The U.S. Federal Bureau of Investigation (FBI) has warned banks about the likelihood of cybercriminals carrying out a global fraud scheme known only as the “ATM Cash-out.” It relies on cloned ATM cards, built from card data gleaned through hacks of banks and payment card processors. In just a few hours, criminals have been able to pull out millions of dollars from cash machines around the world.
Brian Krebs, whose website KrebsOnSecurity covers all things cybersecurity, wrote a detailed post on the issue. He quotes a confidential FBI alert: “The FBI has obtained unspecified reporting indicating cybercriminals are planning to conduct a global Automated Teller Machine (ATM) cash-out scheme in the coming days, likely associated with an unknown card issuer breach and commonly referred to as an ‘unlimited operation.’ ”
Krebs’s website goes on to say, “The FBI said unlimited operations compromise a financial institution or payment card processor with malware to access bank customer card information and exploit network access, enabling large scale theft of funds from ATMs. Historic compromises have included small-to-medium size financial institutions, likely due to less robust implementation of cybersecurity controls, budgets, or third-party vendor vulnerabilities.” The alert elaborates, “The FBI expects the ubiquity of this activity to continue or possibly increase in the near future.”
Such attacks are planned and executed in a systematic manner. Hackers initially resort to phishing scams to gain entry into a bank or payment card processor and steal customer card data. They then remove customer fraud controls, like maximum withdrawal restrictions and daily ATM transaction limits, and alter the account balances so that the accounts appear to have unlimited money available. With those controls gone, the criminals clone the card data, use the cloned cards to cash out the accounts, and maximize their score from global bank networks.
Brian Krebs writes, “Virtually all ATM cash-out operations are launched on weekends, often just after financial institutions begin closing for business on Saturday.” Banks have been told to review their security measures, focusing mainly on the implementation of strong password requirements and two-factor authentication. According to KrebsOnSecurity, “The FBI is urging banks to review how they’re handling security, such as implementing strong password requirements and two-factor authentication using a physical or digital token when possible for local administrators and business critical roles.”
The FBI has also offered a few other suggestions to banks: implementing application whitelisting (which would help prevent malware execution); separating duties or requiring dual authentication procedures for account balances or withdrawals above a certain amount; ensuring encryption; and monitoring network traffic in regions where noticeable activity has occurred.
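A sketch of how a monitoring team could correlate the pattern described above, a fraud-control change made without a second approver followed by ATM withdrawals in several countries. This is an added example, not code from the FBI alert or KrebsOnSecurity; the event schema, field names, the 48-hour window and the two-country threshold are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real data); field names are assumptions.
EVENTS = [
    # A1: limit removed and balance adjusted by one admin, then a multi-country burst.
    {"ts": "2024-01-06T13:02", "type": "limit_change", "account": "A1", "actor": "admin7", "approver": None},
    {"ts": "2024-01-06T13:05", "type": "balance_adjust", "account": "A1", "actor": "admin7", "approver": "admin7"},
    {"ts": "2024-01-06T14:10", "type": "atm_withdrawal", "account": "A1", "country": "US", "amount": 800},
    {"ts": "2024-01-06T14:12", "type": "atm_withdrawal", "account": "A1", "country": "JP", "amount": 900},
    {"ts": "2024-01-06T14:15", "type": "atm_withdrawal", "account": "A1", "country": "GB", "amount": 700},
    # A2: change approved by a second person, so later withdrawals are not correlated.
    {"ts": "2024-01-06T09:00", "type": "limit_change", "account": "A2", "actor": "admin2", "approver": "admin5"},
    {"ts": "2024-01-06T18:00", "type": "atm_withdrawal", "account": "A2", "country": "US", "amount": 200},
    {"ts": "2024-01-07T18:00", "type": "atm_withdrawal", "account": "A2", "country": "CA", "amount": 200},
    # A3: unapproved change, but withdrawals stay in one country (review the change separately).
    {"ts": "2024-01-06T10:00", "type": "limit_change", "account": "A3", "actor": "admin7", "approver": None},
    {"ts": "2024-01-06T11:00", "type": "atm_withdrawal", "account": "A3", "country": "US", "amount": 300},
]

CONTROL_EVENTS = {"limit_change", "balance_adjust"}


def lacks_dual_control(ev):
    """True when no second person, distinct from the actor, approved the change."""
    return ev.get("approver") in (None, ev["actor"])


def flag_cashout_candidates(events, window=timedelta(hours=48), min_countries=2):
    """Return {account: summary} for accounts matching the cash-out pattern."""
    last_change = {}   # account -> time of most recent unapproved control change
    findings = {}
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO 8601 sorts chronologically
        ts, acct = datetime.fromisoformat(ev["ts"]), ev["account"]
        if ev["type"] in CONTROL_EVENTS and lacks_dual_control(ev):
            last_change[acct] = ts
        elif ev["type"] == "atm_withdrawal" and acct in last_change:
            if ts - last_change[acct] <= window:
                f = findings.setdefault(acct, {"countries": set(), "total": 0, "count": 0})
                f["countries"].add(ev["country"])
                f["total"] += ev["amount"]
                f["count"] += 1
    return {a: f for a, f in findings.items() if len(f["countries"]) >= min_countries}


if __name__ == "__main__":
    for account, summary in flag_cashout_candidates(EVENTS).items():
        print(account, sorted(summary["countries"]), summary["total"], summary["count"])
```
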