covering the keypad, and skimmers can exfiltrate basic card data; together, these give cybercriminals the means to clone your card and conduct fraud.

No matter how careful you may be, sometimes, it just isn't enough.

However, it is not just consumers that are at risk of losing funds due to the compromise of ATMs -- financial institutions often have to take the brunt, and in some cases, the ATM itself, rather than an individual's account balance, is targeted.

Jackpotting, also known as a black box attack, is when an ATM is physically targeted. Drilling into or otherwise damaging the front of these machines can open the way for criminals to access the network and system within.

ATMs, of which there are roughly 300 million in operation worldwide, are often far behind in patch cycles and may also run antiquated and obsolete operating systems, which makes them easy to compromise through a simple network patch link or a USB key laden with malware.

Logic attacks and malware, including Ploutus.D, are used by criminals to drain ATMs.

Once a threat actor has established a connection and exploited the system, an ATM can be forced to spew out cash uncontrollably. To make things worse, these systems are sometimes compromised and then remotely controlled later, when cash mules are waiting to grab the proceeds.

From Mexico to the US, jackpotting is a serious problem and a costly one for banks.

In order to try and tackle the issue, IBM Security has launched X-Force Red Labs, a set of four facilities to test and improve the security of devices including ATMs.

At the Black Hat conference in Las Vegas on Monday, IBM said the facilities will be based in Austin, TX; Hursley, England; Melbourne, Australia; and Atlanta, GA, and include a dedicated ATM testing practice "in response to increased demand for securing financial transaction systems."

The facilities are due to open this year.

The centers will be operated by IBM's X-Force Red cybersecurity and penetration testing team, which has experienced a 300 percent increase in ATM testing requests since 2017.

"Many financial organizations are also still running dated operating systems on these devices that they cannot adequately patch to harden the machine," IBM says. "By identifying vulnerabilities in these machines in advance, before a criminal gains access, financial institutions can address and prevent future compromise."

The team will evaluate the physical protections of ATMs, networks, and computer system security, hacking into ATMs in order to uncover security holes and vulnerabilities before threat actors on the street do.

In addition, X-Force Red will offer recommendations to improve ATM security and to ensure compliance with financial standards such as the Payment Card Industry Data Security Standard (PCI DSS).

Alongside ATMs, both consumer and industrial technologies and automotive equipment will be tested.

"IBM X-Force Red has one mission - hack anything to secure everything," said Charles Henderson, Global Managing Partner of IBM X-Force Red. "Whether it's the newest smartphone that hasn't been released, an Internet-connected refrigerator or a new ATM, we have the capability to test, identify, and help our clients remediate vulnerabilities before the bad guys can exploit them."
