FBI Warns of 'Unlimited' ATM Cashout Scheme

The FBI is warning banks about a global fraud scheme known as an "ATM cash-out," in which criminals hack a bank or payment card processor and use cloned cards at cash machines around the world to fraudulently withdraw millions of dollars in just a few hours. "The FBI has obtained unspecified reporting indicating cyber criminals are planning to conduct a global Automated Teller Machine (ATM) cash-out scheme in the coming days, likely associated with an unknown card issuer breach and commonly referred to as an 'unlimited operation,'" reads a confidential alert the FBI shared with banks privately on Friday. Krebs on Security reports: The FBI said unlimited operations compromise a financial institution or payment card processor with malware to access bank customer card information and exploit network access, enabling large scale theft of funds from ATMs. "Historic compromises have included small-to-medium size financial institutions, likely due to less robust implementation of cyber security controls, budgets, or third-party vendor vulnerabilities," the alert continues. "The FBI expects the ubiquity of this activity to continue or possibly increase in the near future."

Organized cybercrime gangs that coordinate unlimited attacks typically do so by hacking or phishing their way into a bank or payment card processor. Just prior to executing on ATM cashouts, the intruders will remove many fraud controls at the financial institution, such as maximum ATM withdrawal amounts and any limits on the number of customer ATM transactions daily. The perpetrators also alter account balances and security measures to make an unlimited amount of money available at the time of the transactions, allowing for large amounts of cash to be quickly removed from the ATM.

Re:

[Mats Svensson]

Just shave his head.
Then people will probably stop feeding him, and he'll die from trying to eat a stapler.

howto?

[ls671]

I am a security researcher and I would like to know if there is a howto or a proof of concept available somewhere?

Please provide links if you have them. This sounds like a really serious threat that I definitely need to look into.

Thanks in advance! :)

Re:

[Anonymous Coward]

Since the FBI has never convicted a single spammer, and the only "cybercriminals" they've prosecuted were grossly incompetent and tracked by good old police work, I've been convinced that their "cybercrime" isn't. It's a domestic espionage unit, not criminal investigators, because they *refuse to pursue verifiable criminal activity", such as spammers, phishers, the real estate fraud constantly occurring on housing websites, businesses that inflate their client base with fraudulent bots, or any other actual

Re:

[antdude]

Sure. http://127.0.0.1/ [127.0.0.1] and ftp://127.0.0.1 [127.0.0.1].

Anne A. Log

[Mr D from 63]

Seems like they could use an analog cash counter on each teller machine that shuts it down if more than allowed is withdrawn on a single transaction.

Re:Anne A. Log

[fisted]

You can't fix the damn system because it's closed source and named Windows XP POS, where the 'POS' part is oddly appropriate.

Re:

[Bert64]

The ATMs themselves have physical limits on how much cash they will dispense (ie number of bills) in a single transaction...
But that's not the problem here.

Someone hacked a company which issues cards, and then issues fraudulent cards with an infinite balance on them. The ATM reads the card, queries the hacked provider via the card payment network (eg visa, mastercard etc) to see if the card issuer will allow the withdrawal.
Since the provider has been hacked, they will respond to allow the withdrawal and the

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Ocker3]

Interesting information, and I really like your signature :)

Re: Anne A. Log

[ceoyoyo]

So sad. Big company that makes lots of money doesnâ(TM)t bother with proper security, gets hacked, goes bankrupt.

Maybe it will finally happen. Losing banksâ(TM) money is sure to be taken more seriously than screwing with peopleâ(TM)s lives.

Go to the Well

[Spamalope]

So, how much mortgage fraud will it take Wells Fargo to make up for the losses...

Bummer

[DogDude]

Yeah, that's a real bummer for the banks. Maybe they should get serious about security?

Re:

[nonBORG]

Banks are pretty serious about security with a high budget. But it is the markets/stock exchanges etc that have an unlimited budget. However at present it is not about the budget but rather about what they can do to stop them at this point. Can they patch every money machine in the world in the next day? Can they find the source cards and shut down the accounts? Can they change the system to real time so that in any country in the world they support real time balance of account to limit possible funds withd

Re: Bummer

[phantomfive]

This is not a problem of "working with other banks," though, it's a problem of issuers getting hacked and losing money the way they deserve to have happen to them.

