Focus on ATM Fraud
Despite the widespread adoption of online and mobile banking, consumer use of ATMs not only remains steady but has actually increased. The number of consumers using their institution's ATM network has doubled in the past five years, and more than twice as many consumers hit a foreign ATM in 2017 versus 2012. In light of the exponential increase in ATM use, in this column we are focusing on the emerging risks targeting ATMs.
While bank branches and ATMs have long been lucrative targets for criminals, the industry has seen an increase in physical and remote attacks as thieves have more sophisticated tools and methods at their disposal. And today's ingenious criminals are still following the pragmatic advice the infamous Willie Sutton penned in his 1976 memoir, "Go where the money is...and go there often."
In the wake of the FBI's private industry notification sent to cybersecurity professionals and system administrators at select banks, financial institutions across the country have been on high alert for global large-scale ATM cash-out attacks. Investigative journalist Brian Krebs referred to the attacks as "highly choreographed" with the intent to withdraw millions of dollars from ATMs around the world in just a few hours. Just days after the FBI's warning went public, Indian co-operative Cosmos Bank was hit with a sophisticated malware and ATM cash-out attack that resulted in $13.4 million in losses for the bank. The attackers infiltrated the bank's ATM switch system, passing and approving transactions from cloned Visa and Rupay debit cards through a proxy switch. The money was withdrawn from ATM machines across 28 countries in around 12,000 international transactions and around 2,849 domestic transactions that were carried out using fake debit cards, according to a statement released by the bank.
In July, a Virginia bank disclosed that hackers made off with more than $2.4 million by using emails to launch two separate cyber intrusions over an eight-month period. In the first heist, a malicious-laden email allowed the intruders to install malware on the victim's PC and to compromise a second computer at the bank that had access to the bank's STAR Network and the ability to manage the bank's customer accounts and their use of ATMs and bank cards. Armed with this access, the hackers disabled and altered anti-theft and anti-fraud protections (i.e., PINs), daily withdrawal limits, daily debit card usage limits, and fraud score protections. The thieves then used hundreds of ATMs to dispense more than $569,000 from customer accounts. Eight months later, hackers struck the Virginia bank second time, gaining access to the financial institution's systems via a phishing email once again. The intruders not only regained access to the bank's STAR Network, they also managed to compromise a workstation that had access to Navigator software used to manage credits and debits to customer accounts, using that system to fraudulently credit more than $2 million to various accounts. The perpetrators then modified or removed critical security controls and withdrew the fraudulent credits totaling $1,833,984 from hundreds of ATMs They subsequently used their access to delete evidence of the fraudulent debits from customer accounts. Both heists were pulled off over weekends when transactions are not as closely monitored by banks or consumers as they are during business days.
The European Association for Secure Transactions (EAST) published its second European Fraud Update for 2018 in July. ATM-related highlights from the report included nine countries reporting ATM malware and logical attacks, fourteen countries reported card skimming at ATMs, and eight countries reported physical ATM attacks that included ram raids and ATM burglaries, and six countries reported explosive gas attacks. The report highlights the growing incidence of physical ATM attacks.
This article is being featured in the August issue of the Bankers' Hotline Newsletter being published today (subscription required).
With persistent criminals continuing to come up with new ways to circumvent advanced protections installed at ATMs and on bank networks, and the rise in sophisticated criminal gangs, a multi-layered approach to ATM security is critical to mitigating today's evolving logical and physical threats. Risk assessments and site surveys are a critical component of ATM security. Join us at the 2018 Bank Security Conference (in person in Philadelphia or via Live Remote streaming) September 12-13, 2018 for the Bank Security Conference when Mike Ross and Mary Gates from GMR Security reveal the methods you should use to identify threats, risks, and vulnerabilities during their presentation on Day One titled "Minimizing Liability through Risk Assessment and Site Surveys"
* The 2-day conference has been approved by the ABA for 12.5 CFSSP credits
(Earn an additional 7.5 credits when you attend the optional pre-conference)
|Questions & Answers|
How common are takeover-style bank robberies?
Answer: Approximately 60 percent of bank branches in the United States participate in the ABA Bank Capture system (www.ababankcaptureportal.com) The ABA Bank Capture system provides a platform for banks to report, share and analyze data specific to robberies and other bank crime. The ABA reports that robbery rates have generally been trending downwards across the country over the last ten years. However, the ABA has witnessed an upward trend in the number of takeover style robberies.
The Statistics Portal at www.statista.com, an online market research and business intelligence portal reports that there were 7,681 bank robberies in the United States in 2016. Their research suggests that weapons or explosive devices were either threatened or used in 40% of the bank robberies and that weapons or explosive devices were actually used by perpetrators 9.5% of the time. Takeover robberies represent only 4% of the total number of robberies.
Armed takeover robberies, according to Dane Schiller with the Houston Chronicle, are "particularly violent and terrifying, just a sneeze or a flinch away from turning tragic. Attackers put guns to the back of the heads of bank managers or other employees, with hammers cocked as motivation to obey commands." This type of robbery is uncharacteristically traumatic, swift and successful.
One of the most effective strategies to prevent takeover robberies can be the presence of bullet resistant barriers. According to the Center for Investigative Reporting's independent analysis of four years of FBI data, only 10% of the banks targeted for robbery had bullet resistant barriers in place. Of the barrier-enhanced banks that were robbed, only about 3% of those robberies turned violent.
Appeared in: Bankers' Hotline Newsletter, Volume 28, Number 6, June 27, 2018