$9 Million ATM Hacking Ring Indicted

Trailrunner7 writes "US and international prosecutors have indicted a criminal ring that they allege was responsible for an ATM scam last November that stole about $9 million from RBS WorldPay. The criminals cracked payroll debit cards and withdrew money from ATMs in hundreds of cities around the world. A federal grand jury in Atlanta has indicted eight men in connection with the scheme, including five Estonians, one Russian, one Moldovan, and one unidentified man. Prosecutors allege that the men 'used sophisticated hacking techniques' to defeat the company's encryption system. The scam involved an elaborate plan in which the attackers first bypassed the encryption on the debit cards, which RBS WorldPay issues to customers for employee payroll purposes. They then raised the limits on the accounts attached to the cards, then provided a network of 'cashers' with 44 counterfeit payroll debit cards, which were used to withdraw more than $9 million from more than 2,100 ATMs in at least 280 cities worldwide, including cities in the United States, Russia, Ukraine, Estonia, Italy, Japan and Canada. The $9 million loss occurred within a span of less than 12 hours; 130 different ATMs in 49 cities were hit within one 30-minute period."

Proper monitoring

[ls671]

Just earlier, we heard about a hole in Bing cash-back program and many people rightfully stated that not enough care is taken when developing and more importantly, designing secure systems.

This is one more case that proves them right. Bright hackers usually pick the easiest target. Due to the hit and run nature of the theft, I believe that proper real-time monitoring of the system could have prevented most of the attack. Maybe half an hour or less instead of 12 hours time span before it would have been stopped.

Re:Proper monitoring

[WarJolt]

There is such a thing as too much monitoring. If the cost of the monitoring system is more than the amount stolen it's not worth it. In this case a simple system could probably cost less than $9 million and prevented this. A company must have intuition to preempt the costs of theft. Many businesses, especially retail, actually expect theft and factor this into their costs.

If you're running a casino you must invest lots in security because the cost of losing a lot of money is very real and worth the investment.

A small mom and pop store might have a digital recording camera, just in case someone gets mugged, but who has the time to watch all that tape.

Stealing is stealing and the cost effects everyone.

Re:Proper monitoring

[jujuchef]

"I believe that proper real-time monitoring of the system could have prevented most of the attack..."

As someone who has worked in the Card Fraud industry, I can assure you that it is a requirement for every card processor to use real time monitoring software for the prevention of fraud. Visa/Mastercard/etc demand it if you want their logo on the card. The amount of money prevented from fraudulent activity over the past 10 years has dropped very, very significantly. $9 mill on this would be a drop in the bucket in the 90s for some banks. Interestingly this is something that can be worked in to financial institution's budgets as a type of expense/liability.

Here's the problem with realtime monitoring in its current breadth and depth. It can only process and monitor suspect transaction where either the card issuer (the bank of the card user) or acquirer (the bank of the place making the transaction). issuer approvals happen in near-realtime. They have to, otherwise we'd all be waiting at a checkout for hours/days to get approval on the payment. Where banks can fall short, is they are all very much to themselves with their data. Rightly so, this also really, really slows up the ability to share data. Factor in each various country's data protection laws, and this is simply unattainable for some (the UK for example, does not share data just because it'd be nice to do so).

On top of that, there is a bit of a schizm as to whether neural networks or rule-based (human-created manual rules for detection) are the 'best' approach to catch and prevent fraud.

A more recent push, for PCI-DSS enforces encryption of certain data, and to verify that it's done. So I ask you the question, is it the fraud monitoring here, or the security failure and weak encryption allowing this group to legitimize the transactions? It goes back to your original statement that secure design and implementation are the solution.. I'd like to add one-time passwords on to that list.

Lastly, for 'proper' realtime monitoring is a bit of a throw away comment. Take the amount of credit card transaction a day (let's say 3 million) and 1% of those are fradulant (how do we do this properly again?) which means we have to find 30,000 transactions that could cost us money. For 50 people at say, $40,000 a year to find 30,000 fradulent transactions a day would cost say... $2 million annually. So if they caught 'every' fraudulent transaction, then that is a $1 million saving. But realistically, is 50 people enough? how about 500? Now lets make this operation 24 hours, plus office space, equipment, etcetera. At the end of it all, there has to be a line where money spent preventing fraud has a return on its investment (within reason).

