Hidden Cobra Fast-Cash Q&A

For the Spanish version of this blog post, please click here.

Hidden Cobra Fast Cash QA
Interested in INETCO’s bundled alerts for early warning fraud detection? Book a Demo!

On Tuesday, October 2, 2018, the US-CERT issued a joint Technical Advisory (TA) from the Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI) and the US Treasury warning banks about the ATM cash-out scheme called “FASTCash.”

The TA went on to say that the U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA and that the FBI has high confidence that HIDDEN COBRA actors are using a number of attack vectors to siphon off cash from ATM’s, which it detailed in the report.  It also provided suggested response actions.

The attack signature of “FASTCash” is no different to the other attacks we have discussed in some of our other blog posts over the past few years.  These attacks are still taking place despite the high level of security implemented within many PCI-DSS certified environments.  The reason is that these are highly coordinated and sophisticated attacks, using multiple attack vectors over a very large attack surface.  There are no silver bullets in protecting against these sort of attacks, but layering security to provide the defense-in-depth will help limit the attack surface.

As HIDDEN COBRA targets very specific financial request and response messages, for example ISO 8583, fraudulent transactions go ‘under the radar’ as traditional monitoring does not detect these kinds of attacks. Furthermore, these attacks are also conducted across borders so that in-country controls can be bypassed.

In recent discussions with top FIs, as well as through INETCO hosted webinars, a number of questions have been raised around how to protect payments environments from these kinds of attacks. With these concerns in mind, we decided to create a list of FAQs that can help prepare your team for “FASTCash” attacks.

  1. Does Message Authentication Code (MAC) or MAC’ing stop these cash-out schemes?
    • MAC’ing adds an additional layer of security in that it ensures message integrity from the sender (ATM) to the receiver (Financial Switch or Authorization Host). In the case of these cash-out schemes – which in essence is a variation of the “man-in-the-middle” attacks we have seen in CNP transactions, the fraudulent transactions never reach the authorization realm that would normally perform MAC verification. This lack of visibility therefore causes MAC’ing to offer little in the form of protection.
  2. Does Transaction Signing stop these cash-out schemes?
    • Similar to MAC’ing, as the proxy switch or malware is in-line, the transaction never reaches the real authorization realm and an ISO 8583 approval response is provided to any transaction being routed to the transaction switch, rendering Transaction Signing irrelevant in this situation.
  3. If the bank had implemented EMV chip and pin, would that have stopped the attack?
    • Many of the banks hit with these attacks had already implemented EMV years before. EMV chip and pin would not stop the attack as the attackers were using terminals from across the world that allowed fallback transactions. As fraudulent fallback transactions are intercepted and approved by the proxy switch or malware and never reach the real transaction switch or backend, the EMV check is never done.
  4. How does INETCO Insight alert or stop these cash-out attacks?
    • As INETCO Insight decodes ISO 8583 messages, including a host of other financial message protocols like NDC+ and ISO 20022 and is able to correlate the fields of these messages along the transaction path, INETCO alerts when it picks up fields that are tampered with or authorizations that are processed before they even get to the authorization realm.
  5. Are there any performance issues/latency or lag in the transaction with the solution?
    • INETCO Insight collects a copy of the transaction information directly from the network either from a SPAN or network tap or optionally, an agent.  As we are using a real-time copy of the transaction, we have no impact in any way on the transaction.  There are therefore no performance or latency/lag issues.
  6. If I already have a fraud prevention solution, can I integrate the data captured by INETCO Insight in real-time?
    • Yes, as INETCO Insight captures raw TCP/IP information across ISO 8583 and other proprietary financial protocols, INETCO is able to provide more contextual information than is otherwise usually available. INETCO Insight is able to forward this information to other fraud tools, if so desired.
  7. How is INETCO Insight different from the fraud solutions I already have?
    • While INETCO Insight is able to perform a lot of the functionality of current industry leading fraud solutions, INETCO Insight’s real differentiator is its ability to capture financial transaction information in real-time from the network – across many hops and links that the transactions traverse. These links may have very different protocols, from ATM protocols like NDC+, to payment network protocols like ISO 8583 and authorization host links like XML, MQ and SQL to name a few. By decoding these different message formats across the different links and correlating the fields associated with these formats, INETCO Insight is able to create a single view of the transaction journey.  With a clear view of the transaction journey, we can independently audit it and therefore know when transactions go amiss.
  8. Why would a bank consider using INETCO Insight if it has already implemented other recommended solutions?
    • Banks often use INETCO Insight to improve security posture and to limit the effects of front-end APT attacks, like the ones discussed in this blog. INETCO Insight is an additional security layer that helps as an early warning system. Other security controls and systems should still be in place and tested regularly.
  9. As our current ATM protection is online, does INETCO provide any option for offline ATM malware protection?
    • Yes, INETCO is able to pick up anomalous ATM behavior across your entire fleet. One such behavior is a lack of transactions due to an ATM having been taken offline in a jackpotting attack. In such a situation, INETCO Insight can alert and appropriate action can be taken.
  10. Just to confirm, INETCO not only has the capability to alert, but can also decline when certain patterns/trends are detected?
    • Yes, INETCO Insight is able to provide an email alert or risk advice that can be used to stop a transaction. These rules and alerts can be configured in INETCO Insight’s robust Rules Engine.

If you would like to learn how INETCO can work within your payments environments, please reach out to us at and we can provide you with information on INETCO’s bundled alerts for early warning fraud detection.