Recently, the Federal Financial Institutions Examination Council (FFIEC) released an alert regarding ATM control panels. The guidance addresses a recent wave of ATM cash-out attacks that the Secret Service has dubbed “Unlimited Operations”. The guidance explains that in this kind of attack, criminals gain access to the web-based control panels used to run ATMs at small and medium-sized financial institutions. Once they’ve gained control, their goal is to change the settings and withdraw customer funds from those ATMs using cards or account information stolen in other attacks.
These attacks have already caused large losses, with one recent attack allowing criminals to steal over US$40 million using only 12 debit card accounts. Now, FFIEC members are expected to address this threat by reviewing the adequacy of their controls over their infrastructure as well as their fraud detection and response processes.
How ATM Cash-Out Attacks Really Work
Criminals begin the process by stealing debit card information and PINs, often through skimming or malware attacks aimed directly at customers. Then, they initiate phishing and other social engineering attacks that seek to install malware on the computers of a financial institution’s employees. Criminals then use the malware to monitor the institution’s network and figure out how the institution regulates access to web-based ATM control panels. Once the criminals have worked out how to manipulate that control panel, they can begin to raise the limits on how much money customers are allowed to withdraw in a single transaction, remove any geographical restrictions on where money can be withdrawn, and modify the parameters governing the generation of fraud reports when atypical transactions are processed.
With fewer constraints on withdrawals, criminals are then able to take out a lot of money unhindered, using fraudulent debit or prepaid cards encoded with the card information they previously stole. Then they cash out: the criminals organize simultaneous withdrawals of large amounts of cash from multiple ATMs over a short period, from several hours up to two days.
What Can You Do?
Security and fraud analysts agree that multiple layers of fraud protection are the only way to ensure robust electronic security. Just as stockbrokers must diversify their holdings to manage risk, the same goes for anti-fraud solutions.
To mitigate cash-out attacks, the FFIEC recommends following several steps, which I list below along with the solution characteristics that will ensure a proactive defense.
- FFIEC recommends conducting ongoing information security assessments, and implementing and testing controls regularly. While getting the highly skilled personnel needed for these tasks on your payroll can be costly, opting for third-party professional services may just be the answer you need. This is not only effective on the economic front, but it can also give your organization a fresh perspective on your strategy and find vulnerabilities you may not know exist.
- FFIEC recommends performing security monitoring, prevention and risk mitigation. Many organizations rely on systems that identify attacks. But how many of these solutions actually remove the threat from the web? And what is the time frame of the takedown? Many of our customers see the benefits of a complete cloud-based anti-fraud monitoring solution that provides a threat detection and removal service, offering proactive brand threat intelligence and protection against phishing, pharming and malware.
- FFIEC recommends protecting against unauthorized access. The key to meeting this recommendation is to have a strong multi-factor authentication protocol in addition to a system that can find and block the malware that gives criminals access to your critical infrastructure. Either one working alone is an acceptable strategy but far from effective; the real power is unlocked only when they are put to work together.
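The attack sequence described above (loosened withdrawal limits, removed geographic restrictions, altered fraud-report thresholds, then a burst of withdrawals from a handful of cards across many ATMs) leaves two monitoring signals that the security monitoring recommendation can act on. The following is an added example, not code from the original post or from any ATM vendor: a small Python detector run over constructed audit and transaction log lines. The log format, field names (op, param, old, new, card, atm, country, amount), thresholds and ATM identifiers are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed control-panel audit events. Field names are assumptions for this example.
PANEL_AUDIT_LOG = [
    "2014-04-02T01:12:03Z op=svc_admin param=max_withdrawal_per_txn old=500 new=50000",
    "2014-04-02T01:12:40Z op=svc_admin param=geo_restriction old=US_ONLY new=NONE",
    "2014-04-02T01:13:15Z op=svc_admin param=fraud_report_threshold old=2000 new=1000000",
    "2014-04-02T09:30:00Z op=jdoe param=max_withdrawal_per_txn old=500 new=600",
]

# Constructed withdrawal records (masked card numbers and ATM ids are made up).
TXN_LOG = [
    "2014-04-02T02:00:10Z card=4111****0001 atm=ATM-NYC-01 country=US amount=20000",
    "2014-04-02T02:05:42Z card=4111****0001 atm=ATM-MIA-07 country=US amount=20000",
    "2014-04-02T02:11:09Z card=4111****0001 atm=ATM-LON-03 country=GB amount=20000",
    "2014-04-02T02:14:30Z card=4111****0001 atm=ATM-TYO-02 country=JP amount=20000",
    "2014-04-02T02:02:55Z card=4111****0002 atm=ATM-NYC-02 country=US amount=20000",
    "2014-04-02T02:09:17Z card=4111****0002 atm=ATM-DXB-01 country=AE amount=20000",
    "2014-04-02T02:16:48Z card=4111****0002 atm=ATM-LON-04 country=GB amount=20000",
    "2014-04-02T12:30:00Z card=4111****0003 atm=ATM-NYC-01 country=US amount=200",
    "2014-04-02T18:45:00Z card=4111****0003 atm=ATM-NYC-01 country=US amount=100",
]

LINE_RE = re.compile(r"(?P<ts>\S+)\s+(?P<kv>.*)")


def parse(line):
    """Parse 'timestamp k=v k=v ...' into a dict; 'ts' becomes a datetime."""
    m = LINE_RE.match(line)
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
    fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return fields


# A parameter change is "loosening" when it widens what a card may do or
# when it blinds fraud reporting. Multipliers are assumed tuning values.
LOOSENING_RULES = {
    "max_withdrawal_per_txn": lambda old, new: float(new) >= 5 * float(old),
    "fraud_report_threshold": lambda old, new: float(new) >= 5 * float(old),
    "geo_restriction": lambda old, new: new.upper() == "NONE" and old.upper() != "NONE",
}


def suspicious_panel_changes(lines, cluster_window=timedelta(minutes=15)):
    """Return (flagged_events, clusters). A cluster is one operator loosening
    two or more different parameters inside cluster_window: the control-panel
    signature of the attack described in the post."""
    flagged = [ev for ev in map(parse, lines)
               if ev["param"] in LOOSENING_RULES
               and LOOSENING_RULES[ev["param"]](ev["old"], ev["new"])]
    by_op = defaultdict(list)
    for ev in flagged:
        by_op[ev["op"]].append(ev)
    clusters = []
    for op, evs in by_op.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            params = {e["param"] for e in evs[i:] if e["ts"] - first["ts"] <= cluster_window}
            if len(params) >= 2:
                clusters.append((op, first["ts"], sorted(params)))
                break
    return flagged, clusters


def cashout_cards(lines, window=timedelta(hours=2), min_atms=3, min_total=10000):
    """Flag cards that, inside any sliding window, hit min_atms distinct ATMs or
    withdraw min_total in total. Distinct countries are recorded because the
    attack removes geographic restrictions before cashing out."""
    by_card = defaultdict(list)
    for tx in map(parse, lines):
        by_card[tx["card"]].append(tx)
    hits = {}
    for card, txs in by_card.items():
        txs.sort(key=lambda t: t["ts"])
        start = 0
        for end in range(len(txs)):
            while txs[end]["ts"] - txs[start]["ts"] > window:
                start += 1
            span = txs[start:end + 1]
            atms = {t["atm"] for t in span}
            total = sum(float(t["amount"]) for t in span)
            if len(atms) >= min_atms or total >= min_total:
                hits[card] = {"atms": len(atms),
                              "countries": len({t["country"] for t in span}),
                              "total": total}
    return hits


def cashout_campaign(lines, max_cards=20, min_total=50000):
    """Campaign-level signal: a small number of cards draining a large total,
    which is what distinguishes a cash-out from ordinary card fraud."""
    hits = cashout_cards(lines)
    total = sum(h["total"] for h in hits.values())
    return {"cards": len(hits), "total": total,
            "campaign": 0 < len(hits) <= max_cards and total >= min_total}


if __name__ == "__main__":
    flagged, clusters = suspicious_panel_changes(PANEL_AUDIT_LOG)
    print("loosening changes:", len(flagged), "clusters:", clusters)
    print("cash-out cards:", cashout_cards(TXN_LOG))
    print("campaign summary:", cashout_campaign(TXN_LOG))
```

The two detectors are deliberately independent: the control-panel check fires hours before any money leaves, so it is the one worth paging on, while the transaction check is the backstop if the attackers also suppressed the panel's own fraud reporting. Both are meant to feed the same response process the FFIEC asks institutions to review.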