The American Bankers Association (ABA) and other news sources reported that the FBI released a confidential notification to the financial industry on August 9, 2018, warning that cyber criminals were planning to conduct a global ATM cash-out scheme in the coming days, likely associated with an unknown card issuer breach. Per the alert, these schemes are commonly referred to as an “unlimited operation,” involving the compromise of a financial institution or payment card processor with malware to access bank customer card information and exploit network access to enable a large-scale theft of funds from ATMs.
POST-ALERT UPDATE: FS-ISAC (Financial Services - Information Sharing and Analysis Center) recently posted the following update from the FBI:
“The immediate threat resulting in the writing of this PIN [Private Industry Notification] has subsided, but does not preclude further cybercriminal activity of this nature. The FBI provided this PIN as advance warning and, unfortunately has no further information to provide. At this point in time, the FBI has observed no recent ATM cash out attempt from a card issuer breach with a US BIN.”
Several media outlets have reported that a bank in India lost about $13.5 million (944 million rupees) following a series of simultaneous withdrawals across 28 countries this past weekend.
What is an ATM Cashout Strike?

To successfully complete this ATM scheme, criminals need unauthorized access to unencrypted bank card data and the expertise and ability to manipulate the security and anti-fraud protocols pertaining to account balances, withdrawal limits, and bank, card and ATM-specific security measures. The criminals typically create counterfeit cards by imprinting the stolen data on reusable magnetic stripe cards, such as gift cards, and act during low-visibility times and holiday weekends, when they have uninterrupted and prolonged access to the ATM to withdraw the funds.
The FBI recommended several steps that banks can take to safeguard against this threat, including implementing dual controls for account balance or withdrawal increases above a specified threshold, implementing application whitelisting to block malware, and patching all systems for critical vulnerabilities.
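The dual-control recommendation above can be enforced in code. This is an added sketch, not taken from the FBI alert or the ABA. The class names, the threshold value and the choice to measure increases against the last dual-approved limit are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from decimal import Decimal

THRESHOLD = Decimal("500")  # assumed policy value, not from the alert


class DualControlError(Exception):
    """Raised when a limit change violates the dual-control policy."""


@dataclass
class LimitChange:  # hypothetical request record
    account: str
    new_limit: Decimal
    requested_by: str
    approvers: set = field(default_factory=set)


class LimitStore:  # hypothetical store of per-account withdrawal limits
    def __init__(self, limits):
        self.baseline = dict(limits)  # last limit a second person signed off
        self.current = dict(limits)   # limit currently in force
        self.audit = []               # every attempt is recorded, allowed or not

    def approve(self, change, approver):
        # The requester never counts as their own second approver.
        if approver == change.requested_by:
            raise DualControlError("requester cannot approve own change")
        change.approvers.add(approver)

    def apply(self, change):
        # Compare with the baseline, not the current value, so a series of
        # small increases cannot add up past the threshold without review.
        increase = change.new_limit - self.baseline[change.account]
        allowed = increase <= THRESHOLD or bool(change.approvers)
        self.audit.append((change.account, change.requested_by,
                           sorted(change.approvers), str(change.new_limit),
                           "APPLIED" if allowed else "BLOCKED"))
        if not allowed:
            raise DualControlError("increase above threshold needs a second approver")
        self.current[change.account] = change.new_limit
        if change.approvers:
            self.baseline[change.account] = change.new_limit
        return change.new_limit
```

Blocked attempts stay in the audit list, which gives monitoring a record of anyone trying to raise limits without a second approver.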
The ABA encourages all banks to join the Financial Services Information Sharing and Analysis Center to receive the latest security alerts.