$9 Million ATM Hacking Ring Indicted

Trailrunner7 writes "US and international prosecutors have indicted a criminal ring that they allege was responsible for an ATM scam last November that stole about $9 million from RBS WorldPay. The criminals cracked payroll debit cards and withdrew money from ATMs in hundreds of cities around the world. A federal grand jury in Atlanta has indicted eight men in connection with the scheme, including five Estonians, one Russian, one Moldovan, and one unidentified man. Prosecutors allege that the men 'used sophisticated hacking techniques' to defeat the company's encryption system. The scam involved an elaborate plan in which the attackers first bypassed the encryption on the debit cards, which RBS WorldPay issues to customers for employee payroll purposes. They then raised the limits on the accounts attached to the cards, then provided a network of 'cashers' with 44 counterfeit payroll debit cards, which were used to withdraw more than $9 million from more than 2,100 ATMs in at least 280 cities worldwide, including cities in the United States, Russia, Ukraine, Estonia, Italy, Japan and Canada. The $9 million loss occurred within a span of less than 12 hours; 130 different ATMs in 49 cities were hit within one 30-minute period."

Proper monitoring

[ls671]

Just earlier, we heard about a hole in Bing cash-back program and many people rightfully stated that not enough care is taken when developing and more importantly, designing secure systems.

This is one more case that proves them right. Bright hackers usually pick the easiest target. Due to the hit and run nature of the theft, I believe that proper real-time monitoring of the system could have prevented most of the attack. Maybe half an hour or less instead of 12 hours time span before it would have been stopped.

Re:Proper monitoring

[WarJolt]

There is such a thing as too much monitoring. If the cost of the monitoring system is more than the amount stolen it's not worth it. In this case a simple system could probably cost less than $9 million and prevented this. A company must have intuition to preempt the costs of theft. Many businesses, especially retail, actually expect theft and factor this into their costs.

If you're running a casino you must invest lots in security because the cost of losing a lot of money is very real and worth the investment.

A small mom and pop store might have a digital recording camera, just in case someone gets mugged, but who has the time to watch all that tape.

Stealing is stealing and the cost effects everyone.

Re:??? What?

[Bill,+Shooter+of+Bul]

Well, its a wide, wide world my friend. The things you don't know about could fill a library of congress or two.

But on topic, these cards have many uses. Telemarketers used to give time limited payroll debit cards out for performance bonuses. In some parts of the world, they are given out instead of checks. With the idea being that you don't have to go to an open bank to get it cashed. Plus in many areas outside the US, checks are dead. No one uses or accepts them. obviously these aren't the kind of people that are planning for a future retirement in the hamptons.

Re:Laptop with finger print or retina recognition

[jandrese]

What is the point of fingerprint recognition if they just pull the drive out and read all of the data off of it? You don't need fancypants biometrics to encrypt the hard drive, which is the only real protection against losing data when your laptop is stolen.

Re:??? What?

[AF_Cheddar_Head]

Lots of companies that have a highly fluid employee population use these payroll debit cards.

My son works for a company owned 7-11 that pays him this way. Each card has an account dedicated to it. Not sure what the benefit from the company perspective is. Probably some kickback on the percentage the card issuing company collects on purchase and maybe ATM fees.

These cards are also probably a handy to pay illegal aliens who can't get bank accounts (just speculating).

Horrible Article

[carp3_noct3m]

The original and much more informative article, written by someone that at least has basic understandings of technology at wired One of the keys to why this is so big can be found in the following... "The hack involved reverse-engineering PINs for payroll debit card accounts" and "Tsurikov conducted reconnaissance of the RBS network after Covelin provided him with information about vulnerabilities in the system. Pleshchuk and Covelin then worked on exploiting the vulnerabilities to obtain access on November 4. Pleschuk allegedly developed the method for reverse-engineering the encrypted PINs." So what it boils down to is that usually something happens to a bank, and it is some stupid CIO or consultant that leaves unencrypted info on a laptop or something similarly stupid, while this seems to be a "legitimate" hack/crack. This involves all the steps of classic vulnerability assesment a pro security consultant would do, but with blackhat intent, including passive recon, 0 days, etc. It should be noted that in the Credit Card fraud underworld, the biggest problem is not getting cards info, including PIN's. The problem is called "cashing out". Often internet currencies (e-gold, etc) and offshore gambling sites are used to launder money, but this is why the "cashiers" usually charge 50 points. They got caught because of how they got the money, and the real special thing here is that they targeted only a few high level payroll accounts. Making their indicment only on 16 counts. I highly doubt they would be expected to pay back every bit of it, and if they are smart they had a contigency plan, hide a million or two in a hole in the ground, and will only serve a handful of years in jail, but my entire last statement is pure speculation as I know very little about how the justice system works in regard to this stuff, barring to say that I have a friend who spent 5 years in prison for non-malicious haking of government computers, while the local young girl murderer gets 3 years....ahh i need to drink less, or maybe more, before posting to /.!

Re:Horrible Article

[Talisman]

"...if they are smart they had a contingency plan, hide a million or two in a hole in the ground, and will only serve a handful of years in jail..."

Let's assume high and say $2MN dollars is successfully hidden. Let's say they get 5 years in jail. There were 8 of them. 2MN/8 = $250,000. $250,000/5 = $50,000.

Good job, guys! You went to jail for 5 years for $50,000 per year, which is what a mid-level IT tech makes. You also guaranteed yourselves a lifetime of being watched by government agencies the world over.

