Flash Mob Steals $9 Million From ATMs
Mike writes "A global flash mob of ATM thieves netted $9 million in fraud against ATMs in 49 cities around the world. The computer system for a company called RBS WorldPay was hacked. One service of the company is the ability for employers to pay employees with the money going directly to a debit card that can be used in any ATM. The hacker was able to infiltrate the supposedly secure system and steal the information necessary to duplicate or clone people's ATM cards. Shortly after midnight Eastern Time on November 8, the FBI believes that dozens of the so-called cashers were used in a coordinated attack on ATMs around the world. Over 130 different ATMs in 49 cities worldwide were accessed in a 30-minute period on November 8. 'We've never seen one this well coordinated,' the FBI said. So far, the FBI has no suspects and has made no arrests (PDF) in this scam."
In other news, a flash mob recovered all the rights that have been stolen from the people by their governments over the last few years.
Requiem for the American Dream
Did he hack the bank across state lines from his home?
So, were they on the honor system to funnel the cash back to the 'hacker'? Or was this like winning the lottery?
Would you, could you, in a car? http://v25media.com
I thought flash mobs are groups of people in the same place at the same time. Not all over the world?
$9 Million stolen from a bank? Peanuts compared to the next $900 Billion the banks are stealing back again - a hundred thousand times more.... I can't even get to grips with that scale of money....
Gee, I guess we can rule out any foul play from the bankers. We can trust their integrity.
The article says over $9,000,000 was stolen using only 100 cards in 49 cities in a 30 minute period. That, boys and girls, is $90,000 per card. The article says the limits on the cards were overridden, using them to make withdrawals in multiple increments of $500 or so. $90,000 / $500 is 180 withdrawals in a 30 minute period, or 6 withdrawals per minute.
This article doesn't pass the basic sniff test. It reeks of either disinformation or seriously bad math.
Learning HOW to think is more important than learning WHAT to think.
One service of the company is the ability for employers to pay employees with the money going directly to a debit card that can be used in any ATM.
I've never heard of this... Do they mean the money isn't going into a bank first?
A flash mob is a large group of people who assemble suddenly in a public place, perform an unusual action for a brief time, then quickly disperse. The organization of flash mobs is generally accepted as being limited to the social media or viral emails, rather than organized by public relations firms or for a stunt. Also flash mobs are not politically or commercially motivated as described by Bill Wasik's in where he said, they serve no purpose.
NOT "large" group. Probably well under 100 people.
Here is the amazing part: With these cashers ready to do their dirty work around the world, the hacker somehow had the ability to lift those limits we all have on our ATM cards. For example, I'm only allowed to take out $500 a day, but the cashers were able to cash once, twice, three times over and over again. When it was all over, they only used 100 cards but they ripped off $9 million.
NOT an unusual action - they took money from an ATM. Not exactly pillow fighting in the middle of the street.
WAS organized with one specific goal and purpose in mind - getting away with 9 million dollars.
MOST DEFINITELY commercially motivated.
NOT A FLASH MOB! A well organized group of CRI-MI-NAL-S!
Then again, article WAS linked from myfoxny.com - that famous source of unbiased and non-sensationalistic information.
Against stupidity the gods themselves contend in vain
Obvious Man!
Since the M in ATM stands for Machine, saying ATM Machine is redundant.
That's almost as much as John Thain (of Merrill Lynch) thought he should get for securing the bailout funds!
Is it just my observation, or are there way too many stupid people in the world?
Here is the amazing part: With these cashers ready to do their dirty work around the world, the hacker somehow had the ability to lift those limits we all have on our ATM cards. For example, I'm only allowed to take out $500 a day, but the cashers were able to cash once, twice, three times over and over again. When it was all over, they only used 100 cards but they ripped off $9 million.
Article DOES NOT say what their per-withdrawal limit was.
What it DOES SAY is that they were able to withdraw money multiple times, with the daily sum being over $500.
It also says that the writer of the article has a daily limit of $500 but that is beside the point.
Against stupidity the gods themselves contend in vain
mob
noun, adjective, verb, mobbed, mob·bing.
-noun
1. a disorderly or riotous crowd of people.
2. a crowd bent on or engaged in lawless violence.
3. any group or collection of persons or things.
4. the common people; the masses; populace or multitude.
5. a criminal gang, esp. one involved in drug trafficking, extortion, etc.
______
I don't see a crowd here.
---- Booth was a patriot ----
Argh, use the right word! They copied the data, rather than stole it. Er, oh, money came out of the machine. Well, they still copied something, so I'm not totally wrong.
I need more friends willing to say "Here's this ATM card. At midnight tonight, make as many $500 withdrawals as you can in 30 minutes and put them onto this card. You get to keep half of what's on the card."