Re:Proper monitoring

[guruevi]

I don't know, if you want to monitor 1000's of ATM machines for certain patterns in order to catch something like this, you probably end up paying more than $9M on it. The software/hardware alone would probably cost $10M and maintenance, wages, service centers etc. only go up from there.

??? What?

[cayenne8]

Not sure I've heard of a payroll debit card?

You mean some company doesn't either do direct deposit, or cut you a check?

I don't think I'd like something not going to my checking account...do you have to pay bills and stuff out of this debit card account I'm guessing that the company owns?

Re:??? What?

[Bill,+Shooter+of+Bul]

Well, its a wide, wide world my friend. The things you don't know about could fill a library of congress or two.

But on topic, these cards have many uses. Telemarketers used to give time limited payroll debit cards out for performance bonuses. In some parts of the world, they are given out instead of checks. With the idea being that you don't have to go to an open bank to get it cashed. Plus in many areas outside the US, checks are dead. No one uses or accepts them. obviously these aren't the kind of people that are planning for a future retirement in the hamptons.

Re:??? What?

[AF_Cheddar_Head]

Lots of companies that have a highly fluid employee population use these payroll debit cards.

My son works for a company owned 7-11 that pays him this way. Each card has an account dedicated to it. Not sure what the benefit from the company perspective is. Probably some kickback on the percentage the card issuing company collects on purchase and maybe ATM fees.

These cards are also probably a handy to pay illegal aliens who can't get bank accounts (just speculating).

Re:??? What?

[interkin3tic]

You mean some company doesn't either do direct deposit, or cut you a check?

Yes. Mark of a company that hates hates HATES its employees. After undergrad I was working at gamestop when they decided to go this route. For some reason, they were incapable of processing a direct deposit for me, so checks were fine. Then these cards came. They give your paycheck to a different company. Said company gives it to you. The fine print in the information pamphlet they handed out: one free transaction a month. After that, $2 fee for using the debit card for anything.

They undoubtedly made a killing from many high school kids on that one. And gamestop no longer had to print and distribute paychecks, saving the company untold hundreds of dollars a month. Since that was one of the least annoying things gamestop did to it's employees, morale probably wasn't a factor.

Re:??? What?

[Rophuine]

These cards are also probably a handy to pay illegal aliens who can't get bank accounts (just speculating).

I used to write software for one of these companies. They practically marketed it that way.

Re:??? What?

So you're telling me in other parts of the world that banks don't accept payroll checks?

Re:??? What?

[sopssa]

Yes, they actually dont. If you really need to cash a check, you have to walk in with special customer support and they will send the check out of country and keep it until the money has cleared out and they've performed other checks, which usually takes 30-50 days. It also costs a lot extra and they dont usually even do this for amounts less than $200.

Checks are still only used in USA and yes they are quite insecure. Here everyones pay gets paid directly to their bank accounts.

Re:??? What?

No, he isn't.

Nor is he giving you a recipe for chocolate cake.

Re:??? What?

I can attest to this. I worked in payments for a multinational for a while. The only country we cut checks for was US, oddly it had the highest incidence of payroll fraud too. Everywhere else deposits into accounts, or uses debit cards.

Re:??? What?

[Iskender]

I live in Finland and I'm 27 years old. Let me explain how weird checks are here.

Some time ago, I made a donation to WFMU (http://wfmu.org/). Since I didn't have ready access to a credit card, sending a check was the only option. I went to my bank and asked if it's possible to do...they weren't sure. Later, I went to another office of the bank and asked again and they said yes, but they have to order it from the main office.

Several days later they phoned me and told me they had the check. I went to get it, and then showed it to my friends. After all, at least the youngest ones had likely never seen one before. I'm not sure I had seen one before, either. People were somewhat impressed by me having such a weird item, or so I thought.

The idea that one's employer wouldn't pay directly to one's account is really weird for people here. Of course, we are probably more backwards in other ways, so don't worry.

