Sounding the alarm over an especially sinister new wave of cybercrime, regulators are warning bankers that hackers have succeeded in changing the controls on automated teller machines to allow thieves to make nearly unlimited withdrawals.
The hackers often schedule the withdrawals for holidays and weekends, when extra dollars are loaded into ATMs and monitoring by the banks drops off, an umbrella group for financial regulators said Wednesday.
The U.S. Secret Service is calling the scam Unlimited Operations because it circumvents the usual caps on ATM withdrawals, enabling the criminals at times to extract far more than depositors have in their accounts.
“A recent Unlimited Operations attack netted over $40 million in fraud using only 12 debit card accounts,” the Federal Financial Institutions Examination Council said in its alert. The council comprises various banking regulators, including the Federal Reserve and the Consumer Financial Protection Bureau.
Federal bank deposit insurance and banking laws ensure that affected bank customers eventually recover losses when their accounts are drained using stolen debit card data. Still, the inconvenience to the customer can be considerable. Prepaid cards are more problematic, because some do not come with deposit insurance.
Consumer privacy advocates generally recommend that consumers avoid using debit or ATM cards altogether. It’s better to use credit cards, in which the proceeds of any fraud are not directly drawn from consumers’ bank accounts, they say.
“Another great reason to ditch debit cards and use only credit cards,” said Beth Givens, director of the Privacy Rights Clearinghouse in San Diego.
The latest warning comes after millions of Americans have had their financial information breached in a series of high-profile cyberattacks, most notably the theft of personal data from more than 110 million Target Corp. stores during the winter holidays.
Saying small and medium-sized banks are most vulnerable, the examinations council said regulators expect bankers to upgrade their security systems quickly because the potential losses are so high.
The regulators also said banks continue to experience so-called distributed denial-of-service attacks, in which hackers cripple bank customer websites by bombarding them with millions of electronic demands. Such attacks can be used as diversions, forcing bank security employees to deal with them while the fraudsters hack their way into bank computers, experts say.
“Each institution is expected to monitor incoming traffic to its public website, activate incident response plans if it suspects that a DDoS attack is occurring, and ensure sufficient staffing for the duration of the attack,” the regulators said in issuing their warning.
A spokesman for the American Bankers Assn. didn’t immediately respond to an email and phone call seeking comment. But Rodney K. Brown, president and chief executive of the California Bankers Assn., said banker conferences are devoting increasing attention to cyberattacks, which he described as “more than a nuisance but not something that is destabilizing financially to banks.”