FBI warns of imminent Global hack attack on ATMs

FBI warns of imminent hack attack on ATM machines worldwide
https://www.rt.com/business/435897-atm-mass-hacked-attack-fbi/

Published time: 14 Aug, 2018 09:39

Bank ATMs around the world are at risk of an "imminent" cyber attack with millions of dollars expected to disappear from accounts, according to a confidential alert by the US Federal Bureau of Investigation.

The warning issued by the FBI to international banks on Friday revealed that cyber criminals are planning a massive malware attack on ATMs across the globe in the next few days.

“The FBI has obtained unspecified reporting indicating cyber criminals are planning to conduct a global Automated Teller Machine (ATM) cash-out scheme in the coming days, likely associated with an unknown card issuer breach and commonly referred to as an 'unlimited operation',” the report obtained by cyber-security expert Brian Krebs reads.

The analyst warned global lenders of a highly choreographed, global fraud scheme known as an “ATM cash-out.” The criminals are reportedly planning to hack a bank or payment card processor and use cloned cards at cash machines around the world to withdraw millions of dollars in few hours. The similar fraud operation was carried out in 2009, when around $9 million was cleaned out from cash machines worldwide.   ---CONTINUED at link---

From the FDIC:
Federal Financial Institutions Examination Council

Joint Statement:  Cyber-attacks on Financial Institutions’ ATM and Card Authorization Systems
https://www.ffiec.gov/press/PDF/FFIEC%20ATM%20Cash-Out%20Statement.pdf



PURPOSE
The Federal Financial Institutions Examination Council (FFIEC)members1(“members”) are issuing this statement to notify financial institutions of a type of large dollar value automatic teller machine (ATM) cash-out fraud characterized as Unlimited Operations by the U.S. Secret Service. The members are aware of a recent increase in cyber-attacks launched in connection with this fraud, to gain access to, and alter the settings on, ATM web-based control panels used by small-to medium-size financial institutions.

Unlimited Operations may cause financial institutions to incur large dollar losses. Therefore, the members expect financial institutions to take steps to address this threat by reviewing the adequacy of their controls over their information technology networks, card issuer authorization systems, systems that manage ATM parameters, and fraud detection and response processes.

BACKGROUND
Unlimited Operations are a category of ATM cash-out fraud where criminals are able to withdraw funds beyond the cash balance in customer accounts or beyond other control limits typically applied to ATM withdrawals. Criminals perpetrate the fraud by initiating cyber-attacks to gain access to web-based ATM control panels, which enables them to withdraw customer funds from ATMs using stolen customer debit, prepaid, or ATM card account information. A recent Unlimited Operations attack netted over $40 million in fraud using only 12debit card accounts.

Criminals may begin the attack by sending phishing emails to employees of financial institutions as a means to install malicious software (malware) onto the institution’s network. Once installed, criminals use the malware to monitor the institution’s network to determine how the institution accesses ATM control panels and obtain employee login credentials. These control panels, often web-based, manage the amount of money customers may withdraw within a set timeframe, the geographic limitations of withdrawals, the types and frequency of fraud reports that its   service provider sends to the financial institution, the designated employee that receives these reports, and other management functions related to card security and internal controls. When    criminals obtain this information, they may use an employee’s login credentials to gain access to the control panel and change the settings to permit greater or unlimited cash disbursements at ATM machines, and to change other fraud and security related controls.

Following an attack on an institution’s ATM control panels, criminals use fraudulent debit, prepaid, or ATM cards they create with account information and personal identification numbers (PINs) stolen through separate attacks to withdraw funds from ATMs. Card account information and PINs typically are stolen in a number of ways including through point-of-sale (POS) malware or skimming, ATM malware or skimming, or compromise of the issuer’s card operations. The cash-out phase of the attack involves criminals organizing simultaneous withdrawals of large amounts of cash from multiple ATMs over a short time period, usually four hours to two days. Criminals may conduct their operations during holidays and weekends to take advantage of increased cash levels in ATMs and limited monitoring by financial institutions during non-work hours.

RISKS
Financial institutions that issue debit, prepaid, or ATM cards may face a variety of risks from Unlimited Operations including operational risks, fraud losses, liquidity and capital risks, depending on the size of the institution and the losses incurred, and reputation risks. Financial institutions that outsource their card issuing function to a card processor may initially be liable for losses even if the compromise occurs at the processor.

RISK MITIGATION
Financial institutions should ensure that their risk management processes address the risk from these types of cyber-attacks consistent with the risk management guidance contained in the FFIEC Information Technology (IT) Examination Handbook2and specifically the Information Security,3Outsourcing Technology Services,4and the Retail Payment Systems5booklets.

Financial institutions and processors that create PINs for card holders should follow the Payment Card Industry Data Security Standards (PCI-DSS) on PIN Security Requirements,6September 2011, and Hardware Security Module (HSM) SecurityRequirements,7May 2012, to address key management practices and the use of HSMs for encrypting PINs.

In accordance with regulatory requirements8and FFIEC guidance, the members expect financial institutions to take the following steps, as appropriate:

• Conduct ongoing information security risk assessments.Maintain an ongoing information security risk assessment program that identifies, prioritizes and assesses the risk to critical systems, including threats to applications that control ATM parameters and other security and fraud prevention systems.•Perform security monitoring, prevention, and risk mitigation. Ensure intrusion detection systems and antivirus protection are up-to-date, and firewall rules are configured properly. Monitor system reports to identify when attacks are attempted or are occurring, when data may be inappropriately leaving thenetwork, and when anomalous behavior patterns occur inside the institution’s network (i.e., attempted simultaneous logins to control panels or login attempts during non-business hours). Monitor third-party processers as well as ATM transaction activity for unusual behavior or attempts to go beyond normal daily limits.
  
  
• Protect against unauthorized access. Limit the number of elevated privileges across the institution, including administrator accounts, and the ability to assign elevated privileges to critical systems such as the systems to manage the institution’s card issuer authorization and ATM management systems. Consider updating all credentials and monitoring logs for use of old credentials. Consider establishing authentication rules, such as time-of-day controls, or implementing multifactor authentication protocols for web-based control panels.
  
  
• Implement and test controls around critical systems regularly.  Ensure appropriate controls are implemented for systems based on risk. Ensure that sign-on attempts for critical systems are limited and result in locking the account once limits are exceeded. Implement alerts to notify multiple employees when controls are changed on critical systems. Test the effectiveness of controls periodically. Report test results along with recommended risk mitigation strategies and progress to remediate findings to senior management or a committee of the board of directors.
  
  
• Conduct information security awareness and training programs. Conduct regular information security awareness training across the financial institution, including how to identify and prevent successful phishing attempts.
  
  
• Test incident response plans. Test the effectiveness of incident response plans at the financial institution and with third-party processors to ensure that all employees understand their respective responsibilities and protocols, including individuals responsible for managing liquidity and reputation risk, information security, vendor management, fraud detection, and customer inquiries. Consider conducting an exercise at the financial institution that simulates this type of attack.
  
  
• Participate in industry information sharing forums. Incorporate information sharing with other financial institutions and service providers into risk mitigation strategies. Since threats and tactics can change rapidly, participating in information-sharing organizations, such as the Financial Services Information Sharing and Analysis Center(FS-ISAC), can facilitate more efficient information sharing. The FS-ISAC and the United States Computer Emergency Readiness Team (US-CERT) are good sources of information on the methods used to conduct attacks and on risk mitigation tactics to minimize their impact.