Re:??? What?

are you sure the bank didnt give you a money order as opposed to a cheque?

a money order like a check is transferable as payment for services.
However is prepaid, certified and guaranteed not to bounce (comparable to certified check)
http://en.wikipedia.org/wiki/Money_order#Using_money_orders

Re:??? What?

[jonbryce]

Cheques are almost dead in Britain, and pretty much completely dead in the rest of Europe.

Re:??? What?

[WuphonsReach]

The idea that one's employer wouldn't pay directly to one's account is really weird for people here. Of course, we are probably more backwards in other ways, so don't worry.

Here in the US, direct deposit where the check goes straight into your checking (bank) account costs money and many small businesses don't want to pay the fees involved.

Larger companies usually offer direct deposit, however.

Re:??? What?

[Gilmoure]

Weird. My company went from offering direct deposit to requiring it a few years ago. Saved a fair bit of money, not having ADB (payroll company that supports a lot of business in the U.S.) have to print and send checks and pay statements out every other week.

Re:??? What?

[Rorschach1]

I also worked for one of the first (maybe the first?) companies to develop such a system and use it in the US - they'd already build a similar system overseas. I didn't work directly on that project to any real degree, but I was there in the early days and at that time migrant field workers were their ONLY users.

Not that the companies ever had any trouble paying the illegal aliens with checks. This system just meant less work distributing checks, no issuing replacements for lost checks, and lower fees for the workers who didn't have to go to a check cashing outfit.

Was the company you worked for by any chance founded by a red-haired guy with a 4-letter last name?

Re:??? What?

[Rophuine]

I worked for a spin-off of a US company in another country, so I never met the founder. I do know the US company used a 3-letter acronym from a name indicating they may well have been the first.

There was also a 3rd-party software house involved who used a four-letter acronym.

Sounding familiar?

Re:??? What?

[lamapper]

The fine print in the information pamphlet they handed out: one free transaction a month. After that, $2 fee for using the debit card for anything.

What a rip off, solution, in one transaction, move your entire paycheck from account to another bank account, thus avoiding the $2.00 fees for additional transactions related to the cards.

Of course they would then put in an artificially low maximum that would prevent you from transferring / withdrawing your account in one transaction.

Re:??? What?

[lamapper]

My son works for a company owned 7-11 that pays him this way. Each card has an account dedicated to it. Not sure what the benefit from the company perspective is. Probably some kickback on the percentage the card issuing company collects on purchase and maybe ATM fees.

The lovely "VCom" machines in most 7-11s, especially the company owned ones. 7-11 employees are allowed to use them for FREE, no fees. As of 2007, 7-11 would direct deposit into your bank account, you would get a paper copy of your check and/or check stub statement. With the VCom card, you could withdraw money, no limits, up to and including your entire paycheck if you wanted too. Those VCom machines are convenient if you do not have a supermarket near you. Most supermarkets (grocery stores) will allow you to get between $200 - $1000 at the register with your purchase if you have taken the time to fill out one of their cards.

They are very convenient if you are in a town where you do not have a bank branch, as there is probably a 7-11 somewhere. So you have access to one more ATM network. Worth having in my opinion.

My preferred financial institution (they allow me to invest in stocks and bonds and are NOT just a bank) will cover any and all debit related fees when you use other company ATM machines. While I like that and its nice of them, I prefer to go to the grocery store when I need money as they do not charge a fee there. And I usually need something from the store anyway, so its a win - win - win.

Re:??? What?

ADB (payroll company that supports a lot of business in the U.S.)

ADP

Re:??? What?

[Gilmoure]

D'oh! See what not getting a paper check does?

Though I do have some old Apple keyboards around.

Re:??? What?

[interkin3tic]

What a rip off, solution, in one transaction, move your entire paycheck from account to another bank account, thus avoiding the $2.00 fees for additional transactions related to the cards.

Of course they would then put in an artificially low maximum that would prevent you from transferring / withdrawing your account in one transaction.

