The Federal Financial Institutions Examination Council (FFIEC) issued a warning in April to financial institutions about criminals continuing to launch attacks against ATM and web-based card management systems, especially those of small- to medium-size financial institutions (FIs). Dubbed "unlimited operation" by the U.S. Secret Service, this type of attack can saddle a financial institution with fraud losses in the millions of dollars. As we highlighted in a post from last May, a bank in Oman experienced this type of attack in late 2012, which resulted in a loss to the bank of almost $40 million. Imagine the impact of a loss of that magnitude on a small to midsized FI.
These attacks are especially concerning for a number of reasons. First, the criminal organizations that carry them out are highly sophisticated and well-organized, and they have an international reach. The Oman attack included a money mule network across 26 countries—including the United States—performing more than 36,000 withdrawals in a 12-hour period.
Second, unlike typical counterfeit card fraud attacks that involve a large number of accounts, the criminals behind the card management system frauds need to compromise only a small number of card accounts. The attack that resulted in the $40 million loss involved only 12 accounts. Early in this type of operation, the criminals generally obtain the PINs for these accounts through some form of covert surveillance of the legitimate cardholder at an ATM (a pinhole camera or shoulder surfing). They then counterfeit the cards and use them with the captured PINs.
Third, the attacks are generally timed to take place around holidays, when bank, IT, and fraud monitoring staff levels are low.
Fourth, the criminals gain remote access to the financial institutions' card management systems and use it to reset account balances and card withdrawal parameters. With those controls removed, the counterfeit cards can be used far beyond their pre-established transaction limits or balances, draining the ATMs of all their cash. The criminals usually obtain access to FIs' networks through e-mail phishing schemes that target processor or network employees. Once an employee takes the bait, malware is loaded onto the network and later gives the criminals a path to the FIs' card management systems.
Major online networks now have transaction velocity monitoring capability, which detects an abnormally high number of transactions on an individual account within a short period. Because this monitoring fires only after the withdrawals have begun, and operates independently of the limits the criminals have already altered in the card management system, it is necessarily a secondary and reactive measure, not a preventive one.
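To make the velocity-monitoring idea concrete, the following is an added example, written for this post and not code from the original article, any network, or any processor. It streams ATM withdrawal records in time order, keeps a trailing one-hour window per account, and raises an alert the first time an account exceeds a withdrawal count or cash total inside that window. The thresholds, account identifiers, amounts, and country codes are all constructed for illustration; real networks tune these values per issuer and card product.

```python
"""Sliding-window transaction velocity check over ATM withdrawal records.

Added example only: the data below is constructed, not taken from the Oman
attack or any real incident, and the thresholds are illustrative assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Withdrawal:
    ts: datetime      # authorization time (UTC)
    account: str      # card/account identifier (constructed)
    amount: float     # cash dispensed
    country: str      # country code of the ATM


@dataclass(frozen=True)
class Alert:
    account: str
    ts: datetime      # time of the withdrawal that tripped the threshold
    count: int        # withdrawals on this account inside the window
    total: float      # cash dispensed on this account inside the window
    countries: int    # distinct ATM countries inside the window (context only)
    reason: str


def velocity_alerts(withdrawals, window=timedelta(hours=1),
                    max_count=5, max_total=2500.0):
    """Single pass over time-ordered withdrawals.

    For each account only the events inside the trailing window are kept, so
    memory is bounded by the window, not by the day's volume. The first
    withdrawal that pushes an account over either threshold produces one
    Alert; the account is then marked so it is reported once, not on every
    later withdrawal of the same cash-out run.
    """
    recent = defaultdict(deque)
    flagged = set()
    alerts = []
    for w in sorted(withdrawals, key=lambda x: x.ts):
        q = recent[w.account]
        q.append(w)
        while q and w.ts - q[0].ts > window:
            q.popleft()          # drop events that fell out of the window
        if w.account in flagged:
            continue
        count = len(q)
        total = sum(x.amount for x in q)
        countries = len({x.country for x in q})
        reasons = []
        if count > max_count:
            reasons.append(f"{count} withdrawals within {window}")
        if total > max_total:
            reasons.append(f"{total:.2f} dispensed within {window}")
        if reasons:
            flagged.add(w.account)
            alerts.append(Alert(w.account, w.ts, count, total, countries,
                                "; ".join(reasons)))
    return alerts


def sample_withdrawals():
    """Constructed sample: one customer making ordinary withdrawals across a
    day, and one compromised card cashed out by mules in several countries
    within about twenty minutes on a holiday night."""
    t0 = datetime(2014, 1, 1, 0, 0)
    normal = [
        Withdrawal(t0 + timedelta(hours=9), "ACCT-1001", 200.0, "US"),
        Withdrawal(t0 + timedelta(hours=13), "ACCT-1001", 100.0, "US"),
        Withdrawal(t0 + timedelta(hours=18), "ACCT-1001", 300.0, "US"),
    ]
    mule_countries = ["US", "GB", "JP", "RU", "CA", "DE", "BR", "AU"]
    cashout = [
        Withdrawal(t0 + timedelta(hours=1, minutes=3 * i), "ACCT-2002", 500.0, c)
        for i, c in enumerate(mule_countries)
    ]
    return normal + cashout


if __name__ == "__main__":
    for a in velocity_alerts(sample_withdrawals()):
        print(f"{a.ts:%Y-%m-%d %H:%M} {a.account}: {a.reason} "
              f"({a.countries} countries)")
```

Note what the example does and does not show. The compromised card trips the rule on its sixth withdrawal, by which point $3,000 has already left the ATMs; the three earlier dollars-per-hour and count thresholds were sized so that a legitimate cardholder never comes close. The check also deliberately ignores the balance and daily limit recorded in the card management system, because in this attack those values are exactly what the criminals have altered; the network sees the transactions regardless. That independence is what makes velocity monitoring useful, and the fact that it reacts rather than prevents is why the FFIEC guidance treats it as a complement to securing the card management system itself.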
FIs should immediately address the risk mitigation steps that the new FFIEC warning outlines. Because the vast majority of small to midsized FIs depend on third-party processors to run their card management systems, it is imperative that all FIs verify that their processors have the controls and safeguards in place to prevent such attacks, and they should insist on seeing validation of those controls.
Dave Lott is a Retail Payments Expert with the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta and has more than 35 years of experience in the retail banking and payments industries. As part of the team at the Retail Payments Risk Forum, Dave works with payments stakeholders in researching payment systems and products, focusing on risks and mitigating strategies. A key area of focus for his present work is customer, transaction, and data security issues. As such, Dave has done considerable work with a wide range of card and payment technologies, including cards, mobile devices such as tablets and phones, other payment form factors, and their various delivery channels. As part of that work, he has evaluated technologies such as chip cards incorporating EMV, 2D bar codes (QR), and cloud authentication/processing as to their operation and impact on payment risks. Dave works with representatives from the Federal Reserve Bank of Boston in facilitating the meetings of the Mobile Payments Industry Workgroup. He is a member of the BITS Payment Card Fraud Sub-Group as well as a representative of the Federal Reserve Bank of Atlanta in other inter-agency and intra-Federal Reserve System working groups.