Surge in ATM jackpotting incidents prompts renewed security urgency

Financial institutions across North Carolina are once again on high alert following a resurgence of ATM "jackpotting" attacks, where criminals manipulate machines to dispense large sums of cash. The North Carolina Bankers Association (NCBA) recently issued a renewed warning after a spike in incidents targeting standalone ATMs in the Piedmont region.

While the recent surge in ATM jackpotting incidents is currently concentrated in North Carolina, we believe it's critical to alert financial institutions nationwide. Criminals are moving fast, adapting quickly, and leveraging new technologies to strike wherever vulnerabilities exist.

What Is ATM Jackpotting?

Jackpotting is a form of cyber-physical crime in which attackers gain unauthorized access to an ATM’s internal systems and force it to dispense cash on command. These attacks are typically carried out by organized criminal groups using advanced tools and techniques, such as:

• Malware Installation: Criminals breach the ATM’s upper enclosure (commonly called the “top hat”) to install malicious software that overrides normal operations.
• Black Box Attacks: A rogue device is connected directly to the ATM’s internal components, issuing unauthorized commands to release cash.
• Man-in-the-Middle Intrusions: Attackers intercept communications between the ATM and its host network, impersonating legitimate transaction approvals.

Recent cases have involved the use of master keys, often sold on the dark web, to access older ATM models still equipped with factory-installed locks. The attacks frequently occur during weekends or overnight hours when surveillance and staffing are minimal. Perpetrators often wear masks and gloves to avoid identification.

A Growing National and Global Threat

ATM fraud is not limited to North Carolina. It is part of a broader trend of escalating ATM-related fraud across the U.S. and globally:

• According to the Federal Trade Commission (FTC), U.S. consumers lost an estimated $8.7 billion to fraud in the first three quarters of 2024. While this includes various types of fraud, ATM-related incidents are a growing contributor.
• Over 230,000 debit cards were compromised due to skimming and related attacks in 2024.
• ATM skimming incidents rose by more than 50% year-over-year in states including Virginia, Texas, New Jersey, Florida, and Colorado.
• The U.S. Secret Service has reported that jackpotting attacks have been traced to international crime syndicates, including operations linked to Eastern Europe and Southeast Asia.

Globally, ATM jackpotting has been a concern since at least 2010, when the first known attacks were reported in Europe. The U.S. saw its first confirmed cases in 2018, and the threat has steadily grown with the proliferation of off-the-shelf hacking tools and insider knowledge.

Recommended Security Measures

In response to the growing threat, the NCBA and cybersecurity experts recommend that financial institutions implement the following best practices:

• Encrypt ATM hard drives and network communications.
• Update operating systems and firmware.
• Upgrade physical locks and alarm systems.
• Implement software whitelisting.
• Disable unused ports and debug modes.
• Train staff to recognize impersonators.
• Evaluate surveillance and lighting at ATM locations.
• Conduct regular penetration testing.
• Perform daily tampering inspections, including checks for the presence of skimming devices, overlay keypads, foreign objects in car or cash slots, concealed cameras, and signs of forced or unauthorized entry.

Strategic Response and Risk Management

ATM jackpotting is a fast-moving and high-impact threat that can drain multiple machines in a matter of hours. Financial institutions, especially those operating older or standalone ATMs, should work closely with ATM vendors, cybersecurity consultants, and law enforcement to strengthen defenses. Best practices include:

• Reviewing insurance policies to verify coverage for cyber-physical attacks.
• Auditing vendor contracts for incident response and liability provisions.
• Participating in information sharing networks to stay informed on emerging threats.

Potential Outsourced Internal Audits

To reduce the risk of ATM jackpotting and related frauds, internal audits should be comprehensive and tailored to detect both technical and procedural vulnerabilities. These may include:

• IT Security Audit: Focuses on the security of ATM software, hardware, and network infrastructure.
• Physical Security Audit: Evaluates whether ATMs are physically secure against tampering.
• Transaction Monitoring Audit: Analyzes ATM transaction logs for anomalies.
• Vendor and Third-Party Audit: Assesses the security practices of ATM service providers and software vendors.
• Regulatory Compliance Audit: Evaluates adherence to regulatory standards and internal policies.
• Change Management Audit: Reviews how changes to ATM systems are managed.
• Incident Response Audit: Evaluates preparedness and response to ATM-related incidents.

We Can Help

As ATM jackpotting techniques become more sophisticated and accessible, financial institutions should treat ATM security as a constantly shifting challenge that demands vigilance, investment, and collaboration across banking and cybersecurity.

Elliott Davis offers a full suite of audit and advisory services tailored to the financial sector, including:

• Independent IT and physical security audits
• Vendor risk assessments
• Compliance and regulatory reviews
• Incident response readiness evaluations
• Customized internal audits focused on ATM and branch operations

Our team works closely with banks and credit unions to identify vulnerabilities, strengthen controls, and support a proactive security posture. If your institution is looking to assess its current defenses or prepare for future threats, contact us today.

The information provided in this communication is of a general nature and should not be considered professional advice.  You should not act upon the information provided without obtaining specific professional advice.  The information above is subject to change.