The FBI is warning of an “imminent” global cyberattack on ATM machines that could result in millions of dollars withdrawn from bank accounts far and wide, in a similar “cash-out” attack to one in 2009 which hit ATMs worldwide to the tune of $9 million.
“The FBI has obtained unspecified reporting indicating cyber criminals are planning to conduct a global Automated Teller Machine (ATM) cash-out scheme in the coming days, likely associated with an unknown card issuer breach and commonly referred to as an ‘unlimited operation’,” according to an FBI alert to banks that was obtained by noted cybersecurity expert Brian Krebs.
Krebs describes it as a “highly choreographed, global fraud scheme known as an “ATM cash-out,” in which crooks hack a bank or payment card processor and use cloned cards at cash machines around the world to fraudulently withdraw millions of dollars in just a few hours.”
“Historic compromises have included small-to-medium size financial institutions, likely due to less robust implementation of cyber security controls, budgets, or third-party vendor vulnerabilities. The FBI expects the ubiquity of this activity to continue or possibly increase in the near future,” the FBI statement reads.
In other words, financial institutions which haven’t upgraded to the latest and greatest in security measures are vulnerable to attack. And since banks will likely reimburse anyone affected by the breach, the FBI’s warning should particularly interest small-to-mid sized banks using outdated technology.
In July, two similar “unlimited operation” attacks resulted in losses of $2.4 million from the National Bank of Blacksburg according to Krebs, who broke the story.
In both cases, the attackers managed to phish someone working at the Blacksburg, Virginia-based small bank. From there, the intruders compromised systems the bank used to manage credits and debits to customer accounts.
The 2016 unlimited operation against National Bank began Saturday, May 28, 2016 and continued through the following Monday. That particular Monday was Memorial Day, a federal holiday in the United States, meaning bank branches were closed for more than two days after the heist began. All told, the attackers managed to siphon almost $570,000 in the 2016 attack.
The Blacksburg bank hackers struck again on Saturday, January 7, and by Monday Jan 9 had succeeded in withdrawing almost $2 million in another unlimited ATM cashout operation. –Krebs On Security
Meanwhile, the FBI is advising banks on best security practices, such as two-factor authentication using physical or digital tokens, as well as beefed up password requirements.
The FBI issued a similar alert in 2009, after a “wave of thieves fanned out across the globe nearly simultaneously. With cloned or stolen debit cards in hand—and the PINs to go with them—they hit more than 2,100 money machines in at least 280 cities on three continents, in such countries as the U.S., Canada, Italy, Hong Kong, Japan, Estonia, Russia, and the Ukraine.”
When it was all over—incredibly within 12 hours—the thieves walked off with a total of more than $9 million in cash. And that figure would’ve been more had the targeted ATMs not been drained of all their money.
The alleged masterminds of this slick scheme—prosecutors charged earlier this month following an extensive FBI investigation assisted by other federal agencies and our partners around the globe—were three 20-something Eastern Europeans and an unnamed person called simply “Hacker 3.” –FBI (via archive.is)
We’re sure the establishment’s cashless society will fix all these annoying vulnerabilities.