Where do you find friends like that?
/humor
greed@All_Evils:~#
I smell a future movie about this. Like Oceans Eleven with atms.
of true cyber-criminals?
They don't look like someone who just won a lottery to me.
They look more like homeless people.
Which brings up the question - why aren't there more homeless people robbing banks out there?
I mean... they are in a clear advantage.
They are invisible AND they have nothing to lose.
Worst case scenario - they get sent to a jail. HA!
3 meals a day, clothing, housing and health-care at the cost of the society.
Against stupidity the gods themselves contend in vain
Did they hack the ATM machines after stealing the PIN numbers?
I have to go work in some CSS style sheets for a web site that links ISBN numbers to UPC codes. I hope they don't make me redundant.
I wonder what the PIN Number was that they all used in those ATM Machines. Maybe they used a custom PCB Board to prototype the hack. Then they downloaded the plans onto a CD Disc. I'll bet they literally died after they got away with all the cash.
Anyways, I could care less.
A host is a host from coast to coast...
Unless it's down, or slow, or fails to POST!
Most ATMs, Point of Sale Devices, Network Printers, Hospital Equipment, etc. are hardened to prevent hacks... when will people learn that the same needs to be done to their transaction processing systems? Any system through which such information flows should be hardened too.
Why don't companies learn from mistakes of others or do they have to experience it first-hand to justify the cost to fix their systems?
-Dee
woosh... GP was saying the bankers are the idiots
They hacked one bank, and probably the bank limits the amount of money it can deliver per day, to prevent "fresh money" shortcomings, I doubt someone could "collapse" the Western banking system like this.
And yeah, Putin & the Russian government is much better, and not based on capitalism at all :|
Dilbert RSS feed
And where are the cameras on these ATMs?
...because it's all in the same place, it's because it's the mob
RBS Worldpay is the Royal Bank of Scotland's Worldpay cheapo net transactions processor. The processor is shit (and expensive), and RBS are basically owned by the UK govt. after the bailout.
So if you use Worldpay on your website, I would get shot of it sharpish. They are the kind of outfit that will have multiple holes in their security. (I used to use their payment processor back in 2002.)
Now they have warning. If need be, I'm sure they'll probably put checks in to temporarily shut down the entire ATM system if they detect something like it again.
These people in the photos are believed to be "cashers," low-level players, in a scheme devised from some mastermind -- a dangerous computer hacker or hacking ring authorities fear could strike again.
The implication being that they are dangerous in the sense of "do not approach these hackers, they are armed and dangerous". But there was nothing in the article to suggest they meant dangerous in any other sense than being dangerous to the profits of banks.
"Wise men talk because they have something to say; fools, because they have to say something" - Plato
any group or collection of persons or things.
And they are not a group why again? Kind of a coincidence they all decided to do the same thing at the same time, everywhere...
"There is more worth loving than we have strength to love." - Brian Jay Stanley
That many people coordinating themselves, presumably using the intertubes. . ?
If even one person was caught on a security camera or ratted out for having $300,000 in cash under the bed. . , or has mental issues and throws a hissy-fit and decides to name names. Well that person could get everybody caught.
So that means the information security being used by the organizers will have to have been reliable. Lucky for them, they're hackers, so they're pretty smart. Unfortunately for them, they're hackers, which means they think they're pretty smart. Usually such people work from within the protective embrace of anonymity. But once you step out those doors, you're just a conceited geek in a world filled with real people and physical objects and chaotic patterns emerging from the interaction of those people and things.
My guess is that this adventure was not a product of the same people who bring us Storm Worms and digital age mob crime. Too many countries. This sounds more like the kind of group who cracks games. They'll have awesome systems for moving data around without anybody knowing. Or that's what they'll think anyway. After fifteen years, I'm sure they've built up some hubris. How good are hackers at knowing exactly how much spying has been done with this whole wire-tap thing and similar?
I wonder if they were conned into doing this by some kind of spook agency. It would certainly make wire-tapping look good and the kind of people who argue against it look bad. Who knows?
The real tragedy is that by the time they all get rounded up, the currency they stole won't be worth enough to pay for their one phone call. sigh.
-FL
Redundant Boy!
Also, since the N in PIN stands for Number, saying PIN number is redundant. TFA didn't make this mistake, but since they go together so often I thought I'd point it out for completeness.
One time I heard a friend say "I want to get some cash out of the ATM Machine, but I can't remember my PIN Number."
He's dead now.
Hang on a second: That works out to over $69000 per ATM. Do they really have that much cash loaded in each one? I'd be surprised if that's true.
The funniest ATM theft I've heard of took place in Saskatchewan, Canada. This took place on a long weekend in a sleepy little rural town.
