Banks losing millions to new wave of ATM hacks - FFIEC

03 April 2014

US regulators have warned banks to protect their automated teller machines and card authorisation systems from a fresh wave of cyber-attacks that seek to exploit ATM control weaknesses to spew out millions of dollars in fraudulent withdrawals.

The Federal Financial Institutions Examination Council is alerting banks to an alarming rise in ATM fraud dubbed 'Unlimited Operations' by the Secret Service, where criminals are able to withdraw funds beyond the cash balance in customer accounts or beyond other control limits typically applied to cash machine withdrawals.

Criminals perpetrate the fraud by initiating cyber-attacks to gain access to Web-based ATM control panels, which enables them to withdraw customer funds from ATMs using stolen customer debit, prepaid, or ATM card account information.

The FFIEC says a recent Unlimited Operations attack netted over $40 million in fraud using only 12 debit card accounts.

"Unlimited Operations may cause financial institutions to incur large dollar losses," says the watchdog. "Therefore, the (FFIEC) members expect financial institutions to take steps to address this threat by reviewing the adequacy of their controls over their information technology networks, card issuer authorisation systems, systems that manage ATM parameters, and fraud detection and response processes."
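As an added illustration of the fraud detection the regulator asks for (not part of the FFIEC statement or this article), the Python sketch below scans authorisation records for cards whose approved withdrawals exceed an independent baseline or spread across many terminals. The record layout, thresholds and function names are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds, held outside the ATM parameter system so that a change
# made through a compromised control panel cannot raise them.
BASELINE_LIMIT = 1000             # currency units per card per window
MAX_TERMINALS = 3                 # distinct ATMs per card per window
WINDOW = timedelta(hours=24)

# Constructed sample records: timestamp, card token, terminal, amount, result
SAMPLE_LOG = """\
2014-04-01T09:00:00 card-A atm-001 200 APPROVED
2014-04-01T09:05:00 card-A atm-001 5000 DECLINED
2014-04-01T22:00:00 card-B atm-101 800 APPROVED
2014-04-01T22:10:00 card-B atm-102 800 APPROVED
2014-04-01T22:20:00 card-B atm-103 800 APPROVED
2014-04-01T22:30:00 card-B atm-104 800 APPROVED
2014-04-01T10:00:00 card-C atm-002 600 APPROVED
2014-04-02T11:00:00 card-C atm-002 600 APPROVED
2014-04-01T12:00:00 card-D atm-003 600 APPROVED
2014-04-01T13:00:00 card-D atm-003 600 APPROVED
"""

def parse(log):
    for line in filter(str.strip, log.splitlines()):
        ts, card, term, amount, result = line.split()
        yield datetime.fromisoformat(ts), card, term, int(amount), result

def find_unlimited_candidates(log, limit=BASELINE_LIMIT,
                              max_terminals=MAX_TERMINALS, window=WINDOW):
    """Return {card: [reasons]} for cards breaching the baseline in any sliding window."""
    by_card = defaultdict(list)
    for ts, card, term, amount, result in parse(log):
        if result == "APPROVED":              # declined requests moved no cash
            by_card[card].append((ts, term, amount))
    alerts = {}
    for card, events in by_card.items():
        events.sort()
        start, reasons = 0, set()
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1                    # drop events older than the window
            win = events[start:end + 1]
            if sum(a for _, _, a in win) > limit:
                reasons.add("amount_over_baseline")
            if len({t for _, t, _ in win}) > max_terminals:
                reasons.add("terminal_fanout")
        if reasons:
            alerts[card] = sorted(reasons)
    return alerts
```

Because the baseline is fixed in the detector rather than read from the live ATM parameters, card-B and card-D are flagged even if the issuer-side limits have been raised or removed.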

The FFIEC is also calling on banks to step up their readiness to repel Distributed Denial of Service Attacks that aim to cripple public-facing Websites.

Says the regulator: "Each institution is expected to monitor incoming traffic to its public Website, activate incident response plans if it suspects that a DDoS attack is occurring, and ensure sufficient staffing for the duration of the attack, including the use of pre-contracted third-party servicers, if appropriate."


Comments: (4)

Alexander Peschkoff - TEDIPAY - London | 03 April, 2014, 11:33

It's about "the weakest link"...

Cardless ATMs (with out-of-band authentication via the phone) are the future. Most importantly, no h/w change is needed at all on the ATM level.

Andrew Smith - CloudZync - London | 03 April, 2014, 17:11

There are some great proof-of-concept solutions to remove cards from ATMs using mobile and more... This is for sure the future.

A Finextra member | 04 April, 2014, 07:27

If the ATMs didn't accept magstripe, the crims wouldn't be able to clone cards. And ... if financial institutions weren't forced to over-resource the ever increasing demands of PCI and the protection of the PAN, perhaps they could pay more attention to the vulnerabilities of the ATM control network. Chip and PIN is the future!

Alexander Peschkoff - TEDIPAY - London | 04 April, 2014, 08:36

C&P requires ATM change and is still vulnerable to a degree. Cardless cash withdrawal allows the use of ANY existing ATM. That approach excludes non-smartphone users, but with prices below $100 those will be few and far between. One can still attack cardless ATMs via "inside job", but that's another story...