As fraudsters come back to banks, ATM attacks rise
With so many data breaches targeting merchants, banks should not assume they are in the clear. Banks are, after all, where the money is.
Visa is already witnessing this shift in fraudsters' attention. The card network reported that it has notified 97 different institutions in recent years of an active ATM cash out fraud event or anomalous activity that led it to believe an attack was imminent.
The term “ATM cash out fraud” refers to a scheme in which a payment card has been cloned from a legitimate account and is used to withdraw cash at an ATM. Oftentimes the withdrawals will exceed the amount of money held in the account, as criminals will use technology to raise a card’s withdrawal limit.
“Five years ago, we saw a lot of breaches at merchants. Now we are starting to see a resurgence of financial institution attacks and a key method for these bad actors to monetize their work is to use an ATM cash out theft,” said Tia Ilori, senior director of fraud and breach investigations at Visa.
That Asia Pacific and CEMEA (Central Europe, Middle East and Africa) regions are currently the epicenters of these attacks, and the size and sophistication of the fraud is increasing, according to Visa.
Ilori outlined three main steps that fraudsters use to set up an ATM cash out theft. First, they gain access into an institution’s network through either collusive employees or simply ones that are phished into compliance. The next step is that fraudsters will identify legitimate accounts and increase their withdrawal limits to $1 million per day, which effectively makes the card limitless. The final step is to use a team of money mules in a number of countries that will simultaneously withdraw cash from various ATMs across the globe.
By leveraging its Vital Signs capability, Visa is able to identify in real-time when a debit card is withdrawing cash from several different ATMs in multiple countries at the same time.
“The greatest losses from ATM fraud are always perpetuated from within the bank because fraudsters can impact a greater number of accounts at once,” said Richard Crone, principal of Crone Consulting LLC.
Earlier this year it was reported that hackers gained access to the Chilean ATM network Redbanc by phishing an employee. Hackers pretending to screen a Chilean ATM network staffer for a new job, and instead slipped malware onto his work computer, leading to a broader attack.
The Redbanc IT employee responded to a developer position posted on LinkedIn. Then he was contacted by hackers called the Lazarus Group, which has ties to the North Korean dictatorship.
The cash out fraud trend is not the only challenge that has befallen the ATM industry in recent years. The U.S. Secret Service has been warning banks and ATM manufacturers since 2017 to adopt new security measures to prevent thieves from “Jackpotting” an ATM. Jackpotting manipulates a machine to dispense all of its money in a single transaction.
To gain a better perspective of how Visa’s Vital Signs capability is monitoring global ATM traffic, Visa required that all off its worldwide bank and credit union clients participate in it, so there is no need to opt-in. This traffic is monitored in its Northern Virginia risk operations center, or ROC.
“It’s from our ROC that we can keep tabs on global ATM traffic and monitor potential threats," said Ilori. "Once we believe there is an imminent threat or when something is actually occurring, our risk team picks up the phone to alert the affected issuer so we can stop fraud in its tracks.”
Hackers tend to target IT staff or bank network administrators, because once they have been either bribed or phished they can provide privileged access. This includes administrator’s credentials, which allow a hacker to legitimately change parts of the networks including withdrawal limits.
If the hacker is careful enough the bank will not be a position to uncover the fraud until it is cashed out by the money mules or identified by Visa’s Vital Signs.
“This type of fraud, unfortunately, will not go away until ATMs add multi-factor authentication such as facial recognition or even adopt something as simple as reaching out to a cell phone for a one-time password,” said Crone.