Visa recently alerted U.S. card issuers about increasing global ATM cash-out schemes, which could extract hundreds of thousands or millions of dollars from institutions.
To improve how they detect these attacks, banking institutions need to review transaction logs and card data. "It's the fact that you've got the same cards being used, and that really is where it has to stop," says Sturgill, a research director within the Retail Banking & Cards practice at CEB TowerGroup, in an interview with Information Security Media Group [transcript below].
"Within the institution itself, they have to be looking at the card numbers being used," she says. "They have to be looking at their electronic journals to be able to see that the same card is used over and over again."
The real concern, Sturgill says, is how quickly an institution can detect an ATM cash-out scheme and shut down its ATMs remotely.
Security offerings from electronic-funds-transfer networks have included fraud detection mechanisms to alert card issuers when fraudulent activity is suspected, she says. "The problem is that these types of schemes are happening so quickly that no one has time to respond to any sort of reporting of the issue before large sums of money are already gone," Sturgill says.
During this interview, Sturgill discusses:
- Why ATM cash-out schemes are increasing;
- Detection and prevention challenges card issuers face;
- How ATM cash-outs are often linked to network or processor breaches.
At CEB TowerGroup, Sturgill is responsible for research and advisory activities covering trends and developments in banking branches, ATMs, contact centers, online banking, mobile banking and social media. With more than 15 years of experience in financial services, she has expertise in ATM strategy and processing, cash supply chain management, operational analysis, best practices, vendor management and regulatory compliance. Before joining CEB TowerGroup, Sturgill was the manager of banking strategies at Transoft International, where she worked with banks in EMEA and North America. Previously, she worked at Fifth Third Bank as assistant vice president managing ATM operations, Regulation E compliance, and debit card operations.
TRACY KITTEN: What is an ATM cash-out?
NICOLE STURGILL: It's important to distinguish between [this] and an operational cash-out, which is really very simple. An ATM runs out of cash; you might need to do an emergency cash run depending on the timing of the next scheduled replenishment. What's really described here is a security cash-out. As it's defined here, a security cash-out is a large-scale effort to withdraw a lot of cash. By a lot, I'm talking tens or hundreds of thousands of dollars, millions of dollars in some cases, in a very short period of time.
KITTEN: How common are ATM cash-outs, and how rare is this warning that came out from Visa?
STURGILL: Cash-outs require a lot of advanced planning, hacking and cloning, so they're not very common. In my experience, a warning like the one that Visa issued really occurs only when they've seen direct evidence that a future scam could take place. It's not something that they're issuing regularly every time they see something. It very much is direct evidence that they think something could happen in the future based on the information they've been given.
Warning from Visa
KITTEN: Why do you think that Visa issued this warning?
STURGILL: The warning itself says that they've received information from international law-enforcement agencies that suggest further attempts may be imminent. I'm sure that they need to warn their issuers and networks, which really are the ones that end up processing all of this, to watch out for card numbers that are being used over and over in a very short period of time, maybe card numbers that are being used in different countries at the same time. They want to get that word out as quickly as they can in the event that there's a way to stop it before it happens.
KITTEN: How concerning is an ATM cash-out from a global perspective?
STURGILL: It can happen anywhere. A mag-stripe transaction for a card tied to an international network like MasterCard or Visa can happen anywhere in the world at any time. There are literally no borders for ATM transactions, and so it has to be a global warning in order to truly catch this before it goes too far.
KITTEN: The most notable ATM cash-out scheme actually dates back to November 2008, when money mules across 280 countries coordinated their efforts to withdraw $9 million from 2,100 ATMs within a 12-hour period. I know that you worked on this particular incident, which involved RBS WorldPay, and researched it quite a bit. Do you think these types of cash-outs are common?
STURGILL: They're not common. Last time we were talking about this was 2009, when we were reviewing what happened in November 2008, and so they're not common; but they're extremely newsworthy when they happen, just simply because of the scale. They require a lot of advanced planning, like I mentioned, so it's not something that you can just get people together over a weekend and figure out how you're going to do it. Generally, you have to figure out what networks you're going to use and how you're going to get the cards. All of the things that go into it require a lot of effort and so it's not something that I think we're going to see all the time; but definitely something that happened a few years ago, is happening now and can happen again.
