FBI Warning of ATM Cash Out Attack Proves True
A Federal Bureau of Investigation (FBI) warning of a Cash Out attack involving ATMs proved all too credible. According to multiple news sources, the warning was very likely related to a massive attack on the Cosmos Cooperative Bank in Pune, India. As first reported by the website Krebs on Security, the FBI’s August 10 alert to financial institutions, which included few specifics, provided 24-hour notice of the attack.
The Cash Out blitz on Cosmos used cloned payment cards, specifically Visa and RuPay debit cards, and involved the coordinated use of ATMs in 28 countries. Early estimates indicate the thieves made off with approximately $13.5 million in cash and untraceable transfers. In speaking with reporters, Cosmos Bank chairman Milind Kale indicated the initial malware attack originated in Canada and took place between August 11 and 13. Known as an “unlimited attack,” the tightly coordinated operation conducted upwards of 14,800 illicit transactions. Initial reports indicate the majority of the transactions, some 12,000, took place across 28 countries, with the remainder traced back to India.
Although technical specifics of the robbery are still forthcoming, it appears the thieves breached the payment provider’s network and established a proxy server running in parallel with the bank’s server. That proxy approved the fraudulent withdrawal requests from cloned cards and disabled fraud controls such as maximum withdrawal amounts and limits on the number of daily customer transactions.
Why Outsource ATMs are Safe from this Type of Attack
- Outsource ATM operates all terminals in a setting where the ATM is not directly connected to any financial institution’s network. Therefore, there is no way for the ATM to be used to infiltrate a Host Processing system.
- The communication system connects to the Acquiring Processor via multiple encrypted paths using the most current Transport Layer Security protocol [currently TLS 1.2]. This industry-standard protocol allows the server and client to authenticate each other and to negotiate an encryption algorithm and cryptographic keys before data is exchanged.
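The mutual authentication and minimum-protocol requirements described above can be checked in code. The following is an added example, not Outsource ATM’s own software, written against Python’s standard `ssl` module: it builds a context that refuses anything older than TLS 1.2 and, on the server side, requires the peer to present a certificate. The certificate and CA file paths are placeholders the operator would supply.

```python
import ssl


def build_mtls_context(role, cafile=None, certfile=None, keyfile=None):
    """Return an SSLContext for one side of a mutually authenticated TLS link.

    role: "server" (the acquiring processor side) or "client" (the terminal side).
    cafile/certfile/keyfile: placeholder paths supplied by the operator; when
    omitted the context is still built so its policy can be inspected offline.
    """
    if role == "server":
        ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
        # Servers accept anonymous clients by default; insist on a client cert.
        ctx.verify_mode = ssl.CERT_REQUIRED
    elif role == "client":
        # Default client context already requires and verifies the server cert
        # and checks the hostname; nothing to loosen here.
        ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    else:
        raise ValueError(f"unknown role: {role!r}")

    # Floor the protocol version so TLS 1.0/1.1 are never negotiated.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # TLS-level compression is a known information leak; disable it.
    ctx.options |= ssl.OP_NO_COMPRESSION

    if cafile:
        # Private CA that issued the peer's certificate (placeholder path).
        ctx.load_verify_locations(cafile=cafile)
    if certfile:
        # This side's own certificate chain and key (placeholder paths).
        ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)
    return ctx


def context_summary(ctx):
    """Reduce a context to the three properties an auditor would look for."""
    return {
        "min_version": ctx.minimum_version.name,
        "peer_cert_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "hostname_check": ctx.check_hostname,
    }


if __name__ == "__main__":
    for role in ("server", "client"):
        print(role, context_summary(build_mtls_context(role)))
```

The `context_summary` helper is what you would run in a configuration audit: both sides should report `peer_cert_required` as `True` and a minimum version no lower than `TLSv1_2`; only the client side additionally checks the hostname.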
How to Protect Your ATMs from Unlimited Operation Schemes
- The primary focus should be on limiting access to the card authorization platforms by doing the following:
  - Implement strong password requirements.
  - Separate duties authorized to set/modify account-level thresholds.
  - Monitor and audit administrator and business-level access.
  - Monitor presence/usage of remote network access and network administrative tools.
  - Monitor use of encrypted messaging across all network ports.
  - Monitor use of unusual outbound connections.
- Utilize rules-based monitoring and reporting to review authorization patterns on the cardbase. This may uncover fraudulent attempts to identify weaknesses in the card authorization process and potential data compromises. Examples include:
  - Card authorizations more than 100 miles from the primary ZIP code with no completed transaction.
  - High volume of Automated Fuel Dispenser authorizations with no completed transaction.
  - High volume of EMV fallback transactions [approved or declined] at an ATM in a 24-hour period.
- Review the authorization policy on all EMV fallback transactions. More than 90% of the US ATM base is EMV enabled. While it may be an inconvenience to the consumer, declining fallback will stop a criminal using a counterfeit EMV card from withdrawing cash.
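The three monitoring rules and the fallback policy above can be expressed directly as detection logic over authorization records. What follows is an added example and not a product of Outsource ATM or any processor; it runs over a small constructed set of authorization records, assumes the distance from the cardholder’s primary ZIP code has already been computed by an upstream step, and uses thresholds that are illustrative rather than recommended values.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class AuthRecord:
    """One authorization request as a fraud-monitoring system would see it."""
    card: str
    terminal: str
    ts: datetime
    miles_from_home: float   # assumed precomputed from the cardholder's primary ZIP
    merchant_type: str       # "ATM" or "AFD" (automated fuel dispenser)
    completed: bool          # did a completion/clearing message follow?
    emv_fallback: bool = False
    approved: bool = True


def far_from_home_no_completion(records, miles=100):
    """Rule 1: authorizations far from home that were never completed."""
    return [r for r in records if r.miles_from_home > miles and not r.completed]


def afd_probe_cards(records, threshold):
    """Rule 2: cards with many uncompleted fuel-dispenser authorizations."""
    counts = defaultdict(int)
    for r in records:
        if r.merchant_type == "AFD" and not r.completed:
            counts[r.card] += 1
    return sorted(card for card, n in counts.items() if n >= threshold)


def emv_fallback_terminals(records, threshold, window=timedelta(hours=24)):
    """Rule 3: ATMs whose EMV-fallback count within any 24h window hits threshold.

    Approved and declined fallbacks both count, as the rule above states.
    Returns {terminal: peak count in the busiest window}.
    """
    by_terminal = defaultdict(list)
    for r in records:
        if r.emv_fallback and r.merchant_type == "ATM":
            by_terminal[r.terminal].append(r.ts)
    flagged = {}
    for terminal, times in by_terminal.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):            # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[terminal] = peak
    return flagged


def fallback_policy(record, decline_all_fallback=True):
    """Policy: decline ATM EMV-fallback requests outright (the page's recommendation).

    Only the fallback rule is modeled; real authorization has many other checks.
    """
    if decline_all_fallback and record.emv_fallback and record.merchant_type == "ATM":
        return "DECLINE"
    return "APPROVE"


# Constructed sample data: a few benign records, one far-from-home probe,
# a card hammering fuel dispensers, and an ATM seeing a burst of fallbacks.
T0 = datetime(2018, 8, 11, 0, 0)
SAMPLE = [
    AuthRecord("card-A", "atm-01", T0, 5, "ATM", completed=True),
    AuthRecord("card-B", "atm-07", T0 + timedelta(hours=1), 850, "ATM", completed=False),
    AuthRecord("card-C", "afd-03", T0 + timedelta(minutes=2), 12, "AFD", completed=False),
    AuthRecord("card-C", "afd-03", T0 + timedelta(minutes=3), 12, "AFD", completed=False),
    AuthRecord("card-C", "afd-09", T0 + timedelta(minutes=5), 14, "AFD", completed=False),
    AuthRecord("card-D", "afd-03", T0 + timedelta(minutes=7), 3, "AFD", completed=True),
] + [
    AuthRecord(f"card-{i}", "atm-42", T0 + timedelta(minutes=10 * i), 2000, "ATM",
               completed=True, emv_fallback=True)
    for i in range(6)
] + [
    # A lone fallback 30 hours later falls outside the 24h window of the burst.
    AuthRecord("card-Z", "atm-42", T0 + timedelta(hours=30), 2000, "ATM",
               completed=True, emv_fallback=True),
]


if __name__ == "__main__":
    print("rule 1:", [r.card for r in far_from_home_no_completion(SAMPLE)])
    print("rule 2:", afd_probe_cards(SAMPLE, threshold=3))
    print("rule 3:", emv_fallback_terminals(SAMPLE, threshold=5))
    print("policy:", fallback_policy(SAMPLE[-1]), fallback_policy(SAMPLE[0]))
```

The sliding window in rule 3 is the part worth copying: a naive per-calendar-day count would miss a burst that straddles midnight, while the window catches any 24-hour span. In a live deployment the thresholds would be tuned from the institution’s own baseline rather than the values shown here.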
Whether you are an Outsource ATM client or not, should you need assistance please contact Paul Albright, EVP, Sales & Marketing, by email at PAlbright@OutsourceATM.com or at 832.721.1235. For more tips on protecting your ATMs, visit our Blog.