There’s been a media din lately about Windows XP end of support — now less than a week away — and the risk it poses for XP-driven ATMs that will not be protected by continuing Microsoft security patches after April 8.
What has been lost in the noise is a present and growing danger that has nothing to do with operating system migration. It involves a type of cyber attack that begins with phishing emails to bank employees and culminates in the installation of malware that removes ATM withdrawal limits and allows thieves to execute fraudulent transactions on a grand scale.
Today the Federal Financial Institutions Examination Council issued a stark warning about the growing risk to financial institutions of these attacks and instructed FIs to take steps to prevent them.
In a statement, the FFIEC explained how the attacks, which the U.S. Secret Service calls “Unlimited Operations,” are carried out.
Details of the Unlimited Operations exploit are excerpted below. The full statement, available online, includes steps for risk mitigation.
Unlimited Operations are a category of ATM cash-out fraud where criminals are able to withdraw funds beyond the cash balance in customer accounts or beyond other control limits typically applied to ATM withdrawals.
Criminals perpetrate the fraud by initiating cyber-attacks to gain access to web-based ATM control panels, which enables them to withdraw customer funds from ATMs using stolen customer debit, prepaid, or ATM card account information. A recent Unlimited Operations attack netted over $40 million in fraud using only 12 debit card accounts.
Criminals may begin the attack by sending phishing emails to employees of financial institutions as a means to install malicious software (malware) onto the institution’s network. Once installed, criminals use the malware to monitor the institution’s network to determine how the institution accesses ATM control panels and obtain employee login credentials.
These control panels, often web-based, manage the amount of money customers may withdraw within a set time frame, the geographic limitations of withdrawals, the types and frequency of fraud reports that its service provider sends to the financial institution, the designated employee that receives these reports, and other management functions related to card security and internal controls.
When criminals obtain this information, they may use an employee’s login credentials to gain access to the control panel and change the settings to permit greater or unlimited cash disbursements at ATM machines, and to change other fraud and security related controls.
Following an attack on an institution’s ATM control panels, criminals use fraudulent debit, prepaid, or ATM cards they create with account information and personal identification numbers stolen through separate attacks to withdraw funds from ATMs.
Card account information and PINs typically are stolen in a number of ways including through point-of-sale malware or skimming, ATM malware or skimming, or compromise of the issuer’s card operations.
The cash-out phase of the attack involves criminals organizing simultaneous withdrawals of large amounts of cash from multiple ATMs over a short time period, usually four hours to two days.
Criminals may conduct their operations during holidays and weekends to take advantage of increased cash levels in ATMs and limited monitoring by financial institutions during non-work hours.
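The excerpt above describes two observable stages: a control-panel change that removes or raises withdrawal limits (often off-hours), and a cash-out burst where one card is used at many ATMs within a window of hours. As an added example, not part of the FFIEC statement or this article, the Python below runs a simple check for each stage over constructed sample records. The audit-log and withdrawal-log field names, the thresholds, and every timestamp, card number, user and ATM id are assumptions for illustration; a real deployment would read the institution's own control-panel audit trail and switch transaction feed.

```python
"""Added example: defender-side checks for the Unlimited Operations pattern.
Schemas, thresholds and all sample records are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed control-panel audit records (hypothetical schema). April 5, 2014
# is a Saturday, i.e. the weekend window the statement says attackers favour.
PARAM_CHANGES = [
    {"ts": "2014-04-03T10:05:00", "user": "ops.asmith", "bin": "400012",
     "param": "daily_withdrawal_limit", "old": 500, "new": 600},
    {"ts": "2014-04-05T02:13:00", "user": "ops.jdoe", "bin": "400012",
     "param": "daily_withdrawal_limit", "old": 500, "new": None},  # None = unlimited
    {"ts": "2014-04-05T02:14:00", "user": "ops.jdoe", "bin": "400012",
     "param": "fraud_report_recipient", "old": "fraud@bank.example",
     "new": "nobody@bank.example"},
]

# Constructed ATM withdrawal records (hypothetical schema, fake card numbers).
WITHDRAWALS = [
    {"ts": "2014-04-05T03:00:00", "card": "4000120000000001", "atm": "NYC-01", "amount": 400},
    {"ts": "2014-04-05T03:07:00", "card": "4000120000000001", "atm": "NYC-02", "amount": 400},
    {"ts": "2014-04-05T03:12:00", "card": "4000120000000001", "atm": "NYC-07", "amount": 400},
    {"ts": "2014-04-05T03:20:00", "card": "4000120000000001", "atm": "NYC-09", "amount": 400},
    {"ts": "2014-04-05T09:30:00", "card": "4000120000000002", "atm": "BOS-03", "amount": 100},
    {"ts": "2014-04-05T18:45:00", "card": "4000120000000002", "atm": "BOS-03", "amount": 60},
]

# Parameters the statement lists as targets: limits, geography, fraud reporting.
SENSITIVE_PARAMS = {"daily_withdrawal_limit", "fraud_report_recipient", "geo_restriction"}


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def off_hours(ts):
    """True on weekends or outside 08:00-18:00 (assumed business hours)."""
    t = _parse(ts)
    return t.weekday() >= 5 or not (8 <= t.hour < 18)


def flag_parameter_changes(changes, max_increase=2.0):
    """Alert on control-panel changes that weaken limits or reporting:
    a limit removed (None) or raised more than max_increase times, a fraud
    report recipient altered, or any sensitive parameter changed off-hours."""
    alerts = []
    for c in changes:
        reasons = []
        if c["param"] == "daily_withdrawal_limit":
            if c["new"] is None:
                reasons.append("limit removed")
            elif c["old"] and c["new"] / c["old"] > max_increase:
                reasons.append("limit raised %.1fx" % (c["new"] / c["old"]))
        elif c["param"] == "fraud_report_recipient":
            reasons.append("fraud report recipient changed")
        if c["param"] in SENSITIVE_PARAMS and off_hours(c["ts"]):
            reasons.append("off-hours change")
        if reasons:
            alerts.append({"ts": c["ts"], "user": c["user"],
                           "param": c["param"], "reasons": reasons})
    return alerts


def flag_cashout_velocity(withdrawals, window=timedelta(hours=4),
                          min_atms=3, daily_limit=500):
    """Per card, slide a time window over withdrawals and alert when the card
    hits >= min_atms distinct ATMs or the windowed total exceeds daily_limit.
    This runs on the transaction feed, so it still fires after the control
    panel itself has stopped enforcing the limit."""
    by_card = defaultdict(list)
    for w in sorted(withdrawals, key=lambda r: r["ts"]):  # ISO strings sort by time
        by_card[w["card"]].append(w)
    alerts = {}
    for card, rows in by_card.items():
        start = 0
        for end in range(len(rows)):
            while _parse(rows[end]["ts"]) - _parse(rows[start]["ts"]) > window:
                start += 1
            span = rows[start:end + 1]
            atms = {r["atm"] for r in span}
            total = sum(r["amount"] for r in span)
            if len(atms) >= min_atms or total > daily_limit:
                prev = alerts.get(card, {"atms": set(), "total": 0})
                alerts[card] = {"atms": prev["atms"] | atms,
                                "total": max(prev["total"], total)}
    return alerts


if __name__ == "__main__":
    for a in flag_parameter_changes(PARAM_CHANGES):
        print("PARAM ALERT", a)
    for card, a in flag_cashout_velocity(WITHDRAWALS).items():
        print("CASHOUT ALERT", card, sorted(a["atms"]), a["total"])
```

On the sample data the first check flags the two Saturday 02:13/02:14 changes (limit removed, reporting recipient altered, both off-hours) and ignores the weekday 500 to 600 adjustment; the second flags only the card that ran four ATMs in twenty minutes. The velocity check deliberately takes its limit from the detection side rather than from the control panel, because the attack's whole point is that the panel's limit can no longer be trusted.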
The modus operandi is somewhat familiar, thanks to a highly publicized 2013 incident. In this exploit, a cybercrime organization hacked into credit card processor computer systems and eliminated the withdrawal limits on prepaid debit card accounts.
“Cashers” in 20 countries subsequently used counterfeit cards to make fraudulent ATM withdrawals “on a massive scale,” netting $45 million before the FBI shut down the operation. Cashers in New York withdrew $2.8 million in less than four hours.
In this notorious attack, cashers were still subject to ATM limits. It took hundreds or thousands of cards and more than 4,500 individual transactions to steal $45 million.
As today’s statement made clear, the removal of ATM withdrawal limits dramatically reduces the number of counterfeit cards and transactions required and exponentially escalates the danger to FIs, whose ATMs can be emptied with as little as a single transaction. This led the FFIEC to issue the caution:
Unlimited Operations may cause financial institutions to incur large dollar losses. Therefore, the members expect financial institutions to take steps to address this threat by reviewing the adequacy of their controls over their information technology networks, card issuer authorization systems, systems that manage ATM parameters, and fraud detection and response processes.
(Source: ATM Marketplace)