Article written by:
Steve Boston, CPA, CISA
Senior Manager, Assurance & Information Technology Services
The FBI recently issued a private warning to banks and credit unions about a potential global fraud scheme involving ATMs. In an ATM cashout scheme, the attacker compromises a bank or card processor, which allows the criminals to clone ATM cards hundreds of times over. These cloned cards are then used simultaneously around the world to withdraw millions of dollars in cash from separate ATMs in just a few hours. These highly organized schemes typically take place over a weekend or holiday, giving the criminals extra time before the financial institution detects what is happening.
The alert is covered in the article “FBI Warns of ‘Unlimited’ ATM Cashout Blitz.”
“Historic compromises have included small-to-medium size financial institutions, likely due to less robust implementation of cybersecurity controls, budgets, or third-party vendor vulnerabilities,” the FBI alert states. “The FBI expects the ubiquity of this activity to continue or possibly increase in the near future.”
These schemes all begin with someone at the financial institution or processor being compromised, often through a social engineering or email phishing attack that captures user credentials for protected financial systems. Once the attacker has access to the system, they alter security configurations to open the doors for the main event: disabling fraud monitoring controls and increasing withdrawal limits.
“The cybercriminals typically create fraudulent copies of legitimate cards by sending stolen card data to co-conspirators who imprint the data on reusable magnetic strip cards, such as gift cards purchased at retail stores. At a pre-determined time, the co-conspirators withdraw account funds from ATMs using these cards,” the alert continues.
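Both stages of the scheme described above leave traces that an institution can monitor for: the preparatory configuration changes (withdrawal limits raised, fraud monitoring switched off) and, later, the same card being drained at several ATMs around the world within minutes. The following detection logic is an added example and is not part of the FBI alert or of GBQ's own tooling; the log format, field names, thresholds (a 5x limit jump, business-hours change window, three countries within ten minutes) and all sample records are constructed for illustration.

```python
"""Detection logic for two ATM cashout indicators: unusual control changes and
multi-country withdrawal velocity. Assumed log formats and thresholds."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events from a hypothetical card-management system
# (key=value format is an assumption, not a real product's log schema).
AUDIT_EVENTS = [
    "2018-08-10T22:41:03Z user=svc_ops action=set_withdrawal_limit card=****1234 old=500 new=50000",
    "2018-08-10T22:41:40Z user=svc_ops action=fraud_monitoring_toggle state=disabled",
    "2018-08-09T14:02:11Z user=jdoe action=set_withdrawal_limit card=****9876 old=500 new=1000",
]

# Constructed sample ATM withdrawals: (timestamp, masked card, ATM country, amount).
WITHDRAWALS = [
    ("2018-08-11T02:00:05Z", "****1234", "US", 800),
    ("2018-08-11T02:01:12Z", "****1234", "JP", 800),
    ("2018-08-11T02:01:50Z", "****1234", "DE", 800),
    ("2018-08-11T02:03:07Z", "****1234", "BR", 800),
    ("2018-08-11T02:30:00Z", "****5555", "US", 200),
    ("2018-08-11T09:30:00Z", "****5555", "US", 100),
]

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_event(line):
    """Split one audit line into a dict of fields plus a parsed timestamp."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.strptime(ts, TS_FORMAT)
    return event


def flag_control_changes(events, limit_multiplier=5, change_window=(8, 18)):
    """Alert on fraud monitoring being disabled, and on withdrawal-limit changes
    that are large, made outside the change window, or made on a weekend.
    Returns a list of (alert_type, subject, timestamp) tuples."""
    alerts = []
    for line in events:
        e = parse_event(line)
        if e.get("action") == "fraud_monitoring_toggle" and e.get("state") == "disabled":
            alerts.append(("fraud_monitoring_disabled", e["user"], e["ts"]))
        elif e.get("action") == "set_withdrawal_limit":
            old, new = int(e["old"]), int(e["new"])
            outside_hours = not (change_window[0] <= e["ts"].hour < change_window[1])
            weekend = e["ts"].weekday() >= 5  # Saturday or Sunday
            if new >= old * limit_multiplier or outside_hours or weekend:
                alerts.append(("withdrawal_limit_raised", e["card"], e["ts"]))
    return alerts


def flag_cashout_velocity(withdrawals, window=timedelta(minutes=10), min_countries=3):
    """Flag any card withdrawn in at least `min_countries` distinct countries
    within `window`. Returns (card, sorted countries, total amount) per card."""
    by_card = defaultdict(list)
    for ts, card, country, amount in withdrawals:
        by_card[card].append((datetime.strptime(ts, TS_FORMAT), country, amount))
    alerts = []
    for card, rows in by_card.items():
        rows.sort()
        for i, (t0, _, _) in enumerate(rows):
            in_window = [r for r in rows[i:] if r[0] - t0 <= window]
            countries = {c for _, c, _ in in_window}
            if len(countries) >= min_countries:
                total = sum(a for _, _, a in in_window)
                alerts.append((card, sorted(countries), total))
                break  # one alert per card is enough to trigger a review
    return alerts


if __name__ == "__main__":
    for alert in flag_control_changes(AUDIT_EVENTS):
        print("control change:", alert)
    for alert in flag_cashout_velocity(WITHDRAWALS):
        print("cashout velocity:", alert)
```

In the constructed data, the limit on card ****1234 is raised 100x late on a Friday evening and fraud monitoring is switched off a minute later; the card is then used in four countries within three minutes the following night. The routine Thursday-afternoon change by jdoe and the two domestic withdrawals on ****5555 produce no alert. The value of the first check is that it fires on the preparation phase, before any cash leaves an ATM.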
All banks and credit unions need to take action now, starting with a review of their own basic security practices, such as strong password requirements, multi-factor authentication and limiting administrative access to only those who absolutely need it. Employee awareness of security best practices, and training on how to identify potential email or voice phishing attacks, is an increasingly important tool. Most attacks start with compromised credentials, so your employees truly are the first line of defense.
GBQ can help you evaluate your security controls and procedures, including penetration testing, vulnerability scanning, email phishing campaigns and comprehensive FFIEC-compliant IT controls assessments and audits.