The FBI is warning that ATM jackpotting attacks - where hackers make machines spit out cash like slot machines - are surging. It's low-tech physical hacking meeting software vulnerabilities, and it's netting criminals millions.
This is the kind of hacking most people think went extinct in the 90s. Open the ATM, plug in a device, watch cash pour out. Except it's not extinct - it's thriving. The FBI's latest advisory confirms what security researchers have been warning about for years: ATMs are just badly secured Windows boxes in metal shells, and criminals have figured out how to exploit them at scale.
Here's how jackpotting works. Criminals gain physical access to the ATM - sometimes by picking locks, sometimes by obtaining master keys that work on entire fleets of machines. Once inside, they connect a device directly to the ATM's computer, which is often running an outdated version of Windows XP or Windows 7. From there, it's a matter of running specialized malware that sends commands to the cash dispenser.
The ATM doesn't know it's been compromised. As far as the machine is concerned, it's receiving legitimate commands from the bank's system. The malware tricks it into dispensing cash without any corresponding withdrawal from an account. The criminals walk away with thousands of dollars per machine, often hitting multiple ATMs in a single night.
What makes this particularly frustrating is that the vulnerabilities are well-known. Security researchers have been demonstrating ATM attacks at conferences for over a decade. The fixes are straightforward: encrypt communications between the computer and cash dispenser, use full-disk encryption, keep software updated, improve physical security. Banks just haven't done it.
Why not? Because ATMs are expensive to upgrade, and most banks treat them as legacy infrastructure - deploy once, maintain minimally, replace when absolutely necessary. The average ATM in the US is over a decade old. Many are running operating systems that Microsoft no longer supports. They're sitting ducks.
The FBI says jackpotting attacks are netting hackers millions in stolen cash. That's not an exaggeration. A single well-organized crew can hit dozens of ATMs in a weekend, walking away with six figures. The stolen cash is difficult to trace and impossible to reverse - unlike credit card fraud or digital theft, there's no chargeback mechanism for physical cash that's already been distributed.
Banks are aware of the problem. Some have upgraded their ATMs, implemented better monitoring, and improved physical security. But many haven't, because the cost of upgrades exceeds the cost of losses from jackpotting - at least in the short term. That calculus changes when you factor in reputational damage and the reality that attacks are accelerating.
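The monitoring mentioned above can rest on the invariant that jackpotting breaks: every dispense should be backed by a withdrawal the bank's host authorized. The Python sketch below is an added example, not code from the FBI advisory or any ATM vendor; the record fields, ATM and transaction IDs, and the 60-second window are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample records (assumed field names, not a real ATM log format).
HOST_AUTHORIZATIONS = [
    {"atm": "ATM-001", "txn": "T1001", "amount": 200, "time": "2024-05-01T22:14:05"},
    {"atm": "ATM-001", "txn": "T1002", "amount": 60, "time": "2024-05-01T22:40:11"},
]
DISPENSER_EVENTS = [
    {"atm": "ATM-001", "txn": "T1001", "amount": 200, "time": "2024-05-01T22:14:09"},
    {"atm": "ATM-001", "txn": "T1002", "amount": 600, "time": "2024-05-01T22:40:15"},
    {"atm": "ATM-001", "txn": None, "amount": 2000, "time": "2024-05-02T02:31:40"},
    {"atm": "ATM-001", "txn": "T1001", "amount": 200, "time": "2024-05-02T02:32:10"},
]
MAX_DELAY = timedelta(seconds=60)  # assumed gap allowed between approval and dispense


def reconcile(authorizations, dispenses, max_delay=MAX_DELAY):
    """Return (event, reason) for each dispense not backed by a host authorization."""
    # Each authorization may back exactly one dispense, so it is consumed on match.
    pending = {(a["atm"], a["txn"]): a for a in authorizations}
    alerts = []
    for ev in sorted(dispenses, key=lambda e: e["time"]):
        auth = pending.pop((ev["atm"], ev["txn"]), None)
        if auth is None:
            # Covers both cash-outs with no transaction and reuse of an old one.
            alerts.append((ev, "no matching authorization"))
            continue
        delay = datetime.fromisoformat(ev["time"]) - datetime.fromisoformat(auth["time"])
        if ev["amount"] != auth["amount"]:
            alerts.append((ev, "amount differs from authorization"))
        elif not timedelta(0) <= delay <= max_delay:
            alerts.append((ev, "outside authorization window"))
    return alerts


if __name__ == "__main__":
    for event, reason in reconcile(HOST_AUTHORIZATIONS, DISPENSER_EVENTS):
        print(event["time"], event["atm"], event["amount"], reason)
```

The check is only as good as its dispense records: this sketch assumes they come from a source the ATM's own computer cannot rewrite, such as cassette counts reported separately.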
The criminals are getting more sophisticated. Early jackpotting required significant technical knowledge and custom hardware. Now, the tools are available on dark web forums, complete with tutorials and support channels. The barrier to entry has dropped from "skilled hacker" to "criminal with basic technical literacy and a few thousand dollars for equipment."
What can you do about this as a consumer? Honestly, not much. This isn't a problem you can solve by being vigilant or choosing better banks. It's an infrastructure security problem that requires banks to actually prioritize ATM security.
The broader lesson is about critical infrastructure. ATMs are financial infrastructure - we rely on them to access our money, especially in emergencies. They should be secured like infrastructure, not like disposable consumer devices. The fact that a determined criminal can open one up and make it dispense cash like a broken vending machine is embarrassing.
The FBI warning is significant because it confirms the problem is getting worse, not better. More attacks, more sophisticated techniques, more money stolen. This isn't a novel threat that banks couldn't have anticipated - it's a known vulnerability they chose not to fix.
ATM jackpotting is low-tech in the best way - no zero-day exploits, no sophisticated cryptography attacks, just physical access plus software that should have been patched years ago. It's a reminder that the weakest link in security is often the stuff we've been ignoring because it's not sexy or new. Those Windows XP machines in metal boxes? They're someone's retirement savings, and criminals are cashing out.





