In August 2020 EAST published Central/Host Fraud definitions which cover corporate attacks against central infrastructure like banking host systems in order to perform different Modus Operandi not directly connected to a Terminal. These definitions were produced by the EAST Expert Group on All Terminal Fraud (EGAF).
The compromise of a corporate network is the first step with these types of incidents. This can be done by external attackers as well as by internal employees of the institution. Attackers typically try to get access to this critical infrastructure, enabling the three different Corporate Networks Attacks shown below.
- Card Processing
- Fund Transfer
- Remote Malware Distribution and Control
The third one relates to control of a financial institution’s network leading to illegitimate file distribution in order to install and execute ATM specific malware. The different malware Modus Operandi actually used within the corporate network attack can be Jackpotting (also known as ATM Cash-out), Man-in-the-Middle (MITM) and SW-Skimming. These are described in EAST’s Terminal Fraud Definitions.
In October 2020 The PCI Security Standards Council (PCI SSC) released a bulletin ‘The Threat Of ATM Cash-Outs Payment Security’.
EAST Executive Director Lachlan Gunn speaks to Jeremy King, the PCI SSC Regional Head for Europe and Otto de Jong, Chair of EAST EGAF and DBNL Anti-Fraud Officer for ING.
Lachlan Gunn: Thank you both for agreeing to speak today on this key issue.
Why did EAST produce Central/Host Fraud Definitions?
Otto de Jong: It is vital that the way that corporate network attacks are described is consistent to allow law enforcement and industry responders to accurately report what they are seeing in a way that allows for standardisation of reporting. This optimises the ability of organisations to mitigate and defend against the evolving threats and helps law enforcement when conducting follow up investigations to such crimes. The aim is for these fraud definitions to be adopted globally by the Industry and Law enforcement when describing or reporting payment terminal fraud. The INTERPOL Financial Crimes Unit is recommending the usage of EAST definitions for Payment Card Fraud, and we hope that other law enforcement agencies will do the same.
Why did the PCI Security Standards Council issue an industry threat bulletin on ATM Cash-outs?
Jeremy King: We have heard from many of our stakeholders in the European payment community that ATM “cash-outs” are a growing concern across the globe. We felt, as a leader in payment security, now was the time to issue a bulletin with our friends and colleagues from the ATMIA who’s industry is well aware of these daily threats.
Otto de Jong: This is indeed timely. The most recent EAST Payment Terminal Crime Report shows that ‘cash-out’ through black box attacks is a growing threat. ATM malware and logical attacks against ATMs were up 269% (from 35 to 129) and all the reported attacks were Black Box attacks.
What businesses are at risk of this devious attack?
Jeremy King: Financial institutions, and payment processors are most at financial risk and likely to be the target of these large-scale, coordinated attacks. These institutions stand to potentially lose millions of dollars in a very short time period and can have exposure in multiple countries throughout Europe and around the world as the result of this highly organised, well-orchestrated criminal attack.
Otto de Jong: In addition to financial institutions and payment processors, recent corporate network attacks have demonstrated that this is also a threat to key infrastructure companies like utility companies, universities, hospitals and so on. This year the corporate network attack threat is evolving from targeting the payment system (cash out or swift transactions) to ransomware attacks (bitcoins).
What are some detection best practices to detect these threats before they can cause damage?
Jeremy King: Since ATM ‘cash-out’ attacks can happen quickly and drain millions of dollars in a short period of time, the ability to detect these threats before they can cause damage is critical. Some ways to detect this type of attack are:
- Velocity monitoring of underlying accounts and volume
- 24/7 monitoring capabilities including File Integrity Monitoring Systems (FIMs)
- Reporting system that sounds the alarm immediately when suspicious activity is identified
- Development and practice of an incident response management system
- Check for unexpected traffic sources (e.g. IP addresses)
- Look for unauthorized execution of network tools
Otto de Jong: Monitoring systems can also be compromised. Checking of related monitoring mechanisms, such as globally operated by card schemes, can be helpful to identify this kind of attack.
What are some prevention best practices to stop this attack from happening in the first place?
Jeremy King: The best protection to mitigate against ATM ‘cash-outs’ is to adopt a layered defence that includes people, processes, and technology. Some recommendations to prevent ATM ‘cash-outs’ include:
- Strong access controls to your systems and identification of third-party risks
- Employee monitoring systems to guard against an “inside job”
- Continuous phishing training for employees
- Multi-factor authentication
- Strong password management
- Require layers of authentication/approval for remote changes to account balances and transaction limits
- Implementation of required security patches in a timely manner (ASAP)
- Regular penetration testing
- Frequent reviews of access control mechanisms and access privileges
- Strict separation of roles that have privileged access to ensure no one user ID can perform sensitive functions
- Installation of file integrity monitoring software that can also serve as a detection mechanism
- Strict adherence to the entire PCI DSS
Otto de Jong: In addition, every institution with an IT infrastructure should perform a threat risk assessment to spot weakness in their system. This should be evaluated on an annual basis. Performing penetration tests annually by independent assessors must be part of such an assessment.
Lachlan Gunn: That concludes the Q&A session. Many thanks again to you both. Hopefully this will help to further raise awareness of the risks posed by corporate network attacks, what can be done to detect them, how to protect against them and also how to classify attacks to allow for accurate reporting and follow up by law enforcement and the industry.