Danger of ATM Cash-Outs – PCI SSC Blog

October 15, 2020

Beware of ATM Cash-Outs


The Kiosk Association (KMA) is a participating organization with the PCI Security Standards Council. Its initiatives include proposing a Special Interest Group (SIG) for unattended self-service transactions and beginning to document ADA and accessibility considerations for unattended transactions.

PCI SSC and ATMIA share guidance and information on protecting against ATM Cash-outs.

Why are you issuing this industry threat bulletin?

Troy Leach: We have heard from many of our stakeholders in the payment community that ATM “cash-outs” are a growing concern across the globe. We felt, as a leader in payment security, now was the time to issue a bulletin with our friends and colleagues from the ATMIA, whose industry is well aware of these daily threats.

What are ATM Cash-outs? How do they work?

Mike Lee: Basically, an ATM “cash-out” attack is an elaborate and choreographed attack in which criminals breach a bank or payment card processor and manipulate fraud detection controls as well as alter customer accounts so there are no limits to withdraw money from numerous ATMs in a short period of time. Criminals often manipulate balances and withdrawal limits to allow ATM withdrawals until ATM machines are empty of cash.

So how exactly do these attacks work?

Mike Lee: An ATM cash-out attack requires careful planning and execution. Often, the criminal enterprise gains remote access to a card management system to alter the fraud prevention controls such as withdrawal limits or PIN number of compromised cardholder accounts. This is commonly done by inserting malware via phishing or social engineering methods into a financial institution or payment processor’s systems. The criminal enterprise then can create new accounts or use compromised existing accounts and/or distribute compromised debit/credit cards to a group of people who make withdrawals at ATMs in a coordinated manner. With control of the card management system, criminals can manipulate balances and withdrawal limits to allow ATM withdrawals until ATM machines are empty of cash. These attacks usually do not exploit vulnerabilities in the ATM itself. The ATM is used to withdraw cash after vulnerabilities in the card issuer’s authorization system have been exploited.

What businesses are at risk of this devious attack?

Troy Leach: Financial institutions and payment processors are most at financial risk and likely to be the target of these large-scale, coordinated attacks. These institutions stand to potentially lose millions of dollars in a very short time period and can have exposure in multiple regions around the world as the result of this highly organized, well-orchestrated criminal attack.

What are some detection best practices to detect these threats before they can cause damage?

Troy Leach: Since ATM “cash-out” attacks can happen quickly and drain millions of dollars in a short period of time, the ability to detect these threats before they can cause damage is critical. Some ways to detect this type of attack are:

Velocity monitoring of underlying accounts and volume
24/7 monitoring capabilities including File Integrity Monitoring Systems (FIMs)
Reporting system that sounds the alarm immediately when suspicious activity is identified
Development and practice of an incident response management system
Check for unexpected traffic sources (e.g. IP addresses)
Look for unauthorized execution of network tools
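The velocity monitoring and alarm-on-first-hit behaviour described in the answer above, written out as an added example. This is illustration code added here, not code from the original post, PCI SSC, or ATMIA. The event records, card and ATM identifiers, and thresholds are all constructed for the example; a real deployment would consume the issuer's authorization and card-management logs and tune the thresholds to its own traffic. It also correlates a burst of withdrawals with a recent withdrawal-limit change on the same card, since in a cash-out the limit manipulation precedes the withdrawals.

```python
"""Velocity monitoring for ATM cash-out detection (added illustration).

Not PCI SSC or ATMIA code. All events, identifiers and thresholds below
are constructed (hypothetical) for the example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, shape (timestamp, kind, card, detail):
#   kind == "limit_change": detail is the new daily withdrawal limit
#   kind == "withdrawal":   detail is (atm_id, amount)
# Card 4111-0001 shows the cash-out pattern: a limit raise followed by a
# burst of withdrawals across many ATMs in two regions within minutes.
# Card 4111-0002 is ordinary customer activity.
SAMPLE_EVENTS = [
    ("2020-10-15T01:58:00", "limit_change", "4111-0001", 50000),
    ("2020-10-15T02:00:00", "withdrawal", "4111-0001", ("ATM-NYC-01", 800)),
    ("2020-10-15T02:01:00", "withdrawal", "4111-0001", ("ATM-NYC-02", 800)),
    ("2020-10-15T02:02:30", "withdrawal", "4111-0001", ("ATM-NYC-03", 800)),
    ("2020-10-15T02:03:00", "withdrawal", "4111-0001", ("ATM-LON-01", 800)),
    ("2020-10-15T02:04:00", "withdrawal", "4111-0001", ("ATM-LON-02", 800)),
    ("2020-10-15T02:05:00", "withdrawal", "4111-0001", ("ATM-LON-03", 800)),
    ("2020-10-15T09:00:00", "withdrawal", "4111-0002", ("ATM-NYC-01", 200)),
    ("2020-10-15T18:30:00", "withdrawal", "4111-0002", ("ATM-NYC-05", 100)),
]

WINDOW = timedelta(minutes=10)               # sliding window per card
MAX_WITHDRAWALS = 3                          # more than this in window -> alert
MAX_AMOUNT = 3000                            # more than this in window -> alert
MAX_DISTINCT_ATMS = 3                        # more than this in window -> alert
LIMIT_CHANGE_LOOKBACK = timedelta(hours=24)  # limit change this recent is suspicious


def detect_cashout(events, window=WINDOW, max_withdrawals=MAX_WITHDRAWALS,
                   max_amount=MAX_AMOUNT, max_distinct_atms=MAX_DISTINCT_ATMS,
                   lookback=LIMIT_CHANGE_LOOKBACK):
    """Replay events in time order and emit an alert for every withdrawal
    that pushes its card over any velocity threshold within the sliding
    window. A limit change inside `lookback` is added as an extra reason.
    Alerts are emitted on the event that crosses the threshold, so an
    alarm can be raised immediately rather than in a nightly batch."""
    recent = defaultdict(deque)   # card -> deque of (ts, atm, amount) in window
    last_limit_change = {}        # card -> timestamp of latest limit change
    alerts = []
    for ts_str, kind, card, detail in sorted(events, key=lambda e: e[0]):
        ts = datetime.fromisoformat(ts_str)
        if kind == "limit_change":
            last_limit_change[card] = ts
            continue
        atm, amount = detail
        q = recent[card]
        q.append((ts, atm, amount))
        while ts - q[0][0] > window:        # evict withdrawals older than window
            q.popleft()
        total = sum(amt for _ts, _atm, amt in q)
        atms = {atm_id for _ts, atm_id, _amt in q}
        reasons = []
        if len(q) > max_withdrawals:
            reasons.append("withdrawal_count")
        if total > max_amount:
            reasons.append("withdrawal_amount")
        if len(atms) > max_distinct_atms:
            reasons.append("distinct_atms")
        # Only escalate on the limit change when velocity already looks wrong;
        # a lone limit change is normal card-management activity.
        if reasons and card in last_limit_change \
                and ts - last_limit_change[card] <= lookback:
            reasons.append("recent_limit_change")
        if reasons:
            alerts.append({"card": card, "at": ts_str, "reasons": reasons,
                           "window_count": len(q), "window_total": total,
                           "window_atms": sorted(atms)})
    return alerts


if __name__ == "__main__":
    for alert in detect_cashout(SAMPLE_EVENTS):
        print(alert)
```

On the constructed stream the first alert fires on the fourth withdrawal of card 4111-0001 (at 02:03:00), when the window holds more than three withdrawals totalling more than 3000 across more than three ATMs, with the 01:58 limit change attached as a fourth reason; card 4111-0002 never alerts because its two withdrawals are hours apart. Thresholds that trigger on the fourth withdrawal are deliberately tight for the demonstration; a production rule would be tuned per portfolio and combined with the other detection items listed above.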

What are some prevention best practices to stop this attack from happening in the first place?

Troy Leach: The best protection to mitigate against ATM “cash-outs” is to adopt a layered defense that includes people, processes, and technology. Some recommendations to prevent ATM “cash-outs” include:

Strong access controls to your systems and identification of third-party risks
Employee monitoring systems to guard against an “inside job”
Continuous phishing training for employees
Multi-factor authentication
Strong password management
Require layers of authentication/approval for remote changes to account balances and transaction limits
Implementation of required security patches in a timely manner (ASAP)
Regular penetration testing
Frequent reviews of access control mechanisms and access privileges
Strict separation of roles that have privileged access to ensure no one user ID can perform sensitive functions
Installation of file integrity monitoring software that can also serve as a detection mechanism
Strict adherence to the entire PCI DSS

For more information about best practices for detection and prevention, people should review our full bulletin.

How can people learn more about these types of attacks?

Mike Lee: ATMIA has published a detailed alert report on the topic of ATM Cash-outs. I would also encourage stakeholders interested in this topic to read our joint bulletin in its entirety. Links to those helpful resources are included in this blog.

Resources to help you:

Read our bulletin
View the press release
See the ATMIA Study