Payments executives are starting to go public with concerns about a growing type of ATM fraud called the cash-out attack. Unlike the well-known, single-machine attack known as jackpotting, cash-out frauds allow criminals to gain access to multiple machines simultaneously at the network level. They then employ accomplices to visit these machines to draw out the cash.
“Once they gain control of the bank’s system, they need to monetize that access. Therein lies the ATM cash-out,” says Tia Ilori, senior director for fraud and breach investigations at Visa Inc. Ilori says Visa has detected cash-out attacks—some successful, some thwarted—at 97 financial institutions in the past year. Visa will not disclose how much has been stolen in these attacks.
So far, the fraud has mainly affected institutions in the Asia-Pacific and Central Europe, Middle East, and Africa (CEMEA) regions. One example in the summer of 2018 involved a financial institution in India, Cosmos Bank, which lost $13.4 million as a result of an attack that included some 14,000 ATM transactions across machines in 29 countries.
But Ilori warns networks anywhere could be vulnerable. “Financial institutions should assume they’re a target. We haven’t seen it in North America as we have [elsewhere], but anyone who has weak security can be a target.”
Those targets could ultimately be close to home for U.S. banks. “We’re seeing it more in other countries, but it could happen here,” says Todd Clark, chief executive at Co-Op Financial Services, a Rancho Cucamonga, Calif.-based network operator for nearly 30,000 credit union ATMs.
One reason for concern is that these attacks start with phishing emails—cleverly constructed messages to network or bank officials with knowledge of key access credentials. The emails, which can originate from anywhere but are written as if they come from a top executive, express urgency and can gull receiving managers into handing over passwords or other critical information. In other cases, clicking a link in one of these messages might allow senders to install malicious code. The phishing schemes behind cash-out attacks “are really good,” says Ilori. “They’re more tailored and curated today.”
Once the cyberthieves have the necessary codes, they can instruct machines across a network to override withdrawal caps and dispense their cash. Accomplices hired to visit the machines at an appointed time—persons known as money mules—collect the funds.
Ilori says the rise in cash-out attacks reflects a shift in attention among cyberthieves from retailer breaches to the places where the money ultimately winds up. “The trend is changing,” she says, adding that the attitude among these criminals now is, “let’s just breach the bank.” Adds Co-Op’s Clark: “The Internet has always been dangerous, but it’s getting more dangerous.”
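The pattern described above, with withdrawal caps overridden and mules drawing cash at many machines at an appointed time, leaves a signature in the transaction stream that an issuer can check for. The following Python detector is an added example, not code from Visa, Co-Op, or any institution named in the article; the record layout, thresholds, and sample data are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds for illustration; tune against the issuer's own baseline.
WINDOW = timedelta(minutes=30)
MAX_COUNTRIES = 3    # distinct ATM countries allowed per card within WINDOW
DAILY_CAP = 1000     # assumed per-card daily withdrawal limit

def detect_cash_out(records):
    """records: time-ordered (iso_timestamp, card_id, country, amount) tuples.
    Returns (card_id, reason) alerts, one per card and reason.
    Because the attack overrides caps inside the authorization system, this is
    meant to run on a copy of the log outside that system (an assumption)."""
    recent = defaultdict(deque)   # card -> (time, country) pairs inside WINDOW
    daily = defaultdict(int)      # (card, date) -> total withdrawn that day
    alerts, seen = [], set()

    def alert(card, reason):
        if (card, reason) not in seen:
            seen.add((card, reason))
            alerts.append((card, reason))

    for ts, card, country, amount in records:
        t = datetime.fromisoformat(ts)
        q = recent[card]
        q.append((t, country))
        while t - q[0][0] > WINDOW:   # drop withdrawals older than the window
            q.popleft()
        if len({c for _, c in q}) > MAX_COUNTRIES:
            alert(card, "geo_velocity")
        daily[(card, t.date())] += amount
        if daily[(card, t.date())] > DAILY_CAP:
            alert(card, "cap_exceeded")
    return alerts

# Constructed sample: card A appears in four countries within minutes and
# passes the cap; card B is an ordinary customer.
SAMPLE = [
    ("2024-01-01T15:00:00", "A", "IN", 400),
    ("2024-01-01T15:02:00", "B", "IN", 200),
    ("2024-01-01T15:03:00", "A", "CA", 400),
    ("2024-01-01T15:05:00", "A", "HK", 400),
    ("2024-01-01T15:06:00", "A", "GB", 400),
    ("2024-01-01T19:00:00", "B", "IN", 300),
]

if __name__ == "__main__":
    for card, reason in detect_cash_out(SAMPLE):
        print(card, reason)
```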