The Federal Financial Institutions Examination Council (FFIEC), which regulates banks in the United States, has issued a guidance addressing a recent wave of ATM cash-out attacks that have been dubbed “Unlimited Operations” by the US Secret Service. In this kind of attack, criminals gain access to and change the settings on the web-based control panels used to run ATM machines belonging to small and medium-sized financial institutions, which then allows them to withdraw customer funds from those ATMs using cards or account information stolen in other attacks.


These attacks have caused large losses, with one recent attack allowing criminals to steal over US$40 million using only 12 debit card accounts. Now, FFIEC members are expected to address this threat by reviewing the adequacy of their controls over their infrastructure as well as their fraud detection and response processes.


How ATM Cash-Out Attacks Work

Criminals begin the process for carrying out this kind of fraud by stealing debit card information and PIN numbers, often through skimming or malware attacks aimed directly at customers. Then they initiate phishing and other social engineering attacks that seek to install malware on the computers of a financial institution’s employees. Criminals then used the malware to monitor the institution’s network and figure out how the institution regulates access to web-based ATM control panels. Once the criminals have deciphered how to manipulate that control panel, they can begin to change the limits on how much money customers are allowed to withdraw in a single transaction, take away any geographical restrictions on where money can be withdrawn, and modify the parameters for the generation of fraud reports when atypical transactions are processed.


With fewer constraints on withdrawals, criminals are then able to take out a lot of money unhindered using fraudulent debit or prepaid cards with the card information they previously stole. Then they cash out: the criminals organize simultaneous withdrawals of large amounts of cash from multiple ATMs over a short period of several hours to two days. Sometimes these attacks are scheduled to happen during holidays and weekends to take advantage of higher cash amounts in ATMs and the comparatively limited monitoring by financial institutions outside of business hours.


The Benefits of Multi-Layered Protection

Security and fraud analysts agree that multiple layers of fraud protection are the only way to ensure robust electronic security. Easy Solutions’ Total Fraud Protection is a one-stop shop for end-to-end fraud protection, leveraging data and intelligence across its layers to guarantee reliable risk management in a fraud environment that is always changing. Total Fraud Protection can help your organization implement the advice given by the FFIEC for avoiding ATM cash-out fraud, as shown in the table below:


FFIEC Advice to Mitigate Cash-Out Attacks Easy Solutions Product or Service That Can Help Prevent ATM Cash-Out Attacks
Conduct ongoing information security risk assessments.

Detect Professional Services can help your organization to identify, prioritize and assess any risks to critical systems.
Perform security monitoring, prevention and risk mitigation. Detect monitoring Service can proactively identify when attacks are occurring on your websites and network. DetectTA can monitor transactional activity on ATMs and all other electronic channels.
Protect against unauthorized access. DetectID can give your organization a strong multi-factor authentication protocol for preventing unauthorized access to sensitive data. Detect Safe Browsing can find and block malware that gives cybercriminals access to your critical infrastructure.
Implement and test controls around critical systems regularly. DetectID can limit sign-on attempts and lock out unauthorized users who exceed the limit.
Conduct information security awareness and training programs. Detect Professional Services can help your organization conduct regular information security awareness training, including penetration and phishing identification tests.
Test incident response plans. Detect Professional Services can help your organization to conduct exercises that simulate security incidents to test the effectiveness of incident response plans.


For more information contact us at This email address is being protected from spambots. You need JavaScript enabled to view it.

©2020 AppGate    I    Privacy Policy    I   Cookie Policy    I   Legal Terms