The FBI and local police have made tens of arrests across the tri-state area this week as part of a crackdown against multiple criminal gangs who exploited a glitch in the software of Santander ATMs to cash out more money than was stored on cards, according to ZDNet.

Based on information ZDNet received from a Santander spokesperson, sources in the threat intelligence community, and details released by police departments in the affected towns, criminal gangs appear to have found a bug in the software of Santander ATMs. The bug allowed members of criminal groups to use fake debit cards or valid preloaded debit cards to withdraw more funds from ATMs than the cards were storing, reports ZDNet.

Hank Schless, Senior Manager, Security Solutions at Lookout, a San Francisco, Calif.-based provider of mobile phishing solutions, says criminals will always take advantage of weak spots in a security system. "This goes for both the brick-and-mortar and cyber presence of any organization. Once a vulnerability is identified, it will be exploited until the victim realizes it needs to be fixed."

"Having visibility into every potential entry point into your organization is key if you want to truly secure your organization," adds Schless. "Whether you’re talking about ATMs, building entrances, or mobile devices, it’s critical to understand what risk they pose to the organization if they’re not secured. You need to treat every potential entry point with the same level of priority in your security posture – especially in the time of remote work. Phones and tablets have just as much access to internal data as traditional devices like laptops and desktops. This ATM-related incident shows what happens when a device isn’t secured the same way as other parts of the infrastructure."

According to Schless, Santander is encouraging its customers to use the mobile app. "Mobile apps make it much easier to access services, but they also expose organizations and their customers to a number of mobile-specific risks. Stealing bank login credentials is one of the most common consumer scams on mobile apps."

Back in February, Schless says Lookout discovered a widespread mobile-specific phishing campaign that targeted North American banking users with phishing links delivered via SMS. When victims tap on a phishing link, they’re brought to a fake login page for that bank and asked to enter their credentials. If the victim follows through, the actor behind this campaign could then log into their bank account and steal funds.

"There is also malware on phones or tablets that could pose a serious threat to your customers when they log into the app. Mobile malware can often fly under the radar if the user doesn’t have mobile security on their device. If the organization doesn’t have security built into its mobile app, customers could also fall victim to mobile banking fraud," adds Schless. "To properly secure your apps, organizations should integrate security into their apps that has the ability to monitor the health of the devices accessing the app. Only by understanding whether your customers’ phones or tablets are healthy can you make sure sensitive information is not leaked."