The Federal Bureau of Investigation has warned banks in the U.S. of an impending cybercrime, a heist called an "ATM cash-out," in which thieves seek to swipe millions of dollars by using cloned ATM cards for fraudulent withdrawals.
This globally organized effort could be launched soon, the FBI told banks Friday, with cybercriminals attempting to amass millions of dollars within a few hours, according to the confidential alert obtained by security researcher Brian Krebs.
“The FBI has obtained unspecified reporting indicating cyber criminals are planning to conduct a global Automated Teller Machine (ATM) cash-out scheme in the coming days, likely associated with an unknown card issuer breach and commonly referred to as an ‘unlimited operation,’ ” the alert said, Krebs reported on his blog.
In an unlimited operation, cybercriminals deploy malware to obtain bank customer card information and network access in order to execute massive ATM thefts, the FBI said, according to Krebs.
“Historic compromises have included small-to-medium size financial institutions, likely due to less robust implementation of cyber security controls, budgets, or third-party vendor vulnerabilities,” the FBI's alert said. “The FBI expects the ubiquity of this activity to continue or possibly increase in the near future.”
The FBI, which would not comment on the specific alert, said in a statement: "The FBI routinely advises private industry of various cyber threat indicators observed during the course of our investigations. This data is provided in order to help systems administrators guard against the actions of persistent cyber criminals."
Organized crime gangs typically hack into a bank or payment processor to remove fraud controls, such as maximum withdrawal amounts and limits on the number of daily customer ATM transactions, Krebs says. Account balances and security measures within the institution are altered to make an unlimited amount of money available at the time of the illegal transactions.
To commit the crime, cyber criminals create fake bank cards by imprinting stolen credit card data on blank magnetic strip cards, the FBI said. “At a pre-determined time, the co-conspirators withdraw account funds from ATMs using these cards,” the agency said.
Most ATM cash-out operations happen on weekends, usually just after the close of business Saturday, Krebs said.
A heist that occurred over the weekend in India could be the operation the FBI had warned of. India's Cosmos Bank lost about $13.5 million (944 million rupees) in a wave of simultaneous withdrawals across 28 countries, Reuters reported.
Another example of an apparent unlimited operation resulted in the National Bank of Blacksburg in Virginia losing a total of $2.4 million in two separate ATM cash-out operations between May 2016 and January 2017, Krebs reported.
In that incident, a phishing email led to malware on a PC and the compromise of a computer at the bank that had access to Star Network, a debit card payment system run by First Data, which managed customer accounts and their use of ATMs and bank cards, Krebs said.
Hackers then disabled and altered anti-theft and anti-fraud protections, including four-digit PIN numbers and daily withdrawal limits. During one breach that began on May 28, 2016, and continued through Memorial Day, hackers got more than $569,000 from hundreds of ATMs across North America.
The FBI gave banks several security recommendations to combat any potential threats, such as requiring strong passwords and two-factor authentication with a physical or digital token for critical employees.
Consumers should remain vigilant, said Paul Benda, senior vice president of risk and cybersecurity policy at the American Bankers Association. "They should be signed up for fraud alerts on their account. They should be monitoring their accounts for activity, and they should look for any unusual activity," Benda said. "If they see anything they should report it. A bank would much rather hear about a potential fraudulent charge that turns out to be something that you don’t remember buying versus not hearing about that at all."
Should a customer lose something from their account as part of a crime such as an "ATM cash-out," he said, "the bank is going to make you whole."