Tech

Slots — Coming to an ATM near you

ATMs are a funny thing. Still heavily used, but slowly winding down as payments by card and mobile win over hard cash. For hackers, however, they are still prime targets.

First off, skimming. If you haven’t heard of skimming, this is one of the more common attacks against ATMs that you should be aware of. Generally speaking, this involves two pieces:

  1. A small camera setup to catch you entering your pin number
  2. An additional faceplate that is placed over the card reader that reads your card as you slide it in, such as the one below, available for purchase on many websites.
This one is for the larger readers, but every shape, size, and color exist for the right situation

What do you do about skimming? Be vigilant. Give the card reader a tug to see if it comes off easily (but don’t break the machine), check around the PIN pad for pinhole cameras (no pun intended), and cover your PIN entry as best you can. Skimmers are getting more and more complex, but vigilance will keep you safe from the vast majority of them.

ATMs can get viruses, too

More technical hackers have been increasingly leveraging malware directly — they will infect the ATM via vulnerabilities or by bypassing security controls, assuming there are any. Many ATMs still run Windows XP if that gives you any indication of how vulnerable these things are. Again, this plays into why we suck at cyber security; failing to upgrade, patch, or simply consider how bad guys might try to attack the systems being developed leaves systems such as these ripe for fledgling hackers.

For malware designed to empty the ATM, industry researchers have adopted the term “jackpotting”, an appropriate play on the purpose of the malware. The goal? What else, but money. Infect the ATMs and withdraw the cash before getting caught. One particular group, however, spent a bit of extra time to have some fun with their program.

WinPot malware

This particular malware plays off of the jackpotting term and displays the interface as if it were a slot machine. The malware determines how many bills are in each cassette in the ATM and, in theory, dispenses a random amount of bills from each cassette when the SPIN button is pressed.


This is really for the hackers’ entertainment, however; don’t count on being lucky enough to walk up to a slot-machine-ATM. You can buy the malware for your own uses for between $500 and $1000, though I wouldn’t recommend it, unless the idea of prison sounds attractive.

Featured image courtesy of Pixabay

Please Login to comment
avatar
  Subscribe  
newest oldest most voted
Notify of
susanh
Member
susanh

Thanks, Alex. This is so informative. And interesting!

Miche
Member
Miche

Haha, I love that there’s a legit market for malware, with competitive prices. Capitalist underground. I don’t think I’ve used an ATM (or gone to the bank at all….) more than about once a year since I’ve been able to deposit checks remotely using my smart phone. But it was a regular part of life back in the 1990s, when I pretty much withdrew cash for everything from putting gas in the car to buying groceries. I don’t even know what it’s like to carry cash around anymore, except when I travel out of the country. (Much to the consternation… Read more »

homanj1
Member

Michelle-I work in a bank. We are gradually phasing out driveup windows, teller lines, and employees. Of course that results in less personal service as people do more on line. Our ATM’s don’t seem to get skimmed. But daily I see folks that have been compromised on line. Or scammed. Or lost their personal information via stored credit card numbers on a retailer’s site or credit bureau database. I do the same as you. But it seems that lately I’m favoring cash when possible.

Miche
Member
Miche

I’m trying to figure out if I can ever favor cash again. It seems like so much work now. But you’re right about being compromised online…THAT’s becoming more work to avoid, too. Maybe there will be a tipping point. And I appreciate the great customer service I get from my credit union, in person or over the phone or online, on the rare occasions I need them. Hopefully that doesn’t get lost as we keep adapting to new technology… but then, we’ve probably lost a lot of things.

homanj1
Member
homanj1

We have ATMs where a teller comes up on a screen and has a conversation with the user. Every transaction that can be done inside except applying for a loan can be done. We have another type of ATM that allows certain transactions and policies that opened it up for fraud. That has happened prior to a fix. And finally, we have the old kind targeted by skimmers. I have a member service person right outside my office door, so it’s easy to work with cash.

Mic-Mac
Member
Mic-Mac

Good advice Alex. This past summer there were a bunch of ATM’s in our area that were found with skimmers. They were at gas/c-stores, all owned by the same owner. Didn’t take LE long to figure out that it was an employee that worked at a couple of the locations. Damn, there are just so many ways to get hacked these days. I have an elderly friend that withdrew $100 from an ATM. (paid in $20’s) From a LIGIT bank. She went to a local store, made a purchase and the alarms went off and she got locked inside. Yep!… Read more »

Joni Smith
Guest
Joni Smith

I do use the bank ATM on occasion to get cash or make deposits. I don’t carry a lot of cash but there are a few places I just prefer to pay cash. I think it’s prudent to have a little bit of cash on hand and maybe stashed in a secret place in your house just in case. When I do use ATM or any card scanner, I always pull on the scanner. I try to cover my hand entering the pin especially at gas stations. There are so many ways you can get scammed these days. If all… Read more »

Mason
Member
Mason

lol, I love the old Win 3.11 WFW GUI.

%d bloggers like this: