Slashdot Mirror
$9 Million ATM Hacking Ring Indicted
Trailrunner7 writes "US and international prosecutors have indicted a criminal ring that they allege was responsible for an ATM scam last November that stole about $9 million from RBS WorldPay. The criminals cracked payroll debit cards and withdrew money from ATMs in hundreds of cities around the world. A federal grand jury in Atlanta has indicted eight men in connection with the scheme, including five Estonians, one Russian, one Moldovan, and one unidentified man. Prosecutors allege that the men 'used sophisticated hacking techniques' to defeat the company's encryption system. The scam involved an elaborate plan in which the attackers first bypassed the encryption on the debit cards, which RBS WorldPay issues to customers for employee payroll purposes. They then raised the limits on the accounts attached to the cards, then provided a network of 'cashers' with 44 counterfeit payroll debit cards, which were used to withdraw more than $9 million from more than 2,100 ATMs in at least 280 cities worldwide, including cities in the United States, Russia, Ukraine, Estonia, Italy, Japan and Canada. The $9 million loss occurred within a span of less than 12 hours; 130 different ATMs in 49 cities were hit within one 30-minute period."
Just earlier, we heard about a hole in Bing cash-back program and many people rightfully stated that not enough care is taken when developing and more importantly, designing secure systems.
This is one more case that proves them right. Bright hackers usually pick the easiest target. Due to the hit and run nature of the theft, I believe that proper real-time monitoring of the system could have prevented most of the attack. Maybe half an hour or less instead of 12 hours time span before it would have been stopped.
Everything I write is lies, read between the lines.
Well, its a wide, wide world my friend. The things you don't know about could fill a library of congress or two.
But on topic, these cards have many uses. Telemarketers used to give time limited payroll debit cards out for performance bonuses. In some parts of the world, they are given out instead of checks. With the idea being that you don't have to go to an open bank to get it cashed. Plus in many areas outside the US, checks are dead. No one uses or accepts them. obviously these aren't the kind of people that are planning for a future retirement in the hamptons.
Well.. maybe. Or Maybe not. But Definitely not sort of.
Lots of companies that have a highly fluid employee population use these payroll debit cards.
My son works for a company owned 7-11 that pays him this way. Each card has an account dedicated to it. Not sure what the benefit from the company perspective is. Probably some kickback on the percentage the card issuing company collects on purchase and maybe ATM fees.
These cards are also probably a handy to pay illegal aliens who can't get bank accounts (just speculating).
The original and much more informative article, written by someone that at least has basic understandings of technology at wired One of the keys to why this is so big can be found in the following... "The hack involved reverse-engineering PINs for payroll debit card accounts" and "Tsurikov conducted reconnaissance of the RBS network after Covelin provided him with information about vulnerabilities in the system. Pleshchuk and Covelin then worked on exploiting the vulnerabilities to obtain access on November 4. Pleschuk allegedly developed the method for reverse-engineering the encrypted PINs." So what it boils down to is that usually something happens to a bank, and it is some stupid CIO or consultant that leaves unencrypted info on a laptop or something similarly stupid, while this seems to be a "legitimate" hack/crack. This involves all the steps of classic vulnerability assesment a pro security consultant would do, but with blackhat intent, including passive recon, 0 days, etc. It should be noted that in the Credit Card fraud underworld, the biggest problem is not getting cards info, including PIN's. The problem is called "cashing out". Often internet currencies (e-gold, etc) and offshore gambling sites are used to launder money, but this is why the "cashiers" usually charge 50 points. They got caught because of how they got the money, and the real special thing here is that they targeted only a few high level payroll accounts. Making their indicment only on 16 counts. I highly doubt they would be expected to pay back every bit of it, and if they are smart they had a contigency plan, hide a million or two in a hole in the ground, and will only serve a handful of years in jail, but my entire last statement is pure speculation as I know very little about how the justice system works in regard to this stuff, barring to say that I have a friend who spent 5 years in prison for non-malicious haking of government computers, while the local young girl murderer gets 3 years....ahh i need to drink less, or maybe more, before posting to /.!
"It's ok, I'm completely secure as long as my iron is off"
You mean some company doesn't either do direct deposit, or cut you a check?
Yes. Mark of a company that hates hates HATES its employees. After undergrad I was working at gamestop when they decided to go this route. For some reason, they were incapable of processing a direct deposit for me, so checks were fine. Then these cards came. They give your paycheck to a different company. Said company gives it to you. The fine print in the information pamphlet they handed out: one free transaction a month. After that, $2 fee for using the debit card for anything.
They undoubtedly made a killing from many high school kids on that one. And gamestop no longer had to print and distribute paychecks, saving the company untold hundreds of dollars a month. Since that was one of the least annoying things gamestop did to it's employees, morale probably wasn't a factor.
Is he the unidentified man? Why does Glen Beck not deny his involvement?
Biometric security is a horrible idea. Not only can you trick a retina scanner with a photograph and easily lift a finger print, but it is also non-disposable. There are much simpler and effective solutions to protecting sensitive information, like TrueCrypt. I bet most fingerprint readers and retina scanners on consumer electronics have manufacturer backdoors.
Trying to install linux on my microwave, but keep getting a kernel panic...
Bank Robber: thousands of dollars stolen, but they go to a maximum security prison
ATM fraud ring: millions of dollars stolen, but they go to a medium security prison
Ponzi scheme: billions of dollars stolen, but they go to a minimum security prison.
Bankers: trillions of dollars stolen, and they're given more by the government with a bonus on top
These cards are also probably a handy to pay illegal aliens who can't get bank accounts (just speculating).
I used to write software for one of these companies. They practically marketed it that way.
Considering the $9 million was taken from 2,100 ATMs, that's over $4,200 per transaction... Most ATMs only have 20's to dispense, so that would be a pretty big pile of cash to carry out of the store/bank/gas station.