Debit Card / ATM Cashout Losses and Attacks

Here are some new questions being asked by insurance company underwriters when I ask for higher debit card limits. These are not bad questions for every bank to ask itself.

These questions are mainly driven by recent FBI guidance regarding ATM Cashout schemes. For more info about ATM Cashouts: https://krebsonsecurity.com/2018/08/fbi-warns-of-unlimited-atm-cashout-blitz/

1) Have you made any changes to security as a result of ATM cash-out schemes? Please explain your response.

2) Does the Bank:
· Require two-factor authentication using a physical or digital token when possible for local administrators and business-critical roles.

· Implement separation of duties or dual authentication procedures for account balance or withdrawal increases above a specified threshold.

· Implement application whitelisting to block the execution of malware.

· Monitor for encrypted traffic (SSL or TLS) traveling over non-standard ports.

· Monitor for network traffic to regions wherein you would not expect to see outbound connections from the financial institution.
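
One way to implement the check for encrypted traffic on non-standard ports, as an added example that is not part of the original post: it recognizes a TLS ClientHello from the first bytes of a connection instead of trusting the port number. The port allowlist, the flow record fields and the sample flows are assumptions constructed for illustration.

```python
import struct

# Assumption: ports where this institution expects to see TLS. Tune per environment.
EXPECTED_TLS_PORTS = {443, 465, 636, 853, 993, 995, 8443}
MAX_TLS_RECORD_LEN = 16384  # a plaintext TLS record may not exceed 2^14 bytes


def looks_like_tls_client_hello(payload: bytes) -> bool:
    """True if the first bytes of a TCP stream are a TLS handshake record
    that carries a ClientHello, whatever port the stream uses."""
    if len(payload) < 6:
        return False
    content_type, major, minor, rec_len = struct.unpack("!BBBH", payload[:5])
    if content_type != 0x16:            # 0x16 = handshake record
        return False
    if major != 0x03 or minor > 0x04:   # SSL 3.0 through TLS 1.3 record versions
        return False
    if rec_len == 0 or rec_len > MAX_TLS_RECORD_LEN:
        return False
    return payload[5] == 0x01           # handshake type 1 = ClientHello


def flag_unexpected_tls(flows, expected_ports=EXPECTED_TLS_PORTS):
    """Return flows that start a TLS session on a port outside the allowlist."""
    return [f for f in flows
            if f["dport"] not in expected_ports
            and looks_like_tls_client_hello(f["first_bytes"])]


# Constructed sample data: start of a ClientHello record, plus cleartext protocols.
CLIENT_HELLO = bytes.fromhex("16030100c8010000c40303")
SAMPLE_FLOWS = [
    {"src": "10.0.5.20", "dst": "203.0.113.10", "dport": 443,  "first_bytes": CLIENT_HELLO},
    {"src": "10.0.5.21", "dst": "198.51.100.7", "dport": 4444, "first_bytes": CLIENT_HELLO},
    {"src": "10.0.5.22", "dst": "192.0.2.9",    "dport": 80,   "first_bytes": b"GET / HTTP/1.1\r\n"},
    {"src": "10.0.5.23", "dst": "198.51.100.8", "dport": 8080, "first_bytes": CLIENT_HELLO},
    {"src": "10.0.5.24", "dst": "192.0.2.44",   "dport": 2222, "first_bytes": b"SSH-2.0-OpenSSH_8.9\r\n"},
]

if __name__ == "__main__":
    for flow in flag_unexpected_tls(SAMPLE_FLOWS):
        print(f"TLS on unexpected port: {flow['src']} -> {flow['dst']}:{flow['dport']}")
```

In production the first payload bytes would come from a network sensor or packet capture; the same function can then be applied to each new outbound connection.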