Jackpot! How Banks Can Prevent ATM Attacks 

So-called ATM jackpotting attacks are on the upswing, and smaller banks are particularly susceptible to losing money to these crimes. 

In February, police in Florence, South Carolina, extradited a New York man for allegedly stealing almost $100,000 in an ATM jackpotting attack on Oct. 9, 2024. In early March, U.S. attorneys in Buffalo, New York, charged two men with bank theft and conspiracy to commit bank theft for stealing nearly $300,000 across several ATM jackpotting attacks in October and November 2024, according to a news release. The targets in the attacks were small banks and credit unions.

ATM jackpotting schemes “are typically being done by organized crime groups,” says David Tente, executive director, USA and Americas with the ATM Industry Association. “It’s not the kind of attack you would see from the novice who wakes up and decides to steal an ATM.” 

Jackpotting manipulates a machine’s cash dispenser so it discharges all the money inside the ATM. A thief typically uses a standardized master key, easily purchased online, to open the ATM. They then install an infected hard drive or malware that allows a hacker to take control of the machine and withdraw all its cash, unconnected to any bank account. A jackpotting attack is usually discovered well after the fact, when someone at the bank reviews security footage from the ATM in question, says Alex Martirosyan, lead penetration tester in the IT assurance services group at Wolf & Co.

The U.S. Secret Service alerted banks nationwide to an uptick in ATM jackpotting attacks in mid-2024, per the ATM Industry Association. The first of these attacks hit the U.S. in January 2018, according to Krebs on Security.

It’s hard to estimate a typical loss from a jackpotting attack because it depends on how much cash is left in a machine when it’s targeted, sources say. One jackpotting scheme that affected multiple institutions in Upstate New York in December 2023 netted the purported thieves around $400,000 across four separate attacks, according to the U.S. Attorney’s Office for the Northern District of New York. In another case from 2023, two men charged in a jackpotting scheme allegedly stole more than $2.6 million from banks and credit unions in several states, according to the Department of Justice.

Community banks and credit unions can be particularly susceptible to ATM jackpotting attacks. Smaller institutions would be more likely to use a standardized ATM model that could be easily opened by a key obtained online. While most larger banks buy and operate their own ATMs, community banks are more likely to outsource ATM servicing to a third party, which introduces another risk vector. ATMs usually run on a Windows-based operating system, creating another vulnerability if that system isn’t patched and updated regularly, Martirosyan says. Tente recommends encrypting the ATM’s hard drive so it won’t recognize any other motherboards.

Information sharing can be a powerful tool. Talking with other financial institutions could help bank leaders understand whether a particular model of ATM has been vulnerable recently, or if a jackpotting ring has been operating in a bank’s markets. Organizations such as the ATM Industry Association and FS-ISAC provide data about ATM-related crime to their members.

ATM security should be part of a broader conversation about risk management and fraud. Management should report to the board, on a quarterly basis, about successful and unsuccessful fraud attempts on the bank, including the cost and root causes of each type of scam. Specific to ATM attacks, banks could regularly audit who has access to its ATMs, says Tente. Third-party risk management should also include a review of vendors that might touch a bank’s ATMs at one point or another in its life cycle.

Directors can ask about the validation and testing of the controls the bank has in place for its ATMs. Boards could also question whether the machines’ operating systems are promptly patched and updated, and inquire about the effectiveness of alarm systems for the bank’s machines.

“Until [boards] recognize that it is an issue, they are somewhat late in terms of actually validating or putting in the controls that need to be implemented,” Martirosyan says. “Until it happens to you, you don’t realize that these types of gaps and exposures exist.”