Transferring it with that one transaction is probably exactly what they and the company would point to if called out on it. I didn't read far enough to see if there was anything about a maximum, after reading the 2$ for every transaction afterwards I understood what type of scam it was and was on the phone with personnel. I'm assuming the overdraft charges were also a scam, likely measured in "fold" rather than "percent" and a balance inquiry to be sure you don't transfer more than your paycheck counts as your free transaction.

Oh no not again!

[bguiz]

When will banks start upgrading their security?

Me think its the same syndicate as these guys.

Re:Oh no not again!

[physburn]

Will this was the Royal Bank of Scotland, a formally solid institution, but one that went bust last year and had to be bailed out to the tune of 10 billion. You wouldn't expect much security out of a bank that managed they financial affairs that baddly. Actually though RBS where one of the first UK banks, to provide on-line payments and where very forward looking in providing electronic money management. So its a shame for the hack, and needing the bailout.

---

Computer Security Feed @ Feed Distiller

Re:Oh no not again!

[jonbryce]

I'm pretty sure it was a lot more than £10bn. Lloyds was bailed out to the tune of £160bn. RBS is about 2.5 times bigger than Lloyds and in a much worse financial state.

Re:Oh no not again!

"a bank that managed they financial affairs that baddly"?

They be bad bank. We be good.

Re:Oh no not again!

I was making fun of physburn's poor grammar and typing skills.

crime

Apparently crime DOES pay.

Re:crime

[Rophuine]

Of course it does. Otherwise it wouldn't be so popular.

Re:crime

[Sulphur]

Mobster in restaurant: "We're Crime and Crime doesn't Pay."

Re:crime

[LowlyWorm]

Power wears out those who do not have it.

Re:crime

"Obviously crime pays, or there'd be no crime."

-G. Gordon Liddy

Laptop with finger print or retina recognition

[Phoe6]

If you are worried that your laptop containing sensitive data might get stolen and thief would there by get the passwords stored in your firefox browser, then here is my suggestion.
Use the finger print or retina recognition so that the laptop operates only when it recognizes you. These are becoming standard these days with IBM T400 series having finger print recognition and Dell Inspiron 15 series having retina recognition.
If you are worried that there are so many passwords to maintain, then yes, I am worried about that too. Open IDs are coming up for help, but there are not there yet.

I, whenever possible use OpenID. then I store my passwords in firefox sxipper (with not all the values default, like I wont store my expiry date of the card, but would have input card number and password) and I dont use finger print recognition as I did not feel the need for it.

Re:Laptop with finger print or retina recognition

[jandrese]

What is the point of fingerprint recognition if they just pull the drive out and read all of the data off of it? You don't need fancypants biometrics to encrypt the hard drive, which is the only real protection against losing data when your laptop is stolen.

Re:Laptop with finger print or retina recognition

[BountyX]

Biometric security is a horrible idea. Not only can you trick a retina scanner with a photograph and easily lift a finger print, but it is also non-disposable. There are much simpler and effective solutions to protecting sensitive information, like TrueCrypt. I bet most fingerprint readers and retina scanners on consumer electronics have manufacturer backdoors.

Re:Laptop with finger print or retina recognition

[timeOday]

The security-oriented Thinkpads (probably including all of those with fingerprint scanners, but also some without) also have support for hardware whole-disk encryption. It's great. After entering a password at power-on, it's otherwise unnoticeable. No performance overhead.

The fingerprint scanner, I had on a T60 and never used. To me it's easier just to enter a password.

Re:Laptop with finger print or retina recognition

You are on the wrong article, I believe you wanted to reply to this post:
http://ask.slashdot.org/story/09/11/10/2045258/Best-Tool-For-Remembering-Passwords

Re:Laptop with finger print or retina recognition

[Talisman]

Biometrics by itself is inadequate for complete security (if such a thing even exists), yes. But as a part of the holy trinity of security (something you have, something you know, something you are) it is still useful.

Re:Laptop with finger print or retina recognition

[Cylix]

I don't know what world you live in, but biometric components are highly disposable.

Just last week we had a copy of an employees eye floating around. We quickly plugged that hole by confiscating the employee's left eye.

Every so often we get a real joker who thinks its funny to prove how he can bypass the thumb readers. Those guys stop smiling the moment we take that compromised thumb away.

