ATM cash-out: A rising threat requiring urgent attention

The PCI Security Standards Council (PCI SSC) and the ATM Industry Association (ATMIA) issued a joint bulletin to highlight an increasing threat that requires urgent awareness and attention.

ATM cash-out

What is the threat?

An ATM cash-out attack is an elaborate and choreographed attack in which criminals breach a bank or payment card processor and manipulate fraud detection controls as well as alter customer accounts so there are no limits to withdraw money from numerous ATMs in a short period of time.

Criminals often manipulate balances and withdrawal limits to allow ATM withdrawals until ATM machines are empty of cash.

How do ATM cash-out attacks work?

An ATM cash-out attack requires careful planning and execution. Often, the criminal enterprise gains remote access to a card management system to alter the fraud prevention controls such as withdrawal limits or PIN number of compromised cardholder accounts. This is commonly done by inserting malware via phishing or social engineering methods into a financial institution or payment processor’s systems.

The criminal enterprise then can create new accounts or use compromised existing accounts and/or distribute compromised debit/credit cards to a group of people who make withdrawals at ATMs in a coordinated manner.

With control of the card management system, criminals can manipulate balances and withdrawal limits to allow ATM withdrawals until ATM machines are empty of cash.

These attacks usually do not exploit vulnerabilities in the ATM itself. The ATM is used to withdraw cash after vulnerabilities in the card issuers authorization system have been exploited.

Who is most at risk?

Financial institutions, and payment processors are most at financial risk and likely to be the target of these large-scale, coordinated attacks. These institutions stand to potentially lose millions of dollars in a very short time period and can have exposure in multiple regions around the world as the result of this highly organized, well-orchestrated criminal attack.

What are some detection best practices?

  • Velocity monitoring of underlying accounts and volume
  • 24/7 monitoring capabilities including File Integrity Monitoring Systems (FIMs)
  • Reporting system that sounds the alarm immediately when suspicious activity is identified
  • Development and practice of an incident response management system
  • Check for unexpected traffic sources (e.g. IP addresses)
  • Look for unauthorized execution of network tools.

What are some prevention best practices?

  • Strong access controls to your systems and identification of third-party risks
  • Employee monitoring systems to guard against an “inside job”
  • Continuous phishing training for employees
  • Multi-factor authentication
  • Strong password management
  • Require layers of authentication/approval for remote changes to account balances and transaction limits
  • Implementation of required security patches in a timely manner (ASAP)
  • Regular penetration testing
  • Frequent reviews of access control mechanisms and access privileges
  • Strict separation of roles that have privileged access to ensure no one user ID can perform sensitive functions
  • Installation of file integrity monitoring software that can also serve as a detection mechanism
  • Strict adherence to the entire PCI DSS.

3 common misconceptions about PCI compliance

Being the PCI guy at my company carries a certain amount of burden. Not only am I responsible for all of the ongoing compliance and yearly assessments, but I also have to interpret the PCI DSS scriptures on how PCI affects products, initiatives, and platform decisions.

PCI compliance misconceptions

Anyone closely involved with PCI recognizes that our mission tends to be of a holy order. And it’s often a lonely and monastic order: we read the arcane words and interpret them for the common layperson to understand.

What you don’t know could hurt you

If you’ve been the arbiter of PCI for your company, you’ve probably run into a variety of misunderstandings, long-held misconceptions, and just weird ideas. (Nodding your head?) These aren’t limited to occasional questions from co-workers—they also happen with many vendors. I’m honestly surprised that so many vendors operating in areas that impact PCI compliance have virtually no clue about how their products affect or are affected by PCI.

After all, there’s no excuse to be clueless. One of the great things about PCI is that the rules are available for anyone to peruse. That’s why many discussions about PCI end pretty quickly when you simply ask someone to point to the PCI DSS guidelines to support their argument. I can usually tell I’m working with a seasoned professional if they can quote chapter and verse. I can also tell when someone hasn’t done their homework.

Having worked in the PCI world for several years, I’ve seen a lot of good and a lot of bad. Here are three of the biggest misconceptions and misunderstandings I tend to run into.

Misconception #1: You believe a certain product or system is out of PCI scope

The first misconception primarily impacts vendors. It’s the misconception that just because a piece of equipment doesn’t process or transmit credit card data, it’s not in the scope of PCI. This simply isn’t true.

There are essentially two types of systems in scope. One type is any system that directly touches credit card information. The second is any outlying larger connected systems that touch the first type of system.

Vendors tend to get into trouble when they have a device that directly talks to a POS or similar credit card processing system. The moment that device can talk to the POS that’s in scope, it’s basically a given that it (and whatever it touches) is also in scope as a connected system. It’s not always a black-and-white distinction, but you must have very tight firewall rules to make your case.

Misconception #2: You’ve accurately scoped your CDE

The second misconception involves what PCI compliance fundamentally tries to protect. While the PCI DSS guidelines have good recommendations for general security, they’re specifically trying to protect payment-related information. If you’re implementing the controls well, they do a solid job of increasing overall security. But at the end of the day, the scope is intentionally narrow.

That’s why one of the biggest issues I see companies struggling with is how to adequately define their card data environment (CDE). Getting the scope right for CDE is the most essential thing you can do, and everything else builds on top of that.

This is where understanding the card data flow comes into play. You must be able to articulate how a credit card transaction is created and transmitted from beginning to end. This understanding forms the basis of what is in scope and what is not. Because the precise goal of PCI is to protect card data, you should almost always try to reduce scope.

