
RMS Jackpotting Attacks Continue! How can YOU protect your ATMs?

  • National ATM Council, Inc.
  • 21 hours ago

Ongoing RMS Jackpotting attacks against retail ATMs are continuing to take place in different parts of the country.

It is imperative for all U.S. ATM deployers who are using RMS on the ATM routes to TURN OFF YOUR RMS SYSTEM - unless and until you have loaded the LATEST ATM manufacturer software and confirmed the RMS system is fully safe and secure - in accordance with the following information and advisements.


In a continuing effort to address the most recent outbreak of RMS jackpotting cyberattacks against Independent ATM terminals in various states across the US, Hyosung and Genmega have recently updated their RMS Software to add additional protections and eliminate the option for remote modification of the Host IP Address (your processor’s platform) where the ATM terminal is supposed to be directed for its transaction processing/communications.


If you have not already done so, please obtain and download the new software versions ASAP into your RMS servers/ATM terminals. Although the new software is not a silver bullet or panacea, these latest modifications will help protect your route against RMS-based jackpotting and should be downloaded as promptly as possible.


Prior to downloading the new software, it is also of utmost importance to have an ATM/IT/Security specialist conduct a thorough “audit/review/cleanup” of your RMS servers, desktops, laptops, mobile phones, and ATM terminals to ensure there’s no hidden malware already present in any of these systems/devices. If you do not take this step first to identify any existing exposures and ensure everything is clean, your subsequent attempted fixes/updates may be ineffective.


As part of the “IT Security Audit”, it is especially important for you to have in place a robust and “Commercial Grade” Hardware-Based Firewall, behind which all your RMS Servers/CPUs and other sensitive ATM hardware/devices/systems reside and are protected.


 

More details!

To ensure the safety and security of your ATM route, you should take the following specific steps to protect yourself against the RMS based jackpotting attacks:


  1. It is recommended that a physical Commercial Grade Hardware-Based Firewall (a separate standalone "box") should use U.S.-branded chips only (no Huawei chips from China).


    Typically, a Commercial Grade Hardware-Based Firewall designed for small-medium sized businesses will cost in the range of $1-4K – not inexpensive – but absolutely necessary to operate RMS safely on your route – and well worth the investment to avoid a much larger dollar loss.

    Your Firewall configuration should only allow RMS traffic to/from your designated/approved ATMs’ static IP addresses and ideally not allow any other external connections to the RMS server(s). In addition, you should:

    • enable the software based firewall that is included in your Microsoft operating system on the Server(s)/CPU(s) running your RMS software(s). Please ensure all your Server(s)/CPU(s) are running the latest version of Windows WITH all the latest Microsoft security updates in place;

    • download and enable an additional software based firewall onto those Server(s)/CPU(s) running your RMS software(s); and

    • download and enable the Microsoft + additional software based firewalls on all your other relevant end point devices (phones/tablets, etc.).

    If you are required to utilize any remote access to your RMS Server(s), this should ONLY be done in conjunction with using a dedicated VPN connection and not using any open internet/wi-fi connection.

    If your operations require allowing multi-party access to your RMS system (i.e. – ISO & Affiliates) – this presents a significant security risk. In order to avoid this major potential exposure, such configurations will require immediate consultation with a qualified network security specialist regarding necessary use of VPNs, additional firewall(s), etc., in order to be safe.


  2. Updated passwords are recommended to be at least ten (10) (and preferably more) characters in length and use a random and not easily guessed mix of capitalized & lower case letters/numbers/symbols.

    Do not write these passwords down anywhere on/in/around your ATMs in the field – or record them anywhere else other than behind a password restricted Commercial Grade Firewall. Change them at least once a year or in the event of any compromise.


  3. Fully enable TLS communications between your ATMs and the applicable host processor(s) (check with your ATM & Modem providers for details on steps required). (Older software versions or inadvertent misconfigurations in loading the software may result in TLS being disabled or not working properly.)


  4. Work with a lock company to change the core lock from the manufacturer default to control fascia and cabinet access.


  5. Secure your communications boxes and routers, either inside the cabinet or in a controlled environment, so they are not visible or accessible to the general public.


  6. Check with your insurance agent on your current cybercrime coverage, if any, and what coverage(s) may be available to you in the marketplace.
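
One way to apply the host-firewall part of step 1 on a Windows RMS server, as an added example (not code from NAC, Hyosung or Genmega): it enables the Windows firewall, allows the RMS port only from the approved ATM static IPs, and lists any other inbound allow rule that still exposes that port. The port number, rule name and IP addresses are placeholders chosen for illustration.

```powershell
# Added example, run in an elevated PowerShell session on the RMS server.
# ASSUMPTIONS (not from the advisory): $RmsPort, $RuleName and the addresses
# in $AtmIps are placeholders. Use the listener port your RMS vendor documents
# and your own ATMs' static IPs.
$RmsPort  = 0                                               # PLACEHOLDER: set before running
$AtmIps   = @('192.0.2.10', '192.0.2.11', '198.51.100.25')  # constructed sample addresses
$RuleName = 'RMS inbound - approved ATMs only'              # hypothetical rule name

if ($RmsPort -lt 1 -or $RmsPort -gt 65535) { throw 'Set $RmsPort to your RMS listener port first.' }

# 1. Enable the Windows firewall on every profile; inbound traffic without an allow rule is dropped.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True -DefaultInboundAction Block

# 2. Recreate one allow rule scoped to the approved ATM addresses only.
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule
$allow = @{
    DisplayName = $RuleName; Direction = 'Inbound'; Action = 'Allow'; Profile = 'Any'
    Protocol    = 'TCP';     LocalPort = $RmsPort;  RemoteAddress = $AtmIps
}
New-NetFirewallRule @allow | Out-Null

# Returns $true when a rule's LocalPort entries ('Any', '8080', '8000-9000') include $Port.
function Test-PortCovered([string[]]$Entries, [int]$Port) {
    foreach ($e in $Entries) {
        if ($e -eq 'Any' -or $e -eq "$Port") { return $true }
        if ($e -match '^(\d+)-(\d+)$' -and $Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
    }
    return $false
}

# 3. Audit: any other enabled inbound allow rule that reaches the RMS port from an
#    address outside the approved list (including 'Any') needs review or removal.
$findings = foreach ($rule in Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow) {
    if ($rule.DisplayName -eq $RuleName) { continue }
    $port = $rule | Get-NetFirewallPortFilter
    $addr = $rule | Get-NetFirewallAddressFilter
    if ($port.Protocol -notin 'TCP', 'Any') { continue }
    if (-not (Test-PortCovered $port.LocalPort $RmsPort)) { continue }
    $extra = @($addr.RemoteAddress | Where-Object { $_ -notin $AtmIps })
    if ($extra.Count -gt 0) {
        [pscustomobject]@{ Rule = $rule.DisplayName; Port = ($port.LocalPort -join ','); UnapprovedRemote = ($extra -join ',') }
    }
}
$findings | Format-Table -AutoSize
```

This covers only the Windows software firewall; the hardware firewall in front of the RMS server should enforce the same ATM address allowlist.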


 

If your company does experience an RMS jackpotting attack, in addition to already having taken the above steps, it is imperative to immediately take the following additional remediation steps:

  • Suspend use of and disconnect your RMS Server(s).

  • Speak with your ISO/Manufacturer/Distributor to let them know what’s occurred and for advice on specific recommended remedial steps.

  • Have an IT/ATM “hacking” specialist check your server(s)/computers/software files to identify and remove any malware and restore a clean environment.

  • Speak with local law enforcement to report the specifics of the incident – being sure to use the term “RMS Jackpotting” in your written Police Report.

  • Speak with your closest local/regional US Secret Service and FBI offices – being sure to use the term “RMS Jackpotting” in your incident reports.

  • File an incident report with NAC’s new US SecureATM Database:

    https://secureatm.us/#report-incident

  • Contact your insurance agent to determine whether any insurance coverage(s) may be available.


If NAC can be of any other assistance on these vital matters, as always, please do not hesitate to reach out for assistance. However, given the highly technical and company-specific nature of the issues involved, if you do have specific equipment or software related questions, we encourage you to please contact your ISO / Manufacturer / Distributor directly for the most expeditious and effective advice and guidance.

Thank You for Your Attention to this Important Information – Please Stay Safe!

 
 
 