FBI Warns of ATM Cash-Out Attacks: Be Ready


On August 10th when the FBI warned that a global ATM cash-out scheme was about to occur, many banks, IADs and payments processors went into high alert. While this did not stop criminals from making off with over $13.5 million USD, across 28 countries from an Indian bank, it did bring up the importance of early warning fraud systems and layered defense mechanisms.

According to cyber security blogger Brian Krebs, a day before the ATM cash-out attack, the FBI released a confidential alert to banks that, “…criminals had breached an unknown payment provider’s network with malware to access bank customer card information and exploit network access, enabling large scale theft of funds from ATMs.”

This is of course exactly what happened. Cyber criminals were able to install malware on the bank’s debit card payment system, access card information, remove fraud controls such as maximum withdrawal amounts, and exploit unlimited network access. In a statement to Reuters, Cosmos Bank admitted that, “During the malware attack, a proxy switch was created and all the fraudulent payment approvals were passed by the proxy switching system.”

malware diagram
Figure 1: An example of how malware authorizes transactions without talking to the back-end.


Of course, this bank is not the only one at risk of fraudulent bank transfers and unauthorized ATM withdrawals. Faced with increasingly sophisticated fraud techniques and information security risks, banks, IADs and payment processors must adopt early warning fraud detection strategies that give them the ability to detect debit card and ATM fraud as it is unfolding – not after the damage is done. This includes:

  • Identifying ‘Fake’ processing due to switch malware and card compromise
  • Isolating terminals used in a coordinated ATM cash-out attacks
  • Knowing when a concentration of transactions were occurring on a particular terminal or area
  • Picking up on an unusually high number of unexpected fall-back transactions
  • Creating visibility into implausible transacting scenarios (multiple devices / countries in a limited period)

The good news is that a real-time, transaction-level monitoring and alerting solution such as INETCO Insight will help you immediately detect these kinds of attacks, and layer your defense against malware installed on the host switch.

traditional monitoring
Figure 2: An example of how traditional risk monitoring is provided at the back-end.


inetco solution diagram
Figure 3: The INETCO solution monitors the entire transaction path to detect anomalies in real-time.


With continuous, end-to-end visibility into every transaction across omni-channel banking and payments environments, FIs can mitigate risk of undetected front-end attacks. As anomalous behavior occurs – such as rogue switches approving fraudulent transactions, INETCO detects the suspicious activity and sends real-time alerts, such as:

  • X number of international transactions within Y hours
  • X number of transaction by international cards in the last Y hours
  • X or more bank cards carrying out withdrawals on the same foreign terminal within U minutes
  • X number of consecutive magnetic stripe transactions (instead of chip) from a specific ATM
  • Cash withdrawal observed on an ISO link with no matching DB transaction

If you would like to learn more about how to prevent an unlimited ATM cash-out attack, please join us on September 6th at 11:30am EDT for an upcoming webinar titled, “Preventing ‘Unlimited’ ATM Cash-Out Attacks: How you can add a new layer of defense against switch malware.”

We would also be happy to show you how to configure specific alerts that detect this kind of activity and help you spot it the second it begins. Just reach out to us for a quick 30 minute demo at .