A recent surge in major cash-out fraud at ATMs has federal authorities on alert.
The country’s top bank regulators are warning of an increase in cyberattacks on the Web-based control panels of automated teller machines used by small to midsize financial institutions. In this particular strain of attacks, thieves withdraw money with stolen card information beyond the cash balances that customers have in their accounts, or beyond other typical ATM limits.
In one recent attack, crooks hauled off more than $40 million using just 12 debit card accounts.
The Federal Financial Institutions Examination Council (FFIEC) issued a joint statement about the attacks Wednesday, instructing credit unions and banks to check all their systems involved with ATM transactions, including fraud detection software, and make sure employees are trained to identify phishing attempts. The U.S. Secret Service calls the fraud “Unlimited Operations,” according to the statement.
The FFIEC includes the Office of the Comptroller of the Currency and the Board of Governors of the Federal Reserve System, among other regulators.
The four-page statement doesn’t provide information about specific attacks. Reporters were instructed to direct questions to the Office of the Comptroller of the Currency, but no one was available to discuss the alert late Wednesday.
Tess Rice, general counsel for the Minnesota Bankers Association, said the organization’s IT consultant had not heard of any Minnesota banks being hit by this type of ATM cash-out scheme. The consultant interpreted the group’s statement “as a reminder to smaller banks to remain vigilant,” Rice said in an e-mail.
“His impression is that this is not a new threat, but rather something that banks are prepared for as part of their standard security procedures,” Rice said.
The statement says the attacks sometimes start with phishing e-mails to bank and credit union employees, allowing crooks to install malicious software on the company’s network. The malware enables thieves to case the network for how ATM control panels are accessed, and to get login credentials to alter settings so they can withdraw more, or sometimes unlimited amounts of cash. They can also change fraud alerts and security settings.
The setup enables thieves to take card information they have stolen in other attacks to withdraw cash, frequently during on holidays and weekends when there is more cash in the ATMs and less monitoring, according to the alert.