Banks Beef Up Security After FBI Warning on ATM ‘Jackpotting’

(Bloomberg) -- Banks are on alert for new attacks targeting cash in ATMs after the Federal Bureau of Investigation warned U.S. lenders last week of a potential threat.

“The FBI routinely advises private industry of various cyber-threat indicators observed during the course of our investigations,” Lauren Hagee, an FBI spokeswoman, said in an emailed statement. “This data is provided in order to help systems administrators guard against the actions of persistent cyber criminals.”

The scheme involves breaching software to alter how much cash can be withdrawn from ATM machines. A cash withdrawal breach can occur in a bank’s system, known as a “cash-out,” or in an ATM’s system, known as “jackpotting.” Cybercrime journalist Brian Krebs reported earlier on the FBI’s warning on his website, Krebs on Security, citing an FBI alert calling the plan a cash-out scheme.

In what may have been the FBI’s warning coming to fruition, India’s Cosmos Co-operative Bank lost $13.5 million across 28 countries over the weekend, Reuters reported Tuesday.

The FBI’s warning is the latest challenge for banks as they work to protect themselves against physical and cyber attacks. Bank executives have been boosting cybersecurity budgets as the business gets increasingly digital, and consumer data becomes more vulnerable to new types of attacks.

“Protecting Citi and our clients from cyber-security threats is a critical priority for us,” Elizabeth Fogarty, a spokeswoman for New York-based Citigroup Inc., said in an emailed statement. “We are aware of the threat and are working with authorities to take preventive action to safeguard our clients.”

Cashouts require a software breach at the bank level, and then the use of fake debit cards to withdraw cash. ATM jackpotting, by contrast, requires scammers to install malware on the computer that governs the cash dispenser to tell it to release all its cash. This usually means physically breaking into the machine. Both methods differ from most cybercrime in that they require in-person access.

American debit cards are now on the same chip-and-PIN system as the rest of the world, a game changer for criminals trying to gain unauthorized access to the cash locked in ATMs in the U.S. Until recently, scammers could attach a fake card reader to the machines and steal the card and PIN numbers from anyone who swiped.

Consumers in the U.S. are protected by “zero liability” policies covering losses from fraud. Banks typically have insurance against cyberattacks and build some loss from fraud into their reserves.

©2018 Bloomberg L.P.