18 December 2014

Banks losing millions to new wave of ATM hacks - FFIEC

03 April 2014

US regulators have warned banks to protect their automated teller machines and card authorisation systems from a fresh wave of cyber-attacks that seek to exploit ATM control weaknesses to spew out millions of dollars in fraudulent withdrawals.

The Federal Financial Institutions Examination Council is alerting banks to an alarming rise in ATM fraud dubbed 'Unlimited Operations' by the Secret Service, where criminals are able to withdraw funds beyond the cash balance in customer accounts or beyond other control limits typically applied to cash machine withdrawals.

Criminals perpetrate the fraud by initiating cyber-attacks to gain access to Web-based ATM control panels, which enables them to withdraw customer funds from ATMs using stolen customer debit, prepaid, or ATM card account information.

The FFIEC says a recent Unlimited Operations attack netted over $40 million in fraud using only 12 debit card accounts.

"Unlimited Operations may cause financial institutions to incur large dollar losses," says the watchdog. "Therefore, the (FFIEC) members expect financial institutions to take steps to address this threat by reviewing the adequacy of their controls over their information technology networks, card issuer authorisation systems, systems that manage ATM parameters, and fraud detection and response processes."

The FFIEC is also calling on banks to step up their readiness to repel Distributed Denial of Service Attacks that aim to cripple public-facing Websites.

Says the regulator: "Each institution is expected to monitor incoming traffic to its public Website, activate incident response plans if it suspects that a DDoS attack is occurring, and ensure sufficient staffing for the duration of the attack, including the use of pre-contracted third-party servicers, if appropriate."

Read the full statement: Download the document now (PDF file, 272.8 KB)

Comments: (4)

Alexander Peschkoff - TEDIPAY - London | 03 April, 2014, 11:33

It's about "the weakest link"...

Cardless ATMs (with out-of-bound authentication via the phone) are the future. Most importantly, no h/w change is needed at all on the ATM level.

Andrew Smith - CloudZync - London | 03 April, 2014, 17:11

There are some great proof of concept solutions to remove cards from ATM using mobile and more... This is for sure the future.

David Griffiths - gryffle - Hertford | 04 April, 2014, 07:27

If the ATMs didn't accept magstripe, the crims wouldn't be able to clone cards. And ... if financial institutions weren't forced to over-resource the ever increasing demands of PCI and the protection of the PAN, perhaps they could pay more attention to the vulnerabilities of the ATM control network. Chip and PIN is the future!

Alexander Peschkoff - TEDIPAY - London | 04 April, 2014, 08:36

C&P requires ATM change and is still vulnerable to a degree. Cardless cash withdrawal allows the use of ANY existing ATM. That approach excludes non-smartphone users, but with prices below $100 those will be few and far between. One can still attack cardless ATMs via "inside job", but that's another story...