Cyber-attackers are withdrawing large amounts of money using stolen debit card information, often in amounts exceeding ATM limits or even the amount the victim has in the account, the Federal Financial Institutions Examination Council (FFIEC) said in a four-page statement last week.

The cash-fraud scheme, which the US Secret Services refers to as “Unlimited Operations,” appears to target Web-based control panels of ATMs frequently used by small-to-midsize financial institutions, the statement said.

“A recent Unlimited Operations attack netted over $40 million in fraud using only 12 debit card accounts,” the FFIEC said in its alert. The council comprises various banking regulators, including the Federal Reserve and the Consumer Financial Protection Bureau.

While the regulators didn’t identify the victims or provide other information about the attackers, credit unions and banks were reminded to check all their systems involved with ATM transactions, including their fraud detection systems. Banks need to conduct ongoing information security risk assessments and add additional layers of security to prevent further attacks. Employees also need to be trained to recognize and properly handle phishing attempts.

These attacks appear to start with phishing e-mails sent to bank and credit union employees. When an employee falls for the trick, the cyber-criminals are able to install malware on the company’s network. The criminals then use the stolen login credentials to remotely access the ATM control panels and modify settings so that they can steal unlimited amounts of cash and change existing fraud alerts, according to the statement.

Attackers frequently target the ATMs during holidays and weekends there is more cash in the ATMs and less monitoring, according to the alert.

Criminals organize “simultaneous withdrawals of large amounts of cash from multiple ATMs over a short time period, usually four hours to two days,” the regulators warned.

Distributed denial of service attacks continues to cause problems with banking websites, and they can be used as “a diversionary tactic” to mask other types of fraud, the alert said.

“Each institution is expected to monitor incoming traffic to its public website, activate incident response plans if it suspects that a DDoS attack is occurring, and ensure sufficient staffing for the duration of the attack,” the FFIEC said.

Fahmida Y. Rashid is an accomplished security journalist and technologist. She is a regular contributor for several publications including where she is a networking and security analyst.  She also was a senior writer at eWeek where she covered security, core Internet infrastructure and open source. As well, she was a senior technical editor at CRN Test Center reviewing open source, storage, and networking products. 

Leave a Reply