People who work in information security departments are confronted with security alerts every day; at large banks they get hundreds of thousands a day. Choosing which to act on and which to leave alone is never easy.
The FBI sent a confidential alert to banks late last week, warning that a rash of ATM theft is likely to hit soon.
“The FBI has obtained unspecified reporting indicating cybercriminals are planning to conduct a global automated teller machine cashout scheme in the coming days, likely associated with an unknown card issuer breach and commonly referred to as an ‘unlimited operation,’ ” the notice said.
In unlimited attacks, cybercrime gangs hack or phish their way into a bank or payment card processor, said the security blogger Brian Krebs, who on Sunday broke the story about the FBI’s warning.
“Just prior to executing on ATM cashouts, the intruders will remove many fraud controls at the financial institution, such as maximum ATM withdrawal amounts and any limits on the number of customer ATM transactions daily,” Krebs wrote. “The perpetrators also alter account balances and security measures … allowing for large amounts of cash to be quickly removed from the ATM.”
In an interview, Krebs pointed out that in some recent ATM attacks, criminals have stolen between $9 million and $13 million in a few hours. He speculated that in the case the FBI warned about, a large payment processor has been compromised and hackers will use that breach to infiltrate several small banks.
The payment processors First Data and Visa declined to comment for this article.
The FBI may have gotten wind that a criminal group was asking for help on the ground to conduct the ATM withdrawals, Krebs said.
“Usually there’s a flurry of activity right before they do these cashouts,” Krebs said. “Criminal types get pinged —if you can work in six hours, you can make $800. Sometimes law enforcement sees this.”
The three banks with the largest ATM networks — JPMorgan Chase, Bank of America and Wells Fargo — declined or did not respond to requests to comment. And the two largest U.S. ATM manufacturers, NCR and Diebold, did not respond to requests for comment.
Mike Lee, CEO of the ATM Industry Association, said his group was looking into the FBI alert.
“We’re not yet sure … whether [the FBI warning] is based on verified facts,” he said. “While we investigate this internally to assess the level of threat and probability of this event happening, we urge all ATM operators and networks to take additional precautions and implement all known security best practices.”
According to a survey the association conducted this year, 91% of ATMs have been upgraded to high-security technology that meets EMV standards, and the majority of those are actively accepting chip-on-chip transactions.
“That, of course, is our primary protection against the use of counterfeit cards at the ATM,” said David Tente, executive director of the U.S.A. and Americas for the ATMIA.
Who’s most at risk
In its alert, the FBI suggested that smaller banks have the most to worry about.
“Historic compromises have included small to medium-size financial institutions, likely due to less robust implementation of cybersecurity controls, budgets or third-party vendor vulnerabilities,” the notification said. “The FBI expects the ubiquity of this activity to continue or possibly increase in the near future.”
Hackers in recent years used phishing emails to break into the $1.3 billion-asset National Bankshares in Blacksburg, Va., twice in eight months, making off with more than $2.4 million.
Steve Mott, principal of BetterBuyDesign, has also observed this trend of attacks on smaller banks.
“The hacker gets into the smaller financial institution or processor, compromises the debit card data on checking accounts, looks up the PIN, puts it on a card or sells it to another criminal to do so, then subverts the withdrawal limits or controls, and gets the cash — lots of it, fast,” Mott said. “It’s the most efficient form of account fraud yet.”
Hackers also tend to target unattended retail ATMs and old ATMs, as they did in some jackpotting incidents earlier this year.
“If an ATM runs out of cash, the bank will get an alert about that,” Krebs said. “Maybe not so much in the case of a third-party-managed ATM. Your average bank ATM is more secure than your average nonbank ATM. But bank ATMs get attacked, too.”
Bryan Burns, a vice president of research and engineering at the cybersecurity firm Proofpoint, sees phishing as the most common starting point for ATM cashout schemes.
“Attacks on banking infrastructure and ATMs in particular continue to evolve, but the initial compromise that enables most of these largely remains the same: an unwitting employee that falls victim to credential phishing or other form of social engineering attack,” he said. “Financial organizations can prioritize educating their employees to spot socially engineered attacks across email, social media, and the web and run phishing simulations” — fake attacks that use real-world tactics — “to understand who in their organization is most likely to fall victim to this form of attack.”
The consultant Richard Crone said ATM security incidents show the need for cardless payments.
“To extract the cash, these accounts must be synchronized with the nefarious creation of fraudulent debit cards,” Crone said.
When consumers access cash through a smartphone app rather than a card, he said, the cash access token is dynamic, it changes with each withdrawal request, and cardless cash systems typically require stronger authentication such as a biometric.
Mobile transactions also can be locked down with geographic validation and out-of-band review and release of a mobile payment, for instance through text message or phone call. Card “on” and “off” controls from the mobile device also prevent usage when the account holder is not aware.
“To hack mobile cardless cash, you’d have to spoof not just the account holder’s account and phone number, but the unique identifiers of their mobile device,” Crone said. “That’s far more difficult than printing fake cards.”
In its notice, the FBI recommended that banks make several efforts to step up ATM security:
- Implement strong password requirements and two-factor authentication using a physical or digital token when possible for local administrators and business-critical roles.
- Establish separation of duties or dual-authentication procedures for account balance or withdrawal increases above a specified threshold.
- Limit the use of unapproved applications to block the execution of malware.
- Monitor, audit and limit administrator and business-critical accounts.
- Monitor for the presence of remote network protocols and administrative tools used to pivot back into the network and conduct post-exploitation of a network, such as Powershell, cobalt strike and TeamViewer.
- Monitor for encrypted traffic traveling over nonstandard ports.
- Monitor for network traffic to regions where outbound connections from the financial institution do not normally occur.