Slashdot Mirror


FBI Warns of 'Unlimited' ATM Cashout Scheme (krebsonsecurity.com)

The FBI is warning banks about a global fraud scheme known as an "ATM cash-out," in which criminals hack a bank or payment card processor and use cloned cards at cash machines around the world to fraudulently withdraw millions of dollars in just a few hours. "The FBI has obtained unspecified reporting indicating cyber criminals are planning to conduct a global Automated Teller Machine (ATM) cash-out scheme in the coming days, likely associated with an unknown card issuer breach and commonly referred to as an 'unlimited operation,'" reads a confidential alert the FBI shared with banks privately on Friday. Krebs on Security reports: The FBI said unlimited operations compromise a financial institution or payment card processor with malware to access bank customer card information and exploit network access, enabling large scale theft of funds from ATMs. "Historic compromises have included small-to-medium size financial institutions, likely due to less robust implementation of cyber security controls, budgets, or third-party vendor vulnerabilities," the alert continues. "The FBI expects the ubiquity of this activity to continue or possibly increase in the near future."

Organized cybercrime gangs that coordinate unlimited attacks typically do so by hacking or phishing their way into a bank or payment card processor. Just prior to executing on ATM cashouts, the intruders will remove many fraud controls at the financial institution, such as maximum ATM withdrawal amounts and any limits on the number of customer ATM transactions daily. The perpetrators also alter account balances and security measures to make an unlimited amount of money available at the time of the transactions, allowing for large amounts of cash to be quickly removed from the ATM.

71 comments

  1. howto? by ls671 · · Score: 4, Funny

    I am a security researcher and I would like to know if there is a howto or a proof of concept available somewhere?

    Please provide links if you have them. This sounds like a really serious threat that I definitely need to look into.

    Thanks in advance! :)

    --
    Everything I write is lies, read between the lines.
    1. Re:howto? by Anonymous Coward · · Score: 0

      It's a complex scheme involving moving around cryptocurrency, trading it for cash on the screen, then cashing out at ATMs. Hahahahah. :-) Lambos!

    2. Re:howto? by Anonymous Coward · · Score: 1

      Since the FBI has never convicted a single spammer, and the only "cybercriminals" they've prosecuted were grossly incompetent and tracked by good old police work, I've been convinced that their "cybercrime" isn't. It's a domestic espionage unit, not criminal investigators, because they *refuse to pursue verifiable criminal activity*, such as spammers, phishers, the real estate fraud constantly occurring on housing websites, businesses that inflate their client base with fraudulent bots, or any other actual cyber crime.

      The FBI is not trustworthy, as proven by their history of manipulation by their own confidential informants and their complete lack of convictions for cybercrime.

    3. Re:howto? by antdude · · Score: 1
      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
    4. Re: howto? by Anonymous Coward · · Score: 0

      WTF, these guys have all my files already!!

    5. Re:howto? by Anonymous Coward · · Score: 0

      Since the FBI has never convicted a single spammer

      Okay, stop right there...

      A US man who sent more than 27 million spam emails to Facebook users has been sentenced to two and a half years in prison. An FBI investigation resulted in Wallace's prosecution after he turned himself in, in 2011.

      Since you start with an outright fabrication, I'm going to ignore the rest of your crazy ranting.

  2. Anne A. Log by Mr+D+from+63 · · Score: 2

    Seems like they could use an analog cash counter on each teller machine that shuts it down if more than allowed is withdrawn on a single transaction.

    1. Re:Anne A. Log by Anonymous Coward · · Score: 0

      The amount of work required to implement and test that (it itself may introduce vulnerabilities) is not that different from just checking and fixing their damn system if it has been compromised.

    2. Re:Anne A. Log by fisted · · Score: 4, Funny

      You can't fix the damn system because it's closed source and named Windows XP POS, where the 'POS' part is oddly appropriate.

    3. Re:Anne A. Log by Bert64 · · Score: 2

      The ATMs themselves have physical limits on how much cash they will dispense (ie number of bills) in a single transaction...
      But that's not the problem here.

      Someone hacked a company which issues cards, and then issues fraudulent cards with an infinite balance on them. The ATM reads the card, queries the hacked provider via the card payment network (eg visa, mastercard etc) to see if the card issuer will allow the withdrawal.
      Since the provider has been hacked, they will respond to allow the withdrawal and the local ATM will dispense cash as it's designed to do.

      As the provider is compromised, the attackers can generate as many accounts with as much balance as they want, and keep drawing out cash. The banks owning the ATMs will demand settlement from the hacked merchant, who will probably go bankrupt if the attackers extort enough cash.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
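
As an added example (not code from the FBI alert, Krebs on Security, or any commenter), the following Python models the authorization flow Bert64 describes above (ATM asks the issuer through the card network, issuer says yes or no) together with the two steps the story summary attributes to the intruders, lifting withdrawal limits and inflating balances, and shows the monitoring an issuer would want on its own side: one check compares the live fraud controls against an out-of-band baseline and alerts on any loosening; a second scans the authorization log for a burst of approvals spread across several countries within a short window. The `Issuer` class, its baseline copy, the thresholds, and every card, amount, country and timestamp are constructed assumptions for this example, not any real host's design.

```python
"""Added example: issuer-side ATM authorization with monitoring that survives
tampering with the fraud controls. Not code from the FBI alert, Krebs or any
commenter; the Issuer class, baseline, thresholds and data are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class FraudControls:
    max_per_txn: int       # cash per single withdrawal
    max_per_day: int       # cash per card per day
    max_txns_per_day: int  # number of withdrawals per card per day


@dataclass
class Account:
    balance: int
    controls: FraudControls


class Issuer:
    """Authorization host. Live controls and balances sit in the database the
    intruders are assumed to control; the baseline is a copy kept out of band
    (an assumption of this example) so that tampering can be detected."""

    def __init__(self, accounts):
        self.accounts = accounts
        self.baseline = {card: a.controls for card, a in accounts.items()}
        self.withdrawn_today = defaultdict(int)
        self.txns_today = defaultdict(int)
        self.log = []  # (timestamp, card, amount, atm_country, approved)

    def authorize(self, ts, card, amount, atm_country):
        """Decision the ATM receives back through the card network."""
        acct = self.accounts[card]
        c = acct.controls
        approved = (amount <= c.max_per_txn
                    and self.withdrawn_today[card] + amount <= c.max_per_day
                    and self.txns_today[card] < c.max_txns_per_day
                    and amount <= acct.balance)
        if approved:
            acct.balance -= amount
            self.withdrawn_today[card] += amount
            self.txns_today[card] += 1
        self.log.append((ts, card, amount, atm_country, approved))
        return approved


def control_drift(issuer):
    """Alert on any live control that is looser than its baseline value."""
    alerts = []
    for card, acct in issuer.accounts.items():
        base, live = issuer.baseline[card], acct.controls
        for name in ("max_per_txn", "max_per_day", "max_txns_per_day"):
            if getattr(live, name) > getattr(base, name):
                alerts.append((card, name, getattr(base, name), getattr(live, name)))
    return alerts


def cashout_velocity(log, window=timedelta(minutes=30),
                     min_approvals=10, min_countries=3):
    """First burst of approvals that is dense in time and spread across several
    countries (the shape of a coordinated cash-out); None if there is none."""
    approved = sorted(e for e in log if e[4])
    for i, entry in enumerate(approved):
        start = entry[0]
        burst = [e for e in approved[i:] if e[0] < start + window]
        countries = {e[3] for e in burst}
        if len(burst) >= min_approvals and len(countries) >= min_countries:
            return {"start": start, "approvals": len(burst),
                    "countries": sorted(countries),
                    "cash": sum(e[2] for e in burst)}
    return None


def simulate():
    """Constructed scenario: a normal morning, then the tampering the alert
    describes, then cloned cards used at ATMs in several countries."""
    t0 = datetime(2018, 8, 12, 9, 0)
    issuer = Issuer({
        "card-A": Account(balance=2_000, controls=FraudControls(500, 1_000, 4)),
        "card-B": Account(balance=1_500, controls=FraudControls(500, 1_000, 4)),
    })
    normal = [issuer.authorize(t0, "card-A", 300, "US"),
              issuer.authorize(t0 + timedelta(hours=2), "card-A", 600, "US")]
    # Intruders with database access lift the limits and inflate balances.
    for card in ("card-A", "card-B"):
        issuer.accounts[card].controls = FraudControls(10**9, 10**9, 10**9)
        issuer.accounts[card].balance = 10**9
    t1 = t0 + timedelta(hours=5)
    countries = ["US", "MX", "DE", "JP", "BR"]
    burst = [issuer.authorize(t1 + timedelta(minutes=2 * i),
                              "card-A" if i % 2 == 0 else "card-B",
                              2_000, countries[i % 5])
             for i in range(12)]
    return {"normal": normal,  # second withdrawal exceeds max_per_txn
            "burst_all_approved": all(burst),
            "drift": control_drift(issuer),
            "velocity": cashout_velocity(issuer.log)}
```

Running `simulate()` shows the untouched controls declining an over-limit withdrawal, then every withdrawal in the tampered period being approved, which is the point: once the per-transaction checks live in a database the intruder controls, the issuer has to watch the controls themselves (drift from a baseline it trusts) and the aggregate approval pattern (many approvals, many countries, few minutes), not just the individual decisions.
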
    4. Re:Anne A. Log by Anonymous Coward · · Score: 0

      Not much help. The maximum amount need to be sufficiently high, as people want to withdraw cash to buy a used car or airplane tickets or other somewhat expensive one-offs.

      So perhaps you cap it at a few thousand dollars? Criminals can then commit their fraud by doing a series of transactions. Work their way through a pile of cards - extracting the maximum from each. Then do the pile again, hoping that their inside hacker managed to lift the "maximum from a single account per day limit."

      And at every other lonely ATM in town and in other towns, other bandits work with other piles of cards.

    5. Re: Anne A. Log by datavirtue · · Score: 1

      This comment is correct in every way. Card issuers have next to zero controls on trusted employees..who can do as they please often without being tracked. At my last company I could have easily perpetrated a scheme like this and I had the access/power to cover my tracks and I would have been a key person they depended on to mitigate the attack after it was discovered. Your money is not safe. Perhaps the fdic would kick in but not guaranteed since issuers use an aggregate account that is in their name. The account in no way belongs to the cardholders. The bank reconciles down to the cardholder but that is a manual-ish process that lags far behind potential losses. The one good thing is that the aggregate account balance is tracked closely and the issuer would get a frantic call from the bank...the next day.

      --
      I object to power without constructive purpose. --Spock
    6. Re: Anne A. Log by Ocker3 · · Score: 1

      Interesting information, and I really like your signature :)

    7. Re: Anne A. Log by ceoyoyo · · Score: 1

      So sad. Big company that makes lots of money doesn't bother with proper security, gets hacked, goes bankrupt.

      Maybe it will finally happen. Losing banks' money is sure to be taken more seriously than screwing with people's lives.

  3. it r d haxx0rz wif de haxxz, haxx0rin! by Anonymous Coward · · Score: 0

    The usual vague crap from krebs, wasting everyone's time. Thanks, beauhd.

    1. Re: it r d haxx0rz wif de haxxz, haxx0rin! by Anonymous Coward · · Score: 0

      He has some good stuff but yeah, he tends to oversell things

    2. Re: it r d haxx0rz wif de haxxz, haxx0rin! by Anonymous Coward · · Score: 0

      Didn't finish my thought. He is actually doing a favor for the most likely to be compromised institutions. This probably came from a classified briefing or ISAC threat report, which those won't have access to. And he laid out exactly what indicators of compromise to look for. Whether anyone listens is the real issue.

    3. Re: it r d haxx0rz wif de haxxz, haxx0rin! by Anonymous Coward · · Score: 0

      Why would a financial institution not have access to the FS-ISAC and the details? Of course their vetted members will.

  4. Mo money, Mo money, Money by Anonymous Coward · · Score: 0
  5. Go to the Well by Spamalope · · Score: 2

    So, how much mortgage fraud will it take Wells Fargo to make up for the losses...

  6. Bummer by DogDude · · Score: 3, Interesting

    Yeah, that's a real bummer for the banks. Maybe they should get serious about security?

    --
    I don't respond to AC's.
    1. Re:Bummer by nonBORG · · Score: 3, Interesting

      Banks are pretty serious about security with a high budget. But it is the markets/stock exchanges etc that have an unlimited budget. However at present it is not about the budget but rather about what they can do to stop them at this point. Can they patch every money machine in the world in the next day? Can they find the source cards and shut down the accounts? Can they change the system to real time so that in any country in the world they support real time balance of account to limit possible funds withdrawal?

      Possibly they can look into all of these things but there are a lot of issues. The problem of security has moved, however banks are stuck. They have to work with other banks all across the world and integrate with their systems, so if you are in Shenzhen China you can use your card to get cash, this is a feature requirement. The opposite side is the security requirement. However credit card companies don't take risk they just force the bank to take the risk so the bank (the smaller entity of the two) has to manage the security risk.

      If they are serious about security (which they are) how should they move forward? They want to solve the issues but they really have to have answers. I suggest that a card is not highly secure and becomes a weak point in the system, is there another option that is highly secure? Anyone have some serious options rather than just lament that banks have issues?

      --
      You can't handle the truth! - Because I don't post left all my comments get modded down, bye bye Karma.
    2. Re:Bummer by Anonymous Coward · · Score: 0

      They are so cereal serious they put music majors in charge of IT security. Because it's all merit based not inherited, we don't have a class system, not at all.

    3. Re:Bummer by Anonymous Coward · · Score: 0

      When they don't have a camera at every ATM, no, they are not serious, lol. (I guess most people are kind of confused too. Because - a lot of ATMs are run by third party operators. That's one of the main reasons they don't have a camera at every ATM. It's extra cost / maintenance.)

    4. Re: Bummer by Anonymous Coward · · Score: 0

      Except that was not a bank.

    5. Re:Bummer by Anonymous Coward · · Score: 0

      Insurance pays. No one loses, because insurance makes far more from financial investments than from premiums.

    6. Re: Bummer by Anonymous Coward · · Score: 0

      I had a card cloned recently, but upon asking the bank how to prevent in future, their advice is only using ATMs in banks. Pretty weak solution. Two factor authorization for all withdrawals on my account, automatically giving customers hot/cold accounts so the card linked account only has funds needed (where balance transfers online instant). Easy solutions but they don't seem to care. I can add the linked account, but it's a hassle, why aren't they doing this by default to encourage good practices?
      Even special withdrawal rules I can set, e.g. I will only withdraw amounts in a specific user defined range.

    7. Re: Bummer by phantomfive · · Score: 1

      This is not a problem of "working with other banks," though, it's a problem of issuers getting hacked and losing money the way they deserve to have happen to them.

      --
      "First they came for the slanderers and i said nothing."
    8. Re: Bummer by Anonymous Coward · · Score: 0

      Solution is to get a savings-only account and link your checking account to be able to put funds into it, but not allow the savings access to checking. I have this with my credit union. I use their app to transfer funds just before I access the ATM. I keep $40 in the savings-only just in case cell/internet is down, so that is the most someone is getting from me.

    9. Re:Bummer by G00F · · Score: 1

      banks are not concerned with high security. They are concerned with risk, but more importantly, with their internal rules, policies and such.

      They make policies that actually go against security and PCI. And getting them to fix it takes years.

      You know, it took one bank a year to fix the fact they listed ciphers in the wrong order, they went from weakest to strongest and it took a year to fix that.

      That's minor compared to crypting passwords and salting them, rather than plain text.

      Or removing a policy that every computer have an account with xyz password, that's never changed in 10+ years (and it's a simple password). Never mind that those in charge of its use don't know a thing about Nix.

      Security preventing AD/ldap authentication because it increases attack vector, so that people use local shared accounts instead across 1000's of servers.

      Also, if banks were really interested in security, rather than a chip you would have a password/pin with your credit card.

      Banks don't care about security.

      --
      The spirit of resistance to government is so valuable on certain occasions that I wish it to be always kept alive
    10. Re: Bummer by ceoyoyo · · Score: 1

      I have a password (internet) and pin (RL) with my credit card. Have for more than a decade. I don't live in the US.

      There's something weird about banks and the US market.

  7. Why does John Q. Public care? by Anonymous Coward · · Score: 0

    Okay so the banks have to deal with some criminal activity... but this seems like something they need to do anyway.

    Am I supposed to feel bad for the bankers? For the shareholders?

    1. Re:Why does John Q. Public care? by Fly+Swatter · · Score: 1

      The costs of these problems are passed on to YOU in the form of higher interest rates on debt, lower rates on savings, and increased service fees. But hey, using cash is such a hassle (although ironically in this case you get cash with the atm card they are hacking). And who cares about a little more debt on that big pile that already can't be paid off.

    2. Re:Why does John Q. Public care? by Anonymous Coward · · Score: 0

      The banks already factor in insurance to everything you named. Insurance pays for fraud losses. The insurance pays today based on future promises which themselves are insured against default. Long story short: new money is created to cover fraud like this. No one loses. Free lunches abound in finance.

    3. Re:Why does John Q. Public care? by gravewax · · Score: 1

      How about feeling sorry for the poor bastards whose accounts are compromised with this. Even if they don't individually lose money their cards will be cancelled and they will have massive inconvenience at a minimum. Regardless, all the insurance costs and the cleanup costs simply get passed on to the customers anyway.

    4. Re:Why does John Q. Public care? by Anonymous Coward · · Score: 0

      Complete bullshit. Insurance premiums and expenses are NOT a fixed cost; large-scale incidents mean next year's industry premiums will go up significantly and those costs will be passed on through interest rates or fees.

    5. Re:Why does John Q. Public care? by Anonymous Coward · · Score: 0

      The banks already factor in insurance to everything you named. Insurance pays for fraud losses. The insurance pays today based on future promises which themselves are insured against default. Long story short: new money is created to cover fraud like this. No one loses. Free lunches abound in finance.

      Not always.

    6. Re: Why does John Q. Public care? by datavirtue · · Score: 1

      This would potentially bankrupt most issuers and would definitely keep you from getting your money for weeks or more.

      --
      I object to power without constructive purpose. --Spock
    7. Re: Why does John Q. Public care? by datavirtue · · Score: 1

      If they can remain solvent long enough. This can happen to any card issuer, many of which teeter on the brink of running out of cash in these situations.

      --
      I object to power without constructive purpose. --Spock
    8. Re: Why does John Q. Public care? by vap0rtranz · · Score: 1

      Even if the bank fails, depositors would be insured up to $250k if you chose an FDIC backed bank. If you chose a non-FDIC bank, well shame on you. Also, the FTC has liability protections: "If someone makes unauthorized transactions with your debit card number, but your card is not lost, you are not liable for those transactions if you report them within 60 days of your statement being sent to you." https://www.consumer.ftc.gov/a...

  8. Sounds like a banker's problem by Anonymous Coward · · Score: 0

    fix ya shit, yo

  9. worked for me by Anonymous Coward · · Score: 0

    About a month ago I had a problem with my account, it stopped working. I looked and someone (not me) withdrew $100 from my account, probably the most the ATM would allow. They tried to withdraw another 100 but my bank stopped it and locked my card. Most likely I used a gas pump or something with a skimmer. They caught it almost right away and refunded the 100. All ATMs should have chip readers by now. They have had years of warning.

    1. Re:worked for me by Anonymous Coward · · Score: 0

      It was a US bank. Some are already prepared.

    2. Re: worked for me by Anonymous Coward · · Score: 0

      My account had no less than six consecutive smallish withdrawals minutes apart, from another country :(, a country I had visited 2 months earlier. Hitting the daily withdrawal limit is what stopped them. It was refunded, but it defies belief their fraud system didn't block it sooner.

  10. This and the Equifax breach by Rick+Schumann · · Score: 1

    If this is not just FUD or clickbait, is a Real Thing, then I'll bet this is where the Equifax data breach is going to bite us all in the ass, as our banking and identity information is used to access our accounts to facilitate this 'cash-out' scheme. Guess we'll know soon enough, won't we?

    Not even going to bother worrying about it. Horse has left the barn a long time ago now.

  11. time for OS2 to reloaded on ATM's? by Joe_Dragon · · Score: 1

    time for OS2 to reloaded on ATM's?

  12. The joke is on the criminals by Anonymous Coward · · Score: 0

    There isn't anything left in the accounts to take; the banks already took it all.

  13. Cannot clone cards outside the USA by aberglas · · Score: 2

    The rest of the world puts a chip on the cards with a secret that never leaves it. Almost impossible to clone.

    I visited California recently and found my credit card being used to take out cash. Bank will deal with it, but I am without a card for a week. Only possible due to use of magnetic stripe.

    1. Re:Cannot clone cards outside the USA by Antique+Geekmeister · · Score: 1

      If I may say, "nonsense". See the many articles on the wholesale replication of "pin" cards, such as https://www.scmagazine.com/evo... .

    2. Re:Cannot clone cards outside the USA by Anonymous Coward · · Score: 0

      "Only possible due to use of magnetic stripe."

      Or you're too stupid to realize many terminals have a built-in camera, so your shit could have been hijacked that way via skimmer.

    3. Re:Cannot clone cards outside the USA by Anonymous Coward · · Score: 0

      If I may say, "nonsense". See the many articles on the wholesale replication of "pin" cards, such as https://www.scmagazine.com/evo... .

      If I may say, "nonsense". There is no known flaw in the EMV cards (commonly known as chip cards) that allows them to be replicated. The single article that you refer to, if you had cared to read it, was a faulty implementation of chip processing software on POS terminals in Brazil and had nothing to do with the EMV cards themselves.

      If an issuer's database is compromised and security keys stolen, then obviously duplicate cards can easily be created.

    4. Re: Cannot clone cards outside the USA by Anonymous Coward · · Score: 0

      If cryptographic cards are used, you cannot extract and copy the private key used to sign the transactions. Cards however have a backup mechanism, which is the same as the magnetic stripe, you can extract this data and replicate it on other cards. However, you are not replicating the signature, therefore the transaction has not been digitally signed.

    5. Re:Cannot clone cards outside the USA by Anonymous Coward · · Score: 0

      They actually can't replicate the secrets on the chips. They make cards that skip the validations the card is required to do based on those secrets and the scheme only works because some payment operators don't perform all the validations they are required to do by the EMV standard. Wholesale replication of pin cards isn't the problem, because that is not what is happening, the problem is with payment operators who fail to implement a standard that is perfectly capable of blocking this fraud.

    6. Re: Cannot clone cards outside the USA by Anonymous Coward · · Score: 0

      My card has a chip and was still cloned. In fact having the chip made me slightly less cautious, as I thought it impossible to clone. What I've since been told is your chip card also has magnetic fallback, which many ATMs still use/require. So the magnetic part gets cloned, and the account gets drained anyway. You can manually damage the magnetic strip to make it unreadable (e.g. powerful magnet), but then some ATMs won't work.

    7. Re:Cannot clone cards outside the USA by hankwang · · Score: 1

      From your link: "...faulty implementation of the EMV standard, whereby payment operators fail to perform all of the required validations on data before approving a transaction."

      The cards themselves are fine. The PoS terminals in Brazil were apparently pieces of s.

    8. Re:Cannot clone cards outside the USA by Antique+Geekmeister · · Score: 1

      Yes, that _particular_ card was cloned wholesale due to that implementation. Others are also being cloned. Look at http://www.digitaljournal.com/... .

      I'm afraid it's unrealistic to say they're "almost impossible to clone". The Prilex malware seems to be this year's most broadly supported cloning technology, and it may be reparable. But I don't think you can point to a single year since the development of "chip and pin" technology that didn't have a widespread cloning story.

  14. And a paper audit trail on every voting machine? by Anonymous Coward · · Score: 0

    Off topic, but related: 3 swing states still using machines from the early 2000s, some with WIFI vulnerabilities that don't require physical access and NO PAPER TRAIL: If we're adding analogue safeguards to devices, the paper voter verified audit trail added to voting machines should be top of the list.

    https://www.theregister.co.uk/2017/07/29/us_voting_machines_hacking/

    Quote: "The "security" of these WINvote machines is so bad. Running WinXP, autorun enabled and hard-coded WEP wifi password. "
    And of course with an insider, all of this becomes trivial because the machines are all locally vulnerable to a technician running the vote rigging software.

    On your suggestion, machines are already limited in the number of notes they can dispense; by the sound of this hack, they milk lots of ATM machines.

  15. Re: Mueller warns : Trump may hang for treason by Anonymous Coward · · Score: 0

    You Russian trolls are so obvious.
    Real Americans don't care about treason. We know our country was founded by traitors. We stole an expedition to find a route to India and used those resources to defect and conquer new land for ourselves.

    Real Americans only give a fuck about the bottom line. That's why we've elected so many businessmen as presidents.

  16. many fraud controls by Anonymous Coward · · Score: 0

    ... intruders will remove many fraud controls at the financial institution ...

    If the crooks can control bank security, wire $10 million to an African country and convert it into uncut diamonds ASAP. Even better, bounce it through a bank in India/Turkey/Nigeria just before that country disconnects the internet.

    1. Re:many fraud controls by Anonymous Coward · · Score: 0

      Hey look at this Anonymous dupe over here! He apparently never heard that the price of diamonds is only artificially high, because De Beers and the South African cartels want everyone to think diamonds are rare when they actually aren't.

      You poor Anonymous guy.

  17. Re: Mueller warns : Trump may hang for treason by Anonymous Coward · · Score: 0

    You're a faggot, not a real American. Real Americans don't make excuses for a traitor sucking Vlad Putin's cock on television for the world to see. Trump will hang.

  18. warning: someone might do something by Anonymous Coward · · Score: 0

    why do these end-of-world warnings only come out in august, the slowest news month? someone might do something, because we have vague unspecified information

  19. Jackpotting? by CODiNE · · Score: 1

    If this is the ancient Jackpotting attack by Barnaby Jack they have no one to blame but themselves. This stuff has been well known since what 2014? They still have ATMs running ancient windows versions with auto run turned on. They still lock the ATM front case with cheap locks thinking the money is protected by the 2nd case, leaving the USB slot exposed. These attacks have been happening for years and they just never fix their stuff. "Won't happen to us" is their mantra. Just last year it starts showing up in the US. No more excuses. If this happens at your bank people must be fired, this goes beyond negligence.

    --
    Cwm, fjord-bank glyphs vext quiz
    1. Re: Jackpotting? by datavirtue · · Score: 1

      No one at a bank is going to fiddle with a Diebold ATM. They depend on large connected device manufacturers...the same ones who make our voting kiosks. All trust is placed in their security.

      --
      I object to power without constructive purpose. --Spock
  20. No Such Thing As ATM Machine by JohnPerkins · · Score: 1

    There are ATMs. There is no such thing as an ATM machine. That would be an automated teller machine machine.

    1. Re:No Such Thing As ATM Machine by cellocgw · · Score: 1

      There is no such thing as an ATM machine. That would be an automated teller machine machine.

      which you can access with your PIN number to get money to buy a pizza pie after getting a consensus of opinion as to toppings.
      So, what's your point?

      --
      https://app.box.com/WitthoftResume Code: https://github.com/cellocgw
  21. FBI should do their job, enough blaming the public by Anonymous Coward · · Score: 0

    Whenever I read these articles they seem to invariably end with some list of suggestions for people to protect themselves from the onslaught of criminal gangs that are targeting them... well what the hell are the FBI doing to actually stop the criminals? These are serious threats and:

    1) We need actionable intelligence to be released publicly. Stop this generic... "Hey there are bad people out there that might do something bad." What do we actually know?

    2) We need actionable intelligence to be released to companies that are facilitating these criminal activities so they can stop facilitating and provide more actionable information to the police. Banks and telecoms are all highly regulated and they track individual transactions.

    3) We need the FBI to start catching more people involved in these criminal gangs or tell us why they can't.

  22. Tin foil hats unite by Anonymous Coward · · Score: 0

    I remember reading articles about governments wanting to abolish "untraceable cash".
    This sounds like the perfect scenario which could actually make it happen, "for the good of everyone".
    Ideal inside job if I ever heard of one.

    Even if this isn't what is really happening, I smell the next best selling book from Cory Doctorow.

  23. Re:Mueller warns : Trump may hang for treason by Mats+Svensson · · Score: 1

    Just shave his head.
    Then people will probably stop feeding him, and he'll die from trying to eat a stapler.