The National ATM Council recently reported that the U.S. Secret Service and other law enforcement agencies have been responding to ATM jackpotting attacks targeting DMA (Direct Memory Access) of various ATM models and manufacturers by bypassing traditional security controls. This has resulted in significant financial loss and operational disruption, the association said.

The group shared a series of mitigation recommendations, which we’ll republish below.
Successful mitigation requires a multi-layered strategy and may include the following actions:
- Update and set strong BIOS passwords (never keep default passwords).
- Configure BIOS to disable unused ports or expansion slots that provide DMA access (PCIe, M.2, etc.).
- To mitigate unauthorized access for ATMs lacking BIOS or other firmware support, vulnerable ports may be physically shut with epoxy. A secondary option may be using tamper-proof seals on vulnerable ports. However, both methods may result in damage to the motherboard.
- Implement physical protection measures (to include protecting ports) and monitor physical access to ATMs.
- Implement additional software protections that monitor and block new hardware changes or that recognize that they may be bypassed if memory is compromised.
- Disable or physically secure unused expansion slots (network, Wi-Fi, video, etc.).
- Upgrade hardware to support Kernel DMA protection available in newer hardware and operating systems.
- Review logs for ATM power cycles, hardware changes, foreign device drivers, chained suspicious events, and cash discrepancies, which are key indicators of attack.
- Implement real-time monitoring to identify attacks in progress.
- Use Windows Group Policy to block unauthorized hardware changes.
- Use application and hardware whitelisting where possible.
- Employ advanced endpoint protection and sandboxing, as attackers may attempt to disable these tools.
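As an added illustration of the log-review and hardware-whitelisting items above (this is not part of the Council's guidance), the following Python check correlates an ATM power cycle with a hardware change or driver installation that follows it within a short window, and exempts devices on an approved-hardware list. The event IDs are the standard Windows Kernel-Power, EventLog, Kernel-PnP and UserPnp IDs; the `time|provider|id|message` record format and the device instance IDs are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Windows events that mark a power cycle / boot (System log).
POWER_CYCLE_IDS = {("Microsoft-Windows-Kernel-Power", 41),   # rebooted without clean shutdown
                   ("EventLog", 6005)}                       # Event Log service started (boot)
# Windows events that mark a hardware change or a new device driver.
HARDWARE_IDS = {("Microsoft-Windows-Kernel-PnP", 400),       # "Device <id> was configured."
                ("Microsoft-Windows-UserPnp", 20001)}        # driver installed for a device

DEVICE_RE = re.compile(r"Device (?:Instance ID )?(\S+?)(?: was|$)")

# Constructed sample records (not real ATM logs): time|provider|event id|message.
SAMPLE_EVENTS = [
    "2024-05-01T02:13:05|Microsoft-Windows-Kernel-Power|41|The system has rebooted without cleanly shutting down first.",
    "2024-05-01T02:13:30|EventLog|6005|The Event log service was started.",
    "2024-05-01T02:14:40|Microsoft-Windows-Kernel-PnP|400|Device PCI\\VEN_1234&DEV_ABCD\\EXAMPLE was configured.",
    "2024-05-01T02:14:42|Microsoft-Windows-UserPnp|20001|Driver Management concluded the process to install driver for Device Instance ID PCI\\VEN_1234&DEV_ABCD\\EXAMPLE",
    "2024-05-01T09:00:00|Microsoft-Windows-Kernel-PnP|400|Device USB\\VID_0000&PID_0000\\EXAMPLE2 was configured.",
]

def parse_event(line):
    """Split one record into (timestamp, provider, event id, message)."""
    time_s, provider, event_id, message = line.split("|", 3)
    return datetime.fromisoformat(time_s), provider, int(event_id), message

def find_suspicious_chains(lines, window=timedelta(minutes=15), allowlist=frozenset()):
    """Flag hardware-change events; rate them 'high' when they follow a power
    cycle within `window`, 'medium' otherwise. Allowlisted devices are skipped."""
    findings, last_cycle = [], None
    for when, provider, event_id, message in sorted(parse_event(l) for l in lines):
        if (provider, event_id) in POWER_CYCLE_IDS:
            last_cycle = when
        elif (provider, event_id) in HARDWARE_IDS:
            match = DEVICE_RE.search(message)
            device = match.group(1) if match else "<unknown>"
            if device in allowlist:
                continue
            chained = last_cycle is not None and when - last_cycle <= window
            findings.append({"time": when.isoformat(), "event_id": event_id,
                             "device": device, "severity": "high" if chained else "medium"})
    return findings

if __name__ == "__main__":
    for finding in find_suspicious_chains(SAMPLE_EVENTS):
        print(finding)
```

In a real deployment the records would come from an exported System / Kernel-PnP log rather than the inline list, and the allowlist would hold the ATM's approved device instance IDs.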