Re:

[G00F]

banks are not concerned with high security. They are concerned with risk, but more importantly, with their internal rules, policies and such.

They make policies that actually go against security and PCI. And getting them to fix it takes years.

You know, it took one bank a year to fix the fact they listed ciphers in the wrong order, they went from weakest to strongest and it took a year to fix that.

That's minor compared to crypting passwords and salting them, rather than plain text.

Or removing a policy that ev

Re: Bummer

[ceoyoyo]

I have a password (internet) and pin (RL) with my credit card. Have for more than a decade. I donâ(TM)t live in the US.

Thereâ(TM)s something weird about banks and the US market.

time for OS2 to reloaded on ATM's?

[Joe_Dragon]

time for OS2 to reloaded on ATM's?

Re:

[Fly Swatter]

The costs of these problems is passed on to YOU in the form of higher interest rates on debt, lower rates on savings, and increased service fees. But hey, using cash is such a hassle (although ironically in this case you get cash with the atm card they are hacking). And who cares about a little more debt on that big pile that already can't be payed off.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Justin Obfuscate]

Even if the bank fails, depositors would be insured up to $250k if you chose an FDIC backed bank. If you chose a non-FDIC bank, well shame on you. Also, the FTC has liability protections: "If someone makes unauthorized transactions with your debit card number, but your card is not lost, you are not liable for those transactions if you report them within 60 days of your statement being sent to you." https://www.consumer.ftc.gov/a... [ftc.gov]

Re:

[gravewax]

How about feeling sorry for the poor bastards whose accounts are compromised with this. Even if they don't individually lose money their cards will be cancelled and they will have massive inconvenience at a minimum. regardless all the insurance costs and the cleanup costs simply get passed on to the customers anyway.

Re:

[account_deleted]

Comment removed based on user account deletion

This and the Equifax breach

[Rick Schumann]

If this is not just FUD or clickbait, is a Real Thing, then I'll bet this is where the Equifax data breach is going to bite us all in the ass, as our banking and idenitity information is used to access our accounts to facilitate this 'cash-out' scheme. Guess we'll know soon enough, won't we?

Not even going to bother worrying about it. Horse has left the barn a long time ago now.

Cannot clone cards outside the USA

[aberglas]

The rest of the world puts a chip on the cards with a secret that never leave it. Almost impossible to clone.

I visited California recently and found my credit card being used to take out cash. Bank will deal with it, but I am without a card for a week. Only possible due to use of magnetic stripe.

Re:

[Antique Geekmeister]

If I may say, "nonsense". See the many articles on the whilesale replication of "pin" cards, such as https://www.scmagazine.com/evo... [scmagazine.com] .

Re:

[hankwang]

From.your link: "...faulty implementation of the EMV standard, whereby payment operators fail to perform all of the required validations on data before approving a transaction."

The cards themselves are fine. The PoS terminals in Brazil were apparently pieces of s.

Re:

[Antique Geekmeister]

Yes, that _particular_ card was cloned wholesale due to that implementation. Others are also being cloned. Look at http://www.digitaljournal.com/... [digitaljournal.com] .

I'm afraid it's unrealistic to say they're "almost impossible to clone". The Prilex malware seems to be this year's most broadly supported cloning technology, and it may be reparable. But I don't think you can point to a single year since the development of "chip and pin" technology that didn't have a widespread cloning story.

Jackpotting?

[CODiNE]

If this is the ancient Jackpotting attack by Barnaby Jack they have no one to blame but themselves. This stuff has been well known since what 2014? They still have ATMs running ancient windows versions with auto run turned on. They still lock the ATM front case with cheap locks thinking the money is protected by the 2nd case, leaving the USB slot exposed. These attacks have been happening for years and they just never fix their stuff. "Won't happen to us" is their mantra. Just last year it starts showing u

Re:

[account_deleted]

Comment removed based on user account deletion

No Such Thing As ATM Machine

[JohnPerkins]

There are ATMs. There is no such thing as an ATM machine. That would be an automated teller machine machine.

Re:

[cellocgw]

There is no such thing as an ATM machine. That would be an automated teller machine machine.

which you can access with your PIN number to get money to buy a pizza pie after getting a consensus of opinion as to toppings.
So, what's your point?