The Federal Financial Institutions Examination Council (FFIEC), an interagency regulatory body in the financial services sector in the US, said hackers have developed new ways to break in to bank IT systems (4-page / 279KB PDF) and alter settings that otherwise control how much consumers can withdraw from automatic teller machines (ATMs). It said a recent attack saw criminals steal more than $40 million from 12 debit card accounts.
"Criminals may begin the attack by sending phishing emails to employees of financial institutions as a means to install malicious software (malware) onto the institution’s network," the FFIEC said in a new statement outlining the risk. "Once installed, criminals use the malware to monitor the institution’s network to determine how the institution accesses ATM control panels and obtain employee login credentials."
"These control panels, often web-based, manage the amount of money customers may withdraw within a set time frame, the geographic limitations of withdrawals, the types and frequency of fraud reports that its service provider sends to the financial institution, the designated employee that receives these reports, and other management functions related to card security and internal controls," it said.
"When criminals obtain this information, they may use an employee’s login credentials to gain access to the control panel and change the settings to permit greater or unlimited cash disbursements at ATM machines, and to change other fraud and security related controls," the FFIEC added.
The FFIEC said that criminals are able to fully exploit their access to this information by combining it with account and PIN details stolen from individuals. This allows the criminals to withdraw large amounts of cash over a short period of time, it said.
Banks are being urged to check their "risk management processes", conduct ongoing risk assessments, ensure security software is up-to-date to try and mitigate against the risk of fraud.
Banks should also "consider updating all credentials and monitoring logs for use of old credentials" and "establishing authentication rules, such as time-of-day controls, or implementing multifactor authentication protocols for web-based control panels", the FFIEC recommended. It also advocates security testing and training, creating and testing incident response plans and sharing threat information with "other financial institutions and service providers".
"The [FFIEC] members expect financial institutions to take steps to address this threat by reviewing the adequacy of their controls over information technology networks, card issuer authorisation systems, ATM usage parameters, and fraud detection processes," the FFIEC said. "In addition, the members expect financial institutions to have effective response programs to manage this type of incident."
The FFIEC also released a separate notice warning about the risk of 'distributed denial-of-service' (DDoS) attacks on bank systems (3-page / 298KB PDF) and made a number of similar recommendations to mitigate against the risks those attacks present.