It’s been raining retailer data breaches for quite some time now. Almost every month since December 2013, we’ve witnessed at least one retailer publicly admitting to a cyberassault that compromised the credit or debit card information of its consumers.
- December 18, 2013: Target admitted that hackers infested its payment management systems with malware and stole payment card details of nearly 40 million shoppers.
- January 10, 2014: Neiman Marcus announced that it’s been a victim of a card data breach.
- February 3, 2014: White Lodging, a hotel franchise firm, declared that it is investigating card data breach incidents at some of the hotels it managed (including Marriott and Sheraton).
- March 17, 2014: Cosmetics retailer Sally Beauty admitted to a payment card data breach.
- April 15, 2014: Hardware retailer LaCie acknowledged a yearlong card data breach.
- April 17, 2014: Michaels, the arts and crafts retailer, confirmed that it could have been a card data breach victim.
- May 23, 2014: eBay announced that its website got hacked, which exposed the personal information of its consumers.
- June 10, 2014: Nationwide restaurant chain P.F. Chang's China Bistro declared that cyberassaults on some of its restaurants might have compromised customer payment card data.
The data breaches that have dominated the financial hacking weather will soon be joined by a new cyberscam. Now, the threat forecast is cloudy with a chance of fraudulent ATM cash-outs.
Recently, the Federal Financial Institutions Examination Council (FFIEC) warned banks all over the US of possible malware attacks, whereby cyber criminals can potentially hack into their Web-based ATM management software, increase or remove cash withdrawal limits, and make the ATMs spew wads of cash.
In its advisory to the banks, the FFIEC describes the modus operandi of the cyber criminals:
- Break into the banks’ IT networks and deploy malware. The FFIEC surmises that hackers might employ email phishing techniques to trick bank employees into installing malware in their banks’ networks.
- Monitor the network and steal credentials that can edit settings in ATM control panels. As soon as the malware is installed, it begins to monitor the network clandestinely to check how ATMs are managed and by whom. Then, using the malware, the crooks try to steal the login credentials of bank employees who have access to and control over ATM management software, where settings such as customers’ daily cash withdrawal limits are stored and managed.
- Change cash withdrawal settings on ATM control panels. Using the compromised user credentials, the hackers gain access to the ATM control panels and conveniently increase or remove the daily cash withdrawal limits.
- Use fake debit cards to steal cash from ATMs. Using the bank account or debit card details pilfered in other scams -- like the retailer data breaches mentioned above -- the hackers create fake ATM cards and use them to withdraw money.
If the hackers accomplish this, then a targeted bank’s ATMs are at their disposal, ready to disburse the amount that they wish to withdraw. The FFIEC cites an incident where a bank was robbed of $40 million using just 12 debit cards!
No stocking-masked hoodlums breaking in. No guns pointed at the teller. No car chases. No struggle whatsoever. Yet, the money is gone. That’s new-age robbery.
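The limit-change step in the FFIEC scenario is where the attack shows up in the bank's own records, so it is a natural place to alert. The Python below is an added example, not code from the FFIEC advisory or from this article; it pairs removed or sharply raised withdrawal limits with the withdrawals that follow on the same card. The event fields, card IDs, admin names, thresholds and sample records are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample audit events. Field names are assumptions for this example,
# not the export format of any real ATM management product.
EVENTS = [
    {"ts": "2014-06-01T02:10:00", "type": "limit_change", "admin": "jdoe",
     "card": "C-1001", "old": 500, "new": None},          # limit removed
    {"ts": "2014-06-01T02:25:00", "type": "withdrawal", "card": "C-1001", "amount": 20000},
    {"ts": "2014-06-01T03:05:00", "type": "withdrawal", "card": "C-1001", "amount": 15000},
    {"ts": "2014-06-01T09:00:00", "type": "limit_change", "admin": "asmith",
     "card": "C-2002", "old": 500, "new": 800},           # ordinary raise
    {"ts": "2014-06-01T09:30:00", "type": "withdrawal", "card": "C-2002", "amount": 700},
    {"ts": "2014-06-01T10:00:00", "type": "limit_change", "admin": "jdoe",
     "card": "C-3003", "old": 500, "new": 50000},         # 100x raise, not yet used
]

def is_risky_change(ev, ratio):
    """A limit that is removed (None) or multiplied by `ratio` or more."""
    return ev["new"] is None or ev["new"] >= ratio * ev["old"]

def find_cashout_alerts(events, ratio=5, window=timedelta(hours=24)):
    """Pair each risky limit change with withdrawals on the same card that follow
    it inside `window`, and report whether they exceed the previous limit."""
    parsed = sorted(({**e, "ts": datetime.fromisoformat(e["ts"])} for e in events),
                    key=lambda e: e["ts"])
    alerts = []
    for change in (e for e in parsed if e["type"] == "limit_change"):
        if not is_risky_change(change, ratio):
            continue
        total = sum(e["amount"] for e in parsed
                    if e["type"] == "withdrawal" and e["card"] == change["card"]
                    and change["ts"] <= e["ts"] <= change["ts"] + window)
        alerts.append({
            "card": change["card"], "admin": change["admin"],
            "old_limit": change["old"], "new_limit": change["new"],
            "withdrawn": total,
            # "critical" once cash beyond the old limit has actually left the ATM
            "severity": "critical" if total > change["old"] else "review",
        })
    return alerts

if __name__ == "__main__":
    for alert in find_cashout_alerts(EVENTS):
        print(alert)
```

A "review" alert fires on the limit change alone, before any cash is withdrawn, which gives the bank time to confirm the change with the named administrator.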
Luckily, the ATM attacks identified by the FFIEC are not a completely new or unknown class of threat. Essentially, this is yet another advanced persistent threat (APT) attack similar to those that afflicted retailers recently. Those earlier hacking incidents can help us counter this new ATM threat by teaching us valuable lessons about:
- How meticulously hackers plan the attacks, including their selection of targets
- The extensive research that hackers do about their targets’ IT infrastructure
- The relentless persistence of the hackers to get what they want
- Hackers’ improvisational skills in finding alternate routes to their prize
- How all attack strategies center on privileged accounts
- How hackers prey on our mistakes and negligence
In future blogs, we’ll analyze recent APT attacks and build a combat strategy drawing from the retail industry’s bitter experiences with such attacks.
Prasanna Kumar Singh is a marketing analyst for ManageEngine, the real-time IT management company. For more information on ManageEngine, a division of Zoho Corp., please visit www.manageengine.com; follow the company blog at http://blogs.manageengine.com; on Facebook at ...