Wednesday, the Federal Financial Institutions Examination Council (FFIEC) released a warning to U.S. banks and credit unions that a new type of heist enacted through cyber attacks on ATMs is on the rise.
These thefts, which the U.S. Secret Service is calling “unlimited operations,” are perpetrated by installing malware in a bank or credit union’s network. This alters the settings of an ATM, allowing attackers to “withdraw funds beyond the cash balance in customer accounts or beyond other control limits typically applied to ATM withdrawals,” according to the report.
Unlimited Operations Have Already Cost Banks Millions
Unlimited operations attacks make use of stolen account information for debit, prepaid or ATM cards to steal funds — but because of the unique ability to bypass ATMs’ usual limits on withdrawals, these types of attacks have the potential to be particularly damaging for financial institutions.
While stolen account information would typically only allow an identity thief to steal from the victim, the unlimited operations cyber attacks on ATMs make stolen information the key to an even bigger payout from financial institutions.
The FFIEC reports that fraudsters stole over $40 million with only 12 stolen debit card accounts in a recent unlimited operations attack.
ATMs might be even more vulnerable to cyber attacks as of April 8, when Microsoft will discontinue tech support for Windows XP, the operating system 95% of ATMs rely on.
Feds Warn Banks and Credit Unions to Take Preventive Steps Against Cyber Attacks
The FFIEC, which includes officials from the Federal Reserve and FDIC, among others, warns banks and credit unions to take necessary steps to prevent such cyber attacks on ATMs. Not doing so opens financial institutions to a range of risks, such as “operational risks, fraud losses, liquidity and capital risks … and reputation risks.”
The preventive action the FFIEC recommends to banks includes ongoing monitoring of network security, identifying and addressing existing security risks, and limiting access privileges among employees.