ATM Admin Panels Hacked to Allow Unlimited Withdrawals, Warns FFIEC
The FFIEC has released an advisory on the latest attacks to hit small and medium-sized financial institutions, also known as Unlimited Operations, in which thieves are maxing out or even exceeding the limits on bank accounts after they gain access to the web-based ATM administrator panels. They’re launching attacks around holidays and weekends, when more ATM activity typically occurs.
The government’s paying more attention now, as the numbers aren’t small: one attack using just 12 debit cards netted criminals $40 million.
How do they do it? Typically, it goes like this, as the advisory states:
It all starts with a phishing attack sent to employees of financial institutions.
Once an employee falls for it and the attackers obtain credentials, they access the institution’s network and install malware.
Attackers monitor networks via malware to figure out how to access the web-based ATM admin panel.
They use an employee’s login credentials to access and change administrator settings, allowing them to permit greater or unlimited cash disbursements at ATMs.
Then they use fraudulent cards carrying stolen PINs and account numbers to make withdrawals at the ATMs.
In addition to following compliance regulations, the FFIEC advises that financial organizations conduct information security risk assessments to identify threats, alongside the usual recommendations to monitor, update and check configurations on firewalls, antivirus and intrusion detection systems.
They also recommend protecting against unauthorized access by limiting elevated privileges across the company, including administrator accounts.
As a best practice, the FFIEC recommends implementing ‘multifactor authentication protocols’ to protect web-based admin panels. Check out Two-Factor for Web Applications, or Duo Web Documentation for administrators to find out how to integrate two-factor with your web-based application.
By leveraging Duo’s web SDK, you can easily add a second factor to your login process that requires a user to verify their identity with their own personal phone. That way, even if an attacker successfully steals credentials in a phishing attempt, they still won’t be able to access internal networks without an employee’s personal device.
The PCI Security Standards Council’s ATM Security Guidelines document requires financial institutions to:
Protect against the unauthorized remote control of the application. Strict access-control procedures should be put in place to allow remote access for service purposes.
While they don’t clarify what kind of specific access-control procedures should be used to protect against remote access to ATM apps, two-factor authentication is called out in the PCI DSS compliance standards for any organization that deals with credit cardholder data.
The PCI DSS standards require organizations to:
Incorporate two-factor authentication for remote network access originating from outside the network by personnel (including users and administrators) and all third parties (including vendor access for support or maintenance).
Another recommendation involves notifying multiple employees when controls are changed on critical systems. This likely means logging administrator activity and setting up alerts for certain actions, such as an alert whenever an ATM withdrawal threshold is raised or set to unlimited.
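As an added illustration (not code from the advisory, from Duo, or from any real admin panel), the following Python sketches the kind of alerting described above: it parses constructed audit lines from a hypothetical ATM admin panel and flags withdrawal-limit changes that remove the limit, exceed a policy maximum, or happen off-hours or on weekends, when the advisory says these attacks are launched. The log format, field names, business hours and the 1000 policy maximum are all assumptions.

```python
import re
from datetime import datetime

# Constructed sample audit lines from a hypothetical admin panel (format assumed).
SAMPLE_LOG = """\
2014-04-02T10:15:03 user=jsmith action=LOGIN src=10.1.4.22
2014-04-04T23:41:10 user=jsmith action=SET_WITHDRAWAL_LIMIT card=****1234 old=500 new=UNLIMITED
2014-04-05T02:07:55 user=jsmith action=SET_WITHDRAWAL_LIMIT card=****9876 old=500 new=50000
2014-04-07T09:30:00 user=mlee action=SET_WITHDRAWAL_LIMIT card=****5555 old=500 new=600
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+)(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Turn one audit line into a dict; returns None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": datetime.fromisoformat(m.group("ts")),
           "user": m.group("user"), "action": m.group("action")}
    rec.update(KV_RE.findall(m.group("rest")))  # remaining key=value pairs
    return rec

def limit_alert(rec, max_allowed=1000, business_hours=(8, 18)):
    """Return why a withdrawal-limit change looks abnormal, or None if it is benign."""
    if rec["action"] != "SET_WITHDRAWAL_LIMIT":
        return None
    new = rec.get("new", "")
    reasons = []
    if new.upper() == "UNLIMITED":
        reasons.append("limit removed entirely")
    elif new.isdigit() and int(new) > max_allowed:
        reasons.append(f"limit {new} exceeds policy maximum {max_allowed}")
    ts = rec["ts"]
    # Weekend (weekday 5 or 6) or outside the assumed business-hours window.
    if ts.weekday() >= 5 or not business_hours[0] <= ts.hour < business_hours[1]:
        reasons.append("changed outside business hours or on a weekend")
    return "; ".join(reasons) if reasons else None

def scan(log_text):
    """Return (timestamp, user, card, reason) tuples to be sent to several reviewers."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reason = limit_alert(rec)
        if reason:
            alerts.append((rec["ts"].isoformat(), rec["user"], rec.get("card"), reason))
    return alerts
```

Routing each tuple to more than one person, rather than only to the administrator who made the change, is what turns this into the multi-employee notification the FFIEC suggests.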
Conducting regular security training and testing incident response plans, including ones that involve third-party vendors, are a few of the other best practices recommended to protect against network intrusion and ATM unlimited withdrawal theft. However, guarding against the initial point of entry, phishing emails, is one of the easiest ways to keep financial networks, and our ATMs, safe.