Just another day in the security division of OCP.

Re:Laptop with finger print or retina recognition

I agree

PCI Credit card companies security certifcations require you change your password every 40 days

Good luck changing your retina or finger print everyday.

Re:Laptop with finger print or retina recognition

[harl]

What happens when you need to change your password?

Re:Laptop with finger print or retina recognition

[DarthVain]

LOL. Ya I love when people get all hot and bothered about this type of technology, thinking it is all high tech and infallible. My favorite example of this was people spoofing "facial recognition" biometric software and sensors..... with a printed picture held up for the camera. LOL!

"Caught" them.

[hackus]

Well, this is how I see it.

First of all, alleged is an understatement. How they would link bogus accounts, addresses and phone numbers to these 9 people I think would be very hard to do. (i.e. impossible.)

Secondly, really? The most advanced criminal ring in the world? If so, how did they get caught if they are that good? I would be more inclined to believe that they are amateurs.

Why would I think that?

1) Well, first of all, the government cannot look like a putz in public, which is strictly an image problem. So best to dress up the criminals to be world class.

2) #1 reenforces number two, which is, they have NO CHOICE but to capture SOMEONE. The public cannot know that the electronic banking system is so easy to steal money, without direct authorization of course from Congress or the Federal Reserve. (Who by the way, make laws that are illegal (Constitutionally), so they can steal your money legally.)

Loss of confidence in the electronic banking system simply cannot be permitted.

3) Finally as in all fascist states where business and government are basically the same, crimes of this fashion are not considered illegal, they are considered a threat to power.

So keep in mind if you do steal money from the crooks themselves, be aware they may imprison someone who is innocent just because they can't catch you.

Which means you might want to pick a different target.

FYI.

-Hackus

Re:"Caught" them.

Kook alert

Re:"Caught" them.

Or maybe... that is what they want you to think.

This was supposed to have over 12 months time

But the Moldovan put the decimal in the wrong place. He always misses some mundane detail like this.

Horrible Article

[carp3_noct3m]

The original and much more informative article, written by someone that at least has basic understandings of technology at wired One of the keys to why this is so big can be found in the following... "The hack involved reverse-engineering PINs for payroll debit card accounts" and "Tsurikov conducted reconnaissance of the RBS network after Covelin provided him with information about vulnerabilities in the system. Pleshchuk and Covelin then worked on exploiting the vulnerabilities to obtain access on November 4. Pleschuk allegedly developed the method for reverse-engineering the encrypted PINs." So what it boils down to is that usually something happens to a bank, and it is some stupid CIO or consultant that leaves unencrypted info on a laptop or something similarly stupid, while this seems to be a "legitimate" hack/crack. This involves all the steps of classic vulnerability assesment a pro security consultant would do, but with blackhat intent, including passive recon, 0 days, etc. It should be noted that in the Credit Card fraud underworld, the biggest problem is not getting cards info, including PIN's. The problem is called "cashing out". Often internet currencies (e-gold, etc) and offshore gambling sites are used to launder money, but this is why the "cashiers" usually charge 50 points. They got caught because of how they got the money, and the real special thing here is that they targeted only a few high level payroll accounts. Making their indicment only on 16 counts. I highly doubt they would be expected to pay back every bit of it, and if they are smart they had a contigency plan, hide a million or two in a hole in the ground, and will only serve a handful of years in jail, but my entire last statement is pure speculation as I know very little about how the justice system works in regard to this stuff, barring to say that I have a friend who spent 5 years in prison for non-malicious haking of government computers, while the local young girl murderer gets 3 years....ahh i need to drink less, or maybe more, before posting to /.!

Re:Horrible Article

http://en.wikipedia.org/wiki/Paragraph

Re:Horrible Article

[Talisman]

"...if they are smart they had a contingency plan, hide a million or two in a hole in the ground, and will only serve a handful of years in jail..."

Let's assume high and say $2MN dollars is successfully hidden. Let's say they get 5 years in jail. There were 8 of them. 2MN/8 = $250,000. $250,000/5 = $50,000.

