Sounding alarm over an especially sinister new wave of cybercrime, regulators are warning bankers that hackers have succeeded in changing the controls on automated teller machines to allow thieves to make nearly unlimited withdrawals.
The hackers often schedule the withdrawals for holidays and weekends, when extra dollars are loaded into ATMs and monitoring by the banks drops off, an umbrella group for financial regulators said Wednesday.
The U.S. Secret Service is calling the scam Unlimited Operations because it circumvents the usual caps on ATM withdrawals, enabling the criminals at times to extract far more than depositors have in their accounts.
“A recent Unlimited Operations attack netted over $40 million in fraud using only 12 debit card accounts,” the Federal Financial Institutions Examination Council said in its alert. The council comprises various banking regulators, including the Federal Reserve and the Consumer Financial Protection Bureau.
Federal bank deposit insurance and banking laws ensure that affected bank customers eventually recover losses when their accounts are drained using stolen debit card data. Still, the inconvenience to the customer can be considerable. Prepaid cards are more problematic, because some do not come with deposit insurance.
Consumer privacy advocates generally recommend that consumers avoid using debit or ATM cards altogether. It’s better to use credit cards, in which the proceeds of any fraud are not directly drawn from consumers’ bank accounts, they say.
“Another great reason to ditch debit cards and use only credit cards,” said Beth Givens, director of the Privacy Rights Clearinghouse in San Diego.
The latest warning comes after millions of Americans have had their financial information breached in a series of high-profile cyberattacks, most notably the theft of personal data from more than 110 million Target Corp. customers during the winter holidays.
Saying small and medium-sized banks are most vulnerable, the examinations council said regulators expect bankers to upgrade their security systems quickly because the potential losses are so high.
The regulators also said banks continue to experience so-called direct denial-of-service attacks, in which hackers cripple bank customer websites by bombarding them with millions of electronic demands. Such attacks can be used as diversions, forcing bank security employees to deal with them while the fraudsters hack their way into bank computers, experts say.
“Each institution is expected to monitor incoming traffic to its public website, activate incident response plans if it suspects that a DDoS attack is occurring, and ensure sufficient staffing for the duration of the attack,” the regulators said in issuing their warning.
A spokesman for the American Bankers Assn. didn’t immediately respond to an email and phone call seeking comment. But Rodney K. Brown, president and chief executive of the California Bankers Assn., said banker conferences are devoting increasing attention to cyberattacks, which he described as “more than a nuisance but not something that is destabilizing financially to banks.”
The regulators said the scam often begins with phishing attacks — scam artists sending phony but official-looking emails to bank employees, who may unleash malicious software by clicking on a link.
Criminals use the malware to obtain employee login credentials and to determine how the institution accesses ATM control panels, often based online, that allow changes to be made in the amount of money customers may withdraw, geographic usage limits and how fraud reports are generated.
After hacking the control panel, criminals withdraw funds by using fraudulent cards they create with account information and personal identification numbers stolen through separate attacks, the regulators said. The PINs may be stolen by malicious software or scanning programs at merchant sales terminals or ATMs, or by hacking into computers.
“The cash-out phase of the attack involves criminals organizing simultaneous withdrawals of large amounts of cash from multiple ATMs over a short time period, usually four hours to two days,” the warning said.
For the record, 1:50 p.m. April 10: An earlier version of this article said personal data had been stolen from 110 million Target stores during the winter holidays. It was 110 million Target customers.