On Sunday, Aug. 12, KrebsOnSecurity carried an exclusive: The FBI was warning banks about an imminent “ATM cashout” scheme about to unfold across the globe, thanks to a data breach at an unknown financial institution. On Aug. 14, a bank in India disclosed hackers had broken into its servers, stealing nearly $2 million in fraudulent bank transfers and $11.5 million in unauthorized ATM withdrawals from cash machines in more than two dozen countries.
The FBI put out its alert on Friday, Aug. 10. The criminals who hacked into Pune, India-based Cosmos Bank executed their two-pronged heist the following day, sending co-conspirators to fan out and withdraw a total of about $11.5 million from ATMs in 28 countries.
The FBI warned it had intelligence indicating that criminals had breached an unknown payment provider’s network with malware to access bank customer card information and exploit network access, enabling large scale theft of funds from ATMs.
Organized cybercrime gangs that coordinate these so-called “unlimited attacks” typically do so by hacking or phishing their way into a bank or payment card processor. Just prior to executing on ATM cashouts, the intruders will remove many fraud controls at the financial institution, such as maximum withdrawal amounts and any limits on the number of customer ATM transactions daily.
The perpetrators alter account balances and security measures to make an unlimited amount of money available at the time of the transactions, allowing for large amounts of cash to be quickly removed from the ATM.
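The fraud controls described above (daily withdrawal counts, maximum amounts) live on the payment switch, which is exactly the system the intruders take over before a cashout. One defensive response is to re-check the same limits out of band, in a monitor the switch does not control, so that a card suddenly exceeding policy, or appearing in several countries within an hour, raises an alert even after the switch-side limits have been lifted. The following is an added example, not code from KrebsOnSecurity, the FBI or Cosmos Bank; the log format, card tokens, ATM ids and the policy thresholds are all constructed for illustration.

```python
"""
Out-of-band velocity monitor for ATM authorizations (added example).

Assumes a constructed log format, one authorization per line:
  <ISO timestamp> card=<token> atm=<id> country=<ISO code> amount=<int>
and illustrative limits. A real deployment reads the switch or
core-banking logs and tunes the thresholds to its customer base.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). tok_0001 is hit from three
# countries in minutes; tok_0002 is an ordinary customer.
SAMPLE_LOG = """\
2018-08-11T10:00:05Z card=tok_0001 atm=IN-PUN-01 country=IN amount=500
2018-08-11T10:00:40Z card=tok_0001 atm=CA-TOR-07 country=CA amount=500
2018-08-11T10:01:15Z card=tok_0001 atm=HK-CWB-03 country=HK amount=500
2018-08-11T10:01:50Z card=tok_0001 atm=IN-PUN-01 country=IN amount=500
2018-08-11T10:02:20Z card=tok_0001 atm=CA-TOR-07 country=CA amount=500
2018-08-11T10:02:55Z card=tok_0001 atm=HK-CWB-03 country=HK amount=500
2018-08-11T12:30:00Z card=tok_0002 atm=IN-MUM-11 country=IN amount=200
2018-08-11T18:45:00Z card=tok_0002 atm=IN-MUM-11 country=IN amount=300
"""

# Illustrative policy, assumed for the example.
MAX_TXNS_PER_DAY = 4
MAX_AMOUNT_PER_DAY = 2000
MAX_COUNTRIES_PER_HOUR = 1


def parse_line(line):
    """Turn one constructed log line into a record dict."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    rec["amount"] = int(rec["amount"])
    return rec


def find_velocity_alerts(log_text):
    """Return {card: [reasons]} for cards whose activity exceeds policy."""
    per_card = defaultdict(list)
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        per_card[rec["card"]].append(rec)

    alerts = {}
    for card, recs in per_card.items():
        recs.sort(key=lambda r: r["ts"])
        reasons = []

        # Daily count and total, enforced here regardless of what the switch does.
        by_day = defaultdict(list)
        for r in recs:
            by_day[r["ts"].date()].append(r)
        for day, day_recs in by_day.items():
            if len(day_recs) > MAX_TXNS_PER_DAY:
                reasons.append(f"{len(day_recs)} withdrawals on {day} (limit {MAX_TXNS_PER_DAY})")
            total = sum(r["amount"] for r in day_recs)
            if total > MAX_AMOUNT_PER_DAY:
                reasons.append(f"total {total} on {day} (limit {MAX_AMOUNT_PER_DAY})")

        # Geographic impossibility: the same card in several countries within an hour.
        for i, r in enumerate(recs):
            window = [x for x in recs[i:] if x["ts"] - r["ts"] <= timedelta(hours=1)]
            countries = {x["country"] for x in window}
            if len(countries) > MAX_COUNTRIES_PER_HOUR:
                reasons.append(f"{len(countries)} countries within 1h of {r['ts'].isoformat()}")
                break

        if reasons:
            alerts[card] = reasons
    return alerts


if __name__ == "__main__":
    for card, reasons in find_velocity_alerts(SAMPLE_LOG).items():
        print(card)
        for reason in reasons:
            print("  -", reason)
```

Run against the sample, the monitor flags `tok_0001` on all three rules and leaves `tok_0002` alone. The design point is that the thresholds here are a second, independent copy of the policy: a compromised switch can stop enforcing its own limits, but it cannot stop a separate system from noticing that the limits are being exceeded.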
My story about the FBI alert was breaking news on Sunday, but it was just a day short of useful to financial institutions impacted by the breach and associated ATM cashout blitz.
But according to Indian news outlet Dailypionneer.com, there was a second attack carried out on August 13, when the Cosmos Bank hackers transferred nearly $2 million to the account of ALM Trading Limited at Hang Seng Bank in Hong Kong.
“The bank came to know about the malware attack on its debit card payment system on August 11, when it was observed that unusually repeated transactions were taking place through ATM VISA and Rupay Card for nearly two hours,” writes TN Raghunatha for the Daily Pioneer.
Cosmos Bank was quick to point out that the attackers did not access systems tied to customer accounts, and that the money taken was from the bank’s operating accounts. The 112-year-old bank blamed the attack on “a switch which is operative for the payment gateway of VISA/Rupay Debit card and not on the core banking system of the bank, the customers’ accounts and the balances are not at all affected.”
Visa issued a statement saying it was aware of the compromise affecting a client financial institution in India.
“Our systems were able to identify the issue quickly, enabling the financial institution to take appropriate action,” the company said. “Visa is working closely with the client in supporting their ongoing investigations on the matter.”
The FBI said these types of ATM cashouts are most common at smaller financial institutions that may not have sufficient resources dedicated to staying up to date with the latest security measures for handling payment card data.
“Historic compromises have included small-to-medium size financial institutions, likely due to less robust implementation of cyber security controls, budgets, or third-party vendor vulnerabilities,” the alert read. “The FBI expects the ubiquity of this activity to continue or possibly increase in the near future.”
In July 2018, KrebsOnSecurity broke the news of two separate cyber break-ins at tiny National Bank of Blacksburg in Virginia in a span of just eight months that led to ATM cashouts netting thieves more than $2.4 million. The Blacksburg bank is now suing its insurance provider for refusing to fully cover the loss.
As reported by Reuters, Cosmos Bank said in a press statement that its main banking software receives debit card payment requests via a “switching system” that was bypassed in the attack. “During the malware attack, a proxy switch was created and all the fraudulent payment approvals were passed by the proxy switching system,” the bank said.
Translation: If a financial institution is not fully encrypting its payment processing network, this can allow intruders with access to the network to divert and/or alter the response that gets sent when an ATM transaction is requested. In one such scenario, the network might say a given transaction should be declined, but thieves could still switch the signal for that ATM transaction from “declined” to “approved.”
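The scenario above only works if the ATM takes the approval code at face value. The standard countermeasure is for the authorizing host to authenticate each response, binding it to the specific request (trace number, card, amount) with a keyed MAC, so that a node on the path cannot turn “declined” into “approved” without the key and cannot replay an old approval against a new request. The following is an added example, not Cosmos Bank’s, Visa’s or any vendor’s protocol: the message fields, response codes, shared key and the tampering step are all constructed for illustration, and the key is a plain constant where a real ATM would hold it in its encrypting PIN pad or HSM.

```python
"""
Authorization-response integrity on the ATM-to-host path (added example).

Two ATM behaviours are contrasted on the same tampered message:
  - legacy: trust whatever response code comes back;
  - authenticated: verify an HMAC over the response and check that it
    answers the request actually sent.
All identifiers, codes and keys are constructed for the example.
"""
import hashlib
import hmac
import json

# Assumed: key shared between host and ATM (in practice provisioned into
# the ATM's secure hardware). Constructed constant, not for production.
SHARED_KEY = b"example-key-not-for-production"


def _canonical(body):
    """Deterministic encoding so host and ATM MAC the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def host_respond(request, approve, key=SHARED_KEY):
    """Host builds a response bound to the request's identifying fields."""
    body = {
        "stan": request["stan"],            # system trace audit number of the request
        "card": request["card"],
        "amount": request["amount"],
        "code": "00" if approve else "51",  # constructed codes: 00 approve, 51 decline
    }
    body["mac"] = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return body


def atm_verify(request, response, key=SHARED_KEY):
    """ATM checks the MAC, then that the response answers *this* request."""
    mac = response.get("mac")
    if mac is None:
        return False
    body = {k: v for k, v in response.items() if k != "mac"}
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False
    # Binding to the outstanding request stops replay of a genuine approval.
    return (body["stan"] == request["stan"]
            and body["card"] == request["card"]
            and body["amount"] == request["amount"])


def dispense_decision(request, response):
    """Authenticated ATM: dispense only on a verified approval."""
    return atm_verify(request, response) and response["code"] == "00"


def legacy_dispense_decision(response):
    """Legacy ATM: dispense on the bare response code, no integrity check."""
    return response["code"] == "00"


def simulate_tampered_response(response):
    """Model of a rogue node on the path rewriting the code without the key."""
    tampered = dict(response)
    tampered["code"] = "00"
    return tampered


REQUEST = {"stan": 123456, "card": "tok_0001", "amount": 500}  # constructed


def demo():
    """Return what each ATM model would do with a decline flipped in transit."""
    declined = host_respond(REQUEST, approve=False)
    flipped = simulate_tampered_response(declined)
    return {
        "legacy_dispenses": legacy_dispense_decision(flipped),
        "mac_dispenses": dispense_decision(REQUEST, flipped),
        "genuine_dispenses": dispense_decision(REQUEST, host_respond(REQUEST, approve=True)),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The legacy model dispenses on the flipped message; the authenticated model rejects it because the MAC no longer matches, and a genuine approval for a different trace number or amount is rejected as well. Encrypting the link (as the article suggests) hides the traffic, but it is the authentication and request binding that prevent a proxy switch from substituting approvals.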
One final note: Several news outlets have confused the attack that hit Cosmos Bank with another ATM crime called “jackpotting,” which requires thieves to have physical access to the inside of the cash machine and the ability to install malicious software that makes the ATM spit out large chunks of cash at once. Like ATM cashouts/unlimited operations, jackpotting attacks do not directly affect customer accounts but instead drain ATMs of currency.
Update, 8:10 p.m. ET: An earlier version of this story incorrectly stated that there were only 25 ATMs used in the cashout against Cosmos. The figure was meant to represent the number of countries with ATMs that were used in the heist, not ATMs, and that number is 28 at last count.
Good article, very informative
25 ATMs for $11.5M?
Right? ATMs don’t hold that much cash.
I don’t know too many people loading an ATM with more than 100K, let alone 460K (11.5MM / 25).
Having worked extensively with ATM ink and dye protection systems in the UK back in the early 2000s – ATMs in the UK invariably use banknote holding cassettes to store the actual cash notes. In the UK each cassette holds 2,000 individual bank notes of either £5, £10 or £20 notes. So a cassette full of £5 notes is worth £10,000 ($12,903), a cassette of £10 is worth £20,000 ($25,806) and a cassette of £20 notes is worth £40,000 ($38,709).
How many cassettes are loaded into an ATM depends on the size and placement of the ATM – on a college campus in the UK a typical stand-alone free ATM will only hold 4 cassettes, each cassette only holding £5 notes – for use by low income students, and it may have a cash out limit of ten notes (£50) – probably not worth hitting given the risk/reward factor.
However a busy block of ATMs located outside an ASDA/Walmart Supermarket will typically have four or five ATMs operated by multiple UK Banks – each ATM having eight or ten cassettes – ten cassettes say typically containing (when full) 4 x £10 notes = £80,000 ($103,249) and 6 x £20 notes = £240,000 ($309,747). So one single ATM at a big site can hold (when full) £320,000 ($412,969). These machines are often filled up on the Thursday/Friday of a Holiday Weekend – hitting one of these sites with a “jackpotting” attack at 2 am on a Saturday morning can result in a very very substantial payout for the crooks. Say a bank of five ATMs hit simultaneously dispensing a couple of £20 cassettes each = £80,000 x 5 = £400,000. Not bad for a couple of hours’ work ???
I can only comment on the UK’s ATM systems as they are the only ones I have worked with.
Yeah, it makes no sense, came here to say this. I don’t know what incentive a bank would have for telling reporters that more was stolen than actually was, or for saying fewer ATMs were hit than actually were. It might be a currency conversion issue since the outlet is Indian and they count in lakhs/crores.
It was ATMs across 25 countries, and not 25 ATMs as mentioned in the article.
I read about the 25 ATMs giving up $11.5M and also wondered how this was possible. Did they need wheelbarrows to cart off the loot at each ATM? What are we missing here?
The local ATMs in my area sometimes “run out” of cash on weekends and sometimes this happens even on weekdays. These are ATMs inside banks; I never use stand-alone ATMs, especially at gas stations.
I guess some banks want to limit the damage if someone illegally accesses their ATMs. These thieves used ATMs in Canada, Hong Kong and India. Is this because of better cash outs or that the networks of these bad guys exist primarily in Europe and Asia?
More info needed on this type of crime, Brian. I feel safe overall, FDIC will reimburse me, but how long before money disappearing, at this rate, will cause banks to take drastic measures like 2-factor ID just to withdraw $50 from an ATM?
In the movies the FBI or bank managers typically overstate the amount stolen to create confusion/conflict among the thieves. Could the same be happening here?
Perhaps at the time of the report cited, they had only identified 25 ATMs.
A plurality of ATMs in 25/28 countries??? How can an organisation ever recruit so many mules, distribute material, and collect and process the cash, and still make this a profitable and safe proposition? (That is, safe and profitable for the people at the top, of course.)
The breadth, scope, and capacity of organized crime is horrifying.
In theory, you do it this way:
1 – “send the word” to the groups you already worked with in the past, and are somehow “reliable” in giving you a cut of the profit, that there is work to be done. Via well-known forums and via well-known contacts, tell them to prepare the blank cards and machines to encode the magstripe. But don’t send anything.
2 – on the given date, send the magstripe to the groups.
3 – collect your cut via bitcoin, Western Union, or bags of cash.
4 – cut ties with the groups that didn’t give your cut. The groups that are “reliable” shall increase their workforce for the next operation.
But that’s just theory…
I see a movie coming…
It wasn’t 25 ATMs but 25 countries… 28 countries on the latest update.
One moral to this tale is certainly this — ignore one of BK’s warnings about imminent miscreant action at your own peril!
The article says 25, then 28 countries, with ATMs that were compromised.
I never use an ATM ever. Whatever man creates man can undo. There is no way to protect people. Do it at your own risk. Go into the bank and do your business. I always keep money out in case of emergencies. I have a little hidden stash.
… and “op-sec” is a total mystery to you..
Nice article, Brian. When the investigation is finally completed – it would be interesting to know just how many ATMs had to be used for the perps to acquire that much cash.
Very good, interesting read. I wonder what we missed. ATMs connected to an internet circuit? A visa breach? A bank side breach? But we found out, the whole transmission is not encrypted, there are identifiers, like to who and where and what for. Very interestingly, there was an advance warning. So one of the players was identified. I hope the good guys are looking for any upstream bosses.
The article plainly says the theft of millions only occurred when the thieves changed something which then allowed access to the bank accounts not the individuals.
@Phil, I cannot understand your wording. Thieves do not have access to people?
So, who is ALM Trading Ltd., and what happened to the money transferred to their account? I see some stuff on the internet that they’re run out of a shop in Birmingham, UK. You can’t trace ATM cash (unless they know the serial numbers, which seems unlikely) but you can track bank transfers.
Death penalty needs to be put in use for all these types of criminals. Criminal hackers… card fraudsters… etc. Ya I know it’s harsh, but the havoc they wreak on society and innocent hard working people calls for it.
or at least cut all their fingers off, then shove them up their …
What was the flaw that led to only the Cosmos bank card details to leak?
“that criminals had breached an unknown payment provider’s network with malware to access bank customer card information”
The ATM is not the weak link here. It’s the card, it’s always the card. The ATM is only the repository of the cash.
It’s big money; besides luxury cars and fancy holidays, how else do criminals spend their money?? On drugs and hookers?
In 90% of cases law enforcement takes the money away from criminals.
I wish they would release technical details. I really want to know exactly what happened and if it was preventable.
They hacked a router or switch which sits between the ATMs and the local small bank, bypassed it and so gave OK to every transaction. They most probably didn’t have physical access.
It literally says “that criminals had breached an unknown payment provider’s network with malware to access bank customer card information”. Nowhere did the article point out that an ATM router/switch was hacked (and how would that even be coordinated across 28 countries)?
The crooks use malware to access a system, get card details, make counterfeit cards, then up the card limits, and coordinate a mass ATM withdrawal effort using the counterfeit cards….
“The FBI expects the ubiquity of this activity to continue or possibly increase …” Grammar Nazi hates excessive or incorrect use of buzzwords. “Ubiquity” means present everywhere. You cannot increase everywhere.
On Sept 5th, I had a conversation with a local branch manager of a regional bank (US) who expressed concern about a major attack coming. Not sure if she was referring to this older post by Brian or whether something else is in the wind. Brian, are there any later updates to this subject?