By Stacy Gorkoff

The ability to detect ATM cash-out attacks as they are unfolding—not after the damage is done—continues to be a priority for IT operations and payments security teams.

In today’s complex and ever-changing threat environment there remains no “silver bullet” that provides financial institutions blanket protection from fraud. In fact, according to the 2018 True Cost of Fraud study, published by LexisNexis Risk Solutions, every dollar of fraud now costs banks and credit unions roughly $2.92 in associated costs, a 9.3 per cent increase over 2017.

Early warning fraud detection is becoming more challenging due to:

  • High-risk visibility gaps. Many of today’s advanced persistent threats are designed to fly under the radar of traditional single-point monitoring payment fraud defences or bypass back-end fraud management systems entirely;
  • Increasing logical attack complexity and evolving criminal methodologies. New payments system vulnerabilities are being exploited through a combination of specially crafted malware, social engineering, siphoning and coordinated attacks; and
  • Increasing infrastructure costs and resources. Many small to medium-sized financial institutions often have less sophisticated cybersecurity controls, fewer resources and smaller budgets, but face more third-party vendor liabilities.

Evolving fraud prevention requirements
Cash-out schemes that involve multiple attack vectors over a very large attack surface continue to happen, despite the high level of security implemented within many PCI DSS-certified environments. Here are several high-profile examples.

May 2018. The Central Bank of Mexico announced that hackers had stolen as much as USD $15 million from five companies by tapping into bank payment systems and performing numerous fraudulent transactions, including cash withdrawals.

August 2018. The Federal Bureau of Investigation (FBI) issued warning of a global ATM cash-out scheme. Within days of that alert, India’s Cosmos Cooperative Bank was attacked. Cybercriminals installed malware on the bank’s debit card payment system, access card information, remove fraud controls, such as maximum withdrawal amounts, and exploit unlimited network access via fake or proxy servers. Criminals made off with over USD $13.5 million, using cloned cards to orchestrate 12,000 ATM transactions over a two-day weekend across 28 countries including Canada, Hong Kong and India.

October 2018. The United States Computer Emergency Readiness Team issued a joint Technical Advisory from the Department of Homeland Security, the FBI and the U.S. Treasury warning banks about the ATM cash-out scheme called “FASTCash”. In this attack, very specific financial request and response messages, for example ISO 8583, were targeted and fraudulent transactions went under the radar as traditional monitoring does not detect these kinds of attacks. This attack was also conducted across borders so that in-country controls were bypassed.

January 10, 2019. Visa issued an advisory to U.S. payment card issuers, advising them to be on alert for suspected ATM cash-out fraud schemes. Card issuers have been asked to increase their monitoring of ATM traffic and report any suspicious activity, especially ATM withdrawals involving prepaid cards.

May 2019. Dutch Bangla Bank Limited (DBBL), a local Bangladeshi Bank, was hit with a USD $3 million ATM cash-out attack when a Russian hacker group installed malware on one of the bank’s switches, thereby creating a proxy switch that went undetected for months. The malware was only uncovered after Visa tried to settle payment transactions with DBBL. By routing transactions through the proxy switch, hackers were able to withdraw funds from ATMs located in Cyprus, Russia and Ukraine without the bank ever knowing.

Why a multi-layered approach
Traditional fraud system management tools that make use of contextual information to analyze transactions will provide one layer of defence against cash-out attacks. But common single point monitoring solutions, such as those listed below, still run a risk of being compromised.

MAC’ing. Message Authentication Code or MAC’ing solutions add an additional layer of security by ensuring message integrity from the sender (ATM) to the receiver (Financial Switch or Authorization Host). But sometimes the fraudulent transactions never reach the authorization realm that would normally perform MAC verification. In the case of the “FASTCash” attack, which in essence is a variation of the “man-in-the-middle” attacks we have seen in card-not-present transactions, this lack of visibility therefore causes MAC’ing to offer little in the form of protection.

Transaction signing. Similar to MAC’ing, transaction signing may also fail to stop certain cash-out schemes. If the proxy switch or malware is in-line, the transaction never reaches the real authorization realm and an ISO 8583 approval response is provided to any transaction being routed to the transaction switch, rendering transaction signing irrelevant in this situation.

