“Unlimited Operations”: FFIEC Guidance against a 21st Century Bank Heist
Banks should evaluate their security protocols and mechanisms for protecting their ATMs and customer accounts that are linked to prepaid and debit cards against a new type of bank heist. This direction comes from a joint statement by the members of the Federal Financial Institutions Examination Council (“FFIEC”). The U.S. Secret Service has developed the moniker, “Unlimited Operations,” for the fraudulent cybercrime involved.
The crime has proliferated in recent months. Last month, the U.S. Attorney’s Office for the Eastern District of New York issued a press release describing an international organization of criminals that fraudulently withdrew $45 million in losses for two banks. Seven defendants have been arrested and charged, but the organization comprised many more co-conspirators. In New York City alone, filings detailed allegations that criminals withdrew $2.8 million in a matter of hours—approximately $400,000 on December 22, 2012, and $2.4 million through the afternoon of February 19 and into the early hours of February 20 in 2013. The fraudulent transactions in New York City occurred through nearly 3,750 ATM withdrawals.
“Unlimited Operations” are an increasingly common type of ATM cash-out fraud for large dollar values. The operations can occur over a long period of time and require a high level of cyber sophistication. Criminal operatives first infiltrate a financial institution’s network using tactics like phishing emails to install malware for monitoring and collecting institutional access methods and login credentials for ATM control panels. These control panels are often web-based and set limits to card transactions, such as constraints on the geographic area and frequency of withdrawals allowed. Control panel access enables the criminals to change these security settings to permit unlimited (or increased) cash disbursements at ATMs. The criminals then steal card account information and PINs through POS malware or skimming, ATM malware or skimming, or other compromising action against the card issuer’s operations. The criminal operatives use this information to produce fraudulent debit, prepaid or ATM cards. For the cash-out phase, the criminals make organized and rapid withdrawals of large cash amounts from multiple ATMs using the fraudulent and unlimited cards. Finally, the teams of “cashers” will launder the proceeds, often by purchasing luxury goods and sending money back up the cybercrime organization.
The FFIEC’s joint statement included guidance on risk mitigation for financial institutions vulnerable to Unlimited Operations. The statement generally advises institutions to follow PCI DSS on PIN Security Requirements and to conduct ongoing information security risk assessments. Behind the general advice are more specific potential action items, such as multifactor authentication protocols for web-based control panels, which can impede one of the critical stages of the Unlimited Operations when criminals try to log in and modify control panel settings. This advice can be paired with the suggestion to regularly train employees on information security awareness, with an emphasis on the importance of exercising caution and care with authentication protocols. The joint statement encourages financial institutions to use monitors for and consistently track third-party processors and ATM transaction activity. These monitors become valuable after a cybercriminal may have already breached other preventative layers, but catching fraudulent activity early is always better than finding it later.
This new cyber heist is a serious threat to banks and financial institutions that issue debit, prepaid or ATM-only cards. Risks include endangerment of liquidity, fraud losses and reputational damage. Outsourced card issuance is not a safe harbor either; financial institutions that outsource issuance activities may remain liable for losses.
The size and scale of the attacks that prompted FFIEC guidance demonstrates the significant hazard Unlimited Operations pose, whether the financial institution is small or large. Proactive assessment and improvements to security protocols and systems are a continuing must for financial institutions with debit, prepaid or ATM card accounts.