Increase in Cash-Outs
KITTEN: Are there any indications that cash-outs are increasing?
STURGILL: The fact that we're discussing it at all really means they can happen, and that's the problem itself. It's a far cry from 10 years ago when this type of scheme was unthinkable. We really just never even considered something like this happening. Now, it's not only possible but it's happening, even if it's every few years. And there are variations of the scheme I think that have happened in-between, but nothing really large-scale. It's usually very controlled in a certain network or a single network. But they [ATM cash-outs] will continue unless we find a way to stop them before they start.
RBS WorldPay Scheme
KITTEN: Do you think that a similar breach could have been the catalyst for Visa's alert in this case?
STURGILL: I think so, yes. Who knows if it's at the same scale of RBS WorldPay? I'm sure if it is, we will hear about it soon. I doubt it. I really feel like if there was information that showed that something like this had happened, we would already be hearing more detail than simply a warning. I don't think at this point that we can make any judgment about whether it's at the same scale, but I do think it must be a similar type of scheme for a warning to come out like this.
Possible Network Breach?
KITTEN: Have you heard any rumblings in the industry about a network that has been breached?
STURGILL: Not at all. I haven't heard anything that makes me think that anyone knows what might have been the cause of this, and it may not have been local. It could have been in another country in which maybe it's local there and it's making the news there and it just hasn't made its way here. I have not heard any rumblings whatsoever to precisely what the breach might have been that caused the warning.
Steps to Detect Cash-Out Schemes
KITTEN: Predicting cash-outs and detecting them is challenging because the transactions occur simultaneously, within a short window of time. What steps should card issuers take to ensure that they detect a cash-out scheme?
STURGILL: Before we get to detection, we have to consider the continuing capability to clone the card, which is going to persist as long as - particularly here in the U.S. - we continue to reject chip-and-pin in favor of mag-stripe cards. We've done that for very interesting reasons, cost reasons. We're moving obviously toward chip-and-pin, and there's a lot of discussion around that. That's definitely a part of this.
But for detection and elimination of this type of scheme, historically security offerings from the EFT networks encompass fraud detection systems that alert issuers when fraudulent activity is suspected. The structure allows the issuer to make decisions affecting their clients, typically viewed as a customer service matter for good reason. The problem is that these types of schemes are happening so quickly that no one has time to respond to any sort of reporting of the issue before large sums of money are already gone.
There's no good answer just simply because they do happen so fast. It really has to come from a changing of the roles between EFT networks and financial institutions to figure out how they can change the security at the EFT networks to prevent such a large number of transactions in such a short period of time.
Role of ATM Deployers
KITTEN: We've talked about card issuers and the EFT networks, but what about ATM deployers? What role do they play and what should they be doing to help cash-out schemes?
STURGILL: I have to say I'd be guessing if I tried to answer this question. The capability for detection lies in the data. It's the fact that the same card numbers are being used over and over, and at this point the ATM itself isn't going to catch that and stop accepting a card because it's the processing that tells the ATM that the same card is being used over and over. If there's something that an ATM manufacturer can do, I would love to hear it just simply because it's not so much at the ATM level itself that you can catch the fact that the card is being used multiple times.
Recommendations for Institutions
KITTEN: What recommendations do you have for financial institutions where detecting and preventing some of these cash-out schemes is concerned?
STURGILL: Smart scammers are going to use only one or two ATMs from any one institution. Stopping this while it's happening isn't really an option. Again, I have to just keep going back to [the fact that] it's the data. It's the fact that you've got the same cards being used, and that really is where it has to stop.
Within the institution itself, they have to be looking at the card numbers being used. They have to be looking at their electronic journals to be able to see that the same card is used over and over again. There the issue is just on how quickly they can detect that and do they have a way to shut that ATM down remotely. The technology exists to be able to do that, so they have to be able to detect card number being used many times, and then they have to figure out how many times they want to do that before they shut down an ATM, and they have to have the ability to remotely shut down the ATM.