The Federal Bureau of Investigation (FBI) is warning banks that cybercriminals are preparing to carry out a highly choreographed, global fraud scheme known as an “ATM Cash-Out,” in which they hack a bank or payment card processor and use cloned cards at cash machines around the world to fraudulently withdraw millions of dollars in just a few hours.
This type of attack is not new!
*** We have seen this type of attack before; your ATM is NOT doing anything wrong, it is an attack against the host processor and/or the bank, NOT the ATM. ***
Organized cybercrime gangs that coordinate ‘Cash Out’ attacks typically do so by hacking or phishing their way into a bank or payment card processor. Just prior to executing an ATM ‘Cash Out’, the intruders will remove many fraud controls at the financial institution, such as maximum ATM withdrawal amounts and any limits on the number of customer ATM transactions daily. The perpetrators also alter account balances and security measures to make an unlimited amount of money available at the time of the transactions, allowing for large amounts of cash to be quickly removed from the ATM. These cyber criminals typically create fraudulent copies of legitimate cards by sending stolen card data to co-conspirators who imprint the data on reusable magnetic strip cards, such as gift cards purchased at retail stores, states FBI sources; “At a pre-determined time, the co-conspirators withdraw account funds from ATMs using these cards”.
What can I do to protect myself?
- If you are not EMV upgraded, you're potentially more susceptible to this attack. The money mules may seek out non-EMV ATMs in an effort to maximize their success.
- Even if you are upgraded, there is a cause for concern. There have been fraudulent attacks where cybercriminals will use an EMV card with a bad chip to force a fallback transaction. The latest versions of software from GENMEGA and Hyosung, available at www.atmpartner.com; allow you to disable fallback at the ATM. Enabling this feature could possibly safeguard the operator from fraudulent losses.
There has recently been a lot of discussion in the industry surrounding the discontinuation of SSL and early TLS protocols. Basically, security and encryption upgrades set forth by the PCI Security Standards Council are requiring the use of TLS version 1.2 on all ATM transactions moving forward.
WHAT IS REALLY GOING TO HAPPEN?
If your ATM is using SSL or early TLS versions as of the effective discontinuation dates, your ATM will no longer complete any transactions. For some processors, this may have already happened.
HOW DO I KNOW IF I NEED TO UPDATE MY ATM?
We would like to take an opportunity here to give you some direction if you are unsure if your ATMs will go dark:
Wireless - If your ATM is communicating via our Wireless ATM Store wireless device AND your ATM is programmed per our recommended settings, you have nothing to worry about. We sent out updates to all of our devices months ago making sure they are TLS 1.2 compliant.
TCP/IP (Local Internet) - If you process with ATM Partner, you should have received numerous notifications about the status of your ATMs. If you process elsewhere, please reach out to your processor to find out if your ATMs need to be updated.
Phone Line - Does not apply
EMV compliance is an issue that seemingly never ends, even after you upgrade. Simply updating your ATM with an EMV card reader may not keep the networks from reaching into your pocket. Are you aware that EMV ATM card readers need to be cleaned more regularly than mag-stripe card readers? EMV card readers contain landing pins that the card chip engages with, and these should be cleaned on a weekly basis. Did you also know that a dirty EMV reader can lead to EMV card transactions being converted to a FALLBACK transaction? Fallback Transactions are those transactions where an EMV chip card is used at an EMV enabled ATM and the ATM failed to read the card using the chip data. Along with a few other possible factors, a dirty reader is often the cause.
Several ATM networks have intimated that they will be issuing a PER TRANSACTION fine PER TERMINAL for any EMV ready terminal that exceeds said networks threshold for excessive fallback transactions. To avoid fines and fees, ATM Partner is dedicated to helping you make EMV migration a smooth and simple process. ATM Partner offers EMV card readers, EMV card reader cleaners, and the most current version of manufacturer’s software and AID lists to keep you compliant with network requirements. Cleaning your EMV reader regularly, along with keeping ATM software and AID list up to date will lower maintenance costs tied to EMV and save you time and money.
Meta has confirmed with the State of Illinois that effective June 30, 2017, the requirement for non-bank ATM owners to register terminals with the Illinois Department of Financial and Professional Regulation, Division of Banking has been repealed.
If you remember, Meta negotiated with the State of IL to provide quarterly reporting to the state of every Meta-deployed terminal in the State of Illinois. Meta’s reporting was in lieu of each ISO submitting terminal registrations to the state. Beginning with 2Q 2017, Meta has been advised by the State this reporting is no longer required.
Updates to Illinois H.B. 1783 do require each terminal deployed in the State of Illinois to display a sticker on the terminal containing the Department of Financial and Professional Regulation telephone number. That number is 217-785-2900.
Meta suggests ISOs with terminals deployed in the State of Illinois have a small sticker created with the Department phone number that is affixed to the terminal near the network-required Operational Problems or Suspicious Activity and network logos signage.
As every U.S. ATM operator should know by now, the deadlines for EMV compliance are quickly approaching. The date for MASTERCARD EMV compliance is October 2016, while VISA, along with any remaining networks not included in 2016 deadline; require EMV compliance by October 2017. These dates are set in stone so do not expect any delays or extensions. Doing so will only put you at further risk for monetary loss due to liability shift. Research worldwide has shown that non-EMV terminals are more susceptible to fraudulent transactions from both individuals and organized groups once liability is placed squarely on the ATM operator. The time to act is now if you want to avoid loss of funds due to fraudulent claims, potential fines or fees networks may charge for non-compliance.
In order to be compliant with EMV regulations, all ATMs will require an EMV card reader, as well as the latest version of manufacturer software. ATM Partner carries a variety of EMV kits along with the latest manufacturer software for upgrading your ATM. Depending on the age and ATM type, upgrading the reader may not be possible, and new equipment is the only option. As an ATM Partner, you have the ability to purchase an EMV ready terminal to assure compliance with new requirements. With EMV migration deadlines looming, and with criminals always looking for an easy target, ATM Partner encourages you to act now so that your money remains your money.