August 15, 2018 By Charles Henderson

A new ATM fraud scheme has surfaced, and it’s more sophisticated than any other ATM attack we’ve seen.

First reported by Krebs on Security, the fraud scheme, known as an “ATM cash-out,” goes well beyond the typical threat of attackers planting physical skimmers on ATMs. The criminals have upped their game, compromising ATMs and their surrounding infrastructure virtually — and they are reaping an exponential increase in revenue.

Why This Is Not Your Typical ATM Attack

Until now, criminals have mainly compromised ATMs using physical methods. They might plant skimmers on the front of machines to capture payment card data as customers insert their cards, for example, or install a piece of hardware that manipulates the ATM to spit out money (aka jackpotting). This newly discovered attack is mainly virtual. It is also twofold: Criminals compromise both the front and back ends of the ATM infrastructure.

On the front end, criminals are compromising financial organizations’ people, processes and technologies to collect customer payment card data in bulk and create fraudulent cards. They use various methods, such as socially engineering an employee who manages the ATM network or exploiting an infrastructure vulnerability to plant malware. However they get in, they are using high-efficiency card collection techniques and gathering thousands of customers’ payment card information in one swoop.

On the back end, they’re manipulating components of the ATM network to change the maximum amount of money a customer can withdraw. With an endless amount of cash at their disposal, they could potentially drain a customer’s entire bank account.

The pairing of these attacks — coupled with the fact that they are virtual and much more efficient than previous ones — makes this scheme more dangerous than the typical ATM compromise.

https://youtu.be/b2UAeSBV7zo

How Can Organizations Protect Themselves Against ATM Fraud?

To protect themselves from this attack, organizations should monitor customer withdrawal limits. It’s not unusual for customers to change their withdrawal limits. However, if the number of customers changing their limits skyrockets from a few a day to 500 a day, that should raise a red flag.
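One way to run the withdrawal-limit check described above, as an added example that is not code from the article or from IBM: it counts the distinct accounts whose limit changed each day and flags days far above the trailing median. The audit-log columns, the `window`, `factor` and `floor` thresholds and the sample data are all assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import date, timedelta
from statistics import median


def daily_change_counts(audit_csv):
    """Count distinct accounts whose withdrawal limit changed, per calendar day."""
    accounts = defaultdict(set)
    for row in csv.DictReader(io.StringIO(audit_csv)):
        if row["old_limit"] != row["new_limit"]:      # ignore no-op writes
            accounts[date.fromisoformat(row["day"])].add(row["account"])
    return {day: len(accts) for day, accts in accounts.items()}


def flag_spikes(counts, window=7, factor=10, floor=50):
    """Return (day, count, baseline) for days far above the trailing median.

    window, factor and floor are illustrative assumptions, not values from
    the article; tune them against your own change history.
    """
    alerts = []
    for day in sorted(counts):
        # Days with no changes count as zero so quiet periods lower the baseline.
        history = [counts.get(day - timedelta(days=n), 0) for n in range(1, window + 1)]
        baseline = median(history)
        if counts[day] >= max(floor, factor * baseline):
            alerts.append((day, counts[day], baseline))
    return alerts


def build_sample():
    """Constructed audit log: a few changes a day, then 500 on one day."""
    rows = ["day,account,old_limit,new_limit"]
    start = date(2018, 8, 1)
    for offset, n in enumerate([3, 2, 4, 3, 5, 2, 3, 4, 500, 3]):
        day = (start + timedelta(days=offset)).isoformat()
        for i in range(n):
            rows.append(f"{day},ACCT{offset:02d}{i:04d},500,{5000 if n > 10 else 800}")
    return "\n".join(rows)


if __name__ == "__main__":
    for day, count, baseline in flag_spikes(daily_change_counts(build_sample())):
        print(f"{day}: {count} accounts changed limits (trailing median {baseline})")
```

The median baseline keeps the spike day itself from inflating the threshold for the days that follow, so a second burst shortly afterwards would still be flagged.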

Companies should also test their infrastructure vigorously and frequently. Security teams can stay one step ahead of fraudsters by conducting penetration tests against employees, searching for holes in organizational practices and implementing technology to uncover security vulnerabilities. By finding and fixing vulnerabilities within their ATMs and surrounding infrastructure quickly, organizations can minimize attackers’ opportunity to exploit them.

From 2017 to 2018, X-Force Red, IBM Security’s team of veteran hackers, saw a 300 percent increase in banks requesting ATM testing. The team is hired by financial organizations globally to hack into their applications, hardware, devices, personnel, ATMs and surrounding infrastructure using the same methods and tools criminals use. Once X-Force Red discovers these weaknesses, the team helps the organization to remediate them before criminals have a chance to compromise its systems.

When it comes specifically to ATM cash-out attacks, X-Force Red can test ATMs and their ecosystem, meaning the people, processes and technologies that connect to those ATMs. The team can also identify vulnerabilities that criminals would exploit in order to steal card data and manipulate the ATM’s network so that larger sums of money can be withdrawn. Finally, and most importantly, X-Force Red can help organizations remediate those vulnerabilities before criminals are able to exploit them.

Learn more about the newly announced X-Force Red ATM Testing Practice

Source: Krebs on Security
