The FBI has recently warned banks that a group of criminals might be planning a large-scale ‘ATM cash-out’ that could steal millions of dollars.
“The FBI has obtained unspecified reporting indicating cybercriminals are planning to conduct a global Automated Teller Machine (ATM) cash-out scheme in the coming days, likely associated with an unknown card issuer breach and commonly referred to as an ‘unlimited operation’,” reads a confidential alert, reported by the cybersecurity blog KrebsOnSecurity, that the FBI shared with banks last week.
In the potential attack, criminals would first install malware on a payment card processor or bank network to gain access to card numbers and other information. They’d then use this access to remove fraud controls on ATMs, such as withdrawal limits. Finally, the group of criminals would use ‘clone cards’—plastic cards with customized magnetic stripes—to withdraw money from ATMs in person at a predetermined time, likely on the weekend when banks are closed.
“Historic compromises have included small-to-medium size financial institutions, likely due to less robust implementation of cyber security controls, budgets, or third-party vendor vulnerabilities,” the alert read. “The FBI expects the ubiquity of this activity to continue or possibly increase in the near future.”
In July, the KrebsOnSecurity blog broke a story “about an apparent unlimited operation used to extract a total of $2.4 million from accounts at the National Bank of Blacksburg in two separate ATM cashouts between May 2016 and January 2017.”
Another unlimited operation hit India’s Cosmos Bank just this weekend when criminals withdrew millions of dollars from ATMs in 29 countries in a two-hour timeframe.
“During the malware attack, a proxy switch was created and all the fraudulent payment approvals were passed by the proxy switching system,” the bank said.
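Because the scheme described above removes withdrawal limits on the compromised side, an issuer can recompute them over a separate copy of the approval log. The following is an added example, not code from the FBI alert or any bank: the record layout, thresholds and sample records are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds; tune to the issuer's real card limits and customer base.
WINDOW = timedelta(hours=2)   # the Cosmos Bank cash-out ran about two hours
CARD_LIMIT = 500              # assumed intended per-card withdrawal cap per window
MAX_COUNTRIES = 2             # assumed distinct ATM countries tolerated per window

def at(stamp):
    """Parse a 'YYYY-MM-DD HH:MM' timestamp."""
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M")

def detect_cashout(records, window=WINDOW, limit=CARD_LIMIT,
                   max_countries=MAX_COUNTRIES):
    """Flag cards whose approved ATM withdrawals inside a sliding window
    exceed the intended limit or span too many countries.

    records: iterable of (timestamp, card_id, country, amount).
    Returns {card_id: set of reasons}.
    """
    recent = defaultdict(deque)   # card_id -> withdrawals still inside the window
    alerts = defaultdict(set)
    for ts, card, country, amount in sorted(records):
        q = recent[card]
        q.append((ts, country, amount))
        while ts - q[0][0] > window:      # drop withdrawals older than the window
            q.popleft()
        # The limit is re-derived here, not read from the authorization host,
        # because the attack disables the control on that host.
        if sum(a for _, _, a in q) > limit:
            alerts[card].add("limit_exceeded")
        if len({c for _, c, _ in q}) > max_countries:
            alerts[card].add("geo_spread")
    return dict(alerts)

# Constructed sample approvals (not real data).
SAMPLE = [
    (at("2024-01-06 15:00"), "card-A", "IN", 300),
    (at("2024-01-06 15:10"), "card-A", "CA", 400),
    (at("2024-01-06 15:25"), "card-A", "HK", 400),
    (at("2024-01-06 16:40"), "card-A", "GB", 400),
    (at("2024-01-06 09:00"), "card-B", "IN", 200),
    (at("2024-01-06 18:30"), "card-B", "IN", 200),
]

if __name__ == "__main__":
    for card, reasons in detect_cashout(SAMPLE).items():
        print(card, sorted(reasons))
```

The check only helps if its log feed and alerting path do not depend on the switch that approves the transactions.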
So, how should bank customers protect themselves?
“They should be signed up for fraud alerts on their account,” Paul Benda, senior vice president of risk and cybersecurity policy at the American Bankers Association, told USA Today. “They should be monitoring their accounts for activity, and they should look for any unusual activity. If they see anything they should report it. A bank would much rather hear about a potential fraudulent charge that turns out to be something that you don’t remember buying versus not hearing about that at all.”