ATM Thieves Hit the Jackpot
(Bloomberg Businessweek) -- The cops watched as the car drove back and forth in front of the bank. It was early evening on Feb. 25 in Sandy, Utah, and FBI agents had been following the two people inside since they landed in Salt Lake City two days before. Law enforcement officials believed they were part of an organized crime ring responsible for more than 100 recent attacks on ATMs nationwide. When one of the men exited the car and began to approach the bank, the agents went to work, arresting the would-be bank robber just as the machine began spewing out cash.
The ATM-busting technique, known as jackpotting, has been around for almost a decade, and was already widespread in Europe, Latin America, and Asia by the time criminals began using it in the U.S. just a little more than a year ago. It’s not that American criminals were stupider or less savvy than their global counterparts—rather, America’s ATMs were. Until very recently, American debit cards relied on magnetic stripes to store payment information. Scammers could simply buy a fake card reader for a few dollars on the dark web, attach it over the real card reader, and skim the card and PIN numbers of anyone who swiped. The rest of the world relies on the chip-and-PIN system of credit card verification—officially called EMV after the three companies that developed it: Europay, Mastercard, and Visa—which makes the cards more difficult to duplicate.
ATM jackpotting is both riskier and more complicated than card-skimming. For starters, scammers have to hack into the computer that governs the cash dispenser, which usually involves physically breaking into the machine itself; once they’re in, they install malware that tells the ATM to release all of its cash, just like a jackpot at a slot machine. These obstacles make the process take quite a bit longer than installing a card skimmer, so jackpotters spend more time in front of the ATM’s security cameras and trigger an alarm in the bank’s control center at every step. But as chip-and-PIN becomes the standard in the U.S., would-be ATM thieves are running out of other options.
“In the U.S. we’re just now converting over to EMV technology,” says Matthew O’Neill, a special agent at the Secret Service. “It’s much more difficult to steal data from the chip,” which encrypts the user’s payment information, making duplication almost impossible.
The Secret Service may be best known as the president’s security staff, but it was originally established to crack down on counterfeiting. It was the Secret Service’s financial crimes division that spotted the series of attacks on multiple locations of the same bank in Florida in December and January, and put out a bulletin to financial institutions, law enforcement, and the public about the new style of ATM theft. The two major global ATM manufacturers, Diebold Nixdorf and NCR, also alerted the public and issued security patches within a few days. Banks started monitoring their ATMs around the clock. Less than 24 hours after the Secret Service’s public alert, Citizens Financial Group, a regional bank with branches all over the northeast, notified the local police that its security folks noticed one of its ATMs go off line. The police contacted the Secret Service, which made its first arrest on the scene.
The Secret Service eventually traced the string of attacks back to a May 2017 incident at an ATM in southern California committed by a group that appeared to originate in Venezuela. Over time, the group’s membership swelled to include Americans who seemed to be recruited on an ad hoc basis, although there’s no knowing for sure: Whoever is leading it has used untraceable IP addresses to conceal the source of its communications. Why a Venezuelan crime ring decided to target the U.S. is similarly unclear.
By January of this year, the group had managed to steal about $4 million in 125 attacks, O’Neill says. Deseret Credit Union, which has 11 branches all near Salt Lake City, was in the midst of implementing new security measures when cops traced members of the group to the location in Sandy. Deseret had already added alarms on the machine’s computer, says CEO Shane London, and contracted a monitoring service to watch for alerts 24/7. Even if the FBI hadn’t been trailing the people who tried to rob Deseret, the attackers wouldn’t have gotten far, London says. The string of attacks has united Utah’s community banks and credit unions in an effort to guard against such technological crimes. “We’re all talking to each other, sharing information,” London says. “With all these cyber threats nowadays, including attacks on customer data, we need all the collaboration we can have.”
After the raid in Sandy, the flow of attacks slowed to a trickle. Still, the Secret Service doesn’t expect ATM jackpotting will go away for good in the U.S. Different versions of the malware are still readily available, and given the method’s global prevalence, it’s only a matter of time before someone else decides to make a go of it. “Now that it’s here, even if we arrest everybody in this group,” O’Neill says, “it’s naive to think it will be over.”
©2018 Bloomberg L.P.