Fraudsters have found a new way to hijack card information and transfer it to cards that allow them to withdraw massive sums.
ATM swindles have moved beyond mere skimming -- planting tiny cameras on gas pumps, for instance, to spy on your swipe and steal your cash.
U.S. financial institutions have been put on alert for a potential round of more sophisticated, and more dire, ATM cash-out fraud schemes.
Both credit card juggernaut Visa Inc. and Fair Isaac Corp., a leading payments fraud analytics company, issued separate alerts to clients in the past two weeks with general warnings about the potential risk of ATM cash-out fraud schemes.
A copy of the data security alert Visa sent clients around Jan. 10, obtained by the Star Tribune, warns of cases in which organized criminal groups in various parts of the world have been plundering cards and accounts by penetrating internal networks at financial institutions.
"In a recently reported case, criminals used a small number of cards to conduct 1000's of ATM withdrawals in multiple countries around the world in one weekend," the Visa advisory begins.
It goes on to say the hackers are "gaining access to issuer authorization systems and card parameter information," to manipulate daily withdrawal amount limits and card balances, among other things, "to facilitate massive fraud on individual cards."
"In some instances over $500K USD has been withdrawn on a single card in less than 24 hours," the advisory reads.
It urges card issuers, which include banks and non-bank companies, and ATM acquirers and processors to review their monitoring for transaction velocity, for instance.
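An added illustration, not part of the Visa advisory or the original article: a per-card, 24-hour velocity check of the kind the advisory asks issuers and processors to review, run over constructed ATM withdrawal records. The thresholds, record layout and card names are assumptions; keeping the thresholds outside the authorization system is also an assumption made here, because the advisory describes attackers altering limits inside it.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)
# Assumed thresholds, held by the monitor itself rather than read from the
# card parameters the advisory says attackers were able to change.
MAX_COUNT = 10         # withdrawals per card per window
MAX_TOTAL_USD = 2000   # cumulative amount per card per window
MAX_COUNTRIES = 2      # distinct ATM countries per card per window


def sample_records():
    """Constructed records: (ISO timestamp, card token, ATM country, USD)."""
    rows = [
        ("2020-01-04T09:00:00", "card-A", "US", 200),   # ordinary use
        ("2020-01-04T18:30:00", "card-A", "US", 100),
        ("2020-01-04T08:00:00", "card-C", "US", 1500),  # large, but the two
        ("2020-01-05T20:00:00", "card-C", "US", 1500),  # are 36 hours apart
    ]
    start = datetime(2020, 1, 4, 9, 0)
    for i in range(12):  # card-B: 12 withdrawals in under 4 hours, 3 countries
        ts = (start + timedelta(minutes=20 * i)).isoformat()
        rows.append((ts, "card-B", ("US", "CA", "MX")[i % 3], 500))
    return rows


def velocity_alerts(records):
    """Return {card: reasons} for cards breaching a threshold in any 24h window."""
    windows = defaultdict(deque)
    alerts = defaultdict(set)
    for ts, card, country, amount in sorted(records):
        t = datetime.fromisoformat(ts)
        w = windows[card]
        w.append((t, country, amount))
        while t - w[0][0] > WINDOW:   # slide: drop events older than 24 hours
            w.popleft()
        if len(w) > MAX_COUNT:
            alerts[card].add("count")
        if sum(a for _, _, a in w) > MAX_TOTAL_USD:
            alerts[card].add("amount")
        if len({c for _, c, _ in w}) > MAX_COUNTRIES:
            alerts[card].add("countries")
    return dict(alerts)


if __name__ == "__main__":
    for card, reasons in velocity_alerts(sample_records()).items():
        print(card, sorted(reasons))
```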
Visa would not discuss its advisory. A spokesman said the alert was confidential and only for clients.
Payments experts and data security pros say Visa's advisory is notable because the activity described goes beyond conventional ATM cash-out fraud schemes, such as skimming.
"The Secret Service and the FBI have been watching cash-out schemes for a while," said Tom Kellermann, vice president of Trend Micro Inc., a major security vendor whose North American headquarters are in Cupertino, Calif. "What's interesting now is the magnitude and the level of organization behind these cash-out schemes."
Where two years ago the typical ATM swindle involved a handful of people, it now involves organized rings of dozens of people hacking into financial databases, using software to recode the data onto the magnetic stripe on blank white plastic cards, and then serving as money mules cruising ATM machines to withdraw cash, he said.
Groups from Eastern Europe have been particularly prolific in the financial sector.
Visa's advisory doesn't specifically say U.S. companies have been subject to the more serious ATM attacks. Larry Ponemon, chairman and founder of the Ponemon Institute, an independent research group in Michigan focused on data protection and security, said it's probably already happening in this country.
FICO's confidential advisory, which the Star Tribune found posted elsewhere online, is focused specifically on the potential risk for fraudulent ATM withdrawals in "certain north eastern U.S. cities."
It cites the Jan. 13 arrest of four men in Nassau County, N.Y., and Englewood, N.J., for making illegal ATM withdrawals. The U.S. Secret Service and Homeland Security were involved in those arrests, it said.
The special agent in charge of the U.S. Secret Service Newark Field office said the Englewood case is an ongoing investigation.
"We have not seen any issues," said U.S. Bank spokesman Tom Joyce.
John Buzzard, who manages FICO's Card Alert Service, said there's been a heightened amount of fraudulent ATM withdrawals in the Northeast in the past couple of years. But there is no evidence of any new spike of ATM frauds, he said.
Buzzard said his understanding is that FICO's advisory is related to Visa's alert and that the concerns stemmed from "multiple malware-type attacks" targeting unspecified data held by retailers. The cyberthieves "may have accessed or penetrated the point-of-sale systems for a couple of merchants in the U.S.," he said.
Buzzard urged concerned consumers to take the obvious steps, such as signing up for the electronic account alerts that banks offer, checking their accounts online daily if possible and making sure the companies where they have financial accounts know how to contact them on a moment's notice.
"It's not that consumers should be in a tailspin, because I don't think they should be at all," Buzzard said. "It's preparedness."
Jerry Silva, an ATM fraud expert and founder of Sherborn, Mass.-based PG Silva Consulting, said he thinks the general level of fraud in the United States may have reached a point where financial companies seriously contemplate moving to the type of card system used in Europe, where cards are embedded with a microchip that corresponds to a PIN, making them more difficult to clone. The industry hasn't wanted to make the switch because of the enormous cost.
"This is no longer being done by the 14-year-old hacker," Silva said.
Kellermann, at Trend Micro, said he still doesn't see fraud levels lighting any fires in this country. "As long as the fraud stays below 2 percent (of revenue) they're not going to change," he said.
Kellermann's prediction is that the security issues will worsen as banking-by-smartphone takes off: "In 2013, you're going to see massive cash-out schemes involving mobile devices."
Jennifer Bjorhus • 612-673-4683