Visa Issues ATM Cash-Out Warning

Card Issuers Alerted to Organized Global Fraud Schemes

By , January 22, 2013.
Visa Issues ATM Cash-Out Warning

Visa has issued an advisory to U.S. payment card issuers, advising them to be on alert for suspected ATM cash-out fraud schemes.

See Also: Actionable Threat Intelligence: From Theory to Practice

Visa could not be reached for comment about the Jan. 10 advisory. But BankInfoSecurity obtained a copy of the advisory from an executive at a top-tier issuing institution who asked not to be named. The advisory states international law enforcement agencies have determined global ATM cash-out schemes could be on an upswing, based on a recent case involving a limited number of stolen payment cards used to conduct thousands of withdrawals at ATMs in numerous countries over the course of a single weekend.

Card issuers have been asked to increase their monitoring of ATM traffic and report any suspicious activity, especially ATM withdrawals involving prepaid cards.

Meanwhile, FICO Card Alert Service, which analyzes card transactions across a network of 11,000 institutions to detect counterfeit card use, issued an alert to its member banks and credit unions the week of Jan. 14 about ATM cash-outs. In the alert, FICO notes that fraudulent ATM withdrawals in certain northeastern U.S. cities had been identified by law enforcement, and a global connection was suspected.

ATM Cash-outs

ATM cash-out schemes involve a coordinated effort to make withdrawals at multiple ATMs over a short period of time, typically within hours of each other. Fraudsters collect card numbers and PINs over time - either through skimming attacks, network hacks or purchases in underground carding forums - and hold the information until they reach a relatively massive number.

Fraudsters create fake cards with the stolen details and then use the cards at multiple ATMs simultaneously or within a short period of time in an effort to make numerous withdrawals before fraud-detection systems pick up on suspicious activity.

The most notable ATM cash-out scheme dates back to November 2008, when fraudsters spread across 280 countries withdrew $9 million from 2,100 ATMs within a 12-hour period. Hackers attacked the network of U.S. payments processor RBS WorldPay and are believed to have stolen 1.5 million card numbers and PINs associated with payroll accounts. Only about 100 of those cards were reportedly affected by fraud linked to the cash-out scheme.

In 2009, a handful of suspects were indicted for the roles they played in this global ATM fraud scheme. Investigators believe several more conspirators were involved, although they were never identified (see RBS WorldPay Sentence Too Light?).

Issuers' Response

An executive at one large issuing institution, who also received the VISA advisory and asked not to be identified, says no suspicious local ATM transactions have been identified yet.

Jerry Silva, an ATM fraud expert and independent financial consultant, says detecting an ATM cash-out scheme is challenging for card issuers. In fact, Silva believes Visa likely would not have issued an alert about expected cash-outs unless the card brand had confirmation that payment card data had been skimmed and was suspected of being held for a cash-out hit.

It's also possible, however, that law enforcement uncovered an underground forum where plans about a cash-out attack were posted, possibly with card numbers, he adds. But even with inside information and heightened information-sharing among card issuers, the card brands and law enforcement, banking institutions might catch wind of a suspected cash-out scheme, but they would never be able to determine when it might hit, he says.

Silva says cash-out schemes are designed to fly under the radar by having all of the fraudulent transactions occur within a short period of time. So, there really is not much issuers can do to prepare in advance, he contends. And just because the card numbers were stolen does not mean they will all be used as part of a scheme, he adds.

"Unless you did periodic tests on every ATM, and checked for all card numbers that had been used on an ATM where a skimmer was found, it would not be easy to isolate" Silva says.

FICO Alert and Visa

The FICO alert notes that four suspects were arrested Jan. 13 by police departments in New Jersey for their alleged connection to unauthorized ATM cash-outs in the area.

Follow Tracy Kitten on Twitter: @FraudBlogger

  • Print
  • Tweet Like LinkedIn share
Get permission to license our content for reuse in a myriad of ways.
ARTICLE Third-Party Breaches: Eyeing the Risks

Target is the high-profile example, but many organizations have been breached through third-party...

Latest Tweets and Mentions

ARTICLE Third-Party Breaches: Eyeing the Risks

Target is the high-profile example, but many organizations have been breached through third-party...

The ISMG Network