$12M stolen from 1,400 convenience store ATMs across Japan in 2 hours (mainichi.jp)
299 points by sjreese on May 22, 2016 | 194 comments

Interesting thing about Japan, is the complete acceptance of people wearing surgical masks in public (it's considered to be polite if you are ill). Makes it a lot harder to identify people from video surveillance.

In Turkey a lot of women wear burkas or some variation (depending on the specific religion sub-division). In Greece I've seen people (I might have done it myself) stopping with a motorcycle in the ATM and withdrawing money wearing a helmet and leaving, 90 seconds in total. This can't be done in some ATMs which require you to look at the camera before entering the ATM room[1]. However, that's like 5% of the available ATMs.

[1] In Greece this is illegal. The fact that Banks for years get away with taking pictures without any kind of explicit agreement adds to the narrative that Greece is (officially now) a protectorate and banks are WAY above state where it matters.

*Hey this is a Turkish guy and you just wrote something wrong there

In Turkey not a lot of women wear burkas. Burkas and the variation that you would like to point to are different things. If you wear burkas, it will be really hard for video surveillance, because only your eyes and the wrinkles around them are visible. The other variation, "Head Scarf", which leaves your face totally visible, is ok for identifying people.

From a cultural perspective, a lot of women in Turkey wear a "head scarf". It is a symbol that you are a part of a religion and you share almost the same vision with the religion that you are a member of. But burkas are different. It means you feel more radicalized in terms of religion. A social example would be shaking hands with women. If you are a man in Turkey and intend to shake a woman's hand, you can do it with a woman wearing a "headscarf" but not burkas. So, basically, no. They don't wear burkas at all, maybe 4% at most.

Below is my personal opinion.

I don't really understand why people are bullshitting my country. You never lived there. What you just wrote is a black propaganda. What is the relation between wearing burkas in Turkey and ATM heist? You are not in that position to conclude that opinion. It is just a subliminal message.

A recent survey in Turkey showed that Atheism and other close variants are on the rise at its highest rate ever. I hope that one day people in Turkey will break their chains and get rid of that human-made arabic culture.

It's true that in Turkey very few women wear clothing that veils the face, but you are overreacting. The previous commenter just counted two potential ways of avoiding ATM surveillance.

They're probably Saudi or Gulf Arab tourists and not Turkish. At least, that was my experience when I was in Turkey the last time, and I'm from the region; I have an easier job identifying people's background from their accent, form and attire than outsiders.

There are some small religious groups that use a face-veiling clothing called "çarşaf". This was also historically used in the Ottoman era. This sometimes covers below the nose, sometimes shows the face. https://en.m.wikipedia.org/wiki/%C3%87ar%C5%9Faf Usage seems like .01 to 2 percent of women.

I checked the pics on Google Images, they're virtually taken recently with nothing dating back to the Ottoman period to validate this claim. All look like black Arabian abayas and burkas and it's difficult to imagine that çarşafs and abayas are identical like that.

Fun fact, "çarşaf" or more accurately "şarşaf" in Egyptian Arabic means table clothes or bed clothes. It's amazing how words and consequently languages evolve and take on meanings over time.

Çarşaf has the meaning of table cloth in current Turkish as well.

I was gonna post the same pedantry as m00dy---there's a difference between a Burka and a head scarf. I guess it's just a bit of a trigger topic.

There's no need to immediately jump to conclusions about "black propaganda". The head scarf/burka definition was probably an honest mistake. And the relation to robbery is a fairly logical followup to ghshephard's comment about Japan's masks helping robbery. The point is that Japan isn't the only country where people regularly wear things on their face.

If you are unhappy with Turkey getting a bad rep internationally then maybe take it up with Erdogan. He is not doing your country any favors with all the sectarian/dictatorial/communal BS.

*Hey this is a Muslim guy and you just wrote something wrong there

You realize you just did the exact same thing between wearing Burkas in Turkey and Islam / Religion?

You are not in that position to conclude that opinion. Head scarves & Burka's go beyond 'identity' as you just trivialized them to.

You used your comment to get across your 'subliminal message' just as much as the commenter you accused of doing did.

"human-made arabic culture"

Just a nitpick, but every culture is man-made.

A headscarf obscures the face, not unlike a surgical mask. What exactly are you correcting the record on?

I don't think you know what a headscarf is.

Pop quiz: can you identify this person? http://i.imgur.com/WBqCCv1.jpg

Wow, the coloration doesn't help. I would have given myself about 40% odds of successfully identifying Audrey Hepburn; I can't do it at all when she's washed purple.

Google image search indicates it's someone named "Audrey Hepburn".

> I hope that one day people in Turkey will break their chains and get rid of that human-made arabic culture.

Let's assume for the sake of argument that Turkish people manage to get rid of the Arabian deity (Mohammad's god) they embraced a millennium ago; it would be an uphill battle for them against history because, whether you like it or not, the brightest spots in history for Turkish people were during the reign of the Seljuks and Ottomans, and neither would have happened had it not been for the Islamic doctrine and faith.

You could argue of course that Turkey founded by Ataturk was still something impressive and to look up to, but it still pales in comparison with what had been achieved during these two eras, at least from an imperialistic and militaristic point of view.

That's why I think it wouldn't be easy for Turkey to break free from the negative Arabian influence and Sahara culture even if they renounce Islam altogether when compared to other countries in the region with more diverse and rich history spanning various civilizations and glorious times, and therefore they should focus more on how to reconcile with their past and history and not just get in state of denial about it.

What you said would also apply to, say, the British Empire, which was very Christian for its entire existence.

Most people don't really care about the details of history that much - just whatever narrative they can spin that satisfies today's needs.

Did the British force people to convert to Christianity for them to enjoy the benefits of being subjects of the monarchy?

The British Empire was vast and I can't come up with a definite answer for all the areas that were colonized by them but in my country "Egypt", they didn't do that. They however facilitated the work of western missionaries but it didn't achieve much with the Muslim locals and probably contributed to the outrage of Coptic clergy as these missionaries were snatching people from their congregation. Other than that, the British didn't really care about religion and their social order was constructed on race/class first basis and anything else second while for the Ottomans it was all about religion first and anything else second.

> Did the British force people to convert to Christianity for them to enjoy the benefits of being subjects of the monarchy?

How far back in history do you want to go? Plenty of battles within Christianity in British history. E.g. King Henry VIII didn't accept the authority of the pope and led the Church of England away from the Roman Catholic Church. https://en.wikipedia.org/wiki/Church_of_England#Separation_f...

A few generations later, things got pretty dicey for the remaining Catholics:

   England’s Elizabethan Catholics were public
   enemy number one. Their Masses were banned
   and their priests were executed.

Did the British persecute Catholics when they were in an imperialist/expansionist mode around the world?

To the best of my knowledge, that didn't happen. The British Empire in its quests wasn't concerned about anti-Catholicism and disdain for the authority of the Pope; it was primarily driven by political/financial gains. On the other hand, for the Ottoman Turks it was all about Jihad and the subjugation of non-Muslims in newly conquered territories. The persecution and discrimination against non-Muslims for the subjects of their realm was one of the founding principles of their rule and public policy.

As a Canadian, yes they did. Look at our history and how the British tried to assimilate the Canadiens.

That's not to mention that forcing Christianity on conquered subjects was one of the main goals of the British Empire.

When did the Ottoman Turks become Muslim?

From the Saljuk period. Is this a history quiz :)?

Oh, I just couldn't recall when it happened, but it seemed obviously important when comparing to Christianity and the British Empire.

I don't necessarily disagree with your analysis. Or that of others here.

My point is that it's irrelevant in terms of how history affects peoples' actions. You're engaging in a detailed study of historical reality, but the masses don't do that. They have a narrative spun for them - generally no more than two or three sentences of complexity, max - and that's what matters.

Thanks for correcting the poster. The US traditionally was very isolationist. After world war one we became more involved in international affairs, and dominant after ww2. We're in an odd time. In the mid 20th century lots and lots of Americans had been around the world, because of the wars. But those generations have almost died off. Very few Americans have first hand experience with other cultures. I think the general population avoids thinking about other cultures.

Please don't take it personally. It's ignorance. Perceptions are built around these weird media effects from the news. Treat us like puppies or children. It's not malice, we just don't know any better.

Speak for yourself.

The Turkish man you replied to wanted to correct an inaccurate stereotype about Turkish culture. Your comment perpetuates the stereotype that Americans are uneducated on global affairs. This may be true for some, but saying that all Americans should be treated like "puppies" because they "don't know any better" is a huge insult.

As an American myself, I would consider it fair to say that Americans are relatively uneducated on global affairs. Do you have some data suggesting otherwise?

Also, I think you've confused a general with a universal. I don't think he was saying that "all Americans" don't know better, just that when confronted with dumb statements it's better to presume ignorance than malice.

As an example, National Geographic did a survey in 2002, and young Americans came in second to last:


"About 11 percent of young citizens of the U.S. couldn't even locate the U.S. on a map. The Pacific Ocean's location was a mystery to 29 percent; Japan, to 58 percent; France, to 65 percent; and the United Kingdom, to 69 percent."

On the one hand, I find this a bit appalling. On the other, I can't totally blame people; America is big enough and far enough from everything else that relatively few Americans ever leave the country, and those who do mostly stay on the continent. So I don't see an "assume ignorance, not malice" posture as an insult; it's mostly what I do myself.

Although he may have simply meant "presume ignorance, not malice," the wording used was very derogatory.

I do not doubt that Americans on average are less educated on international affairs than other Western countries. But arguing that a factually incorrect comment about Turkish headwear on HN (by a user of unknown nationality) is a result of broader "American ignorance" is meaningless.

Furthermore, I believe m00dy's response was accurate and fair. If he viewed every incorrect comment about Turkish culture as written by an American "puppy," I doubt he would have commented, and no one would have learned anything.

> Although he may have simply meant "presume ignorance, not malice," the wording used was very derogatory.

Indeed it was. After a few hours I realize I came off as a jerk. My apologies to you and anyone else I may have offended.

No problem; I think the issue was just wording.

>About 11 percent of young citizens of the U.S. couldn't even locate the U.S. on a map.

This seems particularly bizarre, because even if someone hasn't learned world geography, surely they've seen a map of the US in various contexts, and can recognise its shape?

That would be fun to research, but my guess: if you showed them the shape of various countries, more people could pick out the right shape. But that shape cuts off Canada and Mexico in ways that are essentially arbitrary, so if they're keying on those edges, or on the grid-of-states shapes, they could still struggle with a satellite photo.

My guess is that this number would be significantly better today because people interact a lot more with world maps when they accidentally zoom out on, e.g., Google Maps pages.

>The US traditionally was very isolationist. After world war one we became more involved in international affairs, and dominant after ww2.

Except not.


The US traditionally has a big chunk of the electorate that's very isolationist minded. And with that come quite a few politicians pandering to that, at least rhetorically.

For the record: I'm not American :-)

Wait, it's against the law for me to photograph someone entering my property?

The act of taking the photograph is probably not illegal.

But something to the tune of "All user biometrics shall only be stored with the consent of the subject." pretty much means it is illegal to do so, unless you have some sort of sign.

This type of law is usually under the guise of protection of personal information, or some other flag. Though the laws vary in many countries. For the sake of argument, I'm simply saying it's not illegal to photograph someone entering your property in order to point out how "secondary" or "related" laws apply without ever explicitly being defined so.

European data protection rules apply to CCTV systems; they're generally legal with signs and appropriate policy.

(Compare US law on taping phone conversations)

Without his consent? Absolutely. In Greece the police will have you remove any camera that faces the street (even a small chunk of it) if you're not a bank of course.

Now when we're talking about private property, written consent about what you do with that data is obligatory.

Indeed these banks receive tons of lawsuits every year, but if there's something more rotten in Greece than the economy, it's the justice estate...

I had a look, and apparently there is quite a bit of controversy regarding Islamic headscarfs in Turkey:


And then I was confused what constitutes a headscarf, so I found this:


The reason often varies depending on the Asian country and with varying level of social acceptance. It is not limited to illness (contraction or spreading).

For example, in Taiwan, females will wear the mask to block the sun in an attempt to prevent freckles.

They are also often used to combat pollution. Many choose to only wear while riding scooters, while others any time outdoors.

In some countries masks have become commonplace such that decorative fashionable masks are sold at convenience stores.

This is a South/East/South-East Asian thing, not specific to the Japanese. You will find the same in Vietnam, Korea, Cambodia, Thailand, Taiwan, ...

Also Hong Kong. I always thought it may be related to population density. Another thing I've noticed in Hong Kong is sanitizing gel dispensers placed pretty much everywhere - corridors in metro stations, hotels, etc. Seems reasonable with the amount of people living there per square meter of space.

I'm not sure it's population density or at least not that alone. There are parts of the West with comparably high densities, especially in large cities, and covering your face is generally frowned upon.

I suspect that the cultural focus on cleanliness has a lot to do with it, but given that it's Hacker News there may be someone with a more exact idea of the origin.

You wear one if you're sick. So that you don't get other people sick basically.

Contrast with my experience in Sydney, where catching the bus during flu season is bloody hazardous. Being coughed and sneezed on gets old quickly, so I totally understand the surgical mask thing; it's a basic courtesy.

Yes. Though I am not sure if it's actually effective, or only a superficial courtesy.

It may even be counter-productive, if it means you no longer feel the need to cover your mouth when coughing.

Isn't surgical mask more effective than covering your mouth when coughing?

Allergies is one major motivator.

Allergies should be a good reason not to do that, at least from a public health perspective.

It's most likely due to the country's brush with SARS and avian flu. http://www.bbc.com/news/world-asia-china-21680682

I wonder if this is a consequence of the SARS outbreak ~10 years ago.

No, it predates it, to the 80's at least, to my personal knowledge, and I have no reason to think it's not older than that.

You will find it elsewhere in SEA, but the prevalence in Japan is extremely high. I've been in train carriages where 40% of its passengers are wearing them.

It has to do with the fact that you are still expected to show up at work when you have a cold or other similar "minor" illnesses. It's the same in Korea and other Asian countries.

That's not entirely accurate. It's because of H5N1 outbreak 10 years back that people have become a lot more conscious about airborne diseases. It is polite to wear a mask when you are sick so that you don't spread it to other people when you cough or sneeze.

The practice of wearing a surgical mask in Asian countries is far more than 10 years old. I saw it in Hong Kong and Shanghai in the 70's.

Not sure, but it definitely blew up after 2003.

Having lived in Japan for around 10 years, in my experience, the vast majority of mask wearers are doing so because of allergies (particularly Sugi). It's pretty rough for a lot of people - particularly in the early spring months. Also why air purifiers are big business here.

I feel like this could be solved with a decent VPN + an occasional webcam.

I bet it had to do with the 2003 SARS epidemic in Hong Kong, as is also the case in other nearby Asian cities/countries like Taiwan and Singapore.

I'm from HK and to the best of my memory the practice never existed before the epidemic. During the epidemic, anywhere you went in public, there were at least 8/10 people wearing masks, thanks in part to huge public (TV/print) campaigns by the government and places like schools/clinics/hospitals providing free masks. That is just one of many counter measures that live on to this day. Another one is that all elevators and escalators have stickers or signs stating how many times/day and when it was last disinfected, and elevators tend to have a big clear plastic sheet covering all the buttons.

A great number of the mask users in Japan are allergy sufferers. The Forestry agency in Japan planted mono-culture trees, fast growing cedar. The pollen from these trees wafts from the cedar farms in yellow clouds. Having a single predominant plant species putting out so much pollen triggers awful allergies for those people who are sensitive. And triggers normal-bad allergies in people who might not have become allergic without the large exposure to that mono-culture pollen.

Yet, in the US, if you're wearing a mask, the majority will think you're a terrorist.

What a world we live in.

A ski mask, maybe. If you're wearing a surgical mask people will think you're sick.

Hong Kong is the same way -- and I can't blame them. SARS was terrifying.

Interesting that Asians covering their faces is received so differently from Middle Eastern women covering their faces.

One is for medical reasons and by choice, the other is for religious reasons and "by choice".

Totally different beasts. Muslim women covering their whole body but their eyes is way more difficult to identify for law enforcement since they have only the eyes as one data point to uncover the identity while for Asian folks who cover their mouth - not their face, huge difference -, you'd still get the eyes - provided that they are not covered by sunglasses -, the hair - provided that they are not wearing ridiculous hat -, body shape and probably gait as data points to work on in their search.

All in all, it's still a better situation for the latter than the former when it comes to law enforcement.

Not quite so different. There are huge discussions about the headscarf in Europe, which doesn't cover the whole face like a Burkha.

That's because it isn't the act of covering your face that people find offensive, it's the reason behind it.

Asia is a very big place.

Stalin was as Asian.

14000 transactions at 1400 ATMs in 2 hours?! Think about the logistics. That's 120 transactions per minute. And 1600 cards. Either an army of coordinated people, in itself highly risky as it vastly increases the likelihood of someone grassing on the group, or fewer people all sitting at the same ATMs drawing for 2 hours.... difficult not to get noticed. If they really pulled this off it will be the most well organized organized crime ever.

The Yakuza has 102,000 members - https://en.wikipedia.org/wiki/Yakuza.

"The yakuza are notorious for their strict codes of conduct and organized nature."

The Yakuza don't pull stunts like this, they're way too closely watched by the cops and an operation on this scale will be traced back to where it came from.

You slipped in a zero :). It's 1400 transactions, for ~12/min. Still a lot, but not quite as omgwtf'y.


Actually - it was 14 000 transactions, but at 1400 different ATMs. stet

Oops, sorry!

I was thinking the same. And it mentions every single transaction was for the maximum withdrawal amount.

The system doesn't notice when 116 transactions per minute are for the maximum withdrawal amount?

The ATMs don't run out of cash really quickly?

A lot of Japan's economy is still cash-based. On common paydays like the 25th and (to a lesser extent) the 15th of the month you'll see long lines at the ATMs. The heist happened on the 15th.

The maximum withdrawal amount in this case is only about 1000 USD. Not that much. A lot of people will withdraw the max on the payday.

And it was only 10 transactions per ATM in average, spread along 2 hours.

To the extent that these ATMs are just terminals that serve a variety of networks, I wouldn't assume Seven Bank is at fault.

The real WTF is how cards can still be cloned so easily, how they got the passwords, how the S.A. bank didn't notice a spike in transactions from Japan, etc.

Have you ever worked on a risk system? Hard to get right I would imagine. Very possible news of a hurricane would lead to a bunch of max rate withdrawals. May not want to cut everyone off then..

The false positive rate for "shut down everything" needs to be very low, but it sounds like the threshold for "page somebody" could have been sooner.

It got shut down in 2 hours, not impossible someone got paged 15 minutes in...

Japan is a very cash-based economy. Large withdrawals are not uncommon. 116 transactions at the same ATM should raise some red flags, but there are very few people looking.
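An added illustration of the two-tier idea raised in the comments above (a low bar for "page somebody", a much higher bar for "shut down everything"), seen from the card issuer's side; it is not part of the original thread. The field names, window size, thresholds and the sample stream are all assumptions constructed for this example, with the burst sized from the figures quoted in the thread (14,000 maximum-amount withdrawals from about 1,600 cards in two hours).

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Withdrawal:
    ts: int           # seconds since the start of the observation period
    card: str         # card identifier (constructed)
    issuer: str       # issuing bank (constructed label)
    atm_country: str  # country where the ATM is located
    amount: int
    limit: int        # per-transaction maximum at that ATM


class IssuerVelocityMonitor:
    """Counts foreign, maximum-amount withdrawals per issuer in a sliding window.

    Thresholds are assumptions for this example, not values from a real system.
    """

    def __init__(self, home_country, window_s=600, page_at=20,
                 block_at=200, min_cards=50):
        self.home_country = home_country
        self.window_s = window_s
        self.page_at = page_at      # low bar: a human looks at it
        self.block_at = block_at    # high bar: automatic block
        self.min_cards = min_cards  # block only if many distinct cards are involved
        self.events = {}            # (issuer, atm_country) -> deque of (ts, card)

    def observe(self, w):
        # Domestic or below-limit withdrawals are outside this rule's scope.
        if w.atm_country == self.home_country or w.amount < w.limit:
            return "ok"
        q = self.events.setdefault((w.issuer, w.atm_country), deque())
        q.append((w.ts, w.card))
        while q and q[0][0] <= w.ts - self.window_s:
            q.popleft()             # drop events older than the window
        if len(q) >= self.block_at and len({c for _, c in q}) >= self.min_cards:
            return "block"
        if len(q) >= self.page_at:
            return "page"
        return "ok"


def constructed_stream():
    """One quiet hour of tourist traffic, then a burst shaped like the thread's numbers."""
    limit = 100_000  # constructed per-transaction maximum
    stream = []
    for t in range(0, 3600, 60):    # ordinary below-limit withdrawals
        stream.append(Withdrawal(t, f"tourist{t}", "issuer-A", "JP", 30_000, limit))
    for t in range(0, 3600, 900):   # the occasional legitimate maximum withdrawal
        stream.append(Withdrawal(t, f"max{t}", "issuer-A", "JP", limit, limit))
    for i in range(14_000):         # burst: 14,000 withdrawals over 7,200 s, 1,600 cards
        ts = 3600 + (i * 7200) // 14_000
        stream.append(Withdrawal(ts, f"card{i % 1600}", "issuer-A", "JP", limit, limit))
    return sorted(stream, key=lambda w: w.ts)


def first_alerts(stream, home_country="ZA"):
    """Return {level: timestamp at which that level was first reached}."""
    monitor = IssuerVelocityMonitor(home_country)
    alerts = {}
    for w in stream:
        level = monitor.observe(w)
        if level != "ok" and level not in alerts:
            alerts[level] = w.ts
        if "block" in alerts:
            break                   # issuer would stop authorising at this point
    return alerts


if __name__ == "__main__":
    print(first_alerts(constructed_stream()))
```

With these assumed thresholds the page fires seconds into the burst and the block under two minutes later, while the quiet hour before it raises nothing.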

Can I speculate that this is an untraceable form of tax protection payment from 7 Bank to Yakuza?

Would the South African bank be held accountable for this? Or can they get away with this as the cards are fake/stolen?

The article makes it seem as if Banks of the ATMs are the ones who lost the money.

I'm also a bit surprised the criminals carried their operation in Japan, It would have been easier in a more messy place e.g India / Africa ?

Yes, the South African bank will most likely be liable for this.

>I'm also a bit surprised the criminals carried their operation in Japan, It would have been easier in a more messy place e.g India / Africa ?

No, you'd want a location with lots of ATMs that have large amounts of money in them. In my experience India and Africa would both be particularly bad places for this. LE isn't a factor here, mules may get arrested but the perpetrators certainly don't care.

>No, you'd want a location with lots of ATMs that have large amounts of money in them. In my experience India and Africa would both be particularly bad places for this. LE isn't a factor here, mules may get arrested but the perpetrators certainly don't care.

Contrary to popular belief (and "your experience"), Africa & India have a lot of ATMs that have a lot of money. I am from South Africa, and I've been to India, so I know this for a fact.

Your experience must be severely limited then, as both of those countries have very low ATM densities.

This isn't just my personal experience, but a very easily verifiable fact.

I also seriously doubt that level09 was referring to South Africa in his comment, rather than the other "messier" African nations that all have far lower ATM densities.

Interestingly this is not the first time it happens. 3 years ago: http://www.nytimes.com/2013/05/10/nyregion/eight-charged-in-...

Yeah, this is a not uncommon style of attack; there have been multiple instances. http://krebsonsecurity.com/2013/02/crooks-net-millions-in-co... has some more.

As all credit balances on cards are just numbers in a database somewhere and prepaid cards can be refilled and drained pretty quickly, you can see the appeal of this style of attack.

100 people involved? That's a lot of people who could potentially slip up.

Also, that is not exactly a life changing amount of cash, even if divided evenly only between them.

Eh, it's not too bad for 2 hours work. Assuming 100 people (which would be about 9 minutes per ATM -- 1 minute to withdraw, 8 minutes to travel to the next one), that's $127,000 for two hours of unskilled labor. If you assume that half of that gets passed upward, that's $63,500 for each of the 100 unskilled workers and $6.35 million for some smaller group (say, 5-10) who organized it.

It's actually probably safer for the workers than the organizers -- if one of the workers is picked up, they probably have a huge incentive to roll over and give up the guy who recruited them, but the organizers probably won't get much out of giving up their 100 minions.

And yeah, $50,000 probably isn't life-changing for you but if you're a teenager or 20-something without any prospects, it could be life changing. It's not "retire to an island" money, but it is "pay for college", "start a small business", "buy a car" and "move out of your craphole town to a place with economic opportunity" money.

And for the organizers, $1M a piece may be retire-to-an-island money, assuming you mean "move to a cheap island" and not "buy your own island".

My guess is that they were minions ordered to do so by someone else. The someone else will get the bulk of the cash.

> Also, that is not exactly a life changing amount of cash, even if divided evenly only between them.

320x the minimum wage in my country. I could sure live several years with that amount of cash.

Can a mod change the title to use the amt listed in the first paragraph?

Current title: 120M stolen from 1,400 convenience store ATMs across Japan in 2 hours

First paragraph of article:

>TOKYO (Kyodo) -- A total of 1.4 billion yen ($12.7 million) in cash has been stolen from some 1,400 automated teller machines in convenience stores across Japan in the space of two hours earlier this month, investigative sources said Sunday.

Suggested title: $12.7 million stolen from 1,400 convenience store ATMs across Japan in 2 hours

This is the only declassified story I could find... The 120M number is real and BMO is on full alert.

Any source?

I'm surprised there are still ATM cards without chips, and in Japan out of all places.

The timing of ATM chip deployment is determined by the region's rate of card fraud, not technological sophistication. There were significant transaction costs for the transition, and it made economic sense to roll them out sooner in places with higher rates for fraud, so, Europe before US. Not sure about how the rollout happened in Japan, but it makes sense that they haven't completed a transition given their very low crime rate.

CC fraud in the US is/was waaaaay higher. Earlier EU adoption had to do with lower CC merchant fees..

This is factually incorrect on two grounds: First, the adoption of Chip & Pin in Europe predates the European Union. Second, credit card fraud in Europe, France in particular, was out of control before its adoption. I believe it was either a French or Swiss researcher that developed the technology in response.

My understanding is that French (and presumably other European) banks assigned the liability for fraud to the account holder, whereas in the US, liability for fraudulent credit card charges falls to the banks and the credit card processing networks.

This meant that individual account holders were much more tolerant of chip-and-pin technology, and demanded additional security features like portable card readers, which mean that the credit card never leaves the account holder's possession.

Do you have a source for this? Lite googling suggests this isn't true now in the UK (e.g., http://www.theukcardsassociation.org.uk/faqs/ ) and I can't find any evidence it was true in the past.

Edit: it's also not true in France now: http://www.french-property.com/guides/france/finance-taxatio...

In the US the liability for fraud is on the merchant accepting the card.

This is mostly false. In the past, the liability was completely on the bank. In October, it switched to the merchant only if the merchant hadn't upgraded to a chip reader. The switchover process is continuing, and when it is complete the liability will be with the banks, as it was before.

It's been a while, but I seem to recall in a past company that for card-not-present transactions, the risk of fraud was on us, not on the bank approving the transaction.

Chip and pin does not predate the EU. Debit cards used to be swipe and pin since the 80's, credit cards were not so widely used and supported both pin and signature.

I don't doubt that many complicated economic and political factors influenced things, but you're interpreting the fraud data wrong. The US credit card fraud rate as a fraction of transactions value is currently only double (~2.1 times) the EU rate, and only 1.5 times the UK rate:


I am unable to find good data on fraud rates in Europe going back before chip-and-pin, but the system reduced fraud in the UK by ~60-70%, at least for face-to-face transactions:


So the UK almost certainly had significantly higher fraud than the US before rolling out chip-and-pin. If seliopou is right, then this was also true for France.

Let me know if you can find better Europe-wide data.

And lower CC merchant fees respond to the merchants' losses to fraud.

Could you explain what you mean?

Interchange fees are set based (in large part) on how much fraud the processor expects to deal with. This is why interchange fees are lower for card-present than card-not-present transactions, and higher in business categories that tend to have more fraud.

A processor does not charge lower fees for chip cards in a vacuum, they do it because they expect to eat less fraud from chip cards.

Oh, I understand what you're claiming now. But I don't think the effect you're describing is very important. As colechristensen points out, the fees in the US are 5-20 times larger while their fraud rate is only about twice. So it looks like other factors (e.g. degree of regulation, monopsony effects, etc.) have a much larger influence on interchange fees than fraud rates. Indeed, the amount lost from fraud is only about 0.1% of transactions in the US, and 0.05% in the EU.


In the US there is a ~1.5-5% fee for each credit card transaction. In the EU it's capped at 0.3%

Losses due to fraud are much easier to eat in the US because of the 10x larger fee.

The cards were not Japanese but South African. I'm shocked though that the machines in Japan accept non pin cards.

7-Eleven and Post Offices are the only places which accept cards issued outside of Japan. I assume they have to cover all possible types of cards, otherwise people from other countries could get stuck without money here that way.

Some other combinis also accept foreign cards, but yes, getting money from a foreign credit/debit card in Japan can be difficult.

I hope this doesn't make it even harder to do so.

The international ones (every 7-11 atm) have to accept everything. My Japanese card doesn't even have a magstripe, only chip and pin, so the hometown banks aren't as stupid as this may make them seem.

South Africa has had chip-and-pin cards for a very long time, but like many other countries the magstripe was kept for compatibility with US cards (I was told). I used to think this was common the world over. Not so?

(I know the US recently went chip-and-pin.)

Yeah, it's really odd. Only Post Office and 7-11 ATMs work with my non-PIN credit card. (Mine also has a chip, though.)

There're still fax machines in heavy use in Japan. It's a strange place.

Fax machines are still present pretty much everywhere, especially in corporations and government facilities. When I was working in the UK 5 years ago in a large research institution, I had a fax machine next to my desk.

(The only thing it did though was activating once a day and printing out some ads, mostly car dealerships or insurances, AFAIR.)

Is fax spam not illegal in the UK? In the US, AFAIK, there is a potential $500 fine per unsolicited fax ad.

I used to help my dad identify senders of spam faxes so we could get a court to issue summary judgment. I think the fine can be tripled if the violation is willful.

Even with faxes from a whole bunch of his clients... as many as I could trace back to the sender, and then of course collecting the judgment isn't easy. So after all that, it was barely enough to pay me. I guess that is why you don't see folks going after the spammers as much.

I don't know. But the first time I saw it happening I went and showed it to my boss; she reacted like most people react to on-line ads. "Yeah, it does that."

I was also surprised that flip-phones are a thing which a lot of people buy and use.

Oh we're past chips, and have NFC enabled credit cards. Which is even worse, see http://privacy-pc.com/articles/hacking-in-the-far-east-7-too...

Contactless only lets you spend 25 pounds (so I guess $30-40) in a single transaction, you can only do 5 a day (until you have to enter the pin), and it's impossible to withdraw cash using it. The card also won't surrender its data without a valid decryption key from an authorized terminal. I have absolutely no idea how you can even describe contactless as "worse" in this case.

Yeah, 'the trade body said fraud via the cards was "extremely low", at less than one penny for every £100 spent.' (bbc)

Well if we're on the topic of Japan, contactless lets you spend 20,000 yen (125 GBP) in one transaction.

Fraud is definitely a lesser concern in this country of lower crime rates. I'm afraid it will probably be tightened up as they globalise.

100 people, 4 hours, 13 million dollars. Set in the "mystical" and "lcd bright" Japan. Sounds like the next George Clooney movie. Ocean's 100? :)

How on earth does the system absorb a nearly $13M loss now?

The article has the amount at USD 12,7m. That's a lot of money but quite a bit less than the title suggests.

Yeah, the posted headline is just plain wrong. It was 1.4 billion Japanese Yen.

This is just getting confusing (and ridiculous), I don't know if you're using long or short scale.

Currency conversion, plus bad editing/title, plus confusion around the short/long scale.

Sometimes, M = 1,000, and MM = 1,000,000

(edit: just came back realizing that this was a useless comment since they'd both be wrong here)

In this case it was apparently neither of those

Why the hell is M 1,000? Shouldn't you use k?

Mille is Latin for 1000 and therefore the Roman numeral for 1000 is `M`.

It's pretty unlikely for anyone to use a mix of Roman numerals and decimals to describe... anything.

It's used in accounting in certain companies. It probably depends on the company culture.

Mille is sometimes used (eg, CPM is Clicks Per Mille/Thousand)

It's also sometimes used in the US for 1/1000 of a dollar for property taxes (mill levy).

Edited, thanks.

That's an order of magnitude better but to nitpick: the amount is closer to $13M ;)

A more accurate title would probably be "120M stolen from hacked South African bank via 1,400 convenience store ATMs across Japan"

Actually, a more accurate title would be "12M stolen from hacked South African bank via 1,400 ATMs across Japan"

Actually, a more accurate title would be "$13M stolen from hacked South African bank via 1,400 ATMs across Japan"

Actually..... Since this is a pedantic chain....

13M was not stolen. 12M was stolen (and some more).

Thus the more accurate title would be "12M stolen from hacked South African bank via 1,400 ATMs across Japan" since the statement in your title is demonstrably false, while the other title is (presumably, from the article) true.

1.4 billion yen stolen from 1,400 ATMs across Japan. There is a 100,000 yen limit per card per day from convenience stores.

That's 2X or 3X the common ATM limits in the US (which seem to vary from bank to bank, or even account to account). Is there a higher limit at non-convenience-store ATMs?

Depending on the bank and your type of card between 500,000-2,000,000+.


How would that make a difference?


This is about stolen credit cards. What do vulnerabilities have to do with it?

How did they get passwords?

Let me guess they run Windows XP Embedded?

You could have a Cray in there behind the wall and it still would have happened. It's the debit card system and protocols that make this possible. They didn't hack any ATMs.

Amateur hour.

If you want to rob a bunch of ATMs and get away with it, try keeping your vulnerable window longer than 2 hours...

I mean, it's going to be pretty straightforward to gather a bunch of footage and see what happened those 2 hours. These guys will get busted within the next few days basically guaranteed.

If they can coordinate a 100 person operation across 1400 ATMs nationwide in the span of two hours, I'd assume they had basic face covering to make it hard for authorities to determine their identities. At least, I hope so. After all that trouble...

Besides, I think the decision to execute the transactions in a short time window is correct. Otherwise banks would easily spot a pattern in the transactions (max amount, stolen CC, South Africa) and start rejecting them. Even if legitimate transactions are denied, it's still worth it. They would have never been able to get away with $12 mil in cash.

The fact that it had to be done by 100+ guys almost guarantees they'll be caught.

A small crew can disappear, but 100's of people, at least some of them with records and known to the police? Not a chance.

The way these things are usually set up, the people using the cards have little to do with collecting the info, or making the cards. If a few are caught they don't know anything about the others, and are much harder to trace. So cops don't put a lot of effort into tracking these people.

There are now 100 people holding cash. How will the organizers get it back?

Dead drops? One guy talks, they have a drop site. Law enforcement knows how to do stakeouts. Wait until someone comes to pick up the cash from the drop site, tail him to wherever he goes next.

Deposit it in real banks and transfer it somewhere? Okay, now you don't even need a participant to cooperate, you can just identify him and pull his bank records.

Maybe they convert it to BTC. Are there mixing services doing enough volume to really be untraceable? Otherwise investigators can watch it on the other side and see whose bank account it gets converted into.

Pay cash upfront like a large drug deal between gangs.

Large drug deals between gangs are vulnerable to stakeouts and busts if one of the parties involved leaks the meeting time and location.

The whole point of mules is for them to get burned. Assuming this was done properly, every single one of those 100 people can get caught and the cops won't be any closer to catching the people responsible.

That only holds true once the money has percolated up the chain - if they catch anyone in the window prior to the handoff, it could be of use.

Of course, if they pulled this off effectively, the drops all were probably executed soon after the 2h window, and then you've got a much colder trail to follow, even if you find one of the mules and magically have video surveillance of the region.

In all likelihood the handoff would be executed via bitcoins or a wire transfer by whoever is coordinating the operation in Japan. In all likelihood the people actually responsible for the hack are going to be Eastern European or Russian, and once the money is no longer in cash it'll be gone forever.

Good point. It will also be way more difficult to regulate the spending habits of the group, which will draw even more suspicion.

And then you have a 100-player Prisoner's Dilemma, unless they organized the group in a decentralized manner.

Why regulate? You could have accepted BitCoin up front, assigned ATMs, then distributed numbers at the last moment.

Cash flows up, risk flows down. Seems to be the MO of most organized crime.

>Good point. It will also be way more difficult to regulate the spending habits of the group, which will draw even more suspicion.

These 100 guys aren't a part of "the group" though, they're just random idiots hoping to score a quick buck.

The people actually running this in all likelihood aren't even in Japan.

I am sure the Yakuza can find 100 foot soldiers without too much difficulty.

More likely, the Yakuza can find 100 random people who they have some sort of leverage over and who know virtually nothing about anything of importance so it doesn't especially matter if they get arrested.

A bear jumps out of a bush and starts chasing two hikers. They both start running for their lives, but then one of them stops to put on his running shoes.

His friend says, "What are you doing? You can't outrun a bear!"

His friend replies, "I don't have to outrun the bear; I only have to outrun you!"

Let me guess, they'll narrow it down to a bunch of people wearing surgical masks, hats, glasses, cheap windbreakers, and blue jeans. Now they can just arrest half the people in Japan!

Even if faces are clear, how realistically can it be traced back to anyone?

How can you really find someone from a 100x100 pixel image? I am genuinely interested.

Assuming ATMs take and store a photo every time they're used, then it'll be a matter of matching the photos to photos of people already in the corpus of training data several times. That makes it quite easy.

Presumably you leverage the camera network to follow them to some other location.

This isn't the UK

The guys retrieving the money, yes, but that doesn't guarantee that the masterminds will get caught.

Chances are the ones going to the ATMs are money mules (https://en.m.wikipedia.org/wiki/Money_mule), probably not of the completely innocent kind, but of the "not too smart, falling for a 'want to earn $100 in an hour?'" question from a 'friend'.

$100 will give them about a 10% cut, if they do one ATM. It is more likely, though, that they had each guy do >1 ATM. So, you would need, maybe, around 250 of these guys. To recruit them, find around 50 slightly smarter but still not too smart guys who get $2000 each. On top of that, you need real criminals who can make sure the lower levels do not run away with the money, either by convincingly threatening them with bodily harm, or by following them to the ATMs while staying out of view of the cameras.

Yes, costs will add up, but you should be able to keep costs below 50%.

A 10% cut wouldn't be $100. It sounds like each person ran about 140(!) transactions, maxing the withdrawal on each one. That's 14 million yen per person or about 127,000 USD. 10% would be 12,700. Still possible that this happened but my guess is it was yakuza given the coordination and manpower.

As someone upthread remarked, it actually seems improbable it was yakuza - way too visible, even with no provable connection, going to make their lives problematic for awhile.

Plus, we probably wouldn't be hearing about it a week after the fact, if it's part of a long-standing interaction like the yakuza, barring someone with loose lips.

Ah, armchair criticism from people who don't even know how those things are usually run...

As if those 100 guys matter...

The mules get busted. The mules are amateurs.

>Amateur hour.

Please tell me how you'd do it instead? Build robots to go to the ATMs?

Only thing that matters here is the link between the people going to the ATMs and the people actually running the operation.

ATMr... it's Uber for ATMs from your smartphone

Well, IoT is all the rage these days...

No matter how you spread it out, couldn't they just look at the video from when each fraudulent withdrawal was made? Also, what is the vulnerable window here?

This is on exactly the opposite side of the spectrum from amateur hour.
