FBI Issues ATM "Cash Out" Warning
The FBI has issued a warning of an imminent "cash out" attacks against ATMs in the U.S. The wording of the alert, along with past history of "cash out" attacks, indicates this threat is primarily focused on FI/Bank ATM providers, not retail ATM ISOs/IADs. However, NAC is still awaiting specific feedback from the FBI on whether/to what extent this threat extends to Independent ATM providers' terminals. As such, for now caution and a watchful eye are appropriate. Retail ATM operators/merchants with larger ATM fleets and/or a degree of networking of their terminals, similar to FI ATM system architecture, should be especially vigilant during this time.
The so called "cash out" attacks involve use of large numbers of compromised/stolen/cloned debit cards to fraudulently withdraw large sums of cash from ATMs in a coordinated/widespread manner. Prior large scale such attacks have involved significant numbers of simultaneous fraudulent withdrawals at numerous geographically disbursed bank ATMs - netting a large sum in a single massive hit. To the extent there is a large-scale plan underway to hit ATMs in the U.S. with a similar strategy - and that plan possibly includes Independent/Retail ATMs - this should be on everyone's radar, especially for those ATM owners/operators with non-EMV terminals where the ATM owner bears the risk for fraud. Again, NAC has reached out to law enforcement for clarification on whether this alert advisement is limited to bank ATMs or also includes Independent/Retail ATMs.
We will provide updates as they become available. In the interim, caution is advised. We would encourage all ATM deployers to inform their premise owners/staff of this threat and to maintain a heightened level of awareness for any suspicious activity in the coming weeks. Suspicious behavior would include customers seen using multiple cards in rapid succession.
This type of heightened threat provides another reason to complete your EMV upgrades and make sure your terminals are properly handling EMV transactions - to protect yourself from chargeback liability in the event the expected crime wave should turn out to include the U.S. retail ATM base.