Now, I don't know how many people were just foot soldiers and how many were involved in the technical side of the hack, but say instead of ripping off a bank, you used your what seems to be considerable insight into security flaws to start a security firm and make a lot more money, legitimately. Just not as exciting, I suppose. Good grief, just informing RBS about this hack would have netted you a fat, LEGAL payday. Or, you could have contacted their current security firm, told THEM about the hack, they pay you quietly under the table, then get to look like heroes when they show RBS what they found. There were a lot of ways to use this to your advantage.

I work with a lot of former eastern bloc nationals, and it never ceases to amaze me how much 'ripping off the system' is ingrained into their mentalities. Some of the world's best programming talent comes from that region, and the majority seem inclined to use it for nefarious purposes.

We had to fire what was probably the best technician our company ever had, a Bulgarian, because instead of using his abilities to improve our company's network, he used it to to hack the company firewall and phone switch, and sell Internet access and long distance to people. He probably made a few thousand dollars, but lost a job that paid $72,000, which is a fortune in Bulgaria.

Re:??? What?

[interkin3tic]

You mean some company doesn't either do direct deposit, or cut you a check?

Yes. Mark of a company that hates hates HATES its employees. After undergrad I was working at gamestop when they decided to go this route. For some reason, they were incapable of processing a direct deposit for me, so checks were fine. Then these cards came. They give your paycheck to a different company. Said company gives it to you. The fine print in the information pamphlet they handed out: one free transaction a month. After that, $2 fee for using the debit card for anything.

They undoubtedly made a killing from many high school kids on that one. And gamestop no longer had to print and distribute paychecks, saving the company untold hundreds of dollars a month. Since that was one of the least annoying things gamestop did to it's employees, morale probably wasn't a factor.

Did Glenn Beck steal 9 million dollars?

Is he the unidentified man? Why does Glen Beck not deny his involvement?

Re:Laptop with finger print or retina recognition

[BountyX]

Biometric security is a horrible idea. Not only can you trick a retina scanner with a photograph and easily lift a finger print, but it is also non-disposable. There are much simpler and effective solutions to protecting sensitive information, like TrueCrypt. I bet most fingerprint readers and retina scanners on consumer electronics have manufacturer backdoors.

"used sophisticated hacking techniques"

[countertrolling]

Want some coke?

Um, okay..

hackerz

[kaoshin]

and a person the prosecutors identified only as "Hacker3."
Hacker 3, a three year old child, was already suspected by the RIAA of copywrite infringement.

smarter criminals

Bank Robber: thousands of dollars stolen, but they go to a maximum security prison
ATM fraud ring: millions of dollars stolen, but they go to a medium security prison
Ponzi scheme: billions of dollars stolen, but they go to a minimum security prison.
Bankers: trillions of dollars stolen, and they're given more by the government with a bonus on top

Re:??? What?

[Rophuine]

These cards are also probably a handy to pay illegal aliens who can't get bank accounts (just speculating).

I used to write software for one of these companies. They practically marketed it that way.

Re:crime

[Sulphur]

Mobster in restaurant: "We're Crime and Crime doesn't Pay."

Bring a dufflebag

[buyingtires]

Considering the $9 million was taken from 2,100 ATMs, that's over $4,200 per transaction... Most ATMs only have 20's to dispense, so that would be a pretty big pile of cash to carry out of the store/bank/gas station.

It's less about nationality

I spent 3 years going after someone who defrauded my company for quite some money, and frankly, I wish it was in a different country. The guy was quite bright financially, but instead of using it for honest gain he really HAD to do something shady even if more profitable, honest options were available. This is why we eventually took the lid of the finances he managed and found a large hole where our revenue was supposed to be - hidden by falsified statements.

He was a national, but he played the woefully inadequately trained UK judges for all it was worth. We had all sorts of bizarre lawsuits he started just to keep us too busy to go after him, one even involved his alleging we had his laptop, which he managed to win by wailing at the judge for 3 hours (the judge said that "there must be something to it is he jammered that long" which gives you an idea of how resistant these people are to conmen). He produced some receipts into evidence which were CANCELLED purchases (and of the wrong date) - it was like reading a book and thinking "boy, that could never happen in real life".

Eventually we managed to trip him on one of those lawsuits so he ended up having to pay (which is something he appears not to do on principle) so we managed to bankrupt him and start a global search for his assets. We'll never get our money back, but he'll never get me off his back either, he's become my little pet project - as is the bank that handed him our money after the lawyers had warned him he was no longer on the mandate or an authorised company representative. He had a guy in the bank who waited until he fraudulently changed company records and then quickly closed the account, handing him the money. Thank you, big global bank starting with "H" - you know who you are and I'm about to come after you big time.

I'm a nice guy. You have to go very, very far to piss me off. However, there is a point of no return and then you'll learn a wholly different side to me, on the principle that you had plenty of chance to stop.

Why did I wish it happened in a different country? Well, the police isn't interested to go after fraud, the company registry isn't interested to correct anything unless the police is involved (nice bit of practical recursion here), the judges can be waylaid by the most pathetic arguments known to man because they don't know what the real world looks like and you can't then shoot the f*cker as last resource to functional justice because they've taken the guns away. And if by some unimaginable event you DO manage to get a conviction.. .. you'll discover the jails are full, and he'll walk anyway.

I'd say that in the list of thoroughly f*cked up countries the US certainly doesn't come at the top. The UK is far higher up..