Visa Issues ATM Cash-Out WarningCard Issuers Alerted to Organized Global Fraud Schemes
Visa has issued an advisory to U.S. payment card issuers, advising them to be on alert for suspected ATM cash-out fraud schemes.
See Also: Rethinking Endpoint Security
Visa could not be reached for comment about the Jan. 10 advisory. But BankInfoSecurity obtained a copy of the advisory from an executive at a top-tier issuing institution who asked not to be named. The advisory states international law enforcement agencies have determined global ATM cash-out schemes could be on an upswing, based on a recent case involving a limited number of stolen payment cards used to conduct thousands of withdrawals at ATMs in numerous countries over the course of a single weekend.
Card issuers have been asked to increase their monitoring of ATM traffic and report any suspicious activity, especially ATM withdrawals involving prepaid cards.
Meanwhile, FICO Card Alert Service, which analyzes card transactions across a network of 11,000 institutions to detect counterfeit card use, issued an alert to its member banks and credit unions the week of Jan. 14 about ATM cash-outs. In the alert, FICO notes that fraudulent ATM withdrawals in certain northeastern U.S. cities had been identified by law enforcement, and a global connection was suspected.
ATM cash-out schemes involve a coordinated effort to make withdrawals at multiple ATMs over a short period of time, typically within hours of each other. Fraudsters collect card numbers and PINs over time - either through skimming attacks, network hacks or purchases in underground carding forums - and hold the information until they reach a relatively massive number.
Fraudsters create fake cards with the stolen details and then use the cards at multiple ATMs simultaneously or within a short period of time in an effort to make numerous withdrawals before fraud-detection systems pick up on suspicious activity.
The most notable ATM cash-out scheme dates back to November 2008, when fraudsters spread across 280 countries withdrew $9 million from 2,100 ATMs within a 12-hour period. Hackers attacked the network of U.S. payments processor RBS WorldPay and are believed to have stolen 1.5 million card numbers and PINs associated with payroll accounts. Only about 100 of those cards were reportedly affected by fraud linked to the cash-out scheme.
In 2009, a handful of suspects were indicted for the roles they played in this global ATM fraud scheme. Investigators believe several more conspirators were involved, although they were never identified (see RBS WorldPay Sentence Too Light?).
An executive at one large issuing institution, who also received the VISA advisory and asked not to be identified, says no suspicious local ATM transactions have been identified yet.
Jerry Silva, an ATM fraud expert and independent financial consultant, says detecting an ATM cash-out scheme is challenging for card issuers. In fact, Silva believes Visa likely would not have issued an alert about expected cash-outs unless the card brand had confirmation that payment card data had been skimmed and was suspected of being held for a cash-out hit.
It's also possible, however, that law enforcement uncovered an underground forum where plans about a cash-out attack were posted, possibly with card numbers, he adds. But even with inside information and heightened information-sharing among card issuers, the card brands and law enforcement, banking institutions might catch wind of a suspected cash-out scheme, but they would never be able to determine when it might hit, he says.
Silva says cash-out schemes are designed to fly under the radar by having all of the fraudulent transactions occur within a short period of time. So, there really is not much issuers can do to prepare in advance, he contends. And just because the card numbers were stolen does not mean they will all be used as part of a scheme, he adds.
"Unless you did periodic tests on every ATM, and checked for all card numbers that had been used on an ATM where a skimmer was found, it would not be easy to isolate" Silva says.
FICO Alert and Visa
The FICO alert notes that four suspects were arrested Jan. 13 by police departments in New Jersey for their alleged connection to unauthorized ATM cash-outs in the area.
The arrests were made with the cooperation of the U.S. Secret Service and Homeland Security, FICO notes.
John Buzzard, who monitors card fraud for FICO's Card Alert Service, could not comment about the arrests, but says that FICO had not yet detected any spikes or suspicious activity that would suggest a cash-out scheme had hit. "FICO Card Alert Service is keeping a watchful eye in case something develops," he said.
In January 2011, Visa identified ATM cash-out schemes as a top fraud concern for card-issuing institutions, noting that card details used in cash-out schemes were often linked to unsecured third parties, as was the case in the RBS WorldPay card heist.
Visa noted that ATM cash outs were often successful because of 10 common security deficiencies:
- Weak or lacking key management procedures at ATMs or point-of-sale devices;
- Excessive online permission to networks and systems;
- Lack of segmentation on the network;
- ATM hardware security modules configured to accept plain text PINs;
- ATM hardware security modules configured with weak PIN pad formats;
- Insecure database configurations;
- The storing of full track data from cards' magnetic stripes as well as PIN blocks;
- Lack of monitoring of networks, hosts, privileged accounts and transactions;
- Limited filtering on firewalls; and
- Lack of incident response procedures.
To address those concerns, Visa's recommendations for issuers included:
- Ensure third parties and ATMs comply with the Payment Card Industry Data Security Standard and PCI PIN security;
- Implement advanced transactional authorization, which provides real-time risk data to issuers during the transaction authorization request to alert them of possible fraudulent activity; and
- Implement a system that allows issuers to react to high-risk transactions at the point of transaction as well as conduct offline case management.