In this article, we describe “unlimited operations”—a narrow yet insidious form of cyber attack that poses a particular threat to financial institutions. In a typical unlimited operation, hackers remove security features from bank accounts, increase balances, and then provide teams of “cashing crews” with account information that allows them to make mass ATM withdrawals from the compromised accounts. The lack of security features and increased account balances allow the cashing crews to withdraw money from ATM branches all over the world in amounts far greater than typical withdrawal limits.

While the dangers are especially acute for international banks, the technology could also apply to any corporation that issues any form of credit or debit card—even gift cards. These attacks also use payment processors and vendors as a means to access the card issuer, thus creating potential liability and litigation risk for a variety of corporations.

On June 24, the U.S. Attorney's Office for the Eastern District of New York announced the extradition and unsealing of an indictment against Ercan Findikoglu, who is charged with orchestrating a cyber attack that allegedly succeeded in stealing $55 million from a number of banks. The methods purportedly used by Findikoglu and a diffuse network of conspirators pose a threat to banks and a variety of other corporations.