Wednesday, August 15, 2018
The ATM cash-out scheme is imminent and will be global in reach, the FBI said, and it's not apt to be a one-off occurrence.
ATM cash-out schemes start with crooks hacking into bank or card processor systems to purloin account numbers and PINs, and to knock out fraud controls (such as ATM cash withdrawal limitations). Using the account information, they clone debit cards and enlist foot soldiers who work simultaneously, hitting ATMs and draining as much money as possible from accounts.
Virtually all such attacks to date have been launched on weekends. Recently, for example, news broke of a series of ATM cash-outs that resulted in several million dollars being siphoned from accounts at a small Virginia bank between May 2016 and January 2017. All of those heists occurred over holiday weekends, according to published reports.
The scheme the FBI is warning about now could result in crooks emptying millions of dollars from bank accounts worldwide in just a few hours, Krebs reported.
"The FBI has obtained unspecified reporting indicating cyber criminals are planning to conduct a global automated teller machine cash-out scheme in the coming days, likely associated with an unknown card-issuer breach," the alert stated. "Historic compromises have included small-to-medium-sized financial institutions, likely due to less robust implementation of cyber security controls, budgets, or third-party vendor vulnerabilities. … The FBI expects the ubiquity of this activity to continue or possibly increase in the near future."
The FBI urged banks to review and boost security measures, such as strong password requirements and two-factor authentication. Other offered advice included:
While the advice is sound, Jonathan Sander, CTO at STEALTHbits Technology, said it points to obvious failures on the part of many banks. "[W]hat the FBI is advising should be considered table stakes for any organization operating infrastructure as sensitive as ATMs," he said. "To imagine that security pros at a bank can't force IT to have strong password policies and two factor for administrative users is very shocking."
Sander urged banks and processors to do more. "Not only should these networks have their admins locked down with multi-factor [authentication] and strong passwords, they ought to be using specialized privilege access workstations or at least be using session controls," he said. He also recommended real-time monitoring and strict procedures for automated actions that require privilege, such as backups and patches.
"The general idea is that the basics for these sorts of systems ought to be in the rear view," Sander added. "It's a bit surprising that the FBI must see enough shops without those basic controls that they feel they need to give that advice."
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.