Following a warning by the FBI that cyber-criminals are planning a highly choreographed global attack on cash machines to fraudulently withdraw millions of dollars from customer bank accounts, IT security experts comment below.
Sam Curry, Chief Security Officer at Cybereason:
“The FBI’s global warning about the potential ‘ATM cashout’ is only effective if:
(1) The defenders have a chance to set up telemetry/checking in time
(2) Timing is specific when manual controls or alarm responses are being used
(3) The telemetry about the timing is not communicated back to the criminals.
Keep in mind as well that cyber criminals are playing a cat and mouse game with the defenders and they oftentimes find new ways to disguise behaviour if they know the anti-money laundering policies used in defence.
To that end, these are not new style attacks and are quite frequent. In and of itself, this is not a concern for most banking users except in jurisdictions that don’t limit customer liability to acceptable levels. It’s regrettable that these sorts of attacks are so effective, but they can be mitigated with fairly simple policies that don’t make banking services onerous. Banks that have experienced this form of attack, and are prepared, should still be vigilant. Those that aren’t prepared should be brushing up on best practices and should be on guard. This is a wake-up call for these organisations. Globally, banks complying with the Bank Secrecy Act are regularly improving the detection and reporting of suspicious activity including terrorist financing, security fraud and market manipulation.”
Andrew Ellis, Senior Researcher at Cyxtera Threat Analytics Team:
“There is great insight provided by the FBI to the financial sector on ways to mitigate against these types of attacks. The list provided includes many common defence-in-depth or general security hygiene practices, such as two-factor authentication, role-based access controls, network and system monitoring. By ensuring robust security controls are in place, financial institutions can protect themselves against cash out attacks, as well as many other common attacks.
“When looking at cash out attacks in general, it’s important to remember that they are not typically comprised of unique or advanced techniques. Instead, attackers are able to leverage tools and tactics common to many other forms of cyberattacks. For organisations looking to protect themselves against cash out attacks, it may be more useful to focus on the ‘how’ rather than the ‘why’ or ‘what.’