Banks losing millions to new wave of ATM hacks - FFIEC

Banks losing millions to new wave of ATM hacks - FFIEC

US regulators have warned banks to protect their automated teller machines and card authorisation systems from a fresh wave of cyber-attacks that seek to exploit ATM control weaknesses to spew out millions of dollars in fraudulent withdrawals.

The Federal Financial Institutions Examination Council is alerting banks to an alarming rise in ATM fraud dubbed 'Unlimited Operations' by the Secret Service, where criminals are able to withdraw funds beyond the cash balance in customer accounts or beyond other control limits typically applied to cash machine withdrawals.

Criminals perpetrate the fraud by initiating cyber-attacks to gain access to Web-based ATM control panels, which enables them to withdraw customer funds from ATMs using stolen customer debit, prepaid, or ATM card account information.

The FFIEC says a recent Unlimited Operations attack netted over $40 million in fraud using only 12 debit card accounts.

"Unlimited Operations may cause financial institutions to incur large dollar losses," says the watchdog. "Therefore, the (FFIEC) members expect financial institutions to take steps to address this threat by reviewing the adequacy of their controls over their information technology networks, card issuer authorisation systems, systems that manage ATM parameters, and fraud detection and response processes."

The FFIEC is also calling on banks to step up their readiness to repel Distributed Denial of Service Attacks that aim to cripple public-facing Websites.

Says the regulator: "Each institution is expected to monitor incoming traffic to its public Website, activate incident response plans if it suspects that a DDoS attack is occurring, and ensure sufficient staffing for the duration of the attack, including the use of pre-contracted third-party servicers, if appropriate."

Read the full statement:» Download the document now 272.8 kb (PDF File)

Comments: (4)

A Finextra member
A Finextra member 03 April, 2014, 11:33Be the first to give this comment the thumbs up 0 likes

It's about "the weakest link"...

Cardless ATMs (with out-of-bound authentication via the phone) is the future. Most importantly, no h/w change is needed at all on the ATM level.

A Finextra member
A Finextra member 03 April, 2014, 17:11Be the first to give this comment the thumbs up 0 likes

There are some great proof of concept solutions to remove cards from ATM using mobile and more....This is for sure the future.

A Finextra member
A Finextra member 04 April, 2014, 07:27Be the first to give this comment the thumbs up 0 likes If the ATMs didn't accept magstripe, the crims wouldn't be able to clone cards. And ... if financial institutions weren't forced to over-resource the ever increasing demands of PCI and the protection of the PAN, perhaps they could pay more attention to the vulnerabilities of the ATM control network. Chip and PIN is the future!
A Finextra member
A Finextra member 04 April, 2014, 08:36Be the first to give this comment the thumbs up 0 likes C&P requires ATM change and is still vulnerable to a degree. Cardless cash withdrawal allows to use ANY existing ATM. That approach excludes non-smartphone users, but with prices below $100 those will be few and far between. One can still attack cardless ATMs via "inside job", but that's another story...
EBA Winter School 2019

Trending Stories

Featured Job
All Jobs »
London, UK

Sales Director, Private Equity Solutions (London, UK)

Competitive base, double ote, benefits, stock options

22 Jul