The FBI has issued a confidential warning to banks around the world to prepare for an imminent, co-ordinated cyberattack on ATMs, which may be vulnerable to hacking.
In the confidential warning issued last week, the FBI warned it had found evidence that cybercriminals around the world are plotting an imminent, co-ordinated cyberattack on ATMs which could take place at any time in the next few days.
Such an attack could specifically impact smaller banks with less sophisticated security systems, but would take advantage of common vulnerabilities among ATMs, meaning that millions of dollars could be withdrawn illegitimately from cash machines around the world by cybercriminals working in tandem. The warning was initially obtained by the UK’s Daily Telegraph.
How would such a co-ordinated attack take place?
According to the warning issued by the intelligence service, the FBI ‘has obtained unspecified reporting indicating cyber criminals are planning to conduct a global Automated Teller Machine (ATM) cash-out scheme in the coming days, likely associated with an unknown card issuer breach’.
These schemes are known as ‘jackpotting’, and involve cybercriminals illegally access a bank or payment card processor to harvest customer card data. This data can then be installed onto blank cards to create clones of the original cards, which allow these criminals to withdraw funds from cash machines. In many cases, such data breaches among card issuers, financial institutions and other companies which store large amounts of customer data can often go undetected for months, meaning that these attacks can be hard to predict or prevent.
Such an imminent, co-ordinated cyberattack on ATMs is typically done by any number of individuals around the world simultaneously, to minimise the opportunities for law enforcement agencies to identify and intercept withdrawals from cloned cards. The FBI warns that small and medium-sized financial institutions, because they often rely on third-party vendors to provide security equipment, and do not have the resources to enforce cybersecurity controls to the extent that they are required.