Banks losing millions to new wave of ATM hacks - FFIEC

US regulators have warned banks to protect their automated teller machines and card authorisation systems from a fresh wave of cyber-attacks that seek to exploit ATM control weaknesses to spew out millions of dollars in fraudulent withdrawals.

  16 4 comments

Banks losing millions to new wave of ATM hacks - FFIEC

Editorial

This content has been selected, created and edited by the Finextra editorial team based upon its relevance and interest to our community.

The Federal Financial Institutions Examination Council is alerting banks to an alarming rise in ATM fraud dubbed 'Unlimited Operations' by the Secret Service, where criminals are able to withdraw funds beyond the cash balance in customer accounts or beyond other control limits typically applied to cash machine withdrawals.

Criminals perpetrate the fraud by initiating cyber-attacks to gain access to Web-based ATM control panels, which enables them to withdraw customer funds from ATMs using stolen customer debit, prepaid, or ATM card account information.

The FFIEC says a recent Unlimited Operations attack netted over $40 million in fraud using only 12 debit card accounts.

"Unlimited Operations may cause financial institutions to incur large dollar losses," says the watchdog. "Therefore, the (FFIEC) members expect financial institutions to take steps to address this threat by reviewing the adequacy of their controls over their information technology networks, card issuer authorisation systems, systems that manage ATM parameters, and fraud detection and response processes."

The FFIEC is also calling on banks to step up their readiness to repel Distributed Denial of Service Attacks that aim to cripple public-facing Websites.

Says the regulator: "Each institution is expected to monitor incoming traffic to its public Website, activate incident response plans if it suspects that a DDoS attack is occurring, and ensure sufficient staffing for the duration of the attack, including the use of pre-contracted third-party servicers, if appropriate."

Read the full statement:

Download the document now 272.8 kb (PDF File)
Sponsored New Report – The Future of AI in Financial Services 2025

Comments: (4)

A Finextra member 

It's about "the weakest link"...

Cardless ATMs (with out-of-bound authentication via the phone) is the future. Most importantly, no h/w change is needed at all on the ATM level.

A Finextra member 

There are some great proof of concept solutions to remove cards from ATM using mobile and more....This is for sure the future.

A Finextra member 

If the ATMs didn't accept magstripe, the crims wouldn't be able to clone cards. And ... if financial institutions weren't forced to over-resource the ever increasing demands of PCI and the protection of the PAN, perhaps they could pay more attention to the vulnerabilities of the ATM control network. Chip and PIN is the future!

A Finextra member 

C&P requires ATM change and is still vulnerable to a degree. Cardless cash withdrawal allows to use ANY existing ATM. That approach excludes non-smartphone users, but with prices below $100 those will be few and far between. One can still attack cardless ATMs via "inside job", but that's another story...

[Webinar] PREDICT 2025: The Future of Faster Payments in the USFinextra Promoted[Webinar] PREDICT 2025: The Future of Faster Payments in the US