The FBI is warning financial institutions that cybercriminals are preparing to execute a hack that could siphon a virtually unlimited amount of money from ATMs around the world.
The “ATM cash-out” scheme or “unlimited operation” is likely to happen in the near future, the FBI said in a confidential alert on Friday, made public by cybersecurity journalist Brian Krebs.
“The FBI has obtained unspecified reporting indicating cyber criminals are planning to conduct a global Automated Teller Machine (ATM) cash-out scheme in the coming days, likely associated with an unknown card issuer breach,” the alert read, according to Krebs.
These kinds of attacks have been used to steal millions of dollars from individuals and banks around the world.
What is different about this case is the FBI learned about it before it happened, said Mark Rasch, a cyber lawyer and former federal prosecutor who has handled similar cases.
The advance warning means banks and consumers can take extra precautions that could prevent or mitigate the damage from an attack.
Here’s what you should know and how you can protect yourself.
How do ATM cash-outs work?
There are two main steps to this kind of cybercrime.
First, hackers must obtain users’ information. One of the most common ways to do this is a phishing attack that uses emails or phone calls that appear to come from a reputable or familiar source.
If a person clicks on a link in a phishing email, it could compromise banking passwords. A phone call from someone posing as the IRS or a bank could convince someone to give up the answers to their security questions.
Criminals can also buy a person’s information off the black market from other hackers.
Based on the FBI memo, it appears the hackers already have that personal data. Now, they are waiting to use it.
That’s where the second phase of the scheme begins.
If hackers have your debit card information, they can “clone” the card using hardware that duplicates the bank information onto another card. That “clone” can then be used at any number of ATMs.
Once they do that, they get hundreds of people, likely recruited off the dark web, to go to ATMs at the same time, using the debit card clones to withdraw stacks of cash from the machines.
There is one last step.
Because banks set up limits on how much can be withdrawn from an ATM, the hackers also break into the system that processes the payments to trick it into not recording what is being debited from an account.
That means the amount that can be withdrawn is not restricted by how much a person has in his or her account. The only limit is how much money is in the ATM, or how much money the thieves can carry.
In most ATM attacks, hackers steal a small amount of money from a lot of people, or a lot of money from a few people, Rasch said.
What makes this case so dangerous is that hackers are plotting to steal a lot of money from a lot of people.
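As an added illustration (not part of the original article), here is a simplified check a bank's fraud team could run over approved withdrawal authorizations to spot the two signatures the scheme described above leaves behind: approvals that the account balance and daily limit should have blocked, and bursts of withdrawals from several ATMs within minutes. The records are constructed sample data; the field layout, thresholds and city-based spread check are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of APPROVED ATM withdrawal authorizations (not real data).
# Record layout (assumed): timestamp, card_id, atm_id, city, amount, balance_before, daily_limit
SAMPLE_AUTHS = [
    ("2018-08-11T02:00:10", "card-A", "atm-101", "Chicago",  500, 3200, 1000),
    ("2018-08-11T02:00:40", "card-A", "atm-207", "Denver",   500, 2700, 1000),
    ("2018-08-11T02:01:05", "card-A", "atm-318", "Miami",    500, 2200, 1000),
    ("2018-08-11T02:01:30", "card-A", "atm-422", "Seattle", 2500, 1700, 1000),
    ("2018-08-11T09:15:00", "card-B", "atm-101", "Chicago",  200, 1500, 1000),
    ("2018-08-11T17:40:00", "card-B", "atm-105", "Chicago",  300, 1300, 1000),
]

def flag_cashout_indicators(auths, window_minutes=10, min_atms=3):
    """Return {card_id: [indicators]} for cards showing signs of an
    'unlimited operation': approvals that balance or daily-limit checks
    should have declined (the tampered authorization host), and bursts of
    withdrawals from several ATMs or cities in a short window (the crew)."""
    by_card = defaultdict(list)
    for ts, card, atm, city, amount, balance, limit in auths:
        by_card[card].append((datetime.fromisoformat(ts), atm, city, amount, balance, limit))
    flags = defaultdict(set)
    window = timedelta(minutes=window_minutes)
    for card, recs in by_card.items():
        recs.sort()                      # chronological order per card
        spent_today = defaultdict(int)   # date -> cumulative approved amount
        for i, (t, atm, city, amount, balance, limit) in enumerate(recs):
            spent_today[t.date()] += amount
            # Indicator 1: the host approved what balance/limit rules should have stopped
            if amount > balance or spent_today[t.date()] > limit:
                flags[card].add("limit_bypass")
            # Indicator 2: distinct ATMs (and cities) used within the sliding window
            atms, cities = {atm}, {city}
            j = i - 1
            while j >= 0 and t - recs[j][0] <= window:
                atms.add(recs[j][1])
                cities.add(recs[j][2])
                j -= 1
            if len(atms) >= min_atms:
                flags[card].add("velocity")
            if len(cities) >= 2:         # same card in two cities minutes apart
                flags[card].add("geo_spread")
    return {card: sorted(f) for card, f in flags.items()}

if __name__ == "__main__":
    print(flag_cashout_indicators(SAMPLE_AUTHS))
```

In production this would run against the authorization host's own logs, which is exactly the system the scheme tampers with, so the check is most useful when fed from an independent copy of the approval stream.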
Where has the scheme been used before?
Despite the complexity of an unlimited operation attack, it has been pulled off several times.
In 2011, an international cybercrime group stole $14 million from ATMs across the world within 48 hours. In 2012 and 2013, cybercriminals in 26 countries carried out a pair of attacks, taking $45 million from ATMs.
In 2016 and 2017, two smaller break-ins involved The National Bank of Blacksburg in Virginia. An employee there was targeted by a phishing email and hackers subsequently stole $2.4 million, according to lawsuit filings.
These kinds of attacks are becoming more common because hackers can easily coordinate with each other on the internet, said Adam Levin, the founder of CyberScout.
He likens the way hackers and cyberthieves are operating to the movie “The Italian Job,” in which an ensemble of crooks scheme to carry off a major heist (take your pick between the 1969 original and 2003 remake).
“They do a job and then go their separate ways,” Levin said. “This is organized cyber crime at its best.”
How to defend yourself
Levin, who has written a book on how people can protect themselves from scammers, recommends the “three M’s”: minimize, monitor and manage.
Minimize your risk by being alert about phishing scams, including ones that might appear to be your bank warning you of a security breach.
Instead of answering the caller’s questions, hang up and call your bank back to make sure the person you were speaking to was really one of their representatives.
Other tips: create strong passwords, use two-factor authentication when possible and don’t use real facts on your security questions.
“When security questions pop up, all that matters is your answers are consistent,” Levin said.
In the case of this potential attack, your information may have already been stolen, so it’s on to step number two: monitor.
Levin said people should always keep a close eye on their accounts and sign up for account monitoring services that banks often provide for free.
Then, mitigate your damages. Again, banks often have programs in place to help reduce the harm to their customers, but customers often have to take the lead and ask about what their options are for getting their money back and resecuring their accounts.
Customers “shouldn’t be on the hook, but that doesn’t mean it won’t be a huge hassle,” Rasch said.
What banks can do
When it comes to financial institutions, they need to train their employees to be mindful of attempted attacks.
“This has to be an ongoing discussion, every minute of every day,” Levin said.
They should keep software up to date, patch any vulnerabilities as soon as possible and test their systems often.
“In cybersecurity, you can never take a victory lap,” Levin said.