By the tone of its joint statement released last month, the Federal Financial Institutions Examination Council (FFIEC) makes it clear that so-called Unlimited Operations cyber fraud attacks on ATM networks may be inevitable for financial institutions if they do not act—quickly. It expressed particular concern about small- and medium-sized financial institutions, those which can least afford the large-dollar losses and high risks associated with this fraud scheme. Whether an attack is inevitable at your institution is largely dependent upon how it reacts and responds to the FFIEC’s warning and advice. Arming your institution, its board, and its employees with information, and implementing some sophisticated cyber savvy of your own, will do far more than help your institution brace for an attack. It will help you fight back.
The Genesis of Unlimited Operations
The April 2 FFIEC press release garnered headlines for the Unlimited Operations scheme, but it wasn’t the first. One year ago this month, the United States Attorney’s Office for the Eastern District of New York announced it had indicted eight members of an international cybercrime organization for its part in perpetrating a $45 million global ATM heist. The scheme used for pulling off the heist was dubbed Unlimited Operations, and was described as follows: the cybercriminals hacked into the financial institution systems, stole prepaid debit card data and removed their withdrawal limits, after which cashers fanned out to withdraw money, basically at will, with the stolen cards. Shockingly, the New York-based group withdrew $2.8 million from New York City ATMs in just a few hours.
In its press release about the indictment, the Justice Department identified three ominous characteristics of the Unlimited Operations scheme:
- The hackers’ surgical precision in carrying out cyberattacks
- The global nature of the cybercrime organization
- The speed and coordination with which the organization executes its operations on the ground.[i]
A Quickly Evolving Fraud Scheme
Those three characteristics ascribed to Unlimited Operations still hold true today; however, there is a new twist. The May 2013 indictment spoke of sophisticated intrusion techniques being used for the hacking portion of the scheme, news that obviously put financial institution information security personnel on alert. If there is one thing we know for certain about cybercriminals, it is their willingness and ability to adapt to the current environment. Block one entry, and they will seek another.
Enter the current iteration of Unlimited Operations. Finding the entry points used by earlier intrusion techniques harder to get through, the cybercriminals sought another less sophisticated, but no less effective, means of initial access: financial institution employees. This isn’t about employee embezzlement or insider crime. It’s about financial institution employees inadvertently helping the cybercriminals gain access to systems when they respond to social engineering tactics.
In the case of Unlimited Operations, the criminals have evolved the scheme to begin with phishing, a tactic where emails—appearing to be from an authentic and legitimate source—contain malicious software, better known as malware, that is activated when the employee opens a link or attachment within the phony email. The FFIEC describes the broad and concerning consequences of this tactic in explicit detail: “once installed, criminals use the malware to monitor the institution’s network to determine how the institution accesses ATM control panels and obtain employee login credentials. These control panels, often web-based, manage the amount of money customers may withdraw within a set time frame, the geographic limitations of withdrawals, the types and frequency of fraud reports that its service provider sends to the financial institution, the designated employee that receives these reports, and other management functions related to card security and internal controls.”[ii]
Just one such successful phishing email can provide the cybercriminals with the keys to the kingdom, because it gives them far more capability to remove withdrawal limits than the techniques used in the 2013 New York case provided. In response to the FFIEC’s April statement, ATM Marketplace warned of the exponential impact of this evolution by discussing how it makes Unlimited Operations more lethal than the methods referenced in the May 2013 indictment. “In this notorious case, cashers were still subject to ATM limits. It took hundreds of thousands of cards and more than 4,500 individual transactions to steal $45 million. As today’s statement made clear, the removal of ATM withdrawal limits dramatically reduces the number of counterfeit cards and transactions and exponentially escalates the danger to financial institutions, whose ATMs can be emptied with as little as a single transaction.”[iii]
According to the FFIEC’s statement, one such successful phishing scheme has already been observed. It yielded an almost unbelievable $40 million for the cybercriminals, who needed only 12 debit cards to carry out the heist, thanks to the manipulation of ATM control panels and the subsequent removal of withdrawal limits that the phishing made possible.
Regulators Take a Stand
The FFIEC, which speaks for all of its member agencies—the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC) and the Consumer Financial Protection Bureau (CFPB)—gets straight to the point. Unlimited Operations poses a serious threat to financial institutions, small- and medium-sized in particular, that could result in significant dollar losses. Those losses could then severely affect an institution’s operations, liquidity and capital positions, and of course, its reputation.
In order to avoid this risk, the FFIEC’s joint statement indicated that it “expects financial institutions to take steps to address this threat by reviewing the adequacy of their controls over Information Technology networks, card issue authorization systems, systems that manage ATM parameters, and fraud detection and response processes.”[ii]
The FFIEC goes on to provide its prescribed risk mitigation measures as outlined within its IT Examination Handbooks, specifically the booklets on Information Security, Outsourcing Technology Services and Retail Payment Systems. These mitigation measures fall into seven categories:
- Routine and ongoing information security risk assessments
- Security monitoring, prevention and mitigation
- Protection against unauthorized access
- Implementation and routine testing of controls for critical systems
- Information security awareness and training programs
- Testing of incident response plans
- Information sharing within the industry
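The FFIEC’s call to review controls over systems that manage ATM parameters and over fraud detection and response processes translates into concrete monitoring. The following is an added example, not code from the article, the FFIEC or any vendor, showing two defender-side checks in Python over constructed sample logs: control-panel audit events (a withdrawal limit removed or sharply raised, or the fraud-report recipient changed, especially outside business hours) and ATM withdrawal transactions (per-card totals in a short window exceeding the limit the institution believes is in force, or withdrawals spanning many countries). Field names, thresholds and log layouts are assumptions; real control-panel and switch logs differ by vendor and would be mapped into this shape first.

```python
"""Defender-side checks for the ATM cash-out pattern, over constructed logs.

Check 1 watches the control panel itself: the scheme works by removing
withdrawal limits and redirecting fraud reports, so those changes are the
earliest signal an institution can alert on.
Check 2 watches withdrawals: once limits are bypassed, a single card drains
more than its configured limit, often from many countries in minutes.
"""
from collections import defaultdict
from datetime import datetime, timedelta

UNLIMITED = None  # how the constructed panel log represents "no limit"

# Constructed control-panel audit events (hypothetical field names).
PANEL_AUDIT = [
    {"ts": "2014-04-01T02:11:00", "user": "ops_jdoe", "card": "PREPAID-0001",
     "param": "daily_withdrawal_limit", "old": 500, "new": UNLIMITED},
    {"ts": "2014-04-01T02:12:30", "user": "ops_jdoe", "card": "*",
     "param": "fraud_report_recipient",
     "old": "fraud-team@bank.example", "new": "external@mailbox.example"},
    {"ts": "2014-03-28T10:00:00", "user": "ops_msmith", "card": "PREPAID-0002",
     "param": "daily_withdrawal_limit", "old": 500, "new": 750},
]

# Limits the institution believes are in force, per card (constructed).
EXPECTED_LIMITS = {"PREPAID-0001": 500, "PREPAID-0002": 750}

# Constructed ATM withdrawals: (timestamp, card, amount, country).
WITHDRAWALS = [
    ("2014-04-01T03:00:00", "PREPAID-0001", 400, "US"),
    ("2014-04-01T03:04:00", "PREPAID-0001", 400, "US"),
    ("2014-04-01T03:05:00", "PREPAID-0001", 400, "JP"),
    ("2014-04-01T03:07:00", "PREPAID-0001", 400, "GB"),
    ("2014-04-01T03:09:00", "PREPAID-0001", 400, "DE"),
    ("2014-03-28T12:00:00", "PREPAID-0002", 200, "US"),
    ("2014-03-29T12:00:00", "PREPAID-0002", 200, "US"),
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def limit_change_alerts(events, max_raise_ratio=2.0, business_hours=(8, 18)):
    """Flag control-panel changes that match the cash-out setup."""
    alerts = []
    for ev in events:
        reasons = []
        if ev["param"] == "daily_withdrawal_limit":
            if ev["new"] is UNLIMITED:
                reasons.append("limit removed")
            elif ev["old"] and ev["new"] / ev["old"] > max_raise_ratio:
                reasons.append("limit raised more than %.0fx" % max_raise_ratio)
        elif ev["param"] == "fraud_report_recipient":
            reasons.append("fraud report recipient changed")
        # An already-suspicious change made off-hours deserves extra weight.
        hour = _parse(ev["ts"]).hour
        if reasons and not (business_hours[0] <= hour < business_hours[1]):
            reasons.append("outside business hours")
        if reasons:
            alerts.append({"ts": ev["ts"], "user": ev["user"],
                           "card": ev["card"], "reasons": reasons})
    return alerts


def velocity_alerts(txns, expected_limits, window=timedelta(minutes=30),
                    max_countries=2):
    """Flag cards whose withdrawals in any sliding window exceed the limit the
    institution believes is in force, or span too many countries."""
    by_card = defaultdict(list)
    for ts, card, amount, country in sorted(txns):
        by_card[card].append((_parse(ts), amount, country))
    alerts = []
    for card, rows in by_card.items():
        limit = expected_limits.get(card)
        worst_total, reasons, start = 0, set(), 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:  # slide the window
                start += 1
            chunk = rows[start:end + 1]
            total = sum(a for _, a, _ in chunk)
            countries = {c for _, _, c in chunk}
            worst_total = max(worst_total, total)
            if limit is not None and total > limit:
                reasons.add("window total exceeds expected limit %d" % limit)
            if len(countries) > max_countries:
                reasons.add("withdrawals span more than %d countries" % max_countries)
        if reasons:
            alerts.append({"card": card, "worst_window_total": worst_total,
                           "reasons": sorted(reasons)})
    return alerts


if __name__ == "__main__":
    for a in limit_change_alerts(PANEL_AUDIT) + velocity_alerts(WITHDRAWALS, EXPECTED_LIMITS):
        print(a)
```

The second check compares withdrawals against the limit the institution expects to be in force, not against whatever the control panel currently says, which is the point: if the panel has been manipulated, the panel's own limit is no longer a trustworthy reference, and the discrepancy is the signal.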
The Antidote to Unlimited Operations
The dire tone of the FFIEC’s joint statement has left many financial institutions scrambling to figure out the best way to thwart Unlimited Operations attacks before they become a target. Scrambling, however, is unnecessary. Since the latest twist on this scheme starts with phishing, your institution’s defenses should start there too. Fortunately, there is a relatively quick and extremely effective antidote to the phishing associated with Unlimited Operations: the one-two punch of advanced social engineering testing and internal penetration testing. The former helps financial institutions determine their vulnerabilities related to the human elements that make phishing successful, while the latter helps determine the consequent impact to systems once those human elements have yielded an entryway.
For those unfamiliar with advanced social engineering testing or internal penetration testing, consider the following:
- Advanced Social Engineering Testing: With the institution’s permission, a third-party consultant conducts thorough reconnaissance on the organization and its employees, then performs a safe yet precise strike that mimics the latest social engineering techniques used by cybercriminals to gain access to systems. Leveraging the access and information gained during recon and exploitation, the consultant performs such post-exploitation activities as acquiring administrative access for the entire network and compromising additional sensitive systems, so the full impact is shown. As recommended by the FFIEC, this method goes well beyond gathering statistics on clicks and downloads.
- Internal Penetration Testing: Again with permission, and without any interruption to day-to-day operations or systems, a third-party consultant simulates the activity of an attacker on an institution’s internal network and attempts to gain privileged access to sensitive systems. The results of the test provide insight into the attack chains and sequences necessary for a real-world attack’s success so they can be detected by the organization.
Fighting the Inevitable
Is it inevitable that another financial institution will be hit by Unlimited Operations? Most likely, yes. Does it have to be your institution? Absolutely not! But to ensure your ability to fight back, your institution must be even more willing and able to adapt to the current environment than are the cybercriminals. In other words, it has to acquire some cyber savvy of its own. The best way to fend off Unlimited Operations and other types of cyberattacks is allowing a trusted source to conduct the exercises necessary to determine your potential vulnerabilities. Implementing such testing also proves to regulators that your institution is determined not to be the next victim.
[i] http://www.justice.gov/usao/nye/pr/2013/2013may09.html; The United States Attorney’s Office, Eastern District of New York; Press Release, Eight Members of New York Cell of Cybercrime Organization Indicted in $45 Million Cybercrime Campaign; May 9, 2013.
[ii] https://www.ffiec.gov/press/PDF/FFIEC%20ATM%20Cash-Out%20Statement.pdf; FFIEC Joint Statement, Cyber-attacks on Financial Institutions’ ATM and Card Authorization Systems; April 2, 2014.
[iii] http://www.atmmarketplace.com/article/230491/ATM-Networks-at-risk-of-cyber-attack-FFIEC-warns; ATM Marketplace; ATM Networks at Risk of Cyber Attack, FFIEC Warns; by Suzanne Cluckey; April 3, 2014.