Consumer Card Controls Could Have Prevented $11.5m ATM Heist

Gordon McKenzie,EMEA MD at Ondot Systems explores how consumer card controls can tackle the challenge of ATM cashouts

Wherever there are users and money there will be cybercrime and fraud. So it is that financial institutions and their customers are increasingly being targeted by global attackers. Most recently, Indian lender Cosmos Bank lost $11.5m after an international criminal network fraudulently withdrew funds from ATMs in 28 countries around the world. That’s despite a warning from the FBI that an “ATM cashout” operation was imminent.

In our 24×7, digital-first society customers increasingly expect to be empowered with greater control over card management.

It’s a move that could have saved this financial institution, and many more like it, millions in losses and brand damage.

Out of control

ATM cashouts typically happen at smaller banks where security controls are less rigorously implemented, there’s less budget to throw at the problem and third-party vulnerabilities may be more obvious, according to the FBI’s warning. Global gangs usually phish or hack their way into back-end systems. Just before the allotted hour, they’ll often remove internal fraud controls such as maximum ATM withdrawal amounts and limits on volume of daily withdrawals, and may also artificially increase customer balances. Forged magstripe cards are then used around the world to withdraw funds in a highly co-ordinated campaign.

This is certainly not the first ATM-based cyber-attack: in 2013 cyber-criminals stole $45m from ATMs, and in 2016 over $12m was taken from cashpoints in Japan using cards cloned from a South African bank. However, the bad news, according to the FBI, is that it “expects the ubiquity of this activity to continue or possibly increase in the near future.” ATMs — unmanned and usually loaded with cash — are also particularly vulnerable to external tampering. Attackers can quite easily attach “skimmers” to the front of the card reader slot to read card info as it’s pushed into the machine, and overlay pads which record the card’s PIN, or motion-activated cameras to record the same information. That provides everything they need to create a clone. It’s no surprise that ATM-maker Diebold Nixdorf has described skimming as a $2bn+ problem globally.

These ATM attacks are also part of a wider pattern of soaring global card fraud. In the UK alone, an estimated £2bn+ was stolen from the bank accounts of cardholders last year, a 38% rise from the previous 12 months. Other figures pointed to steep rises in e-commerce fraud (24%) and fraudulent applications for cards (12%). The bottom line is that as financial institutions and organisations undergo digital transformation to become more competitive, agile and innovative, they’re also exposing their systems to increasingly well resourced and determined cyber-criminals. The vast underground cybercrime economy has effectively democratised access to customer account data, PII, and hacking tools while the anonymising power of the dark web and crypto-currencies have significantly reduced the risk of getting caught. The result? A thriving threat landscape.

Time for change

So what’s the answer? Thousands of financial institutions around the world have already woken up to the possibilities of card control applications. Offering granular control to cardholders through a simple mobile app interface can —amongst other things — empower them to restrict usage of certain transactions. That means in the event of an ATM cashout warning, accounts could be locked down so that even spoofed cards won’t work. If a user needs emergency cash, they can temporarily enable ATM withdrawals, get the money and then disable ATM transactions again. And, while ATM withdrawals are blocked, a user could still enable in-person, e-commerce or other types of transaction.

This granularity extends across a range of scenarios, allowing cardholders to decide where in the world their cards can be used, as well as spending limits, time frames and even merchant categories. It’s all about providing maximum visibility and control over how cards are used, with transaction alerts provide peace of mind when consumers need it most.

Financial institutions can not only reduce fraud rates in this way but also lower call centre costs, improve false decline rates, drive greater use of cards and build closer bonds with their customers. In our always-on, 24×7 world there are opportunities round-the-clock for the bad guys to expose gaps in protection. By handing more control back to the consumer to self-serve, financial institutions are already adding value and supporting digital transformation whilst protecting them and their customers from an escalating fraud epidemic.

The fraud and threat landscape is constantly evolving. That’s why, in order to succeed, our response must be just as innovative.

