April 3, 2014 - US regulators have warned banks to protect their automated teller machines and card authorisation systems from a fresh wave of cyber-attacks that seek to exploit ATM control weaknesses to spew out millions of dollars in fraudulent withdrawals.
The Federal Financial Institutions Examination Council is alerting banks to an alarming rise in ATM fraud dubbed 'Unlimited Operations' by the Secret Service, where criminals are able to withdraw funds beyond the cash balance in customer accounts or beyond other control limits typically applied to cash machine withdrawals.
Criminals perpetrate the fraud by initiating cyber-attacks to gain access to Web-based ATM control panels, which enables them to withdraw customer funds from ATMs using stolen customer debit, prepaid, or ATM card account information.
The FFIEC says a recent Unlimited Operations attack netted over $40 million in fraud using only 12 debit card accounts.
"Unlimited Operations may cause financial institutions to incur large dollar losses," says the watchdog. "Therefore, the (FFIEC) members expect financial institutions to take steps to address this threat by reviewing the adequacy of their controls over their information technology networks, card issuer authorisation systems, systems that manage ATM parameters, and fraud detection and response processes."
The FFIEC is also calling on banks to step up their readiness to repel Distributed Denial of Service Attacks that aim to cripple public-facing Websites.
Says the regulator: "Each institution is expected to monitor incoming traffic to its public Website, activate incident response plans if it suspects that a DDoS attack is occurring, and ensure sufficient staffing for the duration of the attack, including the use of pre-contracted third-party servicers, if appropriate."