Btech has recently learned about
warnings of ATM cashouts issued by the Federal Bureau of Investigation (FBI).
What is an "ATM Cashout"?
According to reports, "cybercriminals are preparing to carry out a highly choreographed, global fraud scheme known as an 'ATM cashout,' in which crooks hack a bank or payment card processor and use cloned cards at cash machines around the world to fraudulently
withdraw millions of dollars in just a few hours.
Financial institution are compromised with malware allowing cybercriminals access to the
network and customer card information. Small to medium size institutions are targeted, "likely due to less robust implementation of cuber security controls, budgets, or third party vendor vulnerabilities."
After gaining access to a network via phishing or hacking, the intruders will remove fraud controls, alter security measures and bank balances before using copies of legitimate cards to withdraw accounts funds simultaneously.
Cashout operations are usually launched on weekends, just after closing procedures are started. This allows criminals more time to withdraw funds.
How can you protect your network?
The FBI provided the following tips to help keep your institution secure:
"The FBI is urging banks to review how they're handling security, such as implementing strong password requirements and two-factor authentication using a physical or digital token when possible for local administrators and business critical roles.
Other tips in the FBI advisory suggested that banks:
- Implement separation of duties or dual authentication procedures for account balance or withdrawal increases above a specified threshold.
- Implement application whitelisting to block the execution of malware.
- Monitor, audit and limit administrator and business critical accounts with the authority to modify the account attributes mentioned above.
- Monitor for the presence of remote network protocols and administrative tools used to pivot back into the network and conduct post-exploitation of a network, such as Powershell, cobalt strike and TeamViewer.
- Monitor for encrypted traffic (SSL or TLS) traveling over non-standard ports.
- Monitor for network traffic to regions wherein you would not expect to see outbound connections from the financial institution."
Several news sources have confirmed that Cosmos cooperative bank in India was targeted this week. Using cloned cards and 25 ATMs located in Canada, Hong Kong and India, the cybercriminals made around 12,000 transactions. They stole approximately $13.5 million.
This is another reminder that excellent IT security is a must for your credit union. As identified above, multiple layers of security are necessary to identify, correct, and protect your environment.
Please feel free to contact me at
or 626-397-1045 if you have any questions, or if we can help in any way.