FBI sounds alarm over ATM cash-out attack
The Federal Bureau of Investigation (FBI) is warning banks that cybercriminals are preparing to carry out a global fraud scheme known as an “ATM cash-out”, according to Krebs on Security.
In a cash-out, thieves compromise a bank or payment card processor and then use cloned cards at cash machines to withdraw potentially millions of dollars in a few hours.
“The FBI has obtained unspecified reporting indicating cybercriminals are planning to conduct a global ATM cash-out scheme in the coming days, likely associated with an unknown card issuer breach and commonly referred to as an ‘unlimited operation’,” reads a confidential alert the FBI shared with banks privately.
Krebs on Security explains that just prior to executing ATM cash-outs, the intruders will remove many fraud controls at the financial institution, such as maximum ATM withdrawal amounts and any daily limits on the number of customer ATM transactions.
The perpetrators also alter account balances and security measures to make an unlimited amount of money available at the time of the transactions, allowing for large amounts of cash to be quickly removed from the ATM.
“The cybercriminals typically create fraudulent copies of legitimate cards by sending stolen card data to co-conspirators who imprint the data on reusable magnetic strip cards, such as gift cards purchased at retail stores,” the FBI warns. “At a pre-determined time, the co-conspirators withdraw account funds from ATMs using these cards.”
According to Krebs on Security, virtually all ATM cash-out operations are launched on weekends, often just after financial institutions begin closing for business on Saturday.
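An added example, not from the FBI alert or Krebs on Security: a detection rule that correlates loosened ATM controls on an account with the withdrawals that follow, and notes whether the change happened on a weekend. The event schema, control names, account IDs and 24-hour window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample data; the schema is hypothetical, not from any real banking system.
# (time, account, control, old cap, new cap); a new cap of None means the limit was removed.
CONTROL_CHANGES = [
    ("2024-06-01T13:02:00", "ACCT-A", "daily_withdrawal_limit", 500, None),
    ("2024-06-01T13:03:00", "ACCT-A", "daily_txn_count_limit", 5, None),
    ("2024-05-31T09:15:00", "ACCT-B", "daily_withdrawal_limit", 500, 600),
]
# (time, account, ATM terminal, amount): six withdrawals for ACCT-A, one for ACCT-B.
WITHDRAWALS = [(f"2024-06-01T14:0{m}:00", "ACCT-A", f"ATM-{m}", 400) for m in range(6)]
WITHDRAWALS.append(("2024-05-31T12:00:00", "ACCT-B", "ATM-77", 200))

def loosened(old, new):
    """A control is loosened when its cap is removed (None) or raised."""
    return new is None or (old is not None and new > old)

def find_cashout_candidates(changes, withdrawals, window=timedelta(hours=24)):
    """Flag accounts whose withdrawals after a loosened control exceed the old caps."""
    baseline = {}  # account -> first loosening time plus the caps in force before it
    for ts, acct, control, old, new in sorted(changes, key=lambda c: c[0]):
        if loosened(old, new):
            entry = baseline.setdefault(acct, {"since": datetime.fromisoformat(ts)})
            entry.setdefault(control, old)  # remember the pre-change cap
    findings = []
    for acct, base in baseline.items():
        end = base["since"] + window
        hits = [(term, amt) for ts, a, term, amt in withdrawals
                if a == acct and base["since"] <= datetime.fromisoformat(ts) <= end]
        total = sum(amt for _, amt in hits)
        amount_cap = base.get("daily_withdrawal_limit")
        count_cap = base.get("daily_txn_count_limit")
        if (amount_cap is not None and total > amount_cap) or \
           (count_cap is not None and len(hits) > count_cap):
            findings.append({
                "account": acct, "total": total, "count": len(hits),
                "terminals": len({term for term, _ in hits}),
                "weekend": base["since"].weekday() >= 5,  # Saturday or Sunday
            })
    return findings

if __name__ == "__main__":
    for finding in find_cashout_candidates(CONTROL_CHANGES, WITHDRAWALS):
        print(finding)
```

ACCT-B's limit was raised, but its withdrawals stay under the old cap, so only ACCT-A is reported.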
The FBI is urging banks to review their security practices, for example by implementing strong password requirements and, where possible, two-factor authentication using a physical or digital token for local administrators and business-critical roles.
Quite a few people had responses to the FBI. One example is quite enough.
Jonathan Sander, CTO, Stealthbits Technologies, comments: “The scariest thing about these FBI advisories to banks and other organisations isn’t the idea of the bad guys doing bad things, it’s the advice they are giving the good guys.
“All the advice the FBI gives sounds like the basics of an effective cybersecurity programme. That is no reflection on the FBI, though. They are saying what they feel needs to be said based on the controls they see in place at the banks they are advising.
“To imagine that security pros at a bank can’t force IT to have strong password policies and two-factor for administrative users is very shocking. In a world with breaches in the news nearly as often as presidential tweets, how can anyone argue against strong security for the more privileged users in the system?”