Misconception #3: Not recognizing the differences between PA-DSS and PCI DSS

The third misconception is about the differences between the PA-DSS (which is used to certify payment solutions) and the PCI DSS (which is used to assess adherence to the data security standard). This might seem contradictory, and it probably should be, but there are many cases where you can have a system that has a PA-DSS certification that will not meet PCI DSS compliance.

Again, this goes back to the problems that vendors face in these situations. More than a few times I’ve seen a company get surprised during an assessment when the QSA asked to see the updates to fix vulnerabilities in Windows systems upon which a vendor has built their POS solution. Usually the customer has no control over those updates—they’re typically bundled with a vendor’s application update. I’ve witnessed some pretty hairy phone calls between a QSA, store operator, and vendor trying to sort out why a POS hasn’t been patched in a few years to fix known Windows vulnerabilities.

You can’t outsource ownership

One critical aspect to remember is that if you’re subject to PCI compliance, you’re ultimately responsible for everything. No matter how much you outsource, you can’t outsource ownership. That includes depending on a PA-DSS. I’ve actually worked with vendors to roll out systems that their own techs have installed—only to discover that the installation doesn’t even meet the vendors’ own PA-DSS standards.

As a bonus tip, if you’re working with vendors to select a new payment solution, read through their PA-DSS before making any decisions. Ask hard questions about how their rollout, installation, and real-world management matches up to their PA-DSS. Test the PA-DSS configuration first. I’ve had PA-DSS guides include language and features that aren’t actually built into the solution. It honestly makes me wonder how they got a PA-DSS certification to begin with, but that’s another topic of discussion for later.

Sale of 4 Million Stolen Cards Tied to Breaches at 4 Restaurant Chains

On Nov. 23, one of the cybercrime underground’s largest bazaars for buying and selling stolen payment card data announced the immediate availability of some four million freshly-hacked debit and credit cards. KrebsOnSecurity has learned this latest batch of cards was siphoned from four different compromised restaurant chains that are most prevalent across the midwest and eastern United States.

An advertisement on the cybercrime store Joker’s Stash for a new batch of ~4 million credit/debit cards stolen from four different restaurant chains across the midwest and eastern United States.

Two financial industry sources who track payment card fraud and asked to remain anonymous for this story said the four million cards were taken in breaches recently disclosed by restaurant chains Krystal, Moe’s, McAlister’s Deli and Schlotzsky’s. Krystal announced a card breach last month. The other three restaurants are all part of the same parent company and disclosed breaches in August 2019.

KrebsOnSecurity heard the same conclusion from Gemini Advisory, a New York-based fraud intelligence company.

“Gemini found that the four breached restaurants, ranked from most to least affected, were Krystal, Moe’s, McAlister’s and Schlotzsky’s,”  Gemini wrote in an analysis of the New World Order batch shared with this author. “Of the 1,750+ locations belonging to these restaurants, nearly 50% were breached and had customer payment card data exposed. These breached locations were concentrated in the central and eastern United States, with the highest exposure in Florida, Georgia, South Carolina, North Carolina, and Alabama.”

McAlister’s (green), Schlotzsky’s (blue), Moe’s (gray), and Krystal (orange) locations across the United States. There is an additional Moe’s location in Hawaii that is not depicted. Image: Gemini Advisory.

Focus Brands (which owns Moe’s, McAlister’s, and Schlotzsky’s) was breached between April and July 2019, and publicly disclosed this on August 23. Krystal claims to have been breached between July and September 2019, and disclosed this in late October.

The stolen cards went up for sale at the infamous Joker’s Stash carding bazaar. The most recent big breach marketed on Joker’s Stash was dubbed “Solar Energy,” and included more than five million cards stolen from restaurants, fuel pumps and drive-through coffee shops operated by Hy-Vee, a supermarket chain based in Iowa.

According to Gemini, Joker’s Stash likely delayed the debut of the New World Order cards to keep from flooding the market with too much stolen card data all at once, which can have the effect of lowering prices for stolen cards across the board.

“Joker’s Stash first announced their breach on November 11, 2019 and published the data on November 22,” Gemini found. “This delay between breaches occurring as early as July and data being offered in the dark web in November appears to be an effort to avoid oversaturating the dark web market with an excess of stolen payment records.”

Most card breaches at restaurants and other brick-and-mortar stores occur when cybercriminals manage to remotely install malicious software on the retailer’s card-processing systems, often by compromising third-party firms that help manage these systems. This type of point-of-sale malware is capable of copying data stored on a credit or debit card’s magnetic stripe when those cards are swiped at compromised payment terminals, and that data can then be used to create counterfeit copies of the cards.

Companies that accept, store, process and transmit credit and debit card payments are required to implement so-called Payment Card Industry (PCI) security standards, but not all entities are required to prove that they have met them. While the PCI standards are widely considered a baseline for merchants that accept payment cards, many security experts advise companies to put in place protections that go well beyond these standards.

Even so, the 2019 Payment Security Report from Verizon indicates the number of companies that maintain full compliance with PCI standards decreased for the second year in a row to just 36.7 percent worldwide.

As noted in previous stories here, the organized cyberthieves involved in stealing card data from main street merchants have gradually moved down the food chain from big box retailers like Target and Home Depot to smaller but far more plentiful and probably less secure merchants (either by choice or because the larger stores became a harder target).

It’s really not worth worrying about where your card number may have been breached, since it’s almost always impossible to say for sure and because it’s common for the same card to be breached at multiple establishments during the same time period.

Just remember that while consumers are not liable for fraudulent charges, it may still fall to you the consumer to spot and report any suspicious charges. So keep a close eye on your statements, and consider signing up for text message notifications of new charges if your card issuer offers this service. Most of these services also can be set to alert you if you’re about to miss an upcoming payment, so they can also be handy for avoiding late fees and other costly charges.