The FBI is warning banks and other financial institutions about criminal plans for an “ATM cash out” that could steal millions of dollars in just a few hours.
There are two ways it can happen. A process called ATM jackpotting requires scammers to install malware on a computer that regulates and operates a bank’s cash dispenser. Typically, the hacker must physically break into the machine.
Another method is targeting bank customers directly. It begins by phishing, using emails or phone calls, to solicit banking passwords and other personal information. Hardware is then used to duplicate that information on a “clone” card, which can then be used at numerous ATMs. To make matters worse, some hackers have the ability to override ATM cash limits. That means they can not only exceed limits on a specific account, but also take as much cash as possible from a given machine. Personal information can also be bought or sold on the dark web or other forms of the black market.
In the past, hackers have typically stolen small amounts from a large amount of people or large amounts from a small amount of people. This time around, it appears criminals want to steal large amounts of money from large amounts of people, making the FBI’s warning even more pressing.
At least one cyberhack was already carried out when $13.5 million was stolen from India’s Cosmos Co-operative Bank across 28 countries over the weekend. It’s just the latest example of a successful criminal hack on banks. Back in 2012 and 2013, $45 million was stolen from ATMs in a pair of cyberattacks. In 2011, an international cybercrime group stole $14 million in just 48 hours from banks around the world. In 2016 and 2017, more than $2 million was stolen after an employee at the National Bank of Blacksburg was targeted in a phishing scam.
The FBI rarely gives a warning this specific before a cybercrime is carried out. Consumers in the United States are protected by “zero liability” policies that cover losses from fraud. Chip-and-PIN systems are fully in place and serve as another level of security for debit cards. Banks usually have insurance against cyberattacks and account for loss from fraud as an expense in their reserves.