A recent warning from the FBI, and reported via Krebs on Security, put Financial Institutions on notice to prepare for a large-scale ATM fraud scheme. The notice provides a warning about a malware attack that will allow cloned cards at cash machines around the world to withdraw millions of dollars in a few hours. This will be achieved by manipulation of fraud controls, security measures, account balances and daily balances to facilitate large withdraws from ATMs for each transaction.
The FBI is asking Financial Institutions to review current security and controls to ensure protection of the cash within ATMs, as well as the overall financial sector. There are a few suggestions to bolster security and risk management against such a threat, which may help reduce exposure to loss or reduce overall loss should a Financial Institution be exposed to the attack.
- Start with security around passwords, multi-factor authentication protocols and tokenization. Work with your vendor to enable these protections.
- Ensure if you’re working with a provider that they have strong security and procedures.
- If any fraudulent activity is suspected, shut the ATM off and keep it off until verification can be completed.
- Replace all locks and master keys on the upper hood of the ATM and do not consider using the manufacturer defaults.
- Change the default BIOS password.
- Install an alarm and ensure it is in working order.
Recommendations Within the FBI Alert!
The following was recommended within the FBI alert:
- Implement separation of duties or dual authentication procedures for account balance or withdrawal increases above a specified threshold.
- Implement application whitelisting to block the execution of malware.
- Monitor, audit and limit administrator and business critical accounts with the authority to modify the account attributes mentioned above.
- Monitor for the presence of remote network protocols and administrative tools used to pivot back into the network and conduct post-exploitation of a network, such as Powershell, Colbalt Strike and TeamViewer.
- Monitor for encrypted traffic (SSL or TLS) traveling over non-standard ports.
- Monitor for network traffic to regions wherein the FI would not expect to see outbound connections from the Financial Institution.
Make Sure Your Financial Institution Clients Have the Right Coverage!
Contact any one of the FI insurance experts below for help in making sure your FI customers have the right coverage from a strong, stable company!
|VP Sales and Distribution/Great Plains Region
|Great Lake Regions