Following a warning by the FBI that cyber-criminals are planning a highly choreographed global attack on cash machines to fraudulently withdraw millions of dollars from customer bank accounts, IT security experts comment below.
Sam Curry, Chief Security Officer at Cybereason:
(1) The defenders have a chance to set up telemetry/checking in time
(2) Timing is specific when manual controls or alarm responses are being used
(3) The telemetry about the timing is not communicated back to the criminals. Keep in mind as well that cyber criminals are playing a cat and mouse game with the defenders and they oftentimes find new ways to disguise behaviour if they know the anti-money laundering policies used in defence.
To that end, these are not new style attacks and are quite frequent. In and of themselves, this is not a concern for most banking users except in jurisdictions that don’t limit customer liability to acceptable levels. It’s regrettable that these sorts of attacks are so effective, but they can be mitigated with fairly simple policies that don’t make banking services onerous. Banks who have experienced this form of attack, and are prepared, should still be vigilant. Those that aren’t prepared should be brushing up on best practices and should be on guard - this is a wake-up call for these organisations. Globally, banks complying with the Bank Secrecy Act are regularly improving the detection and reporting of suspicious activity including terrorist financing, security fraud and market manipulation.”
Andrew Ellis, Senior Researcher at Cyxtera Threat Analytics Team:
“When looking at cash out attacks in general, it’s important to remember that they are not typically comprised of unique or advanced techniques. Instead, attackers are able to leverage tools and tactics common to many other forms of cyberattacks. For organisations looking to protect themselves against cash out attacks, it may be more useful to focus on the ‘how’ rather than the ‘why’ or ‘what.’
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.