A flaw in cash machine software is letting criminals withdraw money without using a bank card.
Security firm Kaspersky Labs identified the problem, leading Interpol to mount a widespread investigation across the USA, India, France, Israel, Malaysia and China.
ATMs infected with malicious software can be instructed to give out 40 notes at once by entering a series of digits on the keypad. Fraudsters do not require a credit or debit card to carry out the scam.
The Week
Escape your echo chamber. Get the facts behind the news, plus analysis from multiple perspectives.
SUBSCRIBE & SAVE
Sign up for The Week's Free Newsletters
From our morning news briefing to a weekly Good News Newsletter, get the best of The Week delivered directly to your inbox.
From our morning news briefing to a weekly Good News Newsletter, get the best of The Week delivered directly to your inbox.
Latest Videos From
The hack, known as Tyupkin, requires criminals to enter a unique code into a machine that has already been compromised by the malware. A second Pin code – a random sequence of numbers generated at another location – is also needed to unlock the machine before it will dispense the cash.
Security analysts say that this double-Pin system ensures that the hacker generating the algorithms maintains control over when and where money can be stolen.
"Over the last few years, we have observed a major upswing in ATM attacks using skimming devices and malicious software," said Vicente Diaz, principal security researcher at Kaspersky. "Now we are seeing the natural evolution of this threat with cybercriminals moving up the chain and targeting financial institutions directly."
Millions of dollars have already been stolen around the world, the Daily Mirror says, and it is possible that cash machines in the UK could come to be affected.
Tyupkin is said to affect a particular make of ATM which runs Microsoft Windows 32-bit. The initial security investigation was carried out by Kaspersky at the "request of a financial institution" – but the security firm did not specify which.
Unlike some other scams, the Tyupkin hack skims money from the bank itself rather than targeting individual bank accounts.
Many machines run outdated software, the BBC says, "which is hard to update for logistical and financial reasons". Many also require a full hardware overhaul to address contemporary security threats.
"The fact that many ATMs run on operating systems with known security weaknesses and the absence of security solutions is a problem that needs to be addressed urgently," Kaspersky says.
