Updated: Jun 6, 2020
A worldwide, highly choreographed ATM hack dubbed "ATM Cash-Out" or "Unlimited Operation" could be imminent, warns the FBI (Federal Bureau of Investigation). The threat was reported last week by Krebs on Security, a respected cybersecurity blog run by Brian Krebs.
A private and confidential alert that the FBI shared with banks on Friday stated: "The FBI has obtained unspecified reporting indicating cyber criminals are planning to conduct a global Automated Teller Machine (ATM) cash-out scheme in the coming days, likely associated with an unknown card issuer breach and commonly referred to as an 'unlimited operation'. Historic compromises have included small-to-medium size financial institutions, likely due to less robust implementation of cyber security controls, budgets, or third-party vendor vulnerabilities."
An "unlimited operation" is a scheme in which malware is used to access bank customer card information. The hackers then delete fraud controls, such as limits on ATM withdrawal amounts, which allows for large-scale theft, according to Krebs. Account balances and security measures can also be altered to make an unlimited amount of cash available to the hackers.
"The hackers typically create fraudulent copies of legitimate cards by sending stolen card data to co-conspirators who imprint the data on reusable magnetic strip cards, such as gift cards purchased at retail stores," the FBI warning stated, according to Krebs. "At a pre-determined time, the co-conspirators withdraw account funds from ATMs using these cards."
Weekends and national holidays are the preferred times for cash-out attacks, in part because financial institutions are closed and the ATM attacks are less likely to be noticed, but also because ATMs are generally well stocked with cash at these times.
The National Bank of Blacksburg, Virginia, reportedly lost USD 2.4 million to Russian hackers in two separate ATM cash-outs that took place over an eight-month period between May 2016 and January 2017. The two incidents involved weekend-long sprees in which hundreds of ATMs were used to plunder accounts.
Over in Asia, hackers pilfered USD 2.2 million from dozens of Taiwan's First Commercial Bank ATMs in July 2016. The hackers are believed to have gained inside access to the bank's network and installed three types of malware (see Taiwan heist highlights ATM weaknesses). Three Eastern European men who were part of the group of money mules who withdrew the cash were sentenced to jail time, but more than a dozen others managed to flee the country without being caught.
Such operations are also no longer confined to a specific locality or country. In May 2016, in an attack on South Africa's Standard Bank, hackers managed to siphon USD 19 million via ATMs in Japan (see Lessons from ATM Cash-Out Scheme in Japan). That strike took less than three hours. The money mules used 1,600 counterfeit mag-stripe debit cards cloned from stolen card data to withdraw the money from 1,400 ATMs located in 7-Eleven convenience stores.
In the alert, the FBI also made several recommendations to the banks:
Implement separation of duties or dual authentication procedures for account balance or withdrawal increases above a specified threshold.
Implement application whitelisting to block the execution of malware (see also Why application whitelisting is the perfect antivirus replacement for fixed function terminals).
Monitor, audit and limit administrator and business-critical accounts with the authority to modify the account attributes mentioned above.
Monitor for the presence of remote network protocols and administrative tools used to pivot back into the network and conduct post-exploitation of a network, such as PowerShell, Cobalt Strike and TeamViewer.
Monitor for encrypted traffic (SSL or TLS) traveling over non-standard ports.
Monitor for network traffic to regions where you would not expect to see outbound connections from the financial institution.
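The last two monitoring recommendations can be turned into simple flow-record rules. The following is an added example written for this post, not code from the FBI alert or from any vendor; the Zeek-like record fields, the sample flows, the set of "standard" TLS ports and the expected-region set are all assumptions a bank would replace with its own baseline.

```python
# Added example: flag flows that match two of the FBI's monitoring recommendations
# (TLS on non-standard ports; outbound traffic to unexpected regions).
# Record shape, port set and region set are assumptions, not values from the alert.

TLS_STANDARD_PORTS = {443, 8443, 465, 993, 995}   # assumption: ports where TLS is expected
EXPECTED_REGIONS = {"US"}                           # assumption: the bank only talks to US hosts
INTERNAL_PREFIX = "10."                             # assumption: internal address space

# Constructed sample flow records (not real traffic). "service" is the protocol the
# sensor identified regardless of port; "dst_cc" is a country code from an upstream
# GeoIP lookup ("ZZ" stands in for any region outside the expected set).
SAMPLE_FLOWS = [
    {"ts": "2018-08-11T02:14:05Z", "src": "10.20.5.17", "dst": "203.0.113.9",
     "dport": 443,  "service": "tls", "dst_cc": "US"},
    {"ts": "2018-08-11T02:14:09Z", "src": "10.20.5.17", "dst": "198.51.100.4",
     "dport": 8080, "service": "tls", "dst_cc": "US"},
    {"ts": "2018-08-11T02:15:31Z", "src": "10.20.7.3",  "dst": "192.0.2.77",
     "dport": 443,  "service": "tls", "dst_cc": "ZZ"},
    {"ts": "2018-08-11T02:16:02Z", "src": "10.20.7.3",  "dst": "192.0.2.78",
     "dport": 53,   "service": "dns", "dst_cc": "US"},
]

def is_outbound(flow):
    """True when the source is internal and the destination is not."""
    return (flow["src"].startswith(INTERNAL_PREFIX)
            and not flow["dst"].startswith(INTERNAL_PREFIX))

def check_flow(flow):
    """Return the names of the rules this flow triggers (empty when clean)."""
    hits = []
    if flow["service"] == "tls" and flow["dport"] not in TLS_STANDARD_PORTS:
        hits.append("tls_on_nonstandard_port")
    if is_outbound(flow) and flow["dst_cc"] not in EXPECTED_REGIONS:
        hits.append("outbound_to_unexpected_region")
    return hits

def scan_flows(flows):
    """Map each triggering flow, keyed by (ts, src, dst, dport), to its rule hits."""
    alerts = {}
    for flow in flows:
        hits = check_flow(flow)
        if hits:
            alerts[(flow["ts"], flow["src"], flow["dst"], flow["dport"])] = hits
    return alerts

if __name__ == "__main__":
    for key, hits in scan_flows(SAMPLE_FLOWS).items():
        print(key, "->", ", ".join(hits))
```

On the constructed sample, the 8080 TLS flow and the outbound flow to region "ZZ" are flagged and the other two pass; in production the port and region sets should be derived from the institution's own observed baseline rather than hard-coded.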
We provide the following solutions and professional services:
Solutions: Two-Factor Authentication and an Application Whitelisting solution for ransomware protection and fixed-function terminals (such as kiosks, point-of-sale terminals and ATMs).
Contact firstname.lastname@example.org for more information.