WASHINGTON (Circa) — On Friday, the FBI sent an alert to U.S. banks warning of a plot by cyber-criminals to fraudulently withdraw some untold millions of dollars from ATM machines in a coordinated, global cyber heist.
It would make for a compelling Hollywood movie but for the fact that cyber-enabled bank robbery is a daily threat for financial institutions and growing concern for federal law enforcement.
The alert was obtained by computer security researcher Brian Krebs and read, in part, "The FBI has obtained unspecified reporting indicating cyber-criminals are planning to conduct a global Automated Teller Machine (ATM) cash out scheme in the coming days, likely associated with an unknown card issuer breach and commonly referred to as an 'unlimited operation.'"
Typically, an "unlimited operation" is a multi-phase hacking exploit where cyber-criminals are able to access virtually "unlimited" criminal proceeds. According to the FBI's description, these operations are highly orchestrated, global in nature and carried out with sophistication, speed and surgical precision.
In most cases, it begins when the cyber-criminals hack into the computer system of a credit or debit card processing company, sometimes through a simple phishing attack against employees or vendors. Once the system is breached, the criminals dramatically increase certain account balances and disable security features that limit the amount of money that can be withdrawn.
In the next phase, the criminal organization turns to trusted associates around the world who are provided with prepaid debit card numbers encoded with the compromised account data and PIN numbers. The next step is a race to cash out. Globally deployed teams of so-called "cashers" go to ATM machines and withdraw as much cash as possible.
The FBI did not comment on this specific ATM "cash out" scheme but told Circa it routinely advises partners in the private sector of various cyber threat indicators. The Bureau shares that information during the course of its investigations to help partners guard against the actions of persistent cyber-criminals.
These types of attacks have been orchestrated in the past and according to it's alert, the FBI "expects the ubiquity of this activity to continue or possibly increase in the near future."
James A. Lewis, who leads the Technology Policy Program at the Center for Strategic and International Studies (CSIS), noted that pulling off this kind of heist on a global scale is not without its difficulties.
"There's a very clever set of criminals out there, some are state-supported. They have resources, they're dynamic, they're inventive and they're going to look for weak links," he explained. "That said, monetizing has always been a problem for cyber-criminals."
It's relatively easy to make fraudulent debit cards, but someone has to go to the ATM to withdraw the cash. "In the United States, that's a good way to find yourself in jail," Lewis said, noting cash out "mules" almost always get caught. To avoid this snag, cyber-criminals have turned increasingly to cryptocurrencies and anonymizing services like Tor, making it less risky to "cash out."
WHO IS MOST VULNERABLE?
In the United States, cyber-criminals are generally small and medium-sized regional, community banks or credit unions. Those are less likely to have the robust defenses of large banks like Bank of America, Citibank, Wells Fargo or J.P. Morgan, each of which pours hundreds of millions of dollars into cybersecurity every year. Small banks are also likely to insure deposits for losses caused by cybercrime.
If the FBI's latest warning comes to pass, experts suggest Labor Day weekend would be the most likely target date for the cyber-criminals.
"Virtually all ATM cashout operations are launched on the weekend, often just after financial institutions begin closing for business on Saturday," Krebs reported.
Small banks that may not be closely monitoring their networks during a bank holiday would be an ideal target for cyber-criminals. Some cybersecurity analysts have suggested that may be the reason the FBI sent the notice ahead of Labor Day, to remind smaller banks that are probably still vulnerable to look at their defenses.
Though cyber-criminals typically target banks in less developed economies, American banks are not impervious to these cash out schemes.
One of the most recent ATM heists in the United States involved hackers spear phishing an employee at the National Bank of Blacksburg in Virginia, accessing the bank's network and making off with more than $2.4 million during an eight-month operation.
In one of the largest withdrawals, hackers used hundreds of ATMs across North America to dispense more than $569,000. That incident took place on Memorial Day weekend 2016, a federal bank holiday.
Overseas, these attacks have proven even more lucrative for cyber-criminal groups.
One of the largest ATM heists involved a European-based criminal gang stealing more than $1 billion over five years before the ringleader was reportedly caught in March. The group operated by sending phishing emails to bank employees, infecting networks with malware and at predetermined times ordered fraudulent money transfers that had ATMs around the world spewing cash. The cybercrime group was able to net up to $11 million per heist.
Just this weekend, cyber-criminals stole $13.5 million from India's Cosmos Bank in a series of simultaneous account withdrawal across 28 countries.
IS MY MONEY SAFE?
The FBI urged banks to conduct thorough reviews of their security, implement strong password requirements, two-factor authentification and carefully monitor administrator accounts and unusual network traffic.
Customers worried their bank could be the target of the cyber heist should take precautions to protect passwords, monitor accounts and consider who has access to their account information.
If cyber-criminals gain access to a customer's personal credit or debit card information, and it is not the fault of the customer, the bank typically covers losses, according to the FDIC. Business accounts compromised by cybercrime could be more vulnerable. Customers are encouraged to regularly monitor their accounts and quickly report any unauthorized activity.
For banks, many have liability insurance to cover theft, but that may not necessarily apply to cyber incidents. Earlier this year, federal bank regulators issued a joint statement to raise awareness among banks and financial institutions that they may not be insured against cyber theft. The regulators advised that even some cyber risk insurance may not cover incident caused by third-party vendors, like a credit card processing company. There is no federal backstop insuring against cybertheft losses.
HOW WIDESPREAD IS THE PROBLEM?
According to a joint report by CSIS and the computer security firm McAfee, cybercrime ranks as the third most costly crime on the global economy with a cumulative cost of roughly $600 billion in 2017. That marks a significant 34 percent increase in cost since 2014 when CSIS and McAfee published its first estimate.
"This is growing at an amazing rate," said Lewis who authored the report, noting the actual costs are likely even higher.
Less conservative estimates have put cybercrime costs in the trillions. In its most recent forecast, Cybersecurity Ventures predicted the global costs of cybercrime could surge to $6 trillion annually by 2021.
More than any other target, however, banks remain the favorite — as the saying goes, criminals rob banks because that's where the money is. In 2016, financial institutions had the most reported security breaches of any other sector of the economy and report daily attempts to breach network security.
Over just the past five years, the average number of security breaches per financial services company has more than tripled, according to a 2017 report by Accenture and the Ponemon Institute.
The cost of cybercrime to banks and financial institutions is also rising. In 2017 financial institutions worldwide lost $18.24 million, up 40 percent from 2014.
Most large banks have invested heavily in security, network monitoring and a growing number have cybertheft insurance. That is not necessarily the case with smaller regional and community banks or credit unions, making them a prime target of opportunity for sophisticated criminals.