Slashdot Mirror


Coordinated, Global ATM Heist Nets $13 Million

An anonymous reader writes "An international cybercrime gang stole $13 million from a Florida-based financial institution earlier this year, by executing a highly-coordinated heist in which thieves used ATMs around the globe to cash out stolen prepaid debit cards. 'Prepaid cards usually limit the amounts that cardholders can withdraw from a cash machine within a 24 hour period. Apparently, the crooks were able to drastically increase or eliminate the withdrawal limits for 22 prepaid cards that they had obtained. The fraudsters then cloned the prepaid cards, and distributed them to co-conspirators in several major cities across Europe, Russia and Ukraine.' The attack is eerily similar to the 2008 attack on RBS WorldPay that stole $9.4M. The men who pleaded guilty to the RBS attack were arrested and charged in Russia, but were later given only probation."

122 comments

  1. I thought that was a LOT of forklifts by Cryacin · · Score: 1, Funny

    When I first read the headline, I thought they meant heist as in leaving a hole in the wall. Would have been much more spectacular.

    --
    Science advances one funeral at a time- Max Planck
    1. Re:I thought that was a LOT of forklifts by famazza · · Score: 1

      Leaving a hole in the wall. That's how they steal ATMs in Brazil.

      --

      -=-=-=-=
      I know life isn't fair, but why can't it ever be un-fair in MY favor!?
  2. Sounds like we're not getting the whole story by Anonymous Coward · · Score: 0

    Most institutions carefully monitor their cash outflows. There's something else to this.

    1. Re:Sounds like we're not getting the whole story by Anonymous Coward · · Score: 0

      Agreed. Posting as AC because I work for a financial institution, but everything is monitored, watched, controlled and observed.

      We don't fuck around with things like ATMs where there isn't an employee standing in between a person and money.

    2. Re:Sounds like we're not getting the whole story by sjames · · Score: 1

      Nope, that's it. They waited until the bank was closed to pull their dirty tricks. On Monday morning, the bank auditors performed their careful monitoring of their cash outflows and found a 13 million dollar problem in the form of a bunch of deposits on the electronic books that were not backed by actual money.

    3. Re:Sounds like we're not getting the whole story by Anonymous Coward · · Score: 0

      We don't fuck around with things like ATMs where there isn't an employee standing in between a person and money.

      Yeah. Sure you do, Sparky. That would explain why this can't happen: What ATM skimmers look like

    4. Re:Sounds like we're not getting the whole story by babtras · · Score: 2

      That's why these attacks are coordinated across multiple cities. Pull as much money out as you can before the anomaly is investigated and stopped.

    5. Re:Sounds like we're not getting the whole story by treeves · · Score: 1

      But ATM skimmers steal from the bank's other customers. This story is about stealing directly from the bank. Slightly different situation.

      --
      ...the future crusty old bastards are already drinking the Kool-Aid.
    6. Re:Sounds like we're not getting the whole story by anagama · · Score: 1

      "deposits ... not backed by actual money"

      You realize that banks do this daily -- all our money is loaned into existence and deposited in the borrower's account.

      --
      What changed under Obama? Nothing Good
  3. Justice by Anonymous Coward · · Score: 0

    later given only probation?

    Sounds like $9.4M leaves a lot of money for bribes, and the bribes are already in place for organized crime in most of those jurisdictions anyway.

  4. Russian hackers attacking the US are heroes by GodfatherofSoul · · Score: 1

    Over there at least.

    --
    I swear to God...I swear to God! That is NOT how you treat your human!
    1. Re:Russian hackers attacking the US are heroes by Anonymous Coward · · Score: 0

      I believe you are thinking of Nigeria.

      The cold war ended ~20 years ago. Only a few are stuck in that mindset.

    2. Re:Russian hackers attacking the US are heroes by MetalliQaZ · · Score: 2

      Like if an American kid were to hack China?

      --
      "Here Lies Philip J. Fry, named for his uncle, to carry on his spirit"
    3. Re:Russian hackers attacking the US are heroes by Anonymous Coward · · Score: 0, Troll

      Like if an American kid were to hack Iran?

      FTFY

    4. Re:Russian hackers attacking the US are heroes by Darinbob · · Score: 1

      No, they're considered heroes if they hack Estonia.

    5. Re:Russian hackers attacking the US are heroes by Anonymous Coward · · Score: 0

      I don't think so, however corruption is probably still a problem there, so it would not surprise me too much if some money got them a lighter sentence.

    6. Re:Russian hackers attacking the US are heroes by Anonymous Coward · · Score: 0

      There are still people around who could hack ENIAC clones?

    7. Re:Russian hackers attacking the US are heroes by frank_adrian314159 · · Score: 1

      You don't bite the hand that lends to you...

      --
      That is all.
    8. Re:Russian hackers attacking the US are heroes by GNious · · Score: 1

      In all fairness, Estonia is a lot more "wired" than the US, so should pose a more difficult target.

      Disclaimer: Married to an Estonian

  5. So by Anonymous Coward · · Score: 0

    Does this mean the "available balance" is duplicated and kept on nodes throughout the world, and synced with the central database only from time to time?

    That's what I got from the summary, and it sounds incredibly stupid of a bank or whoever hands out these cards to do it that way.

    1. Re:So by Anonymus · · Score: 2, Insightful

      Yeah. I wouldn't go so far as to say they deserve it, since nobody really deserves to have stuff stolen from them, but if that's how they were set up, someone had to have known this would happen.

    2. Re:So by bioster · · Score: 1

      Well, I read the article and it mentions that the attackers were able to reload a card. So they basically just kept reloading the cards and taking money out. The bit about the withdrawal limits was simply so that they could withdraw as much as possible before the banks caught on.

    3. Re:So by pakar · · Score: 1

      I know that I have withdrawn too much on my card when visiting another continent.. Forgot to transfer some funds but was able to withdraw about 500EUR more than was actually in the account... So maybe Visa/Mastercard etc. just have a flag saying "this card is not over the limit" and then sync this with the bank from time to time...

      Irritating to get an overdraft fee when you have money sitting in the next account...

    4. Re:So by Anonymous Coward · · Score: 0

      Not sure if that was exploited here, but I've exploited that in the past on my own account. I had a max $200/day ATM withdrawal limit. I just rode around town to a bunch of ATMs and took $200 from each.

      I also had one issue once where I did a "check my balance" at an ATM owned by my bank in the same office that was my main branch (and was the main branch for Bank One in Columbus, Ohio). It said I had money. So I took out money, then went and bought a soda and chips at a gas station, got gas separately, and got dinner elsewhere. I got hit with an overdraft fee for every one of those, because some checks had cleared earlier that day, but they hadn't updated the balance in the ATM. I had a big shitstorm argument with the branch manager (who told me I should always keep at least $5000 in my account anyway - that's what she does - this to a college kid with very little money). I got them to give back all but one of the fees, but it was BS. Immediately following those transactions, I also had a deposit of my payroll check, so it wasn't like I wouldn't have the money there - it was 100% an issue with their balance checking from the ATM, which I was told will lag 2-4 days behind the actual balance.

      So, I don't know if the DB is necessarily distributed, but they're not all using the most up-to-date data - or at least they weren't back then (late '90s).

    5. Re:So by gnarfel · · Score: 1

      Depends on the size of your institution. The one I work at uses live, current balances. Then again, we're a not-for-profit credit union, so we actually care about our members and their accounts. (And we don't make a profit, we give it back at the end of the year as a nice random deposit into your savings, divided by the total number of members.)

      --
      Local music(to upstate NY). http://gnarfel.com/ radio.
    6. Re:So by jank1887 · · Score: 1

      Hey, the money in the next account is probably pulling a different interest rate. That rate is based on the bank's expected availability of the money for lending to other people. If you wanted that money more readily available for yourself, and less available to the bank for lending, then you should have put it in that account and taken the lesser interest rate for the benefit. You can't expect to have both. So they hit you for it.

    7. Re:So by Coren22 · · Score: 1

      I would drop that bank...sounds like a bad bank if they can't even keep the digital balance up to date. My credit union is awesome.

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
    8. Re:So by jank1887 · · Score: 0

      Wait, so you had an outstanding check you weren't sure had cleared or not, and you took the amount available at face value? Maybe that check could have cleared the minute after you checked your balance, before buying the soda. That scenario would have you fully liable for the fees. Account balance, available funds, and unobligated funds are very different things. They really need to teach basic finance in high school. If you don't do everything with immediate transactions, if you write checks as obligations for future drafts, you can't use an account balance as a statement of funds available for use. You already promised some of that money to someone else. It's that simple.

    9. Re:So by Anonymous Coward · · Score: 1

      I have had something similar happen to me.

      I had some charge, (it was a subscription to WoW I think, back when I used to play it), that automatically went through. It was sent as a credit transaction though. So it went onto my account, then disappeared for two days. Then, two days later, it came out of my account, and sure enough, any transaction that was smaller was run after, and I was charged $700 in fees for $34 in overage.

      The main issue was that the online system which did NOT have any kind of disclaimer on it about the accuracy of the account total at the time told me that the account had $X in it, which was wrong.

      In the end, I told the bank that I was not asking them, I was telling them that they were going to reverse those charges, or I would spend the $700 they were charging me to file a small-claims action against them since I had by almost pure coincidence all the paper records to prove what had happened. They reversed all of the charges, I closed the account, and I told them I never wanted anything to do with their institution again, and if they attempted to contact me again, my response would be to waste as much of their employee's time as possible.

      Interestingly, eventually they did try and contact me to get me back as a customer. I held good on my promise and spent a while explaining to this "account specialist" what had happened. Even more interestingly, he spent the entire time trying to convince me that I just wasn't a very good customer, but they were willing to forgive me my sins if I returned and signed a document saying they could charge me overage charges in the manner they had.

      I told him he was a sad excuse for a human being if the level of mindlessness he had sunk to for employment was to convince other people that it was morally wrong for them to not allow a giant banking corporation to steal from them, and that if he had any humanity left in him at all, he should really examine what it was he was doing with his life.

    10. Re:So by dissy · · Score: 2

      I would drop that bank...sounds like a bad bank if they can't even keep the digital balance up to date. My credit union is awesome.

      I'm not the AC, but I too am in Columbus and have had dealings with Bank One.
      They really are that bad.

      I only used them for about a year (admittedly a little over 10 years ago) but had all the same problems with 23-hour delays on updating your online balance (as in the online balance on their website!). ATM balances were fairly delayed too, though only a couple of hours.

      I had a similar problem as the anon GP. I was 17 and in college, had just lost my crappy job at the local computer store's stock room not two weeks before classes started, and was basically only eating every three days or so due to lack of funds.
      One day I decided screw it, I'll write a check for groceries and just deal with the check-bounce fee later once classes started back up and I had my student loan leftover money. Turns out Bank One didn't charge $60 per NSF like they say, it's $60 PER DAY until you bring your account positive.
      That was the most expensive $40 grocery check I ever wrote, coming up to over $700.

      I spent a few days trying to close my account out, which of course they wouldn't allow while it was negative so it could keep adding fees until it was enough to send to collections.
      Ironically, they never did send me to collections. They called to bug me about it for a few months and eventually gave up and wrote it off. It's not on my credit report or anything.
      I think they know such things are not legal and just try to scare people into paying for that crap.

      Long story short, Bank One was horrible, and from what I hear is still almost as bad.

    11. Re:So by NormalVisual · · Score: 2

      This brings up an interesting topic - why is it that banks don't/won't show a persistent record of the authorizations against credit/debit cards on your monthly statement? I can see the authorizations when they're active, but as soon as they time out, they're gone from my online statement and never show up anywhere else. It would certainly be nice to be able to easily reconcile authorizations against the actual charges without having to do a lot of extra record-keeping.

      --
      Please stand clear of the doors, por favor mantenganse alejado de las puertas
    12. Re:So by pakar · · Score: 1

      Actually that account is just a transfer account without any interest at all... It's just an account I get my salary on before I pay the bills and manage where to put my money...

  6. every-24-hour coordination by Iamthecheese · · Score: 5, Interesting

    Many banking systems only talk to each other in nightly batches. It's mostly done that way because that's the way it's always been done, and to save money on entirely new systems. The every-24-hours style is less secure, slow, and inefficient. This is 2011 and there's no real excuse for it.

    --
    If video games influenced behavior the Pac Man generation would be eating pills and running away from their problems.
    1. Re:every-24-hour coordination by roman_mir · · Score: 2

      I used to do some work for Symcor, AFAIK that's how Canadian banks work.

      It's crazy, I am building my own retail systems right now, the data exchange between the office systems and the stores is batched (because the Internet connection can and does go down sometimes), but when the networks are up, the data is synchronized a few times an hour, we can safely synchronize every 10 minutes. Of course that's only 15 stores right now, but the difficulties are somewhat similar - while you are synchronizing, you have to lock the records that are being updated/deleted/inserted and you still have to have enough performance to serve multiple simultaneous reports to office workers and to suppliers and to store directors. It's a hard problem really, not as easy as it seems, even in 2011, but it's doable. Of course banks just don't do it that way and when they decide to go ahead and try, they'll go through a similar set of issues that I had to deal with (record or table locks via multiple running requests, data consistency, etc.)

    2. Re:every-24-hour coordination by Normal+Dan · · Score: 1

      But if you think about it from a business standpoint, implementing a system like that would cost far more than $13 million.

      --
      A unique way to learn a language: http://languageloom.com
    3. Re:every-24-hour coordination by Anonymous Coward · · Score: 0

      They don't need an excuse - they're the banks. And from what we've seen over the past couple of years, they're the ones who are really in charge.

      Also, it's not just these cards; it's also the debit cards that suck. True story:

      Woman gets her debit card stolen. Crooks use it as a credit card. Woman reports fraud and bank gets her money back after a couple of weeks after their "investigation".

      She then asks about all the late fees and penalties that were charged to her because automatic payments that hit her account bounced. Banks said that was her problem - tough shit. $800+ in bogus fees and penalties. I think she filed a complaint with the OCC and got some sort of resolution.

      The banks are evil cocksuckers and the politicians who give them a free ride should go to a special Hell where they see their children slowly die of cancer.

    4. Re:every-24-hour coordination by roman_mir · · Score: 1

      Oh, definitely. It will be in hundreds of millions, possibly more. Just the hardware upgrades will be in billions probably. The problem is that banks normally close at night, so synchronization does not really have to take into account that there are multiple live transactions going at the same time, so for example it's possible to lock an entire table to do updates (and it's mostly done that way). Imagine having to figure out all of the problems related to frequent synchronization and thus insane performance degradation if they even just switch from table to record locks. That's not going to be enough, they'll have to do much more than that, they'll have to redesign the way transactions work altogether. It's going to be fun, I had to do this for a retail system that I built to do frequent synchronization between all the sale points and center while serving all sorts of reports and requests. But banks are a much bigger problem than just a small store chain.

    5. Re:every-24-hour coordination by pakar · · Score: 1

      hmm... bank sends -> allow to withdraw up to X amount when the balance is changed. Visa sends amount X withdrawn to bank when card has been used.. If the network connection is down (at the store or something) then the charges are just buffered until it becomes available again...

      Don't think it will be a big problem since they are just simple messages that can be queued at the bank or at visa depending on their server load... If they want to take less risks then just add more server-capacity to handle the total load..

    6. Re:every-24-hour coordination by MWoody · · Score: 1

      Wait, so how does an ATM that only synchronizes once a day know that I just put in the right pin number? Does every ATM on the planet download a list of every ATM card and PIN in existence?

      I'm not trying to be sarcastic or glib, I'm just trying to understand how the system you describe could function.

    7. Re:every-24-hour coordination by pakar · · Score: 1

      But if you think about it from a business standpoint it would probably cost less to implement than $365 Million for Canada

      http://www.rcmp-grc.gc.ca/scams-fraudes/cc-fraud-fraude-eng.htm

      And the current batch-based systems could still be used for this... just smaller chunks...

    8. Re:every-24-hour coordination by Anonymous Coward · · Score: 0

      The PIN is stored on the card.

    9. Re:every-24-hour coordination by roman_mir · · Score: 2

      No, you didn't get my point. The data comes flooding into the center, it will lock all of the records that are updated (hopefully just records and not entire tables.) There will be not a single moment in time that there will be no updates coming into the banks, unless there is some form of absolute synchronization (possible), but even then, if you synchronize with the center say every 1 hour, that means that once an hour every bank, every buffer that there is out there will send data into the center.

      IF (that's a big if) the center is only used to collect data and for nothing else, that may be OK. If (and that's the case) the data in the center is constantly used for various transactions, not just printing and check clearing (like what we did in Symcor), but for all sorts of transactions, then those transactions may be blocked by the incoming data.

      If you ask me what kinds of transactions do centers like that handle? I'll tell you exactly, because I was an architect on a number of projects like that. You can download your check images, statements online, this data is not sitting in every bank! This data is requested from the center (again, I am talking about Symcor) and it is then served to the requester through a number of proxies. The data may not be immediately available (not even sitting on a hard drive), but there are pretty cool robot storage facilities, with robotic hands spinning around on vertical poles, going up and down, grabbing disks or other types of storage (tape) and bringing them to readers and plugging them in and moving them around, all based on near-real-time requests, this depends on the SLA. Though I worked on it 2001-2004, maybe it's different today, but even if it is different, data needs to be synchronized across multiple storage systems, some are online, some are not, etc., and it's because some are used for real time or near real time requests.

      It is just not a simple problem, it really is entire infrastructures and ecologies of systems that were built around the principle mainframes, and in many systems (all?) it is assumed, that data comes in at night.

      The expense to switch from that to a more real time system will be horrendous.

    10. Re:every-24-hour coordination by Anonymous Coward · · Score: 0

      The PIN entered is verified against the PIN stored on the card.

    11. Re:every-24-hour coordination by babtras · · Score: 1

      To clarify, transactions are mostly authorized in realtime by the bank that issued the card (*some* credit card transactions can be done "offline" but not normally at an ATM unless there's a network problem). The nightly batches are settlement processes where the bank actually pays the ATM owner for the cash they gave to the bank's customer. Authorization happens in realtime, money shuffling between financial institutions happens at night.
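Added example (Python, written for this page; not code from the thread, from any bank or from any card network): a toy issuer host that, as the comment above describes, authorizes each ATM withdrawal in real time against a rolling 24-hour limit, and a velocity rule over the same authorization data that would flag the many-cities-in-minutes cash-out from the story even after a card's limit has been lifted. Card identifiers, cities, limits and timestamps are constructed.

```python
"""Toy issuer-side authorization host (added example, not a bank's code).

Authorization is decided in real time against a rolling 24h cash limit;
settlement with the ATM owners is assumed to happen in a nightly batch and
is not modelled. The velocity rule shows that the same real-time data the
limit check already uses is enough to raise an alert before settlement.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)


class Issuer:
    """Real-time authorization against a rolling 24-hour withdrawal limit."""

    def __init__(self, limits):
        self.limits = dict(limits)          # card -> 24h cash limit (None = no limit)
        self.approved = defaultdict(list)   # card -> [(timestamp, amount, city)]

    def spent_last_24h(self, card, now):
        cutoff = now - WINDOW
        return sum(amt for ts, amt, _ in self.approved[card] if ts > cutoff)

    def authorize(self, card, amount, city, now):
        """Approve only if the rolling-24h total stays within the card's limit."""
        limit = self.limits.get(card)
        if limit is not None and self.spent_last_24h(card, now) + amount > limit:
            return False
        self.approved[card].append((now, amount, city))
        return True

    def velocity_alerts(self, min_cities=3, within=timedelta(minutes=30)):
        """Flag any card approved in >= min_cities distinct cities inside `within`.

        A genuine cardholder cannot be at ATMs in several cities within half an
        hour; cloned cards handed to co-conspirators can. Returns (card, cities).
        """
        alerts = []
        for card, rows in self.approved.items():
            rows = sorted(rows)
            for i, (start, _, _) in enumerate(rows):
                cities = {c for ts, _, c in rows[i:] if ts - start <= within}
                if len(cities) >= min_cities:
                    alerts.append((card, sorted(cities)))
                    break
        return alerts


def run_demo():
    """Constructed scenario: one ordinary card, one whose limit was removed."""
    t0 = datetime(2011, 8, 20, 2, 0)   # constructed: a weekend night, bank closed
    issuer = Issuer({"CARD-LEGIT": 500, "CARD-X": 500})

    # Ordinary cardholder: two withdrawals in one city; the second breaches the limit.
    legit = [
        issuer.authorize("CARD-LEGIT", 300, "Tampa", t0),
        issuer.authorize("CARD-LEGIT", 300, "Tampa", t0 + timedelta(hours=1)),
    ]

    # The limit on CARD-X is removed (the story's precondition); clones are then
    # used in several cities within minutes. Every request passes the limit check...
    issuer.limits["CARD-X"] = None
    cashout = [
        issuer.authorize("CARD-X", 1000, "Kiev", t0 + timedelta(minutes=5)),
        issuer.authorize("CARD-X", 1000, "Moscow", t0 + timedelta(minutes=9)),
        issuer.authorize("CARD-X", 1000, "Rome", t0 + timedelta(minutes=14)),
        issuer.authorize("CARD-X", 1000, "Madrid", t0 + timedelta(minutes=20)),
    ]
    # ...but the velocity rule, run on the same real-time authorization data,
    # flags CARD-X immediately, not after the nightly settlement batch.
    return legit, cashout, issuer.velocity_alerts()


if __name__ == "__main__":
    legit, cashout, alerts = run_demo()
    print("legit card decisions:", legit)
    print("lifted-limit card decisions:", cashout)
    print("velocity alerts:", alerts)
```

Note that the limit check alone says nothing once the limit is gone; the alert comes from correlating approvals across locations, which is only possible because authorization, unlike settlement, is already real-time.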

    12. Re:every-24-hour coordination by Anonymous Coward · · Score: 0

      The PIN is encoded on the card's mag strip. Not the PIN itself, though. If you read the mag strip, it would not show your actual PIN. The ATM knows how to decode it.

    13. Re:every-24-hour coordination by garyebickford · · Score: 1

      Well, no worries there. The PIN is perfectly safe there, no doubt. |>_|

      --
      It's easier to be a result of the past, but more fun to be a cause of the future! http://www.spacefinancegroup.com/
    14. Re:every-24-hour coordination by sjames · · Score: 1

      But it would only cost that once.

    15. Re:every-24-hour coordination by babtras · · Score: 2

      Not any more it isn't. WAY back in the past, there was a PIN "Offset" stored on the card, which relies on an ATM having the correct "PIN Verification Key" from the financial institution to validate. However, that's no longer the case. If you look at the track 2 data on any card today, the numbers in the offset field are either random or '0000'.

    16. Re:every-24-hour coordination by roman_mir · · Score: 1

      Don't forget that there is insurance that banks buy for this as well. Of course from the POV of insurance companies it would be a good thing for banks to do, to minimize any sort of vector of attack, so if banks wanted to pay less in insurance premiums, they could invest, but likely it would be much more than just a few hundred million dollars.

      Think about this: a tiny project in a bank costs maybe around 250K. That's small time peanuts, and that's software only.

      Now think about this: there are thousands of systems in operation in banks. Every system will have to be at the very minimum reviewed for potential impact of such a gigantic paradigm shift. So say it takes 100K to review a project on average. So that's 100K X thousands of projects to be reviewed.

      Hundreds of millions, if not billions, will be spent on reviews. Then there will be a huge architectural undertaking. Then the hardware, links, software will have to be actually built. Then there will be a transition period, with small steps taken, some parts of systems will be transitioned (while the old systems will all be running exactly as they were). There will be doubling of the impacted systems.

      I guarantee that most systems that are impacted will have to be doubled. The old will continue operating and the new will come on line to start transitioning with a tiny test.

      This is not going to be 365 million. We are literally talking about tens of billions. And when you take into account that there are multiple centers, not all banks are connected into the same systems, it's going to be in hundreds of billions.

    17. Re:every-24-hour coordination by toadlife · · Score: 1

      The PIN is stored on the card.

      As a hash, I hope.

      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    18. Re:every-24-hour coordination by Anonymous Coward · · Score: 0

      The ATMs work in realtime. It's the ACH (automated clearing house) that operates overnight usually. There are multiple levels the transactions must go through, but generally speaking the banks have a record of the transaction within minutes.

    19. Re:every-24-hour coordination by _0xd0ad · · Score: 1

      There are only 10,000 possible PINs. Hashing isn't going to help much.

    20. Re:every-24-hour coordination by gl4ss · · Score: 1

      You don't have live checking of balance for debit cards? How would your system have detected to reject these cards?

      (Fun fact: Visa Electron, I think known as Maestro in more countries but it's "Visa Electron" here, often when roaming only checks that there's _some_ money on the account, not that there's enough for the withdrawal. I think it's because it's just hacked on top of the regular Visa processing; they're quite effectively the same thing as credit card Visa, only that you're supposed to only use them electronically - thus it's possible to overdraw accounts that weren't supposed to be possible to overdraw... so imagine someone stealing more money from you than what you have, "haha".)

      Anyhow, around here in Finland, despite the local banking cartel's effective cartel on card processing, you can quite easily as a business get mobile terminals that you can do card charges with and they're checked live (all kebab places, bars, etc. have them; they don't need to check bank cards live but debit cards yes).

      --
      world was created 5 seconds before this post as it is.
    21. Re:every-24-hour coordination by roman_mir · · Score: 1

      There are on-line and