Good job, guys! You went to jail for 5 years for $50,000 per year, which is what a mid-level IT tech makes. You also guaranteed yourselves a lifetime of being watched by government agencies the world over.

Now, I don't know how many people were just foot soldiers and how many were involved in the technical side of the hack, but say instead of ripping off a bank, you used your what seems to be considerable insight into security flaws to start a security firm and make a lot more money, legitimately. Just not as exciting, I suppose. Good grief, just informing RBS about this hack would have netted you a fat, LEGAL payday. Or, you could have contacted their current security firm, told THEM about the hack, they pay you quietly under the table, then get to look like heroes when they show RBS what they found. There were a lot of ways to use this to your advantage.

I work with a lot of former eastern bloc nationals, and it never ceases to amaze me how much 'ripping off the system' is ingrained into their mentalities. Some of the world's best programming talent comes from that region, and the majority seem inclined to use it for nefarious purposes.

We had to fire what was probably the best technician our company ever had, a Bulgarian, because instead of using his abilities to improve our company's network, he used it to to hack the company firewall and phone switch, and sell Internet access and long distance to people. He probably made a few thousand dollars, but lost a job that paid $72,000, which is a fortune in Bulgaria.

Re:Horrible Article

Murders don't get just "3 years" so don't play the poor victim.

Did Glenn Beck steal 9 million dollars?

Is he the unidentified man? Why does Glen Beck not deny his involvement?

"used sophisticated hacking techniques"

[countertrolling]

Want some coke?

Um, okay..

Oops forgot link...

[carp3_noct3m]

http://www.wired.com/threatlevel/2009/11/rbs-worldpay/

hackerz

[kaoshin]

and a person the prosecutors identified only as "Hacker3."
Hacker 3, a three year old child, was already suspected by the RIAA of copywrite infringement.

Re:hackerz

[nexuspal]

You are exactly correct Sir. Any hacker worth his or her salt would use ANOTHER PERSONS NETWORK, on a CLEAN COMPUTER. But we all know that of course, and this isn't any surpise to any of us that some non-anonymous hacker is now under investigation...

Re:hackerz

And the $9 million makes only a little drop in the ocean on that charge!

smarter criminals

Bank Robber: thousands of dollars stolen, but they go to a maximum security prison
ATM fraud ring: millions of dollars stolen, but they go to a medium security prison
Ponzi scheme: billions of dollars stolen, but they go to a minimum security prison.
Bankers: trillions of dollars stolen, and they're given more by the government with a bonus on top

Re:smarter criminals

Not necessarily smarter, just more charismatic/good with people.

Parents and teachers really do a disservice to their children by telling them to study and go into hard sciences. The "smart" people of the world comprise the drones of our hierarchy.

If you want to be successful, smarts is not on top of the list of things to have.

Re:smarter criminals

[bradbury]

Plus you have the added fact that the prisons are generally outside of Russia/former Soviet Union -- and there is quite a bit of difference between going to prison in the former S.U. and more modern civilized countries. Financial criminals most probably view imprisonment in current environments as a paid vacation. Hardly a deterrent, perhaps even an incentive, to commit non-violent crimes.

Re:smarter criminals

[Bovius]

When I saw this article, I imagined Dr. Evil holding his pinky finger up and saying "Nine meeeeellion dollars!". There's much more serious fraudulent activity going on.

Re:smarter criminals

[Epi-man]

Bank Robber: thousands of dollars stolen, but they go to a maximum security prison

You forgot...(most likely) has a criminal record, claimed to or had a gun and held it to someone's head threatening to kill them, very high probability they will make an attempt to escape or harm other people....

ATM fraud ring: millions of dollars stolen, but they go to a medium security prison

Hurt approximately zero people, threatened approximately zero people with harm, but organized others to help with their deeds

Ponzi scheme: billions of dollars stolen, but they go to a minimum security prison.

Bilked lots of people out of money, but once contained does not represent a threat to escape nor anyone's safety

Bankers: trillions of dollars stolen, and they're given more by the government with a bonus on top

And yet you don't think the people in government who stole the money from us and gave it to the bankers should be in prison???

To me, you obviously don't get it.

