ATM Cash-Outs: An Emerging Scheme

FFIEC Warns of Increasingly Sophisticated, Costly Scams

Banking regulators' latest alert about emerging ATM cash-out risks comes just as two leading defendants in an international cash-out scheme pleaded guilty for roles they played in defrauding consumers and leading institutions of more than $15 million (see 2 Guilty Pleas in Huge Cash-out Scheme).

In that case, the two suspects helped to manage the U.S.-based operations for a global cash-out scheme that involved hijacking funds from online bank accounts and prepaid cards, which were opened with stolen identities. The scheme was linked to an international cybercrime ring that hacked customer accounts at more than a dozen banks, brokerage firms, payroll processing companies and government agencies.

Two days after the guilty pleas were entered, the Federal Financial Institutions Examination Council issued a statement warning banking institutions of the risks associated with cyber-attacks on ATM and card authorization systems.

And fraud experts say the timing is no coincidence. Concerns about ATM cash-outs have reached new heights, as fraudsters hone their efforts to exploit the inherent vulnerabilities of magnetic-stripe payment cards before the U.S. completes its migration to chip and PIN.

"The evolution that's going on is an increase in attack sophistication and intensity, where fraudsters are analyzing the whole payments ecosystem, finding the weak points, and exploiting those," says financial fraud expert Tom Wills, director of Ontrack Advisory, a consulting firm focused on payments innovation. "The FFIEC press release talks about cyber-attacks against the ATM. That's one big one; and the other is cyber-attacks against the payment platform itself, which can also result in 'unlimited operations.'"

FFIEC Warning

"Unlimited operations," as defined in the FFIEC's April 2 statement, refer to ATM cash withdrawals for monetary amounts that exceed daily-limit controls or even the cash balance in a customer's account.

The FFIEC notes a recent so-called unlimited-operations attack that netted more than $40 million with only 12 debit cards.

"Criminals may begin the attack by sending phishing e-mails to employees of financial institutions as a means to install malicious software onto the institution's network," the FFIEC notes. "Once installed, criminals use the malware to monitor the institution's network to determine how the institution accesses ATM control panels and obtain employee login credentials."

The ATM controls, which are often Web-based, manage how customers can withdraw cash - either by setting limits on the amounts or the time periods during which withdrawals can be made. The controls also usually manage other functions, such as fraud reports sent by service providers; which employees are designated to receive fraud reports; and other functions related to card security and internal controls.

When these controls are compromised, a hacker can use an employee's login credentials to gain access to the control panel and change settings to permit higher or even unlimited cash disbursements at ATMs, and the hacker can also change fraud and security-related controls, regulators warn.

From there, the standard fraud protocol is followed - using a fake or white ATM card that is encoded with stolen card numbers and an intercepted PIN to make fraudulent withdrawals.
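Because the limits held in the control panel can themselves be altered, one way to monitor for the pattern described above is to check withdrawals and setting changes against a baseline kept outside the panel. The sketch below is an added example, not code from the FFIEC statement or from any ATM platform; the log layouts, setting names, baseline value and sample records are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Assumption: the approved per-card daily limit is stored outside the control panel,
# so a change made with stolen employee credentials cannot silently raise it.
BASELINE_DAILY_LIMIT = 500

# Constructed control-panel audit rows: (timestamp, login, setting, old value, new value)
CONFIG_AUDIT = [
    ("2000-01-01T02:10:00", "employee1", "daily_withdrawal_limit", 500, 1000000),
    ("2000-01-01T02:11:00", "employee1", "fraud_report_recipients", "fraud-team", ""),
    ("2000-01-01T09:00:00", "employee2", "branch_display_name", "Main", "Main St"),
]

# Constructed withdrawals: (timestamp, card id, amount, balance before withdrawal)
WITHDRAWALS = [
    ("2000-01-01T01:00:00", "card-A", 200, 1500),
    ("2000-01-01T02:30:00", "card-B", 800, 900),
    ("2000-01-01T02:45:00", "card-B", 800, 100),
    ("2000-01-01T03:00:00", "card-B", 800, -700),
]

def risky_config_changes(audit, baseline=BASELINE_DAILY_LIMIT):
    """Return changes that raise the limit above baseline or alter fraud reporting."""
    hits = []
    for ts, login, setting, old, new in audit:
        raised = setting == "daily_withdrawal_limit" and new > baseline
        rerouted = setting == "fraud_report_recipients" and new != old
        if raised or rerouted:
            hits.append((ts, login, setting))
    return hits

def unlimited_operation_alerts(withdrawals, baseline=BASELINE_DAILY_LIMIT):
    """Flag withdrawals that exceed the baseline daily limit or the account balance."""
    per_day = defaultdict(int)  # running total per (card, calendar day)
    alerts = []
    for ts, card, amount, balance in sorted(withdrawals):
        key = (card, datetime.fromisoformat(ts).date())
        per_day[key] += amount
        reasons = []
        if per_day[key] > baseline:
            reasons.append("over_daily_limit")
        if amount > balance:
            reasons.append("over_balance")
        if reasons:
            alerts.append((ts, card, reasons))
    return alerts

if __name__ == "__main__":
    for row in risky_config_changes(CONFIG_AUDIT) + unlimited_operation_alerts(WITHDRAWALS):
        print(row)
```
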

"The end of security patches for ATM XP system as well as cyber-attacks on ATM and card authorization systems are the major ATM vulnerabilities that concern NCUA and other FFIEC agencies," a spokesman for the National Credit Union Administration told Information Security Media Group on April 4.