How to Protect Your ATM Fleet from “Man-in-the-Middle” Attacks
Published: Thursday, January 29, 2026

Unfortunately, ATM crime continues to grow across the country, and it’s no longer just a matter of brute force. While physical attacks, like “ram-raids” and robberies of cash-in-transit (CIT) personnel, remain a concern, the threat landscape has shifted toward more sophisticated, less bombastic crimes.
In mid-2024, the cyber investigative division of the U.S. Secret Service issued a memo warning of increased jackpotting activity, including man-in-the-middle (MITM) and black box techniques observed across more than a dozen states. And, according to the ATM Industry Association (ATMIA), jackpotting/cash-out attacks were the most common type of ATM crime in the U.S. in 2025, making up 74% of all criminal activity.
Physical security remains vital, but credit unions need to be prepared and know how to defend themselves against MITM attacks.
How MITM Attacks Work
An MITM attack occurs when a criminal intercepts the communication between the ATM’s internal computer (the CPU) and its hardware components. Here’s how an attack typically unfolds:
- Physical Access: Using a universal manufacturer key, which can be bought easily on the gray market, the criminal unlocks the “top hat” (upper section) of the ATM.
- Interception: They physically disconnect the cables between the PC and the cash dispenser, inserting a rogue device (often a small “black box” or laptop) in between.
- The Jackpot: This rogue device sends a direct command to the dispenser to empty the cash vault. Because this bypasses the traditional banking network, no cardholder accounts are touched and no alerts are triggered at the host level.
The attack often happens after hours, and unfortunately, no one is made aware until a cardholder attempts a withdrawal and is denied due to a lack of funds in the ATM. The system still thinks it has cash because the link between the CPU and ATM hardware was cut when the cash was removed.
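Because the host sees nothing, detection has to come from device-level signals. The following is an added example, not code from this article or from any vendor: it assumes each ATM reports top hat door and dispenser link events to a monitoring system, and it flags a dispenser disconnect that occurs outside a scheduled service visit. The event names, ATM IDs, schedule and 10-minute window are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from a real ATM): timestamp, ATM id, event.
# Event names are hypothetical; map them to what your monitoring agent emits.
SAMPLE_EVENTS = """\
2026-01-10T02:14:05 ATM-017 TOP_HAT_OPENED
2026-01-10T02:15:40 ATM-017 DISPENSER_LINK_LOST
2026-01-10T10:02:11 ATM-004 TOP_HAT_OPENED
2026-01-10T10:03:30 ATM-004 DISPENSER_LINK_LOST
2026-01-10T10:20:00 ATM-004 DISPENSER_LINK_RESTORED
2026-01-10T03:30:00 ATM-022 DISPENSER_LINK_LOST
"""

# Constructed schedule of expected technician visits per ATM.
SERVICE_WINDOWS = {
    "ATM-004": [(datetime(2026, 1, 10, 9, 0), datetime(2026, 1, 10, 11, 0))],
}
CORRELATION_WINDOW = timedelta(minutes=10)  # assumed door-to-disconnect gap


def parse_events(text):
    """Parse 'timestamp atm event' lines into time-ordered tuples."""
    rows = [line.split() for line in text.splitlines() if line.strip()]
    return sorted((datetime.fromisoformat(ts), atm, ev) for ts, atm, ev in rows)


def in_service_window(atm, ts):
    return any(a <= ts <= b for a, b in SERVICE_WINDOWS.get(atm, []))


def find_alerts(events):
    """Flag dispenser disconnects that happen outside a scheduled visit."""
    last_open, alerts = {}, []
    for ts, atm, ev in events:
        if ev == "TOP_HAT_OPENED":
            last_open[atm] = ts
        elif ev == "DISPENSER_LINK_LOST" and not in_service_window(atm, ts):
            opened = last_open.get(atm)
            # Door opened shortly before the link dropped: matches the sequence.
            paired = opened is not None and ts - opened <= CORRELATION_WINDOW
            alerts.append((atm, "critical" if paired else "warning", ts))
    return alerts


if __name__ == "__main__":
    for atm, severity, ts in find_alerts(parse_events(SAMPLE_EVENTS)):
        print(f"{ts.isoformat()} {atm} {severity}: unscheduled dispenser disconnect")
```

The "warning" case covers a dispenser disconnect with no preceding door event, which still deserves a look because a door sensor may not have reported.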
Universal Access Presents Vulnerabilities
It’s a frustrating reality of the industry: Most ATM manufacturers use standardized keys for the top hat enclosure. While this was designed for the convenience of maintenance technicians who may service dozens of machines a day, it has created a massive security loophole that criminals are now exploiting with precision.
While deterrents like sirens, strobes and silent alarms can help, they are often just hurdles for a determined criminal. The real solution lies in the architecture of the ATM’s communication and the expertise of the operator managing the fleet.
These attacks can be devastating for a credit union of any size, because once a vulnerability is found, criminals immediately look for other ATMs in the credit union’s fleet they can attack next. And they can hit several ATMs in just a few hours.
Secure Your Fleet with Dolphin Debit Access
Protecting your credit union shouldn’t be a DIY project or a hidden expense. Rather, you need an ATM operator that implements proactive defense parameters, including encrypted communications and advanced hardware monitoring, without charging you out-of-pocket for every necessary security upgrade.
Interested in learning more about Dolphin Debit and how its solutions can support your credit union’s goals? Carrick Professionals proudly partners with trusted providers like Dolphin Debit to bring effective, forward-thinking tools to the credit union movement. Contact us or use our online matching tool to explore this and other solutions that may be right for your organization.