Gordon McKenzie,EMEA MD at Ondot Systems explores how consumer card controls can tackle the challenge of ATM cashouts

Wherever there are users and money there will be cybercrime and fraud. So it is that financial institutions and their customers are increasingly being targeted by global attackers. Most recently, Indian lender Cosmos Bank lost $11.5m after an international criminal network fraudulently withdrew funds from ATMs in 28 countries around the world. That’s despite a warning from the FBI that an “ATM cashout” operation was imminent.

In our 24×7, digital-first society customers increasingly expect to be empowered with greater control over card management.

It’s a move that could have saved this financial institution, and many more like it, millions in losses and brand damage.

Out of control

ATM cashouts typically happen at smaller banks where security controls are less rigorously implemented, there’s less budget to throw at the problem and third-party vulnerabilities may be more obvious, according to the FBI’s warning. Global gangs usually phish or hack their way into back-end systems. Just before the allotted hour, they’ll often remove internal fraud controls such as maximum ATM withdrawal amounts and limits on volume of daily withdrawals, and may also artificially increase customer balances. Forged magstripe cards are then used around the world to withdraw funds in a highly co-ordinated campaign.

This is certainly not the first ATM-based cyber-attack: in 2013 cyber-criminals stole $45m from ATMs, and in 2016 over $12m was taken from cashpoints in Japan using cards cloned from a South African bank. However, the bad news, according to the FBI, is that it “expects the ubiquity of this activity to continue or possibly increase in the near future.” ATMs — unmanned and usually loaded with cash — are also particularly vulnerable to external tampering. Attackers can quite easily attach “skimmers” to the front of the card reader slot to read card info as it’s pushed into the machine, and overlay pads which record the card’s PIN, or motion-activated cameras to record the same information. That provides everything they need to create a clone. It’s no surprise that ATM-maker Diebold Nixdorf has described skimming as a $2bn+ problem globally.

These ATM attacks are also part of a wider pattern of soaring global card fraud. In the UK alone, an estimated £2bn+ was stolen from the bank accounts of cardholders last year, a 38% rise from the previous 12 months. Other figures pointed to steep rises in e-commerce fraud (24%) and fraudulent applications for cards (12%). The bottom line is that as financial institutions and organisations undergo digital transformation to become more competitive, agile and innovative, they’re also exposing their systems to increasingly well resourced and determined cyber-criminals. The vast underground cybercrime economy has effectively democratised access to customer account data, PII, and hacking tools while the anonymising power of the dark web and crypto-currencies have significantly reduced the risk of getting caught. The result? A thriving threat landscape.

Time for change

So what’s the answer? Thousands of financial institutions around the world have already woken up to the possibilities of card control applications. Offering granular control to cardholders through a simple mobile app interface can —amongst other things — empower them to restrict usage of certain transactions. That means in the event of an ATM cashout warning, accounts could be locked down so that even spoofed cards won’t work. If a user needs emergency cash, they can temporarily enable ATM withdrawals, get the money and then disable ATM transactions again. And, while ATM withdrawals are blocked, a user could still enable in-person, e-commerce or other types of transaction.

This granularity extends across a range of scenarios, allowing cardholders to decide where in the world their cards can be used, as well as spending limits, time frames and even merchant categories. It’s all about providing maximum visibility and control over how cards are used, with transaction alerts provide peace of mind when consumers need it most.

Financial institutions can not only reduce fraud rates in this way but also lower call centre costs, improve false decline rates, drive greater use of cards and build closer bonds with their customers. In our always-on, 24×7 world there are opportunities round-the-clock for the bad guys to expose gaps in protection. By handing more control back to the consumer to self-serve, financial institutions are already adding value and supporting digital transformation whilst protecting them and their customers from an escalating fraud epidemic.

The fraud and threat landscape is constantly evolving. That’s why, in order to succeed, our response must be just as innovative.