Malware management. In the case of the attack launched against Cosmos Bank, many banks may be inclined to assume that a malware management tool will suffice in preventing this sort of attack. Yes, malware management tools will be one layer of defence against such an attack, but it should not be the only one. These solutions can be compromised as well.

EMV chip and pin. Another common layer of defence is EMV chip and pin, and this has definitely limited the number of ATM cash-out attacks happening in Canada. But if attackers are using terminals from across the world that allow fallback transactions, EMV chip and pin will not be able to stop this attack. Fraudulent fallback transactions would be intercepted and approved by the proxy switch or malware and would never reach the real transaction switch or back-end, meaning the EMV check is never done.

Adding real-time, transaction-level monitoring
With the right set of real-time, statistical and machine learning techniques that build adaptive behavioural models, transaction-level monitoring and alerting has proven to be a reliable and cost-effective way to monitor for suspicious card activity and identify outlier transactions. Furthermore, it also provides the ability to monitor for message field tampering, missing transaction links and routing issues. Having a tool that independently analyzes every end-to-end transaction protects you from rogue switches approving fraudulent transactions.

Multi-point, network-based data collection capabilities give you the power to immediately identify potential fraud attacks, even if these transactions bypass fraud management systems or if the fraud management system has been overridden by malware. Risk scores can be assigned to each individual transaction. Flexible real-time alerts flag high-risk transactions and anomalies such as:

  • Missing back-end transactions for identifying “man-in-the-middle” attacks. Fake processing where a transaction enters the payment switch, but never reaches the host for authorization due to switch malware or card compromise;
  • A rise in transaction declines, unexpected EMV fallbacks, consecutive magnetic stripe transactions or reversal rates. They would be for a certain BIN (bank identification number) range, card type or group of devices;
  • Excessive transaction clearing or stand-in transactions by the switch: over a set amount of time;
  • Unexpected transaction anomalies and a rise in failed transaction rates. The transactions from a certain card or switch are failing or flagged as suspect activity due to high transaction volumes or unusual repeat card usage by device or geography;
  • Increase in foreign card transactions. High volumes or unusual repeat foreign card usage from on-us and off-us locations.
  • Status codes and response code errors. When a MAC or other TCP network error occurs, causing transactions to decline or be incomplete;
  • Suspicious repeat terminal usage. This could be triggered by repeat card usage or transaction volume limits exceeded within a set amount of time;
  • Isolating terminals used in a coordinated ATM cash-out attack. Creating visibility into implausible transacting scenarios, such as multiple devices or countries where the same bank card is being used in a limited period;
  • High withdrawal velocity or abnormal numbers of high-value transactions. Flagging transactions based upon high volume, high amount or unusual repeat card usage at the same terminal or across an unlikely geographical area; and
  • Distance-based card fraud. Knowing when the same card is being used for two consecutive ATM transactions that are not physically possible or likely.

Extending real-time detection to real-time prevention
Immediately detecting suspicious activity and receiving real-time risk advice for every transaction is a great advance in the battle against fraud: often helping IT operations and payments security teams evaluate and take action within minutes. While real-time suspicious activity monitoring is an essential layer to any fraud prevention strategy, it can still be too late to stop fraudulent transactions.


When selecting a real-time transaction level monitoring tool, it is essential that it also include fraud prevention capabilities, such as intelligent infrastructure adaptation rules and port blocking that identify and reject transactions that do not conform to end customer behaviour patterns. With a combination of real-time fraud detection and prevention, IT operations and payments security teams can now halt fraudulent transactions before they are approved. By utilizing real-time alerts to instruct firewalls to block suspicious traffic in flight, you can stop fraudsters in their tracks before they impact your bottom line.

In light of all the headline-grabbing ATM cash-outs and cyber security breaches we are continuously hearing about today, it’s understandable that your financial organization might be looking for ways to prevent being thrust into the spotlight. If this is the case, a multi-layered defence strategy will help you secure your systems and information assets, meet customer security expectations and be ready to defend against cash-out attacks.

Stacy Gorkoff is vice president of marketing and channel development for INETCO Systems Limited ( She is responsible for overseeing strategic marketing, brand awareness and communication initiatives. Stacy has over 15 years of experience working with leading edge network monitoring and application performance management companies in a marketing, communications and business development capacity.

Previous post

How to outwit fraudsters

Next post

Rejuvenating payments