ATM Jackpotting & Cyber Threats: Protecting Your FI

ATM jackpotting attacks have evolved significantly — and the most dangerous current variant doesn't require a crowbar, malware, or physical access to the machine's computer. In this episode of the Bank Customer Experience Podcast, Cook Solutions Group's Michael Strange and Levi Daily walk through the two most active ATM cyber threat categories CSG is tracking, why organized crime groups are increasingly targeting service providers rather than individual machines, and the layered defense approach every financial institution should have in place.

What Is an RMS Attack and Why Is It the Biggest ATM Threat Right Now?

The most significant and fast-growing ATM threat CSG is currently tracking is the Remote Management Software (RMS) attack. Rather than targeting an individual ATM directly, attackers compromise the remote management server that has access to an institution's — or a service provider's — entire ATM fleet.

Here's how it works: manufacturers and service providers install legitimate remote management software on ATMs for remote diagnostics and configuration. An attacker who gains access to the RMS server can use that manufacturer-trusted software to reconfigure ATMs remotely: turning off TLS 1.2 encryption on the host connection (with TLS on, a rogue host would have to pass the ATM's certificate checks) and pointing the host IP address at a server the attacker controls. The ATM then believes it is communicating with its legitimate host but is actually communicating with the attacker's server, which approves transactions for any dollar amount on any account, and the machine dispenses cash.

Because this attack uses legitimate manufacturer software — not malware or a virus — it bypasses many local protections on the ATM itself. It is what Michael Strange describes as a "man in the middle" attack, and it is particularly dangerous because it can target service providers with remote access to thousands of machines simultaneously.

The implications for financial institutions are significant: your ATM security posture is not just about what's on your machines — it's about the security posture of every service provider that has remote access to them. Asking providers about their SOC audits, multi-factor authentication, and log monitoring practices is not just reasonable — it's necessary.

The Geography of ATM Jackpotting: Organized Crime on the Move

ATM jackpotting is not a random or opportunistic crime. The groups conducting these attacks are organized criminal enterprises — domestic and international — operating as businesses. They are methodical, well-funded, and move strategically.

CSG has tracked attack patterns moving from south to north along major interstate corridors. Recent concentrations have been in Georgia and Texas, with activity spreading northward and appearing in Oregon and the broader Pacific Northwest. When arrests occur in one area, groups relocate and resume operations elsewhere. Understanding this pattern helps institutions assess their own geographic risk and prioritize preventive investment accordingly.

A Layered Defense Approach to ATM and ITM Security

No single protection stops every attack. The goal is to make your machines the ones attackers choose to skip — by stacking enough layers that the effort-to-reward calculation stops working in their favor. CSG recommends evaluating the following layers:

Server and Network Security

For institutions or service providers running their own RMS servers, cybersecurity fundamentals apply with urgency: multi-factor authentication on all remote access, active log monitoring, access controls limiting who can reach the server, and regular security audits. Spinning up a server in Azure or AWS is not sufficient protection on its own — the configurations surrounding that server matter just as much as the platform it runs on.

Network Segmentation at the Branch

ATMs should not share a network with general workstations, servers, or other IT devices. An air gap or properly configured firewall between the ATM network and the production network prevents a compromised workstation from becoming a pathway to ATM systems. Ethernet cable security matters too — a vestibule ATM plugged into a wall jack three feet away from the machine is an accessible network entry point that should be secured or eliminated.

Hard Drive Encryption

Hard drive encryption directly counters hard drive attacks and configuration injection performed against the drive at rest. If attackers remove the hard drive or attempt to inject software or altered configuration at the drive level, encryption prevents them from reading or writing to it. It also protects sensitive data stored on the machine, such as electronic journal records, check images and account numbers, in the event the computer is extracted. One caveat: encryption at rest does not by itself block a change made through an authorized management channel while the ATM is running with the drive unlocked, which is why it belongs alongside configuration monitoring rather than in place of it.

Top Hat Physical Security

The computer that drives an ATM lives in the top hat — not in the UL-rated safe. Most ATMs have no factory alarm contacts on the top hat door. Adding a top hat alarm contact means that physical access to the computer triggers an immediate alert, significantly hampering hard drive attacks and local jackpotting attempts. Changing top hat keys — a simple, low-cost step — reduces the risk of attackers using universal or copied keys to gain access undetected.

Bollards and Physical Deterrents

Physical barriers including bollards, security gates, and reinforced mounting plates reduce the effectiveness of hook and chain attacks and vehicle ramming. Many ATM manufacturers have bolstered their mounting plate designs in response to the increase in physical attacks. These physical layers work in combination with cyber protections — a machine that is difficult to steal and difficult to compromise electronically is a machine attackers will pass over.

CSG-Specific Solutions: Going Beyond the Basics

Beyond the standard layered approach, CSG has developed specific solutions that directly address the RMS and hard drive attack vectors:

ATM Configuration Monitoring — Leveraging CSG's RemoteView platform, this service monitors ATM configurations continuously and alerts CSG's operations team if a configuration changes to an unrecognized IP address or if critical security settings — such as TLS 1.2 — are toggled off. Because CSG has a national footprint and a comprehensive list of known host IPs, anomalous configuration changes are detectable immediately rather than days or weeks after the fact.
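The two settings an RMS-style attack changes, the host address and the TLS state, are exactly what a configuration monitor has to watch. The following Python is an added example written for this article, not CSG's RemoteView product or any manufacturer's management software; the config record fields, the allowlisted host ranges, the account names and the sample fleet snapshot are all constructed for illustration. It compares each ATM's read-back configuration against a stored baseline and a known-host allowlist and returns the alerts a monitoring team would triage.

```python
"""ATM configuration drift detection (illustrative, not RemoteView)."""
import ipaddress
from dataclasses import dataclass

# Constructed allowlist of the institution's known transaction host
# endpoints. In practice this comes from the processor/host inventory.
KNOWN_HOST_NETWORKS = (
    ipaddress.ip_network("10.40.0.0/24"),    # example: primary host range
    ipaddress.ip_network("10.41.0.10/32"),   # example: backup host
)


@dataclass(frozen=True)
class AtmConfig:
    """Subset of an ATM's host configuration as read back from the machine."""
    atm_id: str
    host_ip: str
    host_port: int
    tls_enabled: bool
    tls_min_version: str  # e.g. "1.2"
    changed_by: str       # management account that last wrote the config


def _parse_version(v: str) -> tuple[int, ...]:
    return tuple(int(p) for p in v.split("."))


def host_is_known(ip: str) -> bool:
    """True if the host address falls inside an allowlisted range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_HOST_NETWORKS)


def check_config(current: AtmConfig, baseline: AtmConfig) -> list[str]:
    """Return alert strings for the settings an RMS-style attack would change.

    Two independent host checks are applied on purpose: an address outside
    the allowlist is always an alert, and any change from the stored baseline
    is an alert even when the new address is itself allowlisted, so that a
    redirect to a known but unexpected endpoint still produces a ticket.
    """
    alerts: list[str] = []
    if not host_is_known(current.host_ip):
        alerts.append(f"{current.atm_id}: host {current.host_ip} is not a known host "
                      f"(changed by {current.changed_by})")
    if (current.host_ip, current.host_port) != (baseline.host_ip, baseline.host_port):
        alerts.append(f"{current.atm_id}: host endpoint changed "
                      f"{baseline.host_ip}:{baseline.host_port} -> "
                      f"{current.host_ip}:{current.host_port}")
    if not current.tls_enabled:
        alerts.append(f"{current.atm_id}: TLS to host disabled")
    elif _parse_version(current.tls_min_version) < (1, 2):
        alerts.append(f"{current.atm_id}: TLS minimum version "
                      f"{current.tls_min_version} below 1.2")
    return alerts


def scan_fleet(current: list[AtmConfig],
               baselines: dict[str, AtmConfig]) -> dict[str, list[str]]:
    """Check every reported config against its baseline; unknown ATMs alert too."""
    findings: dict[str, list[str]] = {}
    for cfg in current:
        base = baselines.get(cfg.atm_id)
        if base is None:
            findings[cfg.atm_id] = [f"{cfg.atm_id}: no baseline on record"]
            continue
        alerts = check_config(cfg, base)
        if alerts:
            findings[cfg.atm_id] = alerts
    return findings


# Constructed sample data: a baseline snapshot and a later read-back in which
# one machine has been redirected with TLS turned off, the RMS-attack pattern.
BASELINES = {
    "ATM-0101": AtmConfig("ATM-0101", "10.40.0.25", 443, True, "1.2", "svc_rms"),
    "ATM-0102": AtmConfig("ATM-0102", "10.40.0.25", 443, True, "1.2", "svc_rms"),
}
CURRENT = [
    AtmConfig("ATM-0101", "10.40.0.25", 443, True, "1.2", "svc_rms"),      # unchanged
    AtmConfig("ATM-0102", "203.0.113.77", 8443, False, "1.2", "svc_rms"),  # redirected
]

if __name__ == "__main__":
    for atm_id, alerts in scan_fleet(CURRENT, BASELINES).items():
        for line in alerts:
            print("ALERT", line)
```

One design point the code makes explicit: the read-back of each ATM's configuration should come through a channel that does not depend solely on the RMS server under suspicion, and the baseline should be stored where that server cannot rewrite it, otherwise an attacker who owns the RMS can change the setting and the record of it in one step.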

Suspicious Activity Notification (SAN) — This solution approaches the skimmer installation problem from the behavioral side rather than relying solely on hardware-based skimmer detection. Smart camera analytics evaluate the behavior of the person in front of the ATM and cross-reference it with concurrent transaction data to flag anomalous activity for human review. CSG has identified dozens of skimmer devices that bypassed manufacturer anti-skimming hardware — including deep insert skimmers that passed passive plates — but were caught by the behavioral analytics layer.

The Bottom Line: ATMs Are IT Devices

One of the most practical points in this conversation is the framing Levi Daily offers at the close: ATMs have historically been managed as a separate channel, distinct from the institution's broader IT infrastructure. That separation is no longer defensible. An ATM is a Windows computer connected to a safe with a significant amount of cash — and it should be treated with the same patching discipline, network security rigor, and access control standards applied to any other critical IT device in the institution.

Financial institutions whose IT departments are asking hard questions of their ATM service providers — about SOC audits, MFA, log monitoring, and remote access controls — are taking the right approach. CSG welcomes those conversations and can provide the documentation and transparency to back them up.
