Banks on alert for ATM heist
FBI warns of massive global cash-out scheme
The FBI has warned banks in the U.S. about an impending cybercrime, a heist called an “ATM cash-out,” in which thieves seek to swipe millions of dollars by using cloned ATM cards for fraudulent withdrawals.
This globally organized effort could be instigated soon, the FBI told banks Friday, with cybercriminals attempting to amass millions of dollars within a few hours, according to the confidential alert obtained by security researcher Brian Krebs.
“The FBI has obtained unspecified reporting indicating cyber criminals are planning to conduct a global Automated Teller Machine (ATM) cash-out scheme in the coming days, likely associated with an unknown card issuer breach and commonly referred to as an ‘unlimited operation,’” the alert said, Krebs reported on his blog.
In an unlimited operation, cybercriminals deploy malware to obtain bank customer card information and network access in a way to execute massive ATM thefts, the FBI said, according to Krebs.
“Historic compromises have included small-to-medium size financial institutions, likely due to less robust implementation of cyber security controls, budgets, or third-party vendor vulnerabilities,” the FBI’s alert said. “The FBI expects the ubiquity of this activity to continue or possibly increase in the near future.”
The potential raids on ATMs are more of a problem for financial institutions than consumers because customers generally are not held liable for that type of attack on an account.
Banks are constantly trying to keep up with fraud schemes and head them off, said Rose Oswald Poels, president and chief executive of the Wisconsin Bankers Association.
“Financial institutions are always staying current with the latest scams that are occurring and making sure that their people as well as their equipment are up to date to prevent as much of this from happening as possible,” she said. “They’ve spent a lot money to try to make their physical ATM machines resistant to skimming devices and other sorts of malware that could potentially get put on them.”
Banking attorney John T. Reichert
said banks rarely talk specifically about security measures.
“If the bankers or the ATM networks are taking steps, they usually are a little reluctant to share what those steps might be,” said Reichert, a shareholder in the banking practice of the Milwaukee law firm Reinhart Boerner Van Deuren.
Reichert added: “This is a very bad thing and a big risk to banks, but as long as consumers are diligent and let the bank know if something’s suspicious, they’re going to be OK.”
The FBI, which would not comment on the specific alert, said in a statement: “The FBI routinely advises private industry of various cyber threat indicators observed during the course of our investigations. This data is provided in order to help systems administrators guard against the actions of persistent cyber criminals.”
Organized crime gangs typically hack into a bank or payment processor to remove fraud controls, such as maximum withdrawal amounts and limits on number of daily customer ATM transactions, Krebs says. Account balances and security measures within the institution are altered to make an unlimited amount of money available at the time of the illegal transactions.
To commit the crime, cyber criminals create fake bank cards by imprinting stolen credit card data on blank magnetic strip cards, the FBI said. “At a predetermined time, the co-conspirators withdraw account funds from ATMs using these cards,” the agency said.
Most ATM cash-out operations happen on weekends, usually just after the close of business Saturday, Krebs said.
A heist that occurred over last weekend in India could be the operation the FBI had warned about. India’s Cosmos Bank lost about $13.5 million (944 million rupees) in a wave of simultaneous withdrawals across 28 countries, Reuters reported.
Another example of an apparent unlimited operation resulted in the National Bank of Blacksburg in Virginia losing a total of $2.4 million in two separate ATM cash-out operations between May 2016 and January 2017, Krebs reported.
In that incident, a phishing email led to malware on a PC and the compromise of a computer at the bank that had access to Star Network, a debit card payment system run by First Data, which managed customer accounts and their use of ATMs and bank cards, Krebs said.
Hackers then disabled and altered anti-theft and anti-fraud protections, including four-digit PIN numbers and daily withdrawal limits. During one breach that began on May 28, 2016, and continued through Memorial Day, hackers obtained more than $569,000 from hundreds of ATMs across North America.
The FBI gave banks several security recommendations to combat any potential threats such as requiring strong passwords and two-factor authentication with a physical or digital token for critical employees.
Consumers should remain vigilant, said Paul Benda, senior vice president of risk and cybersecurity policy at the American Bankers Association. “They should be signed up for fraud alerts on their account. They should be monitoring their accounts for activity, and they should look for any unusual activity,” Benda said. “If they see anything they should report it. A bank would much rather hear about a potential fraudulent charge that turns out to be something that you don’t remember buying versus not hearing about that at all.”
Should a customer lose something from their account as part of a crime such as an “ATM cash-out,” he said, “the bank is going to make you whole.”