Banks warned over ATM sting targeting savings

Banks are on alert for a co-ordinated cyber attack plan to target their ATMs.


The Federal Bureau of Investigation (FBI) has told banks around the world to prepare for an “ATM cash-out” sting that could see millions stolen from savings accounts in a matter of hours.

A spokesman for the Australian Banking Association (ABA) confirmed to YourLifeChoices that local banks had also been made aware of the FBI warning.

“Members of the ABA take cyber security very seriously and have dedicated significant resources to the constant protection of both IT infrastructure and the private data of customers,” an ABA spokesman said.

“Banks always encourage customers to be vigilant about protecting their personal and financial data and should they have any concern they should immediately contact their bank who will be able to assist.”

YourLifeChoices has approached the Australian Federal Police for comment.

Meanwhile, CBS News quoted respected security blog Krebs on Security saying the FBI was flagging a highly co-ordinated sting using fake credit cards to withdraw money from smaller banks and financial institutions, whose cyber security was not up to scratch.

The site reports that the agency shared a confidential alert with banks privately on Friday, which read: “The FBI has obtained unspecified reporting indicating cyber criminals are planning to conduct a global Automated Teller Machine (ATM) cash-out scheme in coming days, likely associated with an unknown card issuer breach and commonly referred to as an ‘unlimited operation’.”

“Historic compromises have included small-to-medium size financial institutions, likely due to less robust implementation of cyber security controls, budgets or third-party vendor vulnerabilities,” the alert continues. “The FBI expects the ubiquity of this activity to continue or possibly increase in the near future.”

The agency said the heist would compromise financial institutions or payment card processors with malware to access bank customer card information and exploit network access, enabling large-scale theft of funds from ATMs.

Krebs on Security said that the cyber criminals would remove fraud controls at the financial institution, such as maximum ATM withdrawal amounts and any limits on the number of customer ATM transactions daily, just before launching a massive withdrawal.

The perpetrators would also alter account balances and security measures to make an unlimited amount of money available at the time of the transactions, allowing for large amounts of cash to be quickly removed from the ATM, the site said.

“The cyber criminals typically create fraudulent copies of legitimate cards by sending stolen card data to co-conspirators who imprint the data on reusable magnetic strip cards, such as gift cards purchased at retail stores,” the FBI warned. “At a pre-determined time, the co-conspirators withdraw account funds from ATMs using these cards.”

To counter future threats of cyber theft, the FBI has advised banks to:

  • implement strong password requirements and two-factor authentication using a physical or digital token
  • implement separation of duties or dual authentication procedures for account balance or withdrawal increases above a specified threshold
  • monitor, audit and limit administrator and business critical accounts with the authority to modify the account attributes
  • monitor for the presence of remote network protocols and administrative tools used to pivot back into the network and conduct post-exploitation of a network
  • monitor for encrypted traffic (SSL or TLS) travelling over non-standard ports.
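
As an added illustration (not part of the FBI alert or the original article), the Python below shows how the second and third recommendations could be checked against an audit log of account-attribute changes: it flags increases above a threshold that lack an independent second approver, and administrators who make a burst of changes in a short window. The log format, account and user names, threshold and window are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 1000                      # assumed: larger increases need a second approver
BURST_COUNT = 3                       # assumed: this many changes by one admin ...
BURST_WINDOW = timedelta(minutes=10)  # ... inside this window is flagged

# Constructed audit log: time,admin,account,field,old,new,approver
SAMPLE_LOG = """\
2018-08-10T22:01:05,ops_anna,ACC-1001,atm_daily_limit,1000,1500,
2018-08-10T22:03:10,ops_raj,ACC-1002,atm_daily_limit,1000,5000,ops_anna
2018-08-11T01:14:00,svc_batch,ACC-2001,atm_daily_limit,1000,500000,
2018-08-11T01:14:20,svc_batch,ACC-2002,balance,250,900000,svc_batch
2018-08-11T01:15:02,svc_batch,ACC-2003,atm_daily_limit,1000,500000,
"""

def parse(log_text):
    """Turn each CSV line into a dict with typed fields."""
    events = []
    for line in log_text.strip().splitlines():
        ts, admin, account, field, old, new, approver = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "admin": admin,
                       "account": account, "field": field,
                       "old": int(old), "new": int(new), "approver": approver})
    return events

def dual_control_violations(events, threshold=THRESHOLD):
    """Increases above the threshold with no approver, or self-approved."""
    return [e for e in events
            if e["new"] - e["old"] > threshold
            and e["approver"] in ("", e["admin"])]

def burst_admins(events, count=BURST_COUNT, window=BURST_WINDOW):
    """Admins who changed `count` or more account attributes within `window`."""
    times_by_admin = defaultdict(list)
    for e in events:
        times_by_admin[e["admin"]].append(e["ts"])
    flagged = set()
    for admin, times in times_by_admin.items():
        times.sort()
        for i in range(len(times) - count + 1):
            if times[i + count - 1] - times[i] <= window:
                flagged.add(admin)
    return flagged

if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    for e in dual_control_violations(events):
        print("no second approver:", e["account"], e["field"], e["old"], "->", e["new"])
    print("burst of changes by:", sorted(burst_admins(events)))
```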

Do you believe your savings accounts are secure? Have your cards ever been subject to fraudulent purchases or withdrawals? If so, what was the outcome? Do you have any tips on how banks could better safeguard your savings?



    16th Aug 2018
    Australian banks have for years refused to implement 2 factor authentication despite this being an extremely cheap way to ensure integrity and keep the crooks out. My bank, a smaller regional player, did this a couple of years ago and we are happy to have this system despite it requiring more time to log on. Our overseas bank, a major, also has a card with a grid of 7 letters across and 10 digits down with users required to enter 3 characters from the card. Pretty well foolproof. Just don't ask our banks to do something so simple. They are more than happy to allow customers to be defrauded and then pass the pain and costs onto them.
    I bet this was never given to the RC into banks!
    16th Aug 2018
    Banks don't pass on the costs to consumers, they always refund the money and if they don't get it back from the fraudster it's a cost to them. They allow for that each year in their balance sheets.
    16th Aug 2018
    Yes Greg, banks are required by law to refund any fraudulent withdrawals immediately.

    MICK, you have got it wrong. Facts trump fiction every time.
    16th Aug 2018
    Hey Old Man, MICK knows everything about everything, did you not know?
    16th Aug 2018
    Judging by what’s coming out of the Royal Commission banks are far more likely to steal our money than cyber scams.
    16th Aug 2018
    One of the problems with this issue is the difficulty knowing where to go to ask for assistance if you think you've been scammed. I have accounts with two of the big four banks and there's nothing on their logon screens which tells me what to do if I think I've been scammed. When I searched in the website I still could not find a phone number or email address where I can report that I think I have been scammed. I don't even know what I should search for.
    16th Aug 2018
    V1K1 why is that a problem? A bit of common sense would suggest to most people that an unauthorised withdrawal from your account would dictate you contact your bank first.

    It cannot be reported as a scam until you have verified whether the transaction was authorised by you or other signatory to the account.

    Once that has been ascertained it would be referred to the bank's legal department for investigation and you would then be free to go to the police and/or the ACCC report a scam portal.

    The real problem is that people do not check their accounts regularly or in detail so don't notice transactions they didn't make.
    16th Aug 2018
    KSS. That's the problem I'm talking about "contact your bank". I can't find the phone number or email address to contact my bank on their website.

    I check my bank balances every morning and reconcile my cash and credit balance every morning. The problem is that if I see a discrepancy there is no phone number or email address that I can find easily to report the discrepancy. I can't find a contact on the login page or balance of transaction pages. I tried a couple of different search phrases in the search bar and none of them understood what I was asking.

    They should provide an easy to find phone number or email address on their main screen that you can use to report a discrepancy in your account.
    16th Aug 2018
    You just start at the usual 13 or 1300 number and go from there. Those numbers are usually quite prominent on websites and also bank statements.
    16th Aug 2018
    You can't find the phone number??? Come on, if you're able to access online banking surely you have the ability to find the phone number.

    Which bank is it?
    16th Aug 2018
    Commonwealth and Westpac
    16th Aug 2018
    Go in a different way, V1K1. I just googled both those banks and there are “contact us” for both of them.
    16th Aug 2018
    Thanks Triss.
    16th Aug 2018
    V1K1 Wowowowowo better get a passbook he he he he and go to the counter to withdraw .... I do not use the ATM unless it is absolutely necessary. I go to the counter and manage my transactions ..... just get the money you need for the weekend on Friday, then no worries.

    Use the ATM on extreme emergencies worries then
    16th Aug 2018
    As long as we have paywave we can be fleeced to the tune of $1000 a day.
    Start there!
    16th Aug 2018
    Why $1000 a day?
    16th Aug 2018
    $100 max a withdrawal, max daily withdrawal $1000. That is it Greg.
    16th Aug 2018
    That's bank dependent - my bank allows you to go to $2000 per day.
    16th Aug 2018
    I'm not concerned about fraudulent activity - my banks have reasonable security measures in place.
    I had three transactions on my MasterCard years ago that the bank contacted me that day (within minutes of the transactions) which were frauds. That was on a Monday, on the Wednesday the bank had refunded my account with the full amount and new cards received on the Thursday.
    This is the world we live in now, it's not like people never stole money before, they just did it in different ways.
    16th Aug 2018
    I had an overseas account when I worked in UK and decided to leave some money for any subsequent return. Some years ago, I noticed approximately £200 used. I had not touched it, trying to contact HSBC using overseas phone which was expensive then and waiting for a long time several times.
    I suspect that a renewed card had been intercepted. Their security was pathetic not noticing my signature was completely different to what was used.
    I am out of pocket.
    It was pointless going to HSBC Sydney as they don't talk to HSBC UK.
    16th Aug 2018
    In your situation have a new card sent to your bank here or do get a post office box. Every week walking down the road I see letters sticking out of street letter boxes ready for anyone to pick up. I know it costs about $120 a year to have a box, possibly more in a capital city but believe me it is worth the dough. Problem is also that banks want to send the stuff to a street address, so you might have to get a divert in place as well and guess what - more costs.
    16th Aug 2018
    For at least 6 months I have been getting my money over the counter to avoid any extra charges. Especially if you are overseas, do not use the ATMs; get your money over the counter and save local fees and any chance of someone getting your passwords.
    16th Aug 2018
    How do you get the money over the counter overseas with an ordinary account? You cannot avoid charges really but then you can teach us all something.
    16th Aug 2018
    I haven't paid any bank account fees for 37 years - winning!
    16th Aug 2018
    Cowboy Jim .... It all depends on the country you are in. For example, in Vietnam I go to the counter and there are no local fees, just normal exchange rates like anywhere else; same in Bali and Thailand, but not in China.

    And if you are in Spain you can also get train tickets with your Australian pension card at their pensioners rates and also do not pay any fees on the bank counter just the normal exchange rates charges.

    So is question to try and research the banks I use local small branches in Thailand, Bali and Vietnam when I am around there
    17th Aug 2018
    Thanks Aussie. Interesting about Spain and the train discounts.
    I've never had trouble in Asia either even with money changers in the streets back in the 80s.
    16th Aug 2018
    Well well, the fans have just hit many soft objects!
    Sadly all the cyber warnings by experts for the last 15 years have been studiously ignored by governments around the world, who on the whole are much keener on whole population surveillance (in the guise of providing security. Ha!) than providing us with good secure computers and computer networks.
    So dear people do keep your eyes on your bank accounts but not more often than every few days in case your frequent opening of your accounts provides even more access to your details by cyber criminals.
    Send a long rant to the PM and your MP and especially to your bank(s) if you are hit by this.

    16th Aug 2018
    Australian banks have done a very good job preventing hacking

    Where fraud is perpetrated on customers, the banks are all quick to refund customers the full amount.

    Our banks have invested heavily in software to detect credit card fraud and block suspect payments, all at considerable cost to the banks which are not passed on to the customer
    Ted Wards
    17th Aug 2018
    Don't have the bulk of your savings in your account attached to your ATM card. Have very little money in there and put your savings in a different account that can't be accessed through an ATM. So if you only have several hundred dollars or less in that account they can't take out much at all. The old saying of don't put your eggs in one basket is very true.
    19th Aug 2018
    You are so right Ted
