Three Claims a Week: Fraudsters Target ATM Weak Spots

Three Claims a Week: Fraudsters Target ATM Weak Spots

ATM jackpotting targets the ATM’s upper enclosure and internal PC, not just the cash safe. Credit unions face rising losses as criminals use master keys, malware, and black-box tools. This article explains why attacks are accelerating and provides a practical checklist to harden machines, reduce losses, and limit service disruption.

Originally posted on CUToday.info

 

Imagine a late-night drive-up ATM kiosk at one of your branches. Within minutes, a well-coordinated crew uses a master key, hacks into the machine’s internal PC, and forces it to spew tens of thousands of dollars in cash, all without a card swipe, PIN, or suspicious account transaction.

For many credit unions, that scenario still feels abstract or “someone else’s problem.” The truth is: it’s creeping into the daylight, and credit unions that treat this threat as theoretical may soon wake up facing a six-figure loss and member-service disruption on their watch, Allied Solutions warns.

Joette Colletts

According to Colletts, many institutions historically focus on protecting the ATM cash chest, the “vault” portion of the machine, yet overlook the upper-hood enclosure—the computer, firmware, communication hardware. That is the very access point criminals use for jackpotting.

She notes three recurring oversights:

  • The use of factory-installed or universal keys on the top enclosure. These “master keys” are so generic in some older ATM models that they can be purchased online.
  • Failure to alarm the hood. Branches typically alarm the money safe, but criminals bypass that by targeting the upper enclosure.
  • Not encrypting the hard drive and communication inside the ATM PC, making them vulnerable once physically accessed.

In short: even well-intentioned credit unions may assume their ATMs are “secure enough” if the cash safe is locked, but jackpotting does not operate by breaking into the safe; it operates by commandeering the computer system to make the machine dispense the cash. Colletts emphasizes that size doesn’t matter—they have seen up to three claims per week at Allied Solutions involving jackpotting.

 

The Growing Threat: Statistics Speak Loudly
  • According to the ATM Industry Association (ATMIA), U.S. ATM crime incidents increased roughly 600% from 2019 to 2022, with a 165% year-over-year rise from 2021 to 2022.
  • In a December 2024 ATMIA summary, the United States Secret Service reportedly tracked “about 200 attacks” in one year with losses of around $6 million, and already over 300 attacks as of early the next year.
  • A blog by the American Bankers Association Insurance Services states that jackpotting attacks have been “rampant since 2018 and are showing no signs of letting up.”
  • A white-paper style summary from Sepio claims as many as 69% of ATMs worldwide are vulnerable to “black-box” type jackpotting attacks.

 

These numbers may understate the true risk to credit unions because many jackpotting attempts aren’t publicly disclosed by institutions seeking to avoid reputational damage, analysts have stated.

 

Why the Risk Is Accelerating Now

Several factors are converging:

  • Older ATM machines with legacy enclosures and standard locks are widespread in the credit-union market. Colletts said gangs see the “weakest link,” and once they succeed at one branch, they often hit additional branches of the same institution.
  • The tools of the trade (universal keys, malware kits, black-box attachments) have become commoditized and are sold or circulated in underground markets, lowering the barrier for organized crime.
  • Remote-trigger capability: once inside the machine, hackers can send commands (via cell phone or laptop) to force the ATM to dispense until its cassettes are empty, sometimes without a human standing in front of the ATM machine, according to the Federal Reserve Bank of Atlanta.
  • Credit unions may be slower than large banks to refresh ATM hardware or enforce patching, encryption, and whitelisting of ATM PC systems—especially where outsourcing is common. A Bank Director article notes smaller institutions and credit unions are “particularly susceptible” to jackpotting.

 

What Credit Unions Should Do — Practical Steps

Colletts stressed that CUs do the following: secure the hood; encrypt all drives and communications; enforce software whitelisting; audit vendor controls. Here’s a practical checklist:

  1. Lock replacement and enclosure alarm
    • Change factory or universal keys on the ATM top enclosure (often referred to as the “hood” or upper cabinet).
    • Install audible and visual alarms (flashing lights, sirens) on the hood so tampering triggers immediate deterrence and signals law enforcement.
    • Consider physical barriers or access controls around the enclosure for drive-up or unattended kiosks.
  2. Encrypt the ATM PC
    • Hard drives in the ATM PC must be encrypted so that malware or rogue drives cannot be loaded or activated.
    • Communications between the ATM terminal and host server must use TLS 1.2 (or higher) to block interception or injection of commands.
  3. Software whitelisting and change default credentials
    • Default passwords on ATM vendor machines must be changed. Colletts noted some credit unions still use vendor-default passwords.
    • Whitelisting ensures only approved software and processes run on the ATM PC, blocking malware launch.
    • Disable unused ports and debug modes.
  4. Vendor/third-party risk management and regular audits
    • Review vendor contracts for patching obligations, firmware updates, and incident response.
    • Schedule periodic physical inspections of ATMs (especially overnight or low-traffic hours) to check for tampering, master-key access, or added devices.
    • Include board-level reporting: number of tamper attempts, security gaps identified, branch audit results.
  5. Insurance and incident preparation
    • Confirm your credit union’s coverage includes “logical” ATM attacks (not just physical vault breaches).
    • Maintain partnership with your alarm vendor and ATM vendor to ensure incident logs, surveillance footage, and forensics are preserved and accessible.

 

How Allied Solutions Is Supporting Credit Unions

Allied Solutions, a full-service insurance, risk-management, and vendor-program partner for credit unions, is emphasizing this risk. Colletts reports that Allied is already handling as many as three claims per week where jackpotting is the root cause. That volume underscores the reality: this threat is not “theoretical,” it’s real, and it’s happening to institutions of all sizes, she said.

The threat has evolved: it’s now about malware, black boxes, universal keys, and remote command of machines. Organized crime is targeting the weaker FIs, Colletts said. “They’re chasing vulnerabilities, and no size of credit union makes you immune,” she said.