I first wrote about ATM cash-outs back in 2013 when these attacks were escalating. But the frequency of the attacks quickly declined when card issuers and their processors and networks hardened their defenses. So why am I writing about it again? There were some major attacks in mid-2018. A bank in India, for example, lost approximately US$13 million from more than 12,000 fraudulent transactions at ATMs located in Canada, India, and Hong Kong. The United States has seen isolated attacks in recent years, but law enforcement is concerned that these attacks will grow because perpetrators stand to obtain a large amount of money. It's critical that financial institutions and other transaction processors remain vigilant, so I'd like to bring some attention back to this especially costly crime.

These attacks require careful planning and a synchronized effort, but the payoff for the criminals can make it worth all the work. First, the criminal gains remote access to an issuer's card management system and transaction controls. Next, the criminal uses a money mule network to open new accounts with a chip card or distributes debit or prepaid cards with cloned magnetic stripes and compromised PINs to the money mules spread across the globe. In a carefully synchronized operation, the money mules begin making withdrawals at numerous ATMs. With access to the card management system, the criminal keeps resetting balances and transaction counters to get around amount and transaction limits, and withdrawals continue to be authorized. The mules continue to make withdrawals until the cash supply in the ATM is exhausted. This is how such attacks can result in a loss to issuers in the millions of dollars worldwide in just a couple of hours. Most networks have now implemented transaction monitoring capabilities that can detect abnormal transaction traffic both at the account and the financial institution levels. If the networks identify abnormalities, they contact the issuer or processor to examine the transactions more closely. Some networks, if they can't contact the financial institution or processor, are authorized to block the activity right away to prevent additional transactions until the situation can be evaluated. Some criminals have responded by increasing the number of targeted accounts so the activity is spread across more accounts and the detection thresholds are not crossed as quickly.

Here are some steps that issuers and processors can take to defend against cash-out attacks:

  • Follow standard cybersecurity protocols related to password strength and management of system access controls to prevent compromise of system access credentials.
  • Evaluate adding further layers of authentication/approval for remote changes to card management data fields such as account balances and transaction counters.
  • Discuss with processors and networks any additional monitoring capabilities they may have to mitigate such attacks.

As the ATM celebrates its golden anniversary, cash-out attacks remind us of the constant efforts by criminals to defraud financial institutions and other stakeholders in the payments industry. Cash-out attacks are not new, but they can still result in huge losses, so the industry needs to remain vigilant and continue to look for ways to defeat them.

Photo of David LottBy David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed