Don’t say the FBI didn’t warn you. Earlier this month, the federal agency delivered an alert to banks warning of a global cyber attack targeting ATMs. Less than three days later, a malware attack on Cosmos Bank of India’s ATM server resulted in hackers withdrawing millions of dollars from cash machines in countries all over the world. It’s good to have a heads-up, but when it comes that close to the event, there’s not a lot you can do to prepare for the fallout. It’s like getting a hurricane warning and rushing out to stock up on water and plywood, only to find that it’s too late to do any good.
That’s what this post is all about—the need to have a comprehensive omnichannel strategy in place to deal with digital fraud, long before an attack takes place. It may not be possible to stop a cybercrime event from happening, but the chances of surviving and limiting the damage are far better if measures are taken in anticipation of the worst. It also may not be possible to know precisely what kind of attack is coming (although in the case of the ATM cashout fraud that hit Cosmos Bank, there had been precedents, including the infamous Carbanak and Cobalt malware attacks of 2013-2017). But regardless of how digital attacks evolve, it’s always possible to take steps to minimize the impact of whatever threat comes next.
10 Precautions for Financial Institutions (FIs) and Customers
To reduce their exposure to digital fraud, FIs should:
1. Evaluate current fraud strategy from an omnichannel perspective. Effective fraud prevention today must extend to all digital channels your customers engage including card-not-present transactions, the call center, ATM, mobile and cloud environments where customers are increasingly banking and shopping. That includes visibility across channels as cybercriminals will game one channel to manipulate another. This is why you must have a full cross-channel correlation of fraud patterns to achieve a real omnichannel strategy.
2. Monitor, monitor, monitor. The FBI recommends stepping up monitoring for ATM. At RSA, we recommend taking it a step further to combine monitoring of all digital channels. Specific to ATM security, FIs should start by constantly monitoring for:
- The presence of remote network protocols and administrative tools that can be used to pivot back into the network
- Encrypted traffic traveling over non-standard ports
- Network traffic to regions where you would not expect to see outbound connections
3. Keep informed, making sure to be aware of:
- Potential indications of fraud such as spikes in withdrawals (as indicated by a change in the velocity of transactions in ATM networks)
- The FI’s ATM withdrawal limits for cards issued by other organizations
- Network traffic that includes known intelligence threats
4. Disable PIN change functions at ATMs, and monitor call centers for PIN changes and other non-financial-event changes such as customer phone number or address.
5. Upgrade ATM operating systems. Technically, banks don’t have to upgrade to Microsoft Windows 10 until Windows 7 reaches end-of-life status in 2020. But waiting until the last minute creates a risk of not completing the process before the cutoff and having to keep out-of-date software in place. The ensuing lack of regular security updates and patches from running unsupported software will increase the risk of exposure to malware-driven threats.
6. Deploy EMV terminals for chip-only transactions. ATM cashout fraud has long relied on using stolen data and magnetic stripes to create fraudulent cards; it’s much harder to clone a chip-based card. The ATM Industry Association calls EMV technology the industry’s primary protection against counterfeit cards.
On the customer side, FIs should educate card users to:
7. Sign up for transaction alerts for immediate awareness of activity the customer didn’t initiate.
8. Watch for changes to daily withdrawal limits that they didn’t request themselves.
9. Check online accounts and statements often for unfamiliar or suspicious transactions.
10. Change passwords and PINs often to limit losses if an ATM card (or card data) is stolen.
Remember, the financial fraud ecosystem continues to grow in size and sophistication every day, with cybercriminals selling card credentials and personal information online and criminal transactions increasingly happening in plain sight. Whatever the next big wave of bank fraud turns out to be—whether it’s yet another kind of card fraud or a new breed of attack that hasn’t yet emerged—the precautions above will serve FIs and their customers well.
# # #
In a time when digital threats pose such a clear danger for FIs, it’s easy to see digital transformation through the lens of the risk it creates. But it’s also critical to remember that the transformation presents as much opportunity as it does risk in areas ranging from FinTech to the internet of things. Whether FIs seize these opportunities will depend largely on how successful they are at managing their exposure. Learn more in the RSA white paper Banking’s Digital Transformation: The Confident Pursuit of Opportunity in the Face of Rising Risk.
Author: Angel Grant, CISSP
Category: RSA Point of View, Blog Post
Keywords: ATM, ATM Malware, Card Not Present Fraud, Carding, Fraud Prevention, Payments, RSA Fraud & Risk Intelligence Suite, ATM Cashout, ATM Hack, Payments Fraud