Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

FBI Warns Banks About Potential ‘Unlimited’ ATM Heist

August 22, 2018

USA TODAY reported on August 14th that the FBI has warned banks in the U.S. of an impending cybercrime, a heist called an "ATM cash-out," in which thieves seek to steal millions of dollars in a few hours by using cloned ATM cards for fraudulent withdrawals.

This globally organized operation could be launched soon, the FBI warned banks in a confidential alert obtained by security researcher Brian Krebs.

"The FBI has obtained unspecified reporting indicating cyber criminals are planning to conduct a global Automated Teller Machine (ATM) cash-out scheme in the coming days, likely associated with an unknown card issuer breach and commonly referred to as an 'unlimited operation,'" the alert said. In an unlimited operation, cybercriminals use malware to obtain bank customer card information and network access that lets them execute massive ATM thefts, the FBI said.

Organized crime gangs typically hack into a bank or payment processor to remove fraud controls, such as maximum withdrawal amounts and limits on the number of daily customer ATM transactions. Account balances and security measures within the institution are altered to make an unlimited amount of money available at the time of the illegal transactions.

To commit the crime, cyber criminals create fake bank cards by imprinting stolen credit card data on blank magnetic stripe cards. "At a pre-determined time, the co-conspirators withdraw account funds from ATMs using these cards," the FBI said.

A heist that occurred recently in India could be the operation the FBI had warned of. India's Cosmos Bank lost about $13.5 million (944 million rupees) in a wave of simultaneous withdrawals across 28 countries, Reuters reported.

Another example of an apparent unlimited operation resulted in the National Bank of Blacksburg in Virginia losing a total of $2.4 million in two separate ATM cash-out operations between May 2016 and January 2017, as I have previously reported in this blog.

In that incident, a phishing email led to malware on a PC and the compromise of a computer at the bank that had access to Star Network, a debit card payment system run by First Data, which managed customer accounts and their use of ATMs and bank cards. Hackers then disabled and altered anti-theft and anti-fraud protections, including four-digit PIN numbers and daily withdrawal limits.

The FBI gave banks several security recommendations to combat any potential threats, such as requiring strong passwords and two-factor authentication with a physical or digital token for critical employees.

I don't often send cyber alerts to my bank manager, but in this case I made an exception!
