The FBI has warned banks of a coordinated ATM cybercrime campaign that could see millions in cash withdrawn from ATMs around the world.
The alert comes days after ATM maker NCR issued software security updates to patch flaws in the encryption of communications between ATM computers and their cash dispensers. Researchers had found that these flaws could expose ATMs to cash theft.
Andrew Ellis, senior researcher of Cyxtera Threat Analytics team, explained how the attacks could take place: “It has to do specifically with security controls at the financial institution level, versus at the consumer level. This isn’t card holders who’ve misplaced their data, this is really the case of dedicated cybercriminals who are targeting financial institutions, exploiting vulnerabilities in the software, processes and using that to gain deeper access to the banking network.”
How can the consumer protect against ATM cybercrime?
Because the attacks are directed against the institutions, their systems and personnel, Ellis said that although consumers might see these warnings, there really is little they can do.
Once the attackers gain access to the bank's network, whether by phishing bank personnel or by breaking in physically, they take a series of steps towards reaching the bank's cash.
They disable the systems designed to alert customers to large withdrawals in foreign countries, and they target the data stored within the institution: the account numbers and PINs.
“Then they’ll combine those two pieces, the data they’ve harvested and the disabling of the controls and are able to create fraudulent credit cards that they distribute physically to people around the world who then go out and insert them into ATMs and no one will be the wiser,” said Ellis.
“Unfortunately the biggest weakness to a cyberattack comes from phishing through a person working at a financial institution, for data or access.”
FBI sources and monitoring ‘in the wild’
To learn of possible attacks, the FBI maintains strong partnerships with security firms that monitor threats 'in the wild' and filter what they find back to the bureau.
“Then they start putting the puzzle pieces all together,” said Ellis. “Another way this is ascertained is through the dark web or through private forums, or other places cybercriminals communicate in the recesses of the internet.”
A big part of countering potential attacks is through common defence-in-depth or general security hygiene practices.
Ellis explained: “The FBI talks about standard security practices, installing two-factor authentication, making sure you have login monitoring, authentication control, and things like that. This is the best way to defeat these attacks or at least to mitigate and slow the occurrence of them.”
An ATM cash-out attack, like the one the FBI has warned against, is really a chain of smaller attacks; only when they are linked together can an attacker draw money out of an ATM.
Good security hygiene across an organisation increases the odds of catching at least one link in that chain.
“If you catch it anywhere before the very last one where they’re cashing out the money, then it doesn’t matter because the attackers didn’t catch up,” Ellis explained.
“It’s less about defending against the attack in itself, but about giving yourself as many opportunities as you can to detect that something’s happening and react before the attackers reach their ultimate goal.”
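The chain Ellis describes (fraud controls switched off, card data harvested, then a burst of withdrawals across many countries) gives a bank several independent places to detect it. The script below is an added example written for this page, not code from the FBI, NCR or Cyxtera. It runs three detections over constructed sample data: an audit-log check for fraud controls being relaxed by an unapproved actor, a per-account sliding-window check for withdrawals from several countries or over a limit within an hour, and a fleet-wide correlation that treats several accounts tripping those rules in the same window as a coordinated cash-out. The event fields, thresholds, rule names and actor names are all assumptions chosen for illustration.

```python
"""Detection checks for the links of an ATM cash-out chain (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed fraud-control audit log (not real data):
# (ISO timestamp, actor, setting, old value, new value)
CONTROL_CHANGES = [
    ("2018-08-10T10:00:00", "cm-ticket-4411", "per_card_daily_limit_usd", "800", "1000"),
    ("2018-08-11T23:40:00", "svc-batch", "foreign_withdrawal_alert", "on", "off"),
    ("2018-08-11T23:41:00", "svc-batch", "per_card_daily_limit_usd", "1000", "50000"),
]

# Constructed ATM withdrawal events (not real data):
# (ISO timestamp, account id, ISO country code, amount in USD)
EVENTS = [
    ("2018-08-12T02:00:00", "ACCT-1001", "US", 500),
    ("2018-08-12T02:03:00", "ACCT-1001", "BR", 500),
    ("2018-08-12T02:04:00", "ACCT-1001", "JP", 500),
    ("2018-08-12T02:05:00", "ACCT-1001", "DE", 500),
    ("2018-08-12T02:01:00", "ACCT-3003", "GB", 500),
    ("2018-08-12T02:02:00", "ACCT-3003", "IN", 500),
    ("2018-08-12T09:00:00", "ACCT-2002", "US", 40),
    ("2018-08-12T18:30:00", "ACCT-2002", "US", 60),
]

WINDOW = timedelta(hours=1)      # assumed correlation window
HOURLY_LIMIT_USD = 1000          # assumed per-account limit within WINDOW
MIN_COUNTRIES = 2                # two countries in one hour is impossible travel
MIN_ACCOUNTS_FOR_FLEET_ALERT = 2 # assumed threshold for "coordinated"


def control_tamper_alerts(changes, approved_actors=("cm-ticket-4411",)):
    """Link 1: flag any relaxation of a fraud control not tied to an approved change.

    A change that turns an alert off or raises a limit is 'weakening'; the
    approved-actor set stands in for a real change-management lookup."""
    out = []
    for ts, actor, setting, old, new in changes:
        weakened = (setting.endswith("_alert") and new == "off") or (
            setting.endswith("_limit_usd") and float(new) > float(old))
        if weakened and actor not in approved_actors:
            out.append((datetime.fromisoformat(ts), actor, setting, old, new))
    return out


def _parse(events):
    return sorted((datetime.fromisoformat(ts), acct, country, amount)
                  for ts, acct, country, amount in events)


def per_account_alerts(events, window=WINDOW, limit=HOURLY_LIMIT_USD):
    """Link 2: sliding-window checks per account, run off the raw transaction
    log so they still fire when the bank's primary control has been disabled.

    Returns {(account, rule): first trigger time}."""
    alerts = {}
    by_account = defaultdict(list)
    for ts, acct, country, amount in _parse(events):
        by_account[acct].append((ts, country, amount))
    for acct, rows in by_account.items():
        start = 0
        for end, (ts, _, _) in enumerate(rows):
            while ts - rows[start][0] > window:   # drop events older than the window
                start += 1
            chunk = rows[start:end + 1]
            countries = {c for _, c, _ in chunk}
            total = sum(a for _, _, a in chunk)
            if len(countries) >= MIN_COUNTRIES:
                alerts.setdefault((acct, "multi_country"), ts)
            if total > limit:
                alerts.setdefault((acct, "over_limit"), ts)
    return alerts


def fleet_alert(account_alerts, window=WINDOW, min_accounts=MIN_ACCOUNTS_FOR_FLEET_ALERT):
    """Link 3: several distinct accounts tripping rules inside one window looks
    like a distributed cash-out rather than isolated card fraud.

    Returns (window start, sorted accounts) or None."""
    hits = sorted((ts, acct) for (acct, _), ts in account_alerts.items())
    for ts, _ in hits:
        accts = {a for t, a in hits if ts <= t <= ts + window}
        if len(accts) >= min_accounts:
            return ts, sorted(accts)
    return None


if __name__ == "__main__":
    for row in control_tamper_alerts(CONTROL_CHANGES):
        print("control weakened:", row)
    hits = per_account_alerts(EVENTS)
    for (acct, rule), ts in sorted(hits.items(), key=lambda kv: kv[1]):
        print(f"{ts.isoformat()} {acct} {rule}")
    print("fleet:", fleet_alert(hits))
```

On the sample data the audit check fires twice on the unapproved `svc-batch` changes the night before, ACCT-1001 and ACCT-3003 trip the multi-country rule within minutes of the first withdrawals, and the fleet correlation ties the two accounts together at 02:02. Any one of those three detections firing is enough to stop the chain before the last link, which is the point Ellis makes about detecting "anywhere before the very last one".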