Skip to main content
U.S. flag
An official website of the United States government
Dot gov
The .gov means it’s official. 
Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you’re on a federal government site.
Https
The site is secure. 
The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.
Financial Institution Letter

ATM and Card Authorization Systems

Summary:

The FDIC, as a member of the Federal Financial Institutions Examination Council (FFIEC), is issuing the attached statement describing risks related to recent cyber-attacks on automated teller machines (ATMs) and card authorization systems that have resulted in large dollar frauds. These attacks are known as Unlimited Operations.

The FDIC expects financial institutions to take steps to address this threat by reviewing the adequacy of their controls over their information technology (IT) networks, card issuer authorization systems, systems that manage ATM parameters, and fraud detection and response processes.

Statement of Applicability to Institutions with Less than $1 Billion in Total Assets: This Financial Institution Letter (FIL) applies to all FDIC-supervised institutions.

Highlights:

  • Cyber-attacks on financial institutions for the purpose of gaining access to, and altering the settings on, ATM Web-based control panels used by small- to medium-sized institutions have increased.
  • Unlimited Operations are a category of ATM cash-out fraud in which criminals are able to extract funds beyond the cash balance in customer accounts or beyond other control limits typically applied to ATM withdrawals.
  • Financial institutions that issue debit, prepaid, or ATM cards may face a variety of risks from Unlimited Operations, including operational, reputation, fraud, liquidity, and capital risks.
  • Financial institutions should ensure that their risk management processes address the risks from these types of cyber-attacks consistent with the risk management guidance contained in the FFIEC IT Examination Handbook and applicable industry standards.

Suggested Distribution:

  • FDIC-Supervised Banks (Commercial and Savings)

Suggested Routing:

  • Chief Executive Officer
  • Chief Information Security Officer

Paper copies may be obtained through the FDIC's Public Information Center, 3501 Fairfax Drive, E-1002, Arlington, VA 22226 (1-877-275-3342 or 703-562-2200).

FIL-10-2014
Attachment(s)

Last Updated: April 2, 2014