The ATM Cash-Out Scheme and Countering Financial Cybercrime

On August 10, 2018, the FBI warned financial institutions of a global ATM cash-out scheme they believed would occur within the next few days. Despite this advanced warning and additional details shared—the cybercriminals were able to launch a seven-hour attack on August 11, cashing out $11.5 million from ATMs located in 29 countries. Two days later, the criminals were able to move an additional $2 million out via the SWIFT payment network. Reportedly, malware was installed at Cosmos Bank in India that authenticated the fraudulent withdrawal requests.

The National Bank of Blacksburg was breached in 2016 by a malware attack that enabled over $500,000 to be extracted via ATMs. In 2017, after implementing new fraud rules to prevent a repeated attack, they suffered a similar attack that went a step further and credited accounts to inflate balances before cashing out nearly $2 million through hundreds of ATMs.

Cybercriminals using increasingly sophisticated hacking methods for theft, money laundering and other illicit purposes is a troubling new normal for banks. Even when banks know these attacks are coming, they at times seem helpless to stop determined criminals.

Why are these types of hacks occurring with such success? The short answer is that too many financial institutions still use detection technology that relies on old models and rules that can easily be sidestepped by new attacks. These protections do an adequate job of defending against attacks that are already well-known but leave banks completely vulnerable to new schemes. Furthermore, banks work with so much data that it is near impossible to efficiently analyze all of it for irregularities indicative of risk. Cybercriminals are finding the gaps and developing ways to infiltrate systems through vulnerable areas. Banks are always a few steps behind and scrambling to catch up.

What is the ATM cash-out scheme?

ATMs are frequently the most convenient way for bank customers to withdraw cash funds from their bank accounts. Similarly, criminals use ATMs as a convenient way to finalize increasingly complex schemes to steal funds from banks and their customers. Since ATMs are limited in the amount of funds available for withdrawal at any time, typical schemes involve multiple ATMs and hired hands, or “money mules,” then retrieve the money on behalf of the frequently organized hacker groups.

There are two classes of ATM cash-out schemes occurring in recent years: those that are initiated with a physical hack of the ATMs and those that target the backend systems and payment networks, enabling fraudulent withdrawals to occur. Both typically result in large single-day loss events at the banks.

Physical ATM hacks are frequently referred to as logical attacks as they involve a direct physical break-in to install malware that enables direct control of each ATM. These ATMs can then be controlled via remote software that simply instructs the machine to dispense cash at a predetermined cash-out time. Logical attacks are considered “limited” in nature but have been able to extract millions in a single day, earning the nickname “jackpotting” attacks. While these attacks have been occurring for years in Europe and Asia, early 2018 saw a warning from the FBI as they now began to appear within the U.S. as well.

This type of attack works because it is fast and efficient, extremely well-coordinated and does not leave any trace of electronic evidence behind. As such, the bank does not recognize what is happening until the money is gone and it is too late. There is nothing to watch for or keep track of, because no customer accounts are used, and no official financial transactions take place.

The second class of ATM cash-out scheme is considered “unlimited” as the core compromise occurs in the backend systems of the bank. Typically, this will involve a centrally deployed malware that is capable of fraudulently inflating account balances, disabling withdrawal limits or authenticating any withdrawal request. The theft payout is only limited by how many ATM withdrawal requests the criminal organization can make in a day across many ATMs and the available funds in each. As seen in the recent Cosmos breach, criminals may use ATMs alongside other methods of extracting funds, like SWIFT. However, ATM cash-outs are often viewed as the least traceable and hardest to recover.

The ATM cash-out scheme is only one of the countless threats now faced by financial institutions. With the rise of digital channels, criminals are using whatever tools they have at their disposal to exploit weaknesses and bypass protection layers. Modern technology advances and the proliferation of artificial intelligence (AI) have only made it easier for them. Banks that cannot keep up technologically are essentially bringing a knife to a gunfight.

What can be done?

Fortunately, there are signals in all the systems that cybercriminals are interacting with, including unexplainable anomalies in system access, device logs, web traffic, communication from ATM to the host, machine data, sensor data. The challenge for financial institutions is to figure out how to identify it efficiently in their sea of big data without knowing what to look for in advance. Both the recent Cosmos attack and the National Bank of Blacksburg had warnings that an attack may be coming. However, traditional detection systems used by the majority of financial institutions today were incapable of distinguishing legitimate activity from indicators of fraud.

Logical rules, such as velocity rules, are effective on straightforward attacks that show up clearly in the transactional activity; sophisticated ATM cash-out schemes leave no transactional trace. Advanced analytics, like neural networks and supervised machine learning, are also limited by explicit past events they have been trained to look for within very specific data sets. Cybercriminals love all rules equally— whether they are written in SQL statements or built using advanced analytics—because it means they know exactly what to avoid to trick and exploit the system.

Moving Beyond AI

Intuitive intelligence is how game-changing financial institutions are beginning to turn the tide in the arms race against cybercriminals. Intuitive intelligence is built on an AI foundation of unsupervised machine learning and technology that enables complete data awareness; the machine can sense the signals from unusual events as they occur. Intuitive intelligence is based on the same concept that leads a human to sense that they may be getting sick—it is a combination of vast accumulated life experience and the real-time sensing of signals they previously may not have known for which to look.

Unfortunately, any ATM cash-out scheme is not at the end of a criminal activity chain. The fraudulently obtained “dirty” funds must find their way back to the organized criminals, thus encouraging more money laundering activity to occur and to be tracked.

ATM cash-out schemes will continue to occur as long as there is money for criminals to steal. It will be up to the financial institutions to put effective countermeasures in place—and intuitive intelligence is a critical component to any forward-looking strategy. Only by being proactive and implementing the best systems will financial institutions have a genuine chance to defeat cybercrime once and for all.

James Heinzman, EVP of financial services solutions, ThetaRay, New York, NY, USA,

Leave a Reply