4:00 AM sees our thieves breaking into the local gravel contractor. After breaking through the gate they steal a gravel truck and an oxy-acetylene torch. Next stop is the post treating plant about 1/2 mile (1 km) down the highway. They steal a loader. This is what is used to load poles and posts onto semi-trailers.
By now it's about 4:15 or so. Did they make noise? Well - a diesel truck and 350 HP diesel loader will make some noise I suppose. It woke some of the locals up.
Around the corner from the bank about one (1) block away is the local police station which is manned 24x7. The police are at their desks thinking the gravel contractor must be getting an early start this morning.
So the thieves drive the loader over to the bank. They reach in through the roof, totally demolishing the building, and grab the ATM which is firmly bolted to the concrete floor and footings. Seems the concrete wasn't much of a match for the 350 HP loader because the ATM was cleanly plucked through the gaping hole and dropped into the back of the dump truck.
By now the cops were heading for their cars thinking there must have been a big accident on Main Street.
Our thieves meanwhile shut off the loader and hopped into the dump truck and took off.
A few miles south of town they stopped at an abandoned farm yard and took their time with the oxy-acetylene torch and chopped the ATM apart.
Having done this they took the money and casually left the scene of the crime. So far no one has been caught! So far apparently these thieves are keeping their mouths closed. Apparently there are no leads.
The best part of this story is the locals still laugh about their bank robbery! When you live in a sleepy Saskatchewan rural town then once in a while a little excitement spices up an otherwise dreary life.
No, no, no TFA has got it all wrong. These people were law abiding taxpayers getting their bailout money back from wealthy bankers. Hey guys, next time I want in on it!
This is the 3rd such serious compromise of customer security at RBS Worldpay and raises grave concerns about the company culture and ability of management to fix this problem.
$9m will be only the start, I'd imagine that after losing so many customers' details to criminals, this figure will pale into insignificance next to the total cost of falsified loan applications and other activity that is certain to follow.
I really feel sorry for their customers, but then again, this is now a clear pattern of failure at RBS.
AG
And none of the ATMs had a built-in camera?
May I be so bold to suggest that there was no actual "hacking" taking place at all?
By "hacking" I mean the stuff that movies and TV tells us that hacking looks like.
A bespectacled nerd in his teens or early twenties, furiously typing something at his green and black screen filled with lines upon lines of scrolling text, uttering "Come on... come on..." until he suddenly "hacks the Gibson" and a welcome screen appears, upon which he jumps up yelling "YES! I AM INVINCIBLE!".
TFA tells us the following:
Here is the amazing part: With these cashers ready to do their dirty work around the world, the hacker somehow had the ability to lift those limits we all have on our ATM cards. For example, I'm only allowed to take out $500 a day, but the cashers were able to cash once, twice, three times over and over again. When it was all over, they only used 100 cards but they ripped off $9 million.
- known limit - $500
- 100 ATMcards used
- $9 million gone
That comes out to about 90k per card, right?
Does anyone remember that little issue with Tranax ATMs from couple of years ago?
It smells to me that something similar happened here. Someone leaving the ADMIN pass at 55555555 or 12345678.
There was probably no need for hacking cards - they probably left the same limit.
Instead, he/she/or it - just changed the codes for banknotes inside the machine.
So... you just tell the ATM that its 100s are 5s - and then repeatedly ask for 5s.
$500 limit coughs up ~$100.000 +/- couple of earlier withdrawals that already left the machine a few 100s short.
In other words - about $90.000 per card.
The beauty of it?
Those suspects in the photos may be regular Joes and Janes who came later, found the machine giving 100s for 5s - and got caught on camera.
Against stupidity the gods themselves contend in vain
I'm not affected by this - I'm unemployed!
Oh, wait...
Anyone hoping to pocket a percentage of $9,000,000 by giving a bunch of passwords to a bunch of people you don't know, and then assuming you won't get grassed out to the cops is likely making a major mistake.
If the criminal is smart, a better strategy might be to "give" the information away to the right group of people. This might give someone a smug sense of "revenge" against a former employer. Someone could short the stock in the stock market, or the theft could cover up some insider funny business. The initial criminal act may be different than what it appears.
Alternatively, the actual "inside" mastermind may actually be a victim too. Maybe someone conned an insider for information, or access to a laptop, and just sold the information. Maybe someone got hold of the backup tapes. This might actually be a fairly low-value theft for the original criminal.
I've never used RBS Worldpay, but was notified several weeks ago that my financial records for the past 20 years, as well as SSN, were compromised.
What's incredibly distressing is that RBS Worldpay (part of Citizens Financial Group) shares data with other affiliates. I just have a basic checking account in one of their banks, that's it--no credit cards, no gift cards, no payroll cards.