Re:smarter criminals

[Wildclaw]

And yet you don't think the people in government who stole the money from us and gave it to the bankers should be in prison???

Depends what you mean by stealing. If you mean taxing is stealing, then you just don't get it. You can't steal what you already own. And the government owns the whole country, every single bit of it, by virtue of having the bigger guns. Taxing is nothing more than collecting rent.

If you are saying that some government employees went above their authority in giving money to the bankers, then you are correct. There are lots of people in the government who should be held accountable for willfully ignoring existing laws and regulations.

Amazing

[Fotograf]

i am always amazed when ring like that is discovered. It must be some incredible especially when it is worldwide coordinated. Makes you wonder that in real world there are doch few cops like you see in cinemas.

Sophisticated Hacking Techniques

[samexner]

used sophisticated hacking techniques

They just opened the machines. Shhh! But don't tell anyone.

Nice Try

[Mr.+Lwanga]

One of these characters is already under indictment for similar shenanigans http://www.wired.com/threatlevel/2009/11/rbs-worldpay , so a good bet is that the Feds have a rat, sorry, a cooperative concerned citizen, big deal. The real story, not these unfortunate Estonian freelance security consultants, but that if RBS was stupid enough to get nailed like this, who else is this sloppy with their security? A decent amount of work and planning went into this ( except for the exit strategy), and no one noticed all of the poking and prodding that was going on in RBS' network. Banking regulators have their own IT security compliance audit, that is a lot more serious than PCI certification, so did RBS have a few holes that got covered up for the audit, then put back in production later? We may never know.

Re:Did Glenn Beck steal 9 million dollars?

[tux0r]

On the basis of this post, I propose a new IM-style abbreviation: COL (Chuckle Out Loud).

As in, I just COL'd (because I just did).

Good form, sir!

T2 Judgement Day

[BrunoB]

easy money!

Bring a dufflebag

[buyingtires]

Considering the $9 million was taken from 2,100 ATMs, that's over $4,200 per transaction... Most ATMs only have 20's to dispense, so that would be a pretty big pile of cash to carry out of the store/bank/gas station.

Re:Bring a dufflebag

Go get it some time - it's only 210 bills which is hand-sized... an inch or two thick.
Now after the 3rd or 5th hit, yeah, it's a pile

Re:Bring a dufflebag

In Europe, in large cities you can get 200 Euro bills from an ATM, that would make it pretty manageable.

It's less about nationality

I spent 3 years going after someone who defrauded my company for quite some money, and frankly, I wish it was in a different country. The guy was quite bright financially, but instead of using it for honest gain he really HAD to do something shady even if more profitable, honest options were available. This is why we eventually took the lid of the finances he managed and found a large hole where our revenue was supposed to be - hidden by falsified statements.

He was a national, but he played the woefully inadequately trained UK judges for all it was worth. We had all sorts of bizarre lawsuits he started just to keep us too busy to go after him, one even involved his alleging we had his laptop, which he managed to win by wailing at the judge for 3 hours (the judge said that "there must be something to it is he jammered that long" which gives you an idea of how resistant these people are to conmen). He produced some receipts into evidence which were CANCELLED purchases (and of the wrong date) - it was like reading a book and thinking "boy, that could never happen in real life".

Eventually we managed to trip him on one of those lawsuits so he ended up having to pay (which is something he appears not to do on principle) so we managed to bankrupt him and start a global search for his assets. We'll never get our money back, but he'll never get me off his back either, he's become my little pet project - as is the bank that handed him our money after the lawyers had warned him he was no longer on the mandate or an authorised company representative. He had a guy in the bank who waited until he fraudulently changed company records and then quickly closed the account, handing him the money. Thank you, big global bank starting with "H" - you know who you are and I'm about to come after you big time.

I'm a nice guy. You have to go very, very far to piss me off. However, there is a point of no return and then you'll learn a wholly different side to me, on the principle that you had plenty of chance to stop.

