Financial regulators warned financial institutions on Wednesday that cyberattackers have recently targeted ATMs and card networks to gain access to funds and urged banks and credit unions to review security protocols to address the growing risks.
The Federal Financial Institutions Examination Council, which includes the OCC, Federal Reserve, FDIC, CFPB, National Credit Union Administration and the Massachusetts Commissioner of Banks, pointed to a rise in the number of recent attacks on financial institutions’ systems.
The cash-out fraud scheme, dubbed Unlimited Operations by the U.S. Secret Service, involves the unlimited withdrawal of funds beyond the available balance and other control limits generally applied to ATM withdrawals.
Criminals often gain access to a financial institution’s network by sending phishing emails to bank and credit union employees, encouraging them to install software with malicious elements.
Cyberattackers may then obtain employee login credentials and use them to change ATM control panel settings, allowing greater or unlimited cash disbursements at numerous ATMs within a short time period.
According to the release, cyberattackers recently used the scheme to steal $40 million using just 12 stolen debit card accounts.
Regulators said financial institutions that outsource card issuing may initially be liable for losses, even if the compromise occurs with the processor. The council urged financial institutions to ensure their risk management practices address the risks associated with the fraud scheme.