However, they didn't go public with the news or notify any customers until the day before Xmas eve in December 2008: http://news.prnewswire.com/ViewContent.aspx?ACCT=109&STORY=/www/story/12-23-2008/0004946566&EDATE=
Even more distressing was that when I called them during the first week of January to get information on why my data was exposed even though I don't use RBS Worldpay services, I was told it was just them being careful and 20-30 cards were the sum total of illicitly accessed information to date--clearly a lie.
And it gets even worse--the compromise was identified and recognized by them in June/July 2008!
In other words, they didn't give a shit about exposing their customer data until they lost some large money.
the video from fox shows images and video of the "cashers"...not the profile of who I would think would be behind something like this.
It looked to be mostly 30-ish, mixed male/female, and black.
In a worldwide scheme like this one, especially with this "dangerous computer hacker" involved, I would have expected to see more teens or organized crime/gangs as the peons.
I'm interested to see what this comes up with in the end as far as distribution methods and planning technique. Oh, and $69k per ATM is impressive.....also waiting to hear how the dumbass that decided to put an over-ride code into the ATM software is prosecuted.
"hey guys, we really should have an override on that time limit thing in case we want to withdraw $2,000 per minute...ya know?"
Computer Crime = Capital Offense. No appeals. Death by public execution. Seeing their friends swinging from a gallows sure would go a long way in making this cr@p less attractive. This is nothing short of computer based terrorism. Treat it as such and find these f@ckers.
My peace of mind does not depend on
I'm concerned about the pictures that myfoxny.com obtained. Of the 8 individual people shown in the 12 photos (a few people appear twice) 6 are very clearly black or minority. 130 ATMs robbed in 50 cities, you only get security photos of 8 people and nearly all of them are minority? I don't think so.
I have lived where people have not much to lose. One day our neighbor took it upon himself to
protect his property from a fighting couple that hung around with a 45 caliber handgun. Of course
someone noticed that a man was firing a shiny handgun down the street in the middle of the afternoon
and the police came around shortly thereafter. When our neighbor calmed down (unfortunately he came over
to our house), he walked out with his hands up and gun in his belt.
When we visited him in jail, his attitude was nonchalant, he was taking a short break from
all of the usual crackheads in his life to a tightly controlled atmosphere he felt comfortable in.
He had OG status and nobody fucked with him.
The judge agreed with his right to defend his property, just not the way in which it
was conducted (cowboy style). He came out six months later completely unfazed.
I am not saying I agree, I am just saying never assume...
I think I see a problem here
1) Gather ATM card information and duplicate cards
2) Pass them out to confederates (cashers)
3) Cashers withdraw money
4) ????
5) Profit.
Or, in other words, why wouldn't the cashers just take the money and run, leaving the mastermind with nothing? Unless of course the mastermind was one (or more) of the cashers, and used the rest of the people to camouflage his own involvement.
No, it's a 10-hour period according to the FBI.
After acquiring RBS Worldpay (then Lynk Systems or RBS Lynk) Citizens Financial group eventually installed their own CEO. That CEO brought in his cronies, including a CIO.
At an all-hands off-site meeting the new CEO & CIO essentially stated the entire IT staff sucks. To solve that problem the CIO announces they are moving from MS platforms to Java & Oracle.
A few months later the CIO leaves RBS. The Oracle transition was less than half-done.
Everyone else with half-a-clue left within two months after the Dale Carnegie meeting. At that time the most senior DBA had worked for RBS for less than two months.
The fraud prevention module was written by a project manager in much the same manner that referees play sports.
The main application to manage customer data is written in VB6, mostly by people from the British Virgin Islands . . . in much the same manner that residents of another former British colony write code.
So you are left with a staff of disgruntled under-performers administrating an IT system that takes so much time & effort just to keep running that no one gives the first thought to security.
About one year later a large group of people, headed up by a 'hacker' walks off with large amounts of cash . . .
To where? The British Virgin Islands are known for their discreet offshore banking . . .
Excellent post, yes hackers and "flash mobs" are being given a bad name (it's not even a flash mob) and duh, this is more likely an inside job and there's plenty of disgruntled out there with all the layoffs.
I broke down and read TFA, and I still don't understand whose money has been stolen. The payroll cards are presumably issued off an employer account, so that employees can hit an ATM and snag their pay (as I'm interpreting the idea of a payroll card). So why is there $90,000 sitting in a payroll account just waiting for the card to take it all? I would expect that the payroll card I get would be limited to the amount of money I've earned this pay period ... ??
Even if you remove the daily transaction limit (as the article says occurred) there still has to be enough money in the account to which the card is attached.
I'm guessing I don't understand what a payroll card is, or am just too dumb to be a criminal in this day and age.