Why did I wish it happened in a different country? Well, the police isn't interested to go after fraud, the company registry isn't interested to correct anything unless the police is involved (nice bit of practical recursion here), the judges can be waylaid by the most pathetic arguments known to man because they don't know what the real world looks like and you can't then shoot the f*cker as last resource to functional justice because they've taken the guns away. And if by some unimaginable event you DO manage to get a conviction.. .. you'll discover the jails are full, and he'll walk anyway.

I'd say that in the list of thoroughly f*cked up countries the US certainly doesn't come at the top. The UK is far higher up..

Re:It's less about nationality

and you can't then shoot the f*cker as last resource to functional justice because they've taken the guns away.

Errr...slight logic flaw here. If you shot him this would be murder regardless of whether guns were legal or not. So given that you're prepared to commit the most serious crime - murder - why would you care whether you had to commit a lesser crime of buying an illegal gun? And if you're going to commit murder with it, wouldn't you be better off buying an illegal weapon than using the one that's legally registered *to you*?

Also, when you say 'they've taken the guns away' do you mean that you would have qualified for a handgun license before the 'gun ban' (hint: 99.9% certainly not).

Finally, can you name a country where this sort of thing is taken seriously and is a police priority unless your company has some serious clout (hint: it isn't the US, according to US slashdotters' experience)?

Hong Kong busts?

[GarWarner]

Does anyone have more information on the Hong Kong and Netherlands roles in this case? I blogged a summary of charges, including some of the SQL Statements the baddies were using to monitor, change limits on, and monitor "their" cards from the indictment here: CyberCrime & Doing Time. The part I'm trying to find more data on comes from this bit from the FBI Press Release: Cooperation between the Hong Kong Police Force and the FBI also led to a parallel investigation, resulting in the identification and arrest of two individuals who were responsible for withdrawing RBS WorldPay funds from ATM terminals in Hong Kong. The Netherlands Police Agency National Crime Squad High Tech Crime Unit and the Netherlands National Prosecutor’s Office provided key assistance in the investigation. Does anyone know what the Netherlands Police Agency contributed to the case? Does anyone have information on possible related arrests in Hong Kong? Thanks! GarWarner

Wow!

This sounds like a LOT of effort! I'd be willing to bet that if they put that much effort and thought into a legal enterprise they likely would have made 10 times as much.

Fractions!

[FlopEJoe]

If only they had just taken the fractions of a cent on every transaction they would have gotten away with it.

Whats wrong with this picture

[hesaigo999ca]

>The $9 million loss occurred within a span of less than 12 hours; 130 different ATMs in 49 cities were hit within one 30-minute period
This is where being a programmer, it makes sense that it is physically impossible to have that many cards to 1 account used in that many cities, so after the first 4 or 5 like this, you would think you stop the transactions from going on, unless the crime was committed on a realtime schedule where everybody was synched to do the withdrawals all at the exact time (almost to the second)
If this was the case then cuddos to the criminals for now giving the idea to the banks to put all transactions in a queue.

Then again this is the police nabbing the crooks, the banks didnt bother spending their own money to catch the bad guys,
lets use tax payer money for our shortfalls. I guess you could say this was a nicely planned crime, but how did they get caught?

Re:Whats wrong with this picture

When I read that part of the quote, I though, "Hmmm, so 49 people where involved", and "How inside was it?".

There is something very wrong when loosing money become bank policy; they must have a deal with the insurance company!

Re:Did Glenn Beck steal 9 million dollars?

I don't think that an idiot blow-hard crybaby like Glenn Beck would be capable of staging or participating in something so elaborate, but it *is* telling that he hasn't denied his involvement either. I know that a lot of Americans must feel that this is suspicious, and I do too. It's just the way I feel, and I think that Glenn owes it to his supporters to prove that he wasn't involved.

Why would you HACK?

Loans are harder to find than ever before in America. Even small cash boosts for last minute emergencies, holiday shopping, kids, classes, bills and others. The family still deserves a great holiday season even though the economy is slow. The SAFEST and FASTEST way is 60 MINUTE PAYDAY! They get you up to $1500 wired right into your account! It took me less than an hour, although everyone is a little different. You should check it out rather than going through a drawn out credit approval. Plus, it's a %100 Secured Site. What are you waiting for...? www.GetRecessionFree.com