Criminals Try to Cash in with "Unlimited Operation" ATM Cash-Out Schemes

ATMs are everywhere, and that may make them attractive targets for criminals seeking fast cash. But financial institutions can take steps to help shore up security and potentially thwart these bad guys.

In fact, it's a good idea to review your ATM security now in light of a new fraud warning from the Federal Bureau of Investigation (FBI), made public by cybersecurity journalist Brian Krebs. The FBI sent alerts recently of a planned global plot to steal millions of dollars in a coordinated "unlimited operation" ATM cash-out scheme—here's what you need to know.

Operation Types

Over the past two years, ATM cash-out schemes, whereby thieves use a variety of methods to withdraw money from automatic teller machines, have resulted in losses of millions of dollars. The heists are part of a general uptick in ATM fraud in recent years. In fact, a FICO fraud survey found a 500 percent jump in ATM fraud in 2015, a 70 percent increase in 2016, and a 10 percent rise last year.

In an unlimited operation attack, criminals compromise a financial institution or processor with malware to access customer card information and exploit network access, enabling large-scale theft of funds from ATMs. They tamper with security protocols to override withdrawal limits and even manipulate account balances.

Typically, the criminals may create counterfeit cards by using compromised card data and imprint the data on reusable magnetic-stripe cards. Working with co-conspirators, they quickly withdraw large amounts of cash from multiple ATMs at the same time. In two unlimited operation attacks in 2016, one U.S. bank lost almost $2.5 million.
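One way an issuer or processor could watch its authorization log for the pattern described above, shown as an added example that is not part of the original article or any PULSE or FBI tooling. The record layout, the thresholds, and the `flag_cashout` name are assumptions, and the sample log is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample approvals: (timestamp, card token, ATM id, amount in USD).
SAMPLE_LOG = [
    ("2024-01-06 02:00:05", "card-A", "ATM-101", 500),
    ("2024-01-06 02:00:40", "card-A", "ATM-245", 500),
    ("2024-01-06 02:01:10", "card-A", "ATM-377", 500),
    ("2024-01-06 02:03:30", "card-A", "ATM-101", 500),
    ("2024-01-06 09:15:00", "card-B", "ATM-101", 200),
    ("2024-01-06 18:40:00", "card-B", "ATM-101", 100),
    ("2024-01-06 08:00:00", "card-C", "ATM-500", 300),
    ("2024-01-06 13:00:00", "card-C", "ATM-501", 300),
    ("2024-01-06 19:00:00", "card-C", "ATM-502", 300),
]

def flag_cashout(log, daily_limit=1000, window=timedelta(minutes=10), min_atms=3):
    """Return {card: sorted reasons} for cards matching either cash-out signal."""
    by_card = defaultdict(list)
    for ts, card, atm, amount in log:
        by_card[card].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), atm, amount))

    flagged = defaultdict(set)
    for card, txns in by_card.items():
        txns.sort()
        # Signal 1: approved total per calendar day above the configured limit,
        # which should not happen unless the limit was overridden upstream.
        per_day = defaultdict(int)
        for when, _, amount in txns:
            per_day[when.date()] += amount
        if any(total > daily_limit for total in per_day.values()):
            flagged[card].add("daily_limit_exceeded")
        # Signal 2: one card at many distinct ATMs inside a short sliding window,
        # the footprint of cloned cards used by several people at once.
        start = 0
        for end in range(len(txns)):
            while txns[end][0] - txns[start][0] > window:
                start += 1
            if len({atm for _, atm, _ in txns[start:end + 1]}) >= min_atms:
                flagged[card].add("multi_atm_burst")
    return {card: sorted(reasons) for card, reasons in flagged.items()}
```

Here card-C uses three ATMs but spread over the day and stays under the limit, so only card-A is flagged; running the check outside the system that enforces limits matters because the scheme tampers with that system.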

Another common type of cash-out scheme is known as a jackpot attack. In this scheme, criminals physically install software or hardware that can cause terminals to spew cash like slot machines.

Small and medium-sized financial institutions and ATMs at offsite locations may be especially vulnerable to these types of cash-out attacks. In fact, most jackpot attacks occur at ATMs on the premises of retail shops and other merchants. Fortunately, there are steps you can take that may protect your financial institution.

Plan of Attack

Based on the warning shared by the FBI and other best practices, here are 10 options you can consider to help mitigate the risk of unlimited operation and other cash-out schemes:

  1. Change the locks. Choose and install your own locks on your ATMs. Most jackpot attacks occur on ATMs that retain the default locks installed by the manufacturers.
  2. Keep current. Make sure all ATM software, systems and patches are up to date. Just as with personal computers and other devices, criminals can exploit loopholes in outdated software.
  3. Pay attention to passwords. Use strong ATM administrator passwords of at least 11 characters with a combination of letters, numbers, and special characters. This may stop criminals from using USB devices to facilitate jackpot attacks.
  4. Step up surveillance. Make sure all of your ATMs are protected by adequate lighting and security cameras. Implement a regular schedule for ATM monitoring. And check an ATM every time you receive an alert of a situation such as a cash-out event, loss of communication, or reboot.
  5. Keep an eye on ATM service. Check accreditation documents of service personnel before they inspect or work on an ATM. If you have ATMs hosted by a merchant, have them follow the same security protocol.
  6. Limit access to cash. Stock ATMs with only the amount of cash needed to last until the next scheduled refill. Also consider employing dual-factor authentication for all cash withdrawals over a set amount. This will limit losses from a cash-out attack.
  7. Tighten debit card security. Consider employing chip-and-PIN procedures for debit cards to prevent criminals from withdrawing cash with fake debit cards.
  8. Stop malware. Don't click on links or open attachments in unsolicited emails. Make sure to install and update anti-virus or anti-malware software on hosts.
  9. Enlist whitelist applications. Thwart malware that can be used in an unlimited operation by using application whitelisting, a procedure whereby only software applications that you OK are allowed on your system.
  10. Shore up weak spots. Use patches, which are fixes or modifications to software, to address weaknesses in your systems. Make it a top priority to patch vulnerabilities in any systems that disarm alerts as well as in any software processing internet data, such as web browsers and plugins.

There may be additional, specific steps you can take to keep your financial institution secure, and PULSE is happy to assist by providing more detail. If you need further support, you can request to speak with a PULSE fraud analyst. Click here to give us your contact information and we'll get in touch right away.


The information provided herein is sponsored by Discover® Global Network. It is intended for informational purposes, and is not intended as a substitute for professional advice.