FBI warns of impending global ATM cash-out blitz

The FBI is warning banks, transaction processors, and operators of ATMs and ATM networks of an impending cyberheist involving ATMs. This is according to a confidential alert sent by the FBI to U.S. banks and obtained by Krebs on Security, which tracks cybersecurity breaches and trends.

The impending ATM cash-out scheme is imminent and will be global in reach, the FBI said, and it's not apt to be a one-off occurrence.

ATM cash-out schemes start with crooks hacking into bank or card processor systems to purloin account numbers and PINs, and to knock out fraud controls (such as ATM cash withdrawal limitations). Using the account information, they clone debit cards and enlist foot soldiers who work simultaneously, hitting ATMs and draining as much money as possible from accounts.

Virtually all such attacks to date have been launched on weekends. Recently, for example, news broke of a series of ATM cash-outs that resulted in several million dollars being siphoned from accounts at a small Virginia bank between May 2016 and January 2017. All of those heists occurred over holiday weekends, according to published reports.

The scheme the FBI is warning about now could result in crooks emptying millions of dollars from bank accounts worldwide in just a few hours, Krebs reported.

"The FBI has obtained unspecified reporting indicating cyber criminals are planning to conduct a global automated teller machine cash-out scheme in the coming days, likely associated with an unknown card-issuer breach," the alert stated. "Historic compromises have included small-to-medium-sized financial institutions, likely due to less robust implementation of cyber security controls, budgets, or third-party vendor vulnerabilities. … The FBI expects the ubiquity of this activity to continue or possibly increase in the near future."

Vigilance as 'table stakes'

The FBI urged banks to review and boost security measures, such as strong password requirements and two-factor authentication. Other offered advice included:

• Implement separation of duties or dual authentication procedures for account balance or withdrawal increases over specified thresholds;
• Monitor, audit and limit administrator and business critical accounts with authority to modify withdrawal limits;
• Monitor for encrypted traffic traveling over non-standard ports; and
• Monitor for traffic to regions where outbound connections would seem unusual.

While the advice is sound, Jonathan Sander, CTO at STEALTHbits Technology, said it points to obvious failures on the part of many banks. "[W]hat the FBI is advising should be considered table stakes for any organization operating infrastructure as sensitive as ATMs," he said. "To imagine that security pros at a bank can't force IT to have strong password policies and two factor for administrative users is very shocking."`

Sander urged banks and processors to do more. "Not only should these networks have their admins locked down with multi-factor [authentication] and strong passwords, they ought to be using specialized privilege access workstations or at least be using session controls," he said. He also recommended strict procedures for automated actions that require privilege, such as backups and patches. And real-time monitoring.

"The general idea is that the basics for these sorts of systems ought to be in the rear view," Sander added. "It's a bit surprising that the FBI must see enough shops without those basic controls that they feel they need to give that advice."

Editor's Note:

The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.