U.S. regulators are warning banks this week about a recent rash of “large dollar value” ATM fraud and the ongoing risks distributed denial of service (DDoS) attacks that target public bank websites can pose.
Members of FFIEC, the Federal Financial Institutions Examination Council, an interagency sect of the U.S. government responsible for preparing banking standards and principles, issued the warnings in a statement yesterday.
FFIEC claims attackers have been able to gain access to and alter the settings on web-based ATM control panels belonging to small to medium sized institutions. The campaign, nicknamed “Unlimited Operations” by the U.S. Secret Service, is allowing attackers to withdraw money beyond controlled limits on ATMs, oftentimes more than the victim’s cash balance.
FFIEC’s warning describes how exactly the control panels figure into the ATMs:
“These control panels, often web-based, manage the amount of money customers may withdraw within a set time frame, the geographic limitations of withdrawals, the types and frequency of fraud reports that its service provider sends to the financial institutions, the designated employee that receives these reports, and other management functions related to card security and internal controls,”
Officials are claiming hackers used phishing attacks to secure legitimate employee log-ins to tweak these settings to carry out their attacks, including one that netted them $40 million with 12 debit card accounts.
FFIEC also used the announcement as an opportunity to remind banks about the continued sophistication surrounding DDoS attacks – pointing out a string of attacks that affected institutions in 2012 and warning that they can be used as a “diversionary tactic,” granting hackers the time to root around systems.
Naturally, FFIEC is encouraging banks to mitigate further risk by following standards already in place such as PCI-DSS and HSM when it comes to encrypting PINs.
The agency is also encouraging banks if they haven’t already, to formulate some sort of DDoS readiness plan with a program that prioritizes and assesses risks in its critical systems.
“The members expect financial institutions to take steps to address this threat by reviewing the adequacy of their controls over their information technology networks,” the joint statement reads.
We first learned about “Unlimited Operations” last spring after eight members of the cybercrime ring were indicted in Brooklyn. Associates in at least 26 countries helped the crew cash out fake credit cards at 140 different ATMs to the tune of $45 million – $2.8 in NYC – in just shy of 24 hours.
According to a federal indictment unsealed last year the money was later spent on kickbacks such as luxury cars and Rolex watches.