In tandem with the ATM Industry Association (ATMIA), the PCI Security Standards Council (PCI SSC) has issued a bulletin drawing attention to a threat that warrants immediate attention and awareness.
Understanding the threat –
An ATM cash-out attack is an elaborate, choreographed crime in which cybercriminals breach a bank or payment card processor, manipulate its fraud detection controls and alter customer accounts so that there are effectively no limits on withdrawals, and then drain cash from numerous ATMs in a short period of time.
Often these criminals manipulate account balances and withdrawal limits to run the ATMs dry.
How does the ATM cash-out Attack work?
This attack requires careful planning and execution. Typically, the cybercriminals gain remote access to a card management system and alter fraud prevention controls, such as the withdrawal limits or PINs of compromised cardholder accounts.
This access is commonly obtained by introducing malware into a financial institution's or payment processor's systems via phishing or other social engineering methods.
Threat actors then create new accounts or use compromised existing accounts, and/or distribute compromised debit/credit cards to a group of people who make withdrawals at ATMs in a coordinated manner.
Using the card management system, the criminals manipulate balances and withdrawal limits so that withdrawals keep being authorized until the ATMs are empty of cash.
The attack does not exploit vulnerabilities in the ATM itself. The ATM is simply used to withdraw cash after vulnerabilities in the card issuer's authorization system have been exploited.
Who is at Risk?
These large-scale, coordinated attacks are aimed at financial institutions and payment processors, which stand to lose millions of dollars in a very short period and can be exposed in multiple regions around the world as the result of a single highly organized, well-orchestrated criminal operation.
What are some of the best practices for detection?
- Velocity monitoring of the underlying accounts and of transaction volume (withdrawal counts, amounts and number of distinct ATMs per account over a short time window)
- Round-the-clock monitoring capabilities, including File Integrity Monitoring (FIM) systems
- A reporting system that raises an alarm immediately when suspicious activity is identified
- Development and regular rehearsal of an incident response plan
- Checks for unexpected traffic sources (e.g. unfamiliar IP addresses)
- Checks for unauthorized execution of network tools
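The first three detection practices above (velocity monitoring, monitoring of changes to account controls, and immediate alerting) can be illustrated on the issuer's side with a small rule engine. The example below is added here for illustration and is not from the PCI SSC bulletin or from eScan; the log format, account numbers, ATM identifiers, thresholds and the `LIMIT_CHANGE`/`WITHDRAW` event names are assumptions, and the log lines are constructed. It flags a withdrawal limit that jumps by an implausible factor, then flags an account whose withdrawals in a sliding ten-minute window hit thresholds on count, distinct ATMs or total amount, and records whether a suspicious limit change preceded the burst.

```python
"""Velocity and limit-change monitoring for ATM cash-out patterns.

Added example (not from the PCI SSC bulletin or eScan). Log format,
thresholds and identifiers are assumptions; the sample lines are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed issuer-side log: ISO timestamp|event|account|key=value fields
SAMPLE_LOG = """\
2024-03-02T01:55:10Z|LIMIT_CHANGE|4111000011|old=500|new=500000|by=ops-remote
2024-03-02T02:00:05Z|WITHDRAW|4111000011|atm=ATM-NY-01|amount=2000
2024-03-02T02:00:40Z|WITHDRAW|4111000011|atm=ATM-NJ-07|amount=2000
2024-03-02T02:01:15Z|WITHDRAW|4111000011|atm=ATM-CT-03|amount=2000
2024-03-02T02:02:00Z|WITHDRAW|4111000011|atm=ATM-NY-01|amount=2000
2024-03-02T02:02:30Z|WITHDRAW|4111000011|atm=ATM-PA-02|amount=2000
2024-03-02T02:03:00Z|WITHDRAW|4111000011|atm=ATM-NY-09|amount=2000
2024-03-02T09:15:00Z|WITHDRAW|4222000022|atm=ATM-NY-01|amount=100
2024-03-02T17:40:00Z|WITHDRAW|4222000022|atm=ATM-NY-01|amount=60
"""


def parse_log(text):
    """Parse the constructed pipe-delimited log into time-ordered event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, account, *fields = line.split("|")
        detail = dict(f.split("=", 1) for f in fields)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "kind": kind,
            "account": account,
            **detail,
        })
    return events


def detect_cashout(events, window=timedelta(minutes=10), max_count=4,
                   max_atms=3, max_total=5000, limit_spike=10):
    """Return alerts for limit spikes and withdrawal velocity per account.

    A 'velocity' alert fires once per account when, within `window`, the
    withdrawal count, number of distinct ATMs, or total amount reaches its
    threshold. A 'limit_spike' alert fires when a limit is raised by a
    factor of `limit_spike` or more; velocity alerts note a prior spike.
    """
    alerts = []
    recent = defaultdict(deque)   # account -> deque of (ts, atm, amount)
    spiked = {}                   # account -> time of suspicious limit change
    flagged = set()               # accounts already alerted for velocity

    for ev in events:
        acct = ev["account"]
        if ev["kind"] == "LIMIT_CHANGE":
            old, new = int(ev["old"]), int(ev["new"])
            if old > 0 and new / old >= limit_spike:
                spiked[acct] = ev["ts"]
                alerts.append({"rule": "limit_spike", "account": acct,
                               "ts": ev["ts"], "old": old, "new": new,
                               "by": ev.get("by")})
            continue
        if ev["kind"] != "WITHDRAW":
            continue

        q = recent[acct]
        q.append((ev["ts"], ev["atm"], int(ev["amount"])))
        # Drop withdrawals that fell out of the sliding window.
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()

        count = len(q)
        atms = {atm for _, atm, _ in q}
        total = sum(amt for _, _, amt in q)
        reasons = []
        if count >= max_count:
            reasons.append(f"{count} withdrawals")
        if len(atms) >= max_atms:
            reasons.append(f"{len(atms)} distinct ATMs")
        if total >= max_total:
            reasons.append(f"total {total}")
        if reasons and acct not in flagged:
            flagged.add(acct)
            alerts.append({"rule": "velocity", "account": acct, "ts": ev["ts"],
                           "reasons": reasons,
                           "limit_changed_at": spiked.get(acct)})
    return alerts


if __name__ == "__main__":
    for alert in detect_cashout(parse_log(SAMPLE_LOG)):
        print(alert)
```

In a real deployment the thresholds would be tuned per product and customer segment, the limit-change rule would also key on who made the change and from where (the "unexpected traffic sources" point above), and the alert would feed the reporting system rather than standard output. The second account, with two small withdrawals hours apart, produces no alert, which is the behaviour a velocity rule needs to avoid flooding analysts.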
Some prevention best practices are –
- Strong access controls on your systems and identification of third-party risks
- Employee monitoring systems to guard against an “inside job”
- Continuous phishing training for employees
- Multi-factor authentication
- Strong password management
- Multiple layers of authentication/approval (dual control) for remote changes to account balances and transaction limits
- Prompt implementation of required security patches
- Regular penetration testing
- Frequent reviews of access control mechanisms and access privileges
- Strict separation of roles that have privileged access, so that no single user ID can perform sensitive functions end to end
- File integrity monitoring software, which also serves as a detection mechanism
- Strict adherence to the whole of PCI DSS.
To read more, please check eScan Blog