ATM Cash-Outs: An Emerging Scheme

FFIEC Warns of Increasingly Sophisticated, Costly Scams
ATM Cash-Outs: An Emerging Scheme

Banking regulators' latest alert about emerging ATM cash-out risks comes just as two leading defendants in an international cash-out scheme pleaded guilty for roles they played in defrauding consumers and leading institutions of more than $15 million (see 2 Guilty Pleas in Huge Cash-out Scheme).

See Also: How to Mitigate Credential Theft by Securing Active Directory

In that case, the two suspects helped to manage the U.S.-based operations for a global cash-out scheme that involved hijacking funds from online bank accounts and prepaid cards, which were opened with stolen identities. The scheme was linked to an international cybercrime ring that hacked customer accounts at more than a dozen banks, brokerage firms, payroll processing companies and government agencies.

Two days after the guilty pleas were entered, the Federal Financial Institutions Examination Council issued a statement warning banking institutions of the risks associated with cyber-attacks on ATM and card authorization systems.

And fraud experts say the timing is no coincidence. Concerns about ATM cash-outs have reached new heights, as fraudsters hone their efforts to exploit the inherent vulnerabilities of magnetic-stripe payment cards before the U.S. completes its migration to chip and PIN.

"The evolution that's going on is an increase in attack sophistication and intensity, where fraudsters are analyzing the whole payments ecosystem, finding the weak points, and exploiting those," says financial fraud expert Tom Wills, director of Ontrack Advisory, a consulting firm focused on payments innovation. "The FFIEC press release talks about cyber-attacks against the ATM. That's one big one; and the other is cyber-attacks against the payment platform itself, which can also result in 'unlimited operations.'"

FFIEC Warning

"Unlimited operations," as defined in the FFIEC's April 2 statement, refer to ATM cash withdrawals for monetary amounts that exceed daily-limit controls or even the cash balance in a customer's account.

The FFIEC notes a recent so-called unlimited-operations attack that netted more than $40 million with only 12 debit cards.

"Criminals may begin the attack by sending phishing e-mails to employees of financial institutions as a means to install malicious software onto the institution's network," the FFIEC notes. "Once installed, criminals use the malware to monitor the institution's network to determine how the institution accesses ATM control panels and obtain employee login credentials."

The ATM controls, which are often Web-based, manage how customers can withdraw cash - either by setting limits on the amounts or the time periods during which withdrawals can be made. The controls also usually manage other functions, such as fraud reports sent by service providers; which employees are designated to receive fraud reports; and other functions related to card security and internal controls.

When these controls are compromised, a hacker can use an employee's login credentials to gain access to the control panel and change settings to permit higher or even unlimited cash disbursements at ATMs, and the hacker change fraud and security-related controls, regulators warn.

From there, the standard fraud protocol is followed - using a fake or white ATM card that is encoded with stolen card numbers and an intercepted PIN to make fraudulent withdrawals.

"The end of security patches for ATM XP system as well as cyber-attacks on ATM and card authorization systems are the major ATM vulnerabilities that concern NCUA and other FFIEC agencies," a spokesman for the National Credit Union Administration told Information Security Media Group on April 4.

"To manage and mitigate stated threats to ATMs, NCUA and other agencies provided guidance in the statements of End of Microsoft Support for Windows XP Operating System and Cyber-Attacks on ATM and Card Authorization Systems, issued on October 7, 2013 and April 2, 2014, respectively. If there are any foreseeable threats exploiting ATM vulnerabilities, NCUA will consider issuing additional guidance."

The Evolution of Cash-Outs

While cash-outs have traditionally described schemes that involve the simultaneous withdraw of cash from numerous ATMs in multiple regions, definitions for cash-outs are evolving to include more sophisticated schemes.

Some of the financial industry's most notable cash-out schemes, such as the 2008 RBS WorldPay heist and the $45 million heist involving RAKBANK in 2013, have revolved around evading fraud detection based on the time and number of ATM withdrawals. But cash-outs are changing, fraud experts say.

"The simultaneous ATM withdrawal is one very ingenious and alarming way of doing it, but also withdrawals at a single ATM, or even a teller window, can be called 'cash-out,' in reference to a fraud scheme," says Wills.

Today's cash-out schemes are increasingly elaborate, he says. And the payouts for fraudsters are getting bigger.

Al Pascual, a lead analyst at consultancy Javelin Strategy & Research, says hackers have figured out how to streamline and simplify the cash-out process.

"With the proper technical skills, hackers and criminal groups have learned that they can still walk away with millions with fewer moving parts," Pascual says. "These ATM cash-out operations have been relatively complex, but they have found that it is less of a logistical challenge to compromise institutions, processors or the ATMs themselves to alter limits on cards, rather than to use multiple machines and runners in a coordinated exercise."

Simon Gamble, president of ATM-network security firm Mako Networks, says enhanced technical solutions are critical for detecting and thwarting these emerging schemes, but banking institutions also need to devote more time to employee education about engineering. They should be updating staff regularly about new threats, he says.

"In the security industry, we've become very good at designing technologies that are very advanced and behave predictably," Gamble says. "But with people, they're subject to persuasion and judgment errors. That's why malware and phishing attacks are still so successful. The 'Human OS' is in need of constant updates and patching, just like your technology. Regular staff training and enforcement of security policies are an important part of network defense."

Advice for Banking Institutions

The experts agree that today's sophisticated cash-out schemes require much more than mere ATM monitoring - a point Wills has discussed at length when reviewing emerging trends in prepaid card fraud.

"Attacks have become multidimensional, so your defense has to be multidimensional," Wills says. "I think the advice in the FFIEC statement is sound."

The FFIEC says it expects banks and credit unions to:

  • Conduct ongoing information security risk assessments;
  • Perform security monitoring, prevention and risk mitigation;
  • Protect against unauthorized access;
  • Implement and test controls around critical systems regularly;
  • Conduct information security awareness and training programs;
  • Test incident response plans;
  • Participate in industry information sharing forums.

Additionally, Wills recommends institutions assess the risk of their entire banking ecosystem, not just the parts they own or control.

"Most banks will look at their mobile and Web applications, and their back-end platform, but not vendors who might have privileged access to their network," he says. "There's the mobile network operator, the payment gateway, the ISP [Internet service provider]."

Banking institutions may not be able to control what these third parties do, Wills adds. But the onus is on banks and credit unions to ensure they work with any entity that could potentially compromise their network or security.

"Your only option is to collaborate and coordinate with ecosystem partners on securing your service," Wills says. "Most institutions will need outside specialized help with this, as it's more than most will have the know-how to take on."

News writer Jeffrey Roman contributed to this story.


About the Author

Tracy Kitten

Tracy Kitten

Executive Editor, BankInfoSecurity & CUInfoSecurity

A veteran journalist with more than 18 years' experience, Kitten has covered the financial sector for the last 11 years. Before joining Information Security Media Group in 2010, where she now serves as the Executive Editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.