Cyber criminals are planning to withdraw millions in cash from automatic teller machines (ATMs) around the world in a coordinated campaign, the FBI has said in a confidential alert to banks.
The warning comes just days after it emerged that ATM maker NCR issued software security updates after researchers at Positive Technologies reported flaws in encryption of communications between ATM computers and dispensers that could enable attackers to steal cash.
The “ATM cashout scheme” is planned “in the coming days”, according to the FBI alert, obtained by cyber security author and blogger Brian Krebs.
The FBI said “unspecified reports” indicate that the attack is likely to involve a card issuer breach that enables cyber criminals to clone cards for gangs to use to make ATM withdrawals.
The attack is expected to take place over a relatively short period of time, most likely over a weekend when the banks are closed, the FBI said.
The warning also said that, based on similar schemes in the past, the most likely targets are small to medium-sized financial institutions, where attackers can take advantage of third-party vulnerabilities and less robust cyber security controls.
“The FBI expects the ubiquity of this activity to continue or possibly increase in the near future,” the alert said.
According to Krebs, a similar operation reported in July 2018 resulted in losses of $2.4m for the National Bank of Blacksburg in two separate ATM cashouts in May 2016 and January 2017 and involved hundreds of ATMs across the US.
“Virtually all ATM cashout operations are launched on weekends, often just after financial institutions begin closing for business on Saturday,” he said in a blog post.
The first National Bank ATM cashout, for example, began on Saturday 28 May 2016 and continued through the following Monday, Memorial Day, a federal holiday in the US, so bank branches were closed for more than two days after the heist began. The second ATM cashout at the bank also took place over a weekend.
In both cases, said Krebs, the attackers managed to phish someone working at the bank, which enabled them to compromise systems the bank used to manage credits and debits to customer accounts.
In ATM cashouts, cyber attackers typically use their access to bank systems to disable security alerts and remove ATM withdrawal limits.
In September 2017, Europol issued a warning that cyber attacks on bank cash machines were a growing problem in the light of criminal capabilities to access ATMs via bank networks.
The FBI has urged banks to review their security measures, keep their software up to date, and implement stronger protections as soon as possible.
Specifically, the FBI recommends that banks implement:
- Two-factor authentication (2FA) using a physical or digital token for local administrators and business-critical roles.
- Segregation of duties or dual authentication procedures for account balance or withdrawal increases above a specified threshold.
- Application whitelisting to block the execution of malware.
- Monitoring of administrator and business-critical accounts with the authority to modify the account attributes mentioned above.
- Monitoring for the presence of remote network protocols and administrative tools.
- Monitoring for encrypted traffic over non-standard ports.
- Monitoring for network traffic to regions where you would not expect to see outbound connections from the financial institution.
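
As an added illustration (not part of the FBI alert or of any bank's actual system), the following sketch shows how the dual-authorization and account-monitoring recommendations could be checked against an audit trail of account-attribute changes. The record fields, the threshold value and the sample events are all constructed assumptions.

```python
from datetime import datetime

# Constructed audit records; field names are assumptions, not a real banking schema.
# "new": None means the withdrawal limit was removed entirely.
SAMPLE_EVENTS = [
    {"ts": "2016-05-27T14:05:00", "account": "A-1001", "attr": "atm_daily_limit",
     "old": 500, "new": 800, "requested_by": "teller01", "approved_by": None},
    {"ts": "2016-05-28T18:40:00", "account": "A-2002", "attr": "atm_daily_limit",
     "old": 500, "new": 50000, "requested_by": "admin07", "approved_by": None},
    {"ts": "2016-05-28T18:42:00", "account": "A-2003", "attr": "atm_daily_limit",
     "old": 500, "new": None, "requested_by": "admin07", "approved_by": "admin07"},
    {"ts": "2016-05-24T10:00:00", "account": "A-3004", "attr": "balance",
     "old": 1000, "new": 5000, "requested_by": "ops02", "approved_by": "mgr01"},
]

THRESHOLD = 1000  # assumed policy: larger increases need a second person


def review_change(event, threshold=THRESHOLD):
    """Return the list of policy findings for one attribute change."""
    findings = []
    # A removed limit is treated as an unbounded increase.
    if event["new"] is None:
        increase = float("inf")
    else:
        increase = event["new"] - event["old"]

    # Segregation of duties: large increases need a distinct approver.
    if increase > threshold:
        approver = event.get("approved_by")
        if not approver:
            findings.append("no_second_approver")
        elif approver == event["requested_by"]:
            findings.append("self_approved")

    # Cashouts described in the article start on weekends, so any
    # increase made on a Saturday or Sunday is worth a second look.
    if increase > 0 and datetime.fromisoformat(event["ts"]).weekday() >= 5:
        findings.append("weekend_change")
    return findings


def flag_events(events, threshold=THRESHOLD):
    """Map event index -> findings, keeping only events with findings."""
    return {i: f for i, e in enumerate(events) if (f := review_change(e, threshold))}


if __name__ == "__main__":
    for idx, found in flag_events(SAMPLE_EVENTS).items():
        print(SAMPLE_EVENTS[idx]["account"], found)
```

Because the attackers described above used their access to disable security alerts, a check like this is more useful when it runs on a system that the monitored administrator accounts cannot modify.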