Sounding alarm over an especially sinister new wave of cybercriminals, regulators are warning bankers that hackers have succeeded in changing the controls on automated teller machines to enable thieves to make nearly unlimited withdrawals using fraudulent debit, prepaid and ATM cards.
The hackers often schedule the withdrawals for holidays and weekends, when extra cash is loaded into ATMs and monitoring by the banks drops off, an umbrella group for financial regulators said Wednesday.
The U.S. Secret Service calls this scam Unlimited Operations because it eradicates the usual caps on ATM withdrawals, enabling the criminals to extract far more than depositors have in their accounts.
"A recent Unlimited Operations attack netted over $40 million in fraud using only 12 debit card accounts," the Federal Financial Institutions Examination Council said in its alert.
The council is made up of various banking regulators, including the Federal Reserve and the Consumer Financial Protection Bureau.
Because bank customers are protected by federal deposit insurance, they would eventually recover losses when their accounts are drained using stolen debit card or ATM card data, although the inconvenience could be considerable.
Prepaid cards appear to be more problematic because not all come with deposit insurance.
Consumer privacy advocates generally recommend that consumers avoid using debit or ATM cards and opt instead for better-protected credit cards.
The latest warning comes after millions of Americans have had their financial information breached in a series of high-profile cyberattacks, most notably the theft of personal data from more than 110 million Target Corp. customers during the winter holidays.
Saying small and medium-size banks are most vulnerable, the examinations council urged bankers to upgrade their security systems quickly because the potential losses are so high.