A banking watchdog said hackers could target bank ATMs and change the controls on the machines to enable the theft of possibly unlimited amounts of money.
The Federal Financial Institutions Examination Council issued an alert saying thieves could target small- to medium-sized institutions and withdraw large amounts of cash.
The watchdog said that hackers normally wait for holidays and weekends, as ATMs are flush with money on those days and monitoring by banks is low. The U.S. Secret Service has dubbed the scam Unlimited Operations, because it bypasses regular caps on ATM withdrawals, enabling hackers and thieves to extract far more than depositors have in their accounts.
"A recent Unlimited Operations attack netted over $40 million in fraud using only 12 debit card accounts," the Federal Financial Institutions Examination Council said in its alert.
The hack involves installing malware on the ATMs and changing settings to give hackers access to ATM control panels, enabling the withdrawal of large sums. The cash-out period for such operations usually lasted somewhere between four hours and two days.
Consumer groups have been advocating the use of credit cards over debit and ATM cards, as money is not drawn directly from a consumer's account in the event of fraud.
"Another great reason to ditch debit cards and use only credit cards," said Beth Givens, director of the Privacy Rights Clearinghouse in San Diego.
The banking watchdog also said that banks continue to be targets for distributed denial-of-service (DDoS) attacks, in which hackers bombard bank sites with millions of electronic requests. While bank staff are busy dealing with these requests, fraudsters hack their way into bank computers.
"Each institution is expected to monitor incoming traffic to its public website, activate incident response plans if it suspects that a DDoS attack is occurring, and ensure sufficient staffing for the duration of the attack," the regulators said in issuing their warning.