Credit card fraudsters are increasingly resorting to salami ATM attacks, which are very difficult to detect and can result in significant losses. The new method was described by Gartner Vice President and Analyst Avivah Litan, who calls it a "flash attack" because it involves hitting many ATMs at the same time.
The attacks are based on the "salami slicing" concept, where extremely small amounts are stolen from multiple sources in order to fly under the radar.
According to Ms. Litan, it all starts with a gang of fraudsters installing rogue PoS devices, capable of stealing credit card data and PINs, at stores belonging to a particular retailer, in multiple cities and states.
The skimmers planted inside these terminals send data to a central database, from where it is used to create hundreds of counterfeit credit cards.
The cards have the associated PINs stuck onto them and are handed out to a network of money mules dispersed around the country.
All mules are given around five fake cards at once and are instructed to withdraw very small amounts from each of them. Hundreds of ATMs in different cities are hit at the same time.
"[...] Within ten minutes, simultaneous withdrawals at all these ATM machines add up to about $100,000 in proceeds," the Gartner analyst explains.
The gang repeats the operation five times a month with different cards and earns $500,000, of which a portion is used to pay the money mule network.
Ms. Litan learned of the new attack from several affected banks and payment processors, who told her that this type of fraud is notoriously hard to detect or block.
Possible mitigation involves determining the source of compromise and suspending all cards used there over a long period of time, which can prove extremely costly.
In addition, finding the point of breach can be very complicated, because the fraudsters begin abusing the cards a long time after they were compromised, sometimes a year or more.
"The long term solution: Stronger cardholder authentication, whether using Chip and PIN, dynamic PINs, mobile geolocation information, or other authentication alternatives," Litan concludes.
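The point-of-breach search described above can be sketched as a two-step analysis: group the cards used in a burst of small withdrawals, then rank the PoS terminals those cards have in common. This is an added example, not code from Gartner or any bank; the record layouts, sample data, function names and all thresholds except the ten-minute window are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample data; amount cap, ATM count and lookback are assumed values.
T0 = datetime(2024, 3, 1, 2, 0)
WITHDRAWALS = [  # (card, atm, time, amount)
    ("c1", "atm-A", T0, 40.0),
    ("c2", "atm-B", T0 + timedelta(minutes=2), 60.0),
    ("c3", "atm-C", T0 + timedelta(minutes=5), 40.0),
    ("c9", "atm-D", T0 + timedelta(hours=6), 300.0),  # ordinary withdrawal
]
PURCHASES = [  # (card, terminal, date)
    ("c1", "retailer-X/pos-7", T0 - timedelta(days=400)),
    ("c2", "retailer-X/pos-7", T0 - timedelta(days=390)),
    ("c3", "retailer-X/pos-7", T0 - timedelta(days=380)),
    ("c1", "grocer-Y/pos-1", T0 - timedelta(days=20)),
    ("c9", "grocer-Y/pos-1", T0 - timedelta(days=15)),
    ("c8", "grocer-Y/pos-1", T0 - timedelta(days=10)),
]

def burst_cards(withdrawals, window=timedelta(minutes=10), max_amount=100.0,
                min_atms=3):
    """Cards behind small withdrawals in the largest sliding window that
    spans at least `min_atms` distinct ATMs (empty set if there is none)."""
    small = sorted((w for w in withdrawals if w[3] <= max_amount),
                   key=lambda w: w[2])
    best, start = set(), 0
    for end in range(len(small)):
        while small[end][2] - small[start][2] > window:
            start += 1
        span = small[start:end + 1]
        if len({w[1] for w in span}) >= min_atms:
            cards = {w[0] for w in span}
            if len(cards) > len(best):
                best = cards
    return best

def common_points(purchases, suspects, as_of, lookback=timedelta(days=540)):
    """Rank terminals as (terminal, share of suspect cards, share of other
    cards), largest gap first. The lookback must exceed a year (see above)."""
    seen_s, seen_o = Counter(), Counter()
    others = {c for c, _, _ in purchases} - suspects
    recent = {(c, t) for c, t, d in purchases if as_of - d <= lookback}
    for card, terminal in recent:
        (seen_s if card in suspects else seen_o)[terminal] += 1
    rows = [(t, n / len(suspects), seen_o[t] / max(len(others), 1))
            for t, n in seen_s.items()]
    return sorted(rows, key=lambda r: (r[2] - r[1], r[0]))
```

Comparing against the share of unaffected cards keeps a busy but clean terminal from outranking the compromised one, and a lookback of only a few weeks would miss the compromised terminal entirely.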