
In Hours, Thieves Took $45 Million in A.T.M. Scheme - uladzislau
http://www.nytimes.com/2013/05/10/nyregion/eight-charged-in-45-million-global-cyber-bank-thefts.html?pagewanted=all
======
outworlder
> "With five account numbers in hand, the hackers distributed the information
> to individuals in 20 countries who then encoded the information on magnetic-
> stripe cards. On Dec. 21, the cashing crews made 4,500 A.T.M. transactions
> worldwide, stealing $5 million, according to the indictment."

If true, that's hilarious. Seriously, ATM reading magnetic stripes? What
century are we, again? It seems I've traveled backwards in time. Either that,
or it's a new Terminator movie plot.

I haven't seen a credit or debit card without a smartcard (which requires a
PIN) in Brazil in more than a decade now. Not sure if it would have stopped
this particular attack, as the magstripe readers are still there because of
foreign _credit_ cards. However, there are stricter restrictions on foreign
money withdrawals which are enforced regardless of the originating bank.

~~~
username111
US debit cards just require magnetic strip and pin to withdraw from ATMs.

~~~
sschueller
That's the biggest problem.

If the US would switch to chip and pin then all those countries that already
use chip and pin can turn off the magnetic strip by default. Right now they
need to leave it on as the US is a common travel destination.

Chip and pin isn't 100% secure either but it would stop a large number of
skimmers.

If you don't travel and you live in a country with chip and pin have your bank
disable your magnetic stripe. Even if someone were to skim your card the bank
will not authorize a transaction via magnetic stripe.

~~~
robk
Chip and pin pushes more burden onto the consumer. I am well protected now
with mag stripe - why would I want to place more of a burden on myself to keep
a PIN safe when the law currently protects me for unauthorized charges?

------
nikcub
Here is the original Government press release:

<http://www.justice.gov/usao/nye/pr/2013/2013may09.html>

I could not locate a copy of the actual indictment, so if somebody could find
a link to it I would appreciate it.

I was curious as to how they were caught. That they only caught the runners (the
guys going to the ATMs with cards) and not the group leaders or the hackers
suggests they were caught via traditional ID methods via ATM cameras[1],
mobile phone or car license plates.

The other evidence to support this theory is that the runners in other
countries were not arrested or charged at the same time. If law enforcement
took these guys down from the top, you'd think they would be able to also ID
the runners in other countries.

Instead, only the group of runners organized around New York were caught - 8
people, out of a group that would number at least 50 or more.

I also don't understand the money laundering charge. The defendants deposited
$150k in $20 bills into a Miami bank and then used the account to buy a car.
That isn't doing a very good job of hiding the source of funds, if that is
what their intention was.

Seems very amateur and unworthy of a professional criminal organization - more
likely it was the proceeds of a cut that one of the runners got.

[1] During the Boston Marathon Bombing manhunt the Feds released pictures that
were taken from an ATM showing Suspect #2 (later identified as Dzhokhar
Tsarnaev):

<http://i.imgur.com/0ZF7ud9.png>

From the pictures you can see that ATMs take a photo when the user is
approaching and while they are using the ATM (the first picture seems to be
triggered by the door being opened). The quality is surprisingly good.

~~~
TwoBit
Surprisingly good quality? Maybe compared to 1980s QuickieMart VCR cams.

~~~
skcin7
I'm surprised it's not 1080p or similar quality yet. That technology is so
cheap these days; I'm sure it'll be a few more years before all security cams
are recording in HD as the norm.

~~~
eli
I would guess that has as much to do with storage and bandwidth as it does
camera quality.

~~~
easytiger
and most atms are 1990s technology

~~~
skcin7
Good point. I know how reluctant financial organizations are when they have to
actually spend some of their own money to upgrade something.

------
delackner
And just a few days ago people were discussing how ATMs prefer to just
give you money and overdraw an account rather than deny you cash when you go
overdrawn. I guess this is the result? Systems that are only synced once an
(hour? day?) provide a window to let thieves do a coordinated hit on different
network partitions.

~~~
nwh
> In the first robbery, hackers were able to infiltrate the system of an
> unnamed Indian credit-card processing company that handles Visa and
> MasterCard prepaid debit cards.

> The hackers – who are not named in the indictment – proceeded to raise the
> withdrawal limits on prepaid MasterCard debit accounts issued by the
> National Bank of Ras Al-Khaimah, also known as RAKBANK, which is in United
> Arab Emirates.

~~~
ghshephard
Right - but there is a difference between the "Withdrawal limit" and the
"Account Balance" - Just because you have a $50mm withdrawal limit, doesn't
mean you have a $50mm account balance.

~~~
grrrando
This is guessing, but perhaps the withdrawal limit of a pre-paid card acts as
the account balance.

------
downandout
From an engineering point of view, the mere fact that these people were able
to withdraw millions of dollars from _five accounts_ in multiple locations
simultaneously is just absurd. Even if these guys had direct access to the
database to be able to change the withdrawal limits and balances of the cards,
any engineer with half a brain in charge of designing their back end would
create a separate system that monitors transactions and does both security and
reality checks.

Same card being used within seconds at two locations 5 miles apart? Probably
something funny going on. "Deposits" of millions of dollars on a single pre-
paid card in a day? Might be unusual.

These banks deserve to lose every dime they have to lose if they are this
stupid, or are hiring such inept IT people.

~~~
mtowle
Banks must hire among the most inept IT people of any industry. Every time I
log into PNC, I literally switch tabs and try and "do something else" for at
least a minute, because that's how long it takes their Virtual Wallet bullshit
to load. At least, that's what the site says it's doing. Loading. Only they
have "HTML5" emblazoned in huge letters on the page, for some unknown reason,
which inevitably makes me wonder what the fuck is taking so long then. Let me
guess, your SOAP requests are 3 miles long. Uphill. Through the snow.

~~~
hexonexxon
In my country there's a foreign worker scam that allows Indian companies to fly
in the worst IT staff complete with fake resumes and pays them $6/hr for a
year to screw up their website with dozens of SSL certs and slow security
theatre that pretends to do something but is just a little flash to watch
while you wait forever to load their junk software.

Major banks here all made at least a trillion in profit last year but couldn't
be arsed to pay for legit IT staff. Now we all suffer paying tax dollars to
track down all these thieves who easily fraud their faces off with the
terribad security and poor code quality.

------
JoelJacobson
I work for a financial institution. This problem is due to complete ignorance
of banks on best security practices. Their global ATM lacks simple velocity
checks. Such can never be made in real-time as data has to be aggregated
globally to detect the total money flows from certain financial institutions,
but given the manual handling of ATM withdrawals, a minute delay would be
acceptable.

Simply sum all withdrawals, not per card number, but per financial institution
(per BIC-code), and measure the money flowing out per time unit. If it exceeds
a multiple of X times the average for what's normal on that day, raise an
alarm to investigate manually.

Such velocity checks would never work if only looking at withdrawals in a
single ATM, and would still not be good enough if they measured all withdrawals
in all of a single bank's ATMs, as there are so many banks.

Banks need to cooperate in developing a global anti-fraud system.
Unfortunately they still use COBOL and don't lose enough money on these things
to find the motivation to do it.
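
An added sketch (not part of the thread) of the two checks discussed above: JoelJacobson's per-institution outflow velocity check and downandout's "same card, two places, seconds apart" check. The BICs, card tokens, baseline figures, thresholds and transactions are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

@dataclass(frozen=True)
class Withdrawal:
    ts: int        # seconds since start of the sample
    bic: str       # issuing institution (constructed BIC)
    card: str      # card token, never the PAN
    amount: float
    lat: float
    lon: float

def km_between(a, b):
    """Great-circle (haversine) distance between two withdrawals, in km."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def issuer_outflow_alerts(txns, baseline, window_s=60, multiple=5.0):
    """Sum cash out per issuer per time window, ignoring card numbers.
    Alert when a window exceeds `multiple` times the issuer's normal outflow."""
    totals = defaultdict(float)
    for t in txns:
        totals[(t.bic, t.ts // window_s)] += t.amount
    return sorted((bic, bucket * window_s, total)
                  for (bic, bucket), total in totals.items()
                  if total > multiple * baseline[bic])

def impossible_travel(txns, max_kmh=900.0):
    """Flag consecutive uses of one card whose implied speed beats an airliner."""
    last, hits = {}, []
    for t in sorted(txns, key=lambda t: t.ts):
        prev = last.get(t.card)
        if prev is not None:
            dist = km_between(prev, t)
            hours = max(t.ts - prev.ts, 1) / 3600
            if dist / hours > max_kmh:
                hits.append((t.card, prev.ts, t.ts, round(dist)))
        last[t.card] = t
    return hits

# Constructed sample: normal outflow per 60 s window for two made-up issuers.
BASELINE = {"AAAAXXAA": 2000.0, "BBBBXXBB": 1000.0}
SAMPLE = [
    Withdrawal(0,    "AAAAXXAA", "c1", 800.0,  40.7128, -74.0060),
    Withdrawal(10,   "AAAAXXAA", "c1", 800.0,  40.7848, -74.0060),  # ~5 miles away, 10 s later
    Withdrawal(20,   "AAAAXXAA", "c2", 5000.0, 40.7128, -74.0060),
    Withdrawal(30,   "AAAAXXAA", "c3", 5000.0, 40.7128, -74.0060),
    Withdrawal(70,   "AAAAXXAA", "c2", 400.0,  40.7128, -74.0060),
    Withdrawal(5,    "BBBBXXBB", "c9", 300.0,  40.7128, -74.0060),
    Withdrawal(3605, "BBBBXXBB", "c9", 300.0,  40.7300, -73.9900),  # an hour later, nearby
]

if __name__ == "__main__":
    for bic, start, total in issuer_outflow_alerts(SAMPLE, BASELINE):
        print(f"issuer {bic}: {total:.0f} out in window starting t={start}s")
    for card, t0, t1, km in impossible_travel(SAMPLE):
        print(f"card {card}: {km} km apart between t={t0}s and t={t1}s")
```

The issuer check fires on the combined outflow across cards c1, c2 and c3 in one window even though it never looks at card numbers, which is the aggregation the comment argues for.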

~~~
Cakez0r
Out of curiosity, are there financial institutions that are actually still
using COBOL?

------
darxius
It makes me peeved when these reports omit the names of the parties that were
compromised in the intent of "protecting" their name. If I was a customer of
one of the banks that got broken into, I think it would be my right to know
that they're insecure so that I could put my money elsewhere.

~~~
Maxious
It tells you RakBank in the article and the wire service has the other bank

> Prosecutors said the scheme involved attacks on two banks, Rakbank, which is
> in the United Arab Emirates, and the Bank of Muscat in Oman.

<http://www.smh.com.au/it-pro/security-it/massive-21stcentury-bank-heist-cyber-thieves-steal-44m-20130510-2jbf1.html#ixzz2Sr1hnrj7>

edit: Oh, the NYTimes version of this story says it's a US based credit card
processor name withheld
<http://newsdiffs.org/article-history/www.nytimes.com/2013/05/10/nyregion/eight-charged-in-45-million-global-cyber-bank-thefts.html>
Other versions say the foreign banks themselves were the credit card
processors <http://mashable.com/2013/05/09/atm-hackers/>

~~~
hamstah
I've done a bit of digging and if you look at the RAKBANK prepaid portal [0]
you can see the service is powered by ECS which is based in India [1], with
offices in the US, UAE and Singapore.

Not sure about the other one, the bank of Muscat site is a bit crap, didn't
find mention of the processor in the T&Cs or description of the cards [2].

[0] <https://www.rakbankprepaidcard.ae/CustomerPortal/WebPages/Login.jsp>
[1] <http://www.electracard.com/contact-us.php>
[2] <http://www.bankmuscat.com/cards/prepaidmain.shtml>

~~~
ticl
More importantly electraCard is certified PCI compliant by Control Case [0]. I
think, this is the primary reason electraCard's name is not on the news; it
has been certified secure by the payment industry standard [1]. Either Control
Case failed to perform audit properly or the hackers had some serious skills.

[0] <http://www.controlcase.com/> [1] <https://www.pcisecuritystandards.org/>

------
wahlis
The credit card companies are making billions in profit. One way of increasing
the profit is by using 40 year old technology like magnetic strips instead of
upgrading the hardware. 45 million may sound like much, but it's much cheaper
than ensuring that every credit card reader in the world only uses chip
readers.

I am sure that the crew here at HN could come up with 50 better solutions to
security than the magnetic strip and a string of numbers.

~~~
muhfuhkuh
I thought that little SIM chip in my Visa Debit card from my Credit Union here
in the States was just for show until I was forced to use it everywhere I went
in Vancouver, Canada.

I guess they've either been stung enough by fraud up there that they switched
over from stripes, or they're just a bit more forward thinking than we are.

------
jrockway
Piece of advice: don't take pictures of yourself committing a crime.

~~~
fixxer
Those are just cashers... you have to be stupid to take that job.

This reminds me of a Canadian syndicate from a few years back... never caught
the top guy (rumored to be British).

Any followers of the Pink Panthers out there?

------
knowaveragejoe
I really wish people would stop linking to mobile sites on aggregators...
mobile users will get the mobile version anyways.

~~~
dubcanada
I wish they would only link to mobile sites. Mobile sites regardless of the
device are usually ten times easier to read.

------
sutro
Just follow these 3 simple steps for safe online banking:

<http://www.theonion.com/articles/after-checking-your-bank-account-remember-to-log-o,32260/>

------
salimmadjd
This attack was done by people who are rather sophisticated. This is not some
kind of script kiddie operation.

These people have international reach, were able to recruit people to run the
ATMs for them, and the ostensible "ring leader" was assassinated.

Either organized crime and/or former government agents with cyber security and
cyber-spying training.

------
ics
I wish that my bank would let me set a message to pop up whenever withdrawals
over a certain amount (or percentage) are made. If we can't be secure, I'd at
least like my would-be-account-ruiners to know "LOL STUDENT ACCT". What would
be even better is if every time I accessed an ATM it would snap a photo (so
many are all recording video anyway) and put it into my account mailbox to
view the same way I view checks. That way I could track my facial expression
over time as I watch my account go from $XXXX to $XX every time the rent is
paid and chart it along with other personal metrics. On the off chance that
someone does steal my card/pin/... at least I would be able to take a
moment shaming them in Photoshop out of... grief?

---

This actually got me thinking about a relatively straight-forward way to make
ATMs more secure. Many ATMs have cameras and are, presumably, recording each
time someone makes a transaction. I don't know exactly how the system works,
but here's what I think:

- People who use ATMs should pretty much expect to be recorded in some
fashion for security purposes, even if it's just a camera in the corner of the
room.

- By using an ATM most people, even the privacy-conscious, would agree to
this amount of surveillance. If not, they are welcome to visit their bank
during regular business hours, in a ski mask if they prefer, or better yet use
the inside of their mattresses instead.

- Adding a camera to a device, particularly one like an ATM, is trivial to
implement and should only make a slight difference in cost.

- This camera could also be sensitive to infrared or other bands in order to
defeat the ski-mask (thieving) or eye-patch/bandage (handicapped or
disfigured) crowds.

- The software could be made such that it only proceeds with certain actions
IFF it recognizes that the camera is not being blocked, that it recognizes a
face, and that the face is not being spoofed by a Polaroid or something silly.

- ATMs are networked and should be capable of uploading medium resolution
photos. Assuming reasonable policies could be maintained, the photo could be
sent over the wire directly to your card-issuing institution and then routed
to you, perhaps with a 7-days-til-self-destruct mechanism. Obviously _you_
could archive these if you wanted, but the point is that banks/credit
companies would treat it the same as security footage, i.e. data glut that's
only useful while it's fresh.

- As soon as you are made aware of some sort of fraud, you can simply report
the transaction, with identifying snap, to the bank (who will hand it over to
authorities).

I'll leave the potential problems of this system to your imaginations, but it
seems to me like a fairly easy to adopt solution to small, regular ATM theft.
Obviously a coordinated attack could perhaps find some sort of exploit, but
maybe it could deter the small-timers enough to be worth it.

EDIT: I am aware that this doesn't solve any of the particulars in the
article, but I still think it's "on topic" since we all like tech, and ATMs
are tech :)

~~~
Paul_D_Santana
> _I wish that my bank would let me set a message to pop up whenever
> withdrawals over a certain amount (or percentage) are made._

ING Direct does exactly this!

I get an email (text messages possible too) every time I make a purchase over
a certain amount that I've chosen. You can set the limit as low as $1 if you
really wanted to, so you can be notified of literally every single debit card
purchase.

This forward thinking is one of the many benefits (no fees _EVER_ being
another) I've enjoyed and why I love banking with them.

Online banking is definitely the future, or at least will grow to be a much
larger part of it.

~~~
nmcfarl
Simple alerts via their iPhone application of every debit card transaction
made - showing the place's name, and a location on a map at the same time.

Because there is no cut off, other than turning off notifications, this sounds
like it could be annoying. But in practice, it’s just nice, and gives you a
sense of security.

And when looking back over transactions at the end of the month - the maps are
dang handy for jogging my memory…

~~~
Paul_D_Santana
> _And when looking back over transactions at the end of the month - the maps
> are dang handy for jogging my memory..._

Whenever I get an email from ING about a transaction or deposit (one that
isn't totally obvious) I do this:

    
    
      Click "Forward".
      Delete all text/images.
      Write a few words about the purchase or deposit.
      And send it to myself.
    

That way I can look back in Gmail at any time and know _EXACTLY_ what I spent
that money on. This is helpful because sometimes knowing _WHERE_ I spent money
doesn't tell me _anything_ about what I actually purchased.

For example, I have a Debit Card Purchase of $10 at Farhad Monadjeem. What in
the _HECK_ is that???? Oh, that's actually the car wash at Mobil; the owner's
name I suppose. This system is also great for online purchases, so I don't
have to login to various websites to see what item(s) I purchased; it's all in
my email.

Easy and extremely effective!

------
lifeisstillgood
Wtf - 3000 ATM withdrawals in the same card and no alarms go off? Presumably
there is a "ignore flags flag" they set too!

So this just reminds me of the Microsoft paper a few months back - the problem
is not robbing the electronic bits, the problem is getting them out of the
financial system.

In the traditional bank transfer they need a money mule stupid enough to
transfer to a Russian bank. In this one the people with the (inside) knowledge
to uncap 12 cards needed to find 100 guys walking up to ATMs, plus their
supervisors and contacts.

So it seems either you can rob a bank but need an idiot to help you get it out
the country, or you can rob a bank and need a guy who happily sends hooded
killers round to your place.

All for what Zuckerberg sees as small change.

------
heifetz
Can someone explain to me how they were able to withdraw so much money with
only a few prepaid accounts? I'm assuming that even though the prepaid
accounts had a small balance, ATM machines let them withdraw as much as they
wanted??

~~~
kijin
According to the article, they hacked into the prepaid card vendor's system
and increased the balance.

------
hexonexxon
This is just one of many cashout crews at the bottom of the crime pyramid that
got caught. The masterminds are prob in Russia/Ukraine and won't be extradited
so long as they aren't stupid enough to go to a country on vacation that has
an extradition treaty with the US or they will find themselves getting kidnapped
by feds to stand trial in the US, for a middle east bank heist because USA
polices the world and your taxpayers cover the millions it will cost in
flights and court fees/investigation.

------
whizzkid
Even though this is really sad from an IT point of view, I kind of like that
there are people who always force IT to be better and better. PS: I
personally think that human-made systems will never be absolutely secure anyway.

------
chrisfarms
Does it concern anyone else that the chairman of Security Innovation Network
uses the phrase "cyberspace".

Well anyway, I'm just going to take a little trip on the Information
Superhighway, I'll be back later.

------
photorized
What impresses me most about this is just how incredibly well it was
orchestrated, especially considering the number of moving parts and
participants. Some top-notch project management there.

------
nnq
...was expecting to hear of brand new ATM Scheme implementation :)

------
ExpiredLink
> _then encoded the information on magnetic-stripe cards_

See the problem?

------
mamatta
And that's where <http://solinkcorp.com/> comes into play.

Shameless plug: Brother's Canadian startup

------
orangethirty
I'm always amazed at how many ATMs I have seen with their cables showing on
the back. Wonder how many get cracked that way.

------
maeon3
The people who should suffer and eat this loss are the people responsible for
letting it happen. Sadly, this will not happen, and the loss will be
socialized (and profits capitalized) across the entire people through the form
of raised insurance rate policies.

It's the system of insurance that is broken, not the fact that dumb
corporations are doing stupid things and losing other people's money.

Socialism doesn't work in any system that you implement it in. When you
separate the consequences from the actor, the rational actors will behave in a
maximally self-interested way and screw everyone else. When all do this, the
nation falls back 100 years. Not remedied, the nation falls back 1000 years.

~~~
eli
Huh? So you want the head of security at the hacked bank to pay for the losses
personally?

~~~
Cakez0r
He means the bank should take responsibility and chalk up the stolen cash as
their loss. What's more likely to happen though is that the bank will pass the
cost of the loss on to customers (in the form of increased prices).

~~~
freehunter
Well of course they're going to raise prices. They're a business. This isn't
happy fairy land; their cost of doing business went up, so their prices will
have to go up. If businesses didn't increase their prices to match an increase
in cost of goods sold, they'd quickly go out of business.

~~~
fennecfoxen
NO. This is where you're wrong. This is a business; their goal is to get
money: ALL the money, at all times. If they could raise prices and make more
money, they would have done it already. They're _not_ sitting on their laurels
saying "We have enough money!" only to be shaken from complacency and driven
to change their price schedule because of an unexpected expense.

This money comes straight out of their value as a business. It is a loss to
the shareholders.

