Slashdot Mirror

← Back to Stories (view on slashdot.org)

FBI Warns of 'Unlimited' ATM Cashout Scheme (krebsonsecurity.com)

Posted by BeauHD on from the cash-back dept.

The FBI is warning banks about a global fraud scheme known as an "ATM cash-out," in which criminals hack a bank or payment card processor and use cloned cards at cash machines around the world to fraudulently withdraw millions of dollars in just a few hours. "The FBI has obtained unspecified reporting indicating cyber criminals are planning to conduct a global Automated Teller Machine (ATM) cash-out scheme in the coming days, likely associated with an unknown card issuer breach and commonly referred to as an 'unlimited operation,'" reads a confidential alert the FBI shared with banks privately on Friday. Krebs on Security reports: The FBI said unlimited operations compromise a financial institution or payment card processor with malware to access bank customer card information and exploit network access, enabling large scale theft of funds from ATMs. "Historic compromises have included small-to-medium size financial institutions, likely due to less robust implementation of cyber security controls, budgets, or third-party vendor vulnerabilities," the alert continues. "The FBI expects the ubiquity of this activity to continue or possibly increase in the near future."

Organized cybercrime gangs that coordinate unlimited attacks typically do so by hacking or phishing their way into a bank or payment card processor. Just prior to executing on ATM cashouts, the intruders will remove many fraud controls at the financial institution, such as maximum ATM withdrawal amounts and any limits on the number of customer ATM transactions daily. The perpetrators also alter account balances and security measures to make an unlimited amount of money available at the time of the transactions, allowing for large amounts of cash to be quickly removed from the ATM.

8 of 71 comments (clear)

  1. howto? by ls671 · · Score: 4, Funny

    I am a security researcher and I would like to know if there is a howto or a proof of concept available somewhere?

    Please provide links if you have them. This sounds like a really serious threat that I definitely need to look into.

    Thanks in advance! :)

    --
    Everything I write is lies, read between the lines.
  2. Anne A. Log by Mr+D+from+63 · · Score: 2

    Seems like they could use an analog cash counter on each teller machine that shuts it down if more than allowed is withdrawn on a single transaction.

    1. Re:Anne A. Log by fisted · · Score: 4, Funny

      You can't fix the damn system because it's closed source and named Windows XP POS, where the 'POS' part is oddly appropriate.

      --
      CLI paste? paste.pr0.tips!
    2. Re:Anne A. Log by Bert64 · · Score: 2

      The ATMs themselves have physical limits on how much cash they will dispense (ie number of bills) in a single transaction...
      But that's not the problem here.

      Someone hacked a company which issues cards, and then issues fraudulent cards with an infinite balance on them. The ATM reads the card, queries the hacked provider via the card payment network (eg visa, mastercard etc) to see if the card issuer will allow the withdrawal.
      Since the provider has been hacked, they will respond to allow the withdrawal and the local ATM will dispense cash as it's designed to do.

      As the provider is compromised, the attackers can generate as many accounts with as much balance as they want, and keep drawing out cash. The banks owning the ATMs will demand settlement from the hacked merchant, who will probably go bankrupt if the attackers extort enough cash.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  3. Go to the Well by Spamalope · · Score: 2

    So, how much mortgage fraud will it take Wells Fargo to make up for the losses...

  4. Bummer by DogDude · · Score: 3, Interesting

    Yeah, that's a real bummer for the banks. Maybe they should get serious about security?

    --
    I don't respond to AC's.
    1. Re:Bummer by nonBORG · · Score: 3, Interesting

      Banks are pretty serious about security with a high budget. But it is the markets/stock exchanges etc that have an unlimited budget. However at present it is not about the budget but rather about what they can do to stop them at this point. Can they patch every money machine in the world in the next day? Can they find the source cards and shut down the accounts? Can they change the system to real time so that in any country in the world they support real time balance of account to limit possible funds withdrawal?

      Possibly they can look into all of these things but there are a lot of issues. The problem of security has moved, however banks are stuck. They have to work with other banks all across the world and integrate with their systems, so if you are in Shenzhen China you can use you card to get cash, this is a feature requirement. The opposite side is the security requirement. However credit card companies don't take risk they just force the bank to take the risk so the bank (the smaller entity of the two) has to manage the security risk.

      If they are serious about security (which they are) how should they move forward? They want to solve the issues but they really have to have answers. I suggest that a card is not highly secure and becomes a weak point in the system, is there another option that is highly secure? Anyone have some serious options rather than just lament that banks have issues?

      --
      You can't handle the truth! - Because I don't post left all my comments get modded down, bye bye Karma.
  5. Cannot clone cards outside the USA by aberglas · · Score: 2

    The rest of the world puts a chip on the cards with a secret that never leave it. Almost impossible to clone.

    I visited California recently and found my credit card being used to take out cash. Bank will deal with it, but I am without a card for a week. Only possible due to use of magnetic stripe.