By now you have likely read about the FBI warning issued this month, regarding global ATM cashout schemes.

“The FBI has obtained unspecified reporting indicating cybercriminals are planning to conduct a global automated teller machine cashout scheme in the coming days, likely associated with an unknown card issuer breach and commonly referred to as an ‘unlimited operation,’ ” the advisory read.

This scheme is a choreographed ATM cashout involving organized cybercrime gangs and is done by hacking into the ATM network through malware (circumventing fraud controls) and then withdrawing substantial amounts of money.

“The cyber criminals typically create fraudulent copies of legitimate cards by sending stolen card data to co-conspirators who imprint the data on reusable magnetic strip cards, such as gift cards purchased at retail stores,” the FBI warned. “At a pre-determined time, the co-conspirators withdraw account funds from ATMs using these cards.”

As part of the alert, the FBI provided some guidance on how to better protect your institution. They encouraged a review of how your current security is being handled and to implement strong password requirements. Additionally, the FBI suggested the use of two-factor authentication by a physical or digital token for administrators and business-critical roles.

FBI Guidance on Protecting ATMs

  1. Implement separation of duties/dual authentication procedures for account balance or withdrawal increases above a specified threshold.
  2. Implement application whitelisting to block the execution of malware.
  3. Monitor, audit & limit administrator, and business-critical accounts with the authority to modify the account attributes.
  4. Monitor for the presence of remote network protocols & administration tools used to pivot back into the network and conduct post-exploitation of a network, such as PowerShell, Cobalt Strike & TeamViewer.
  5. Monitor for encrypted traffic (SSL or TLS) traveling over non-standard ports and network traffic to regions where you would not expect to see outbound connections from the financial institution.



For more information, as well as an update on how an ATM cashout scheme was executed against Cosmos bank in India shortly after the FBI warning was issued, read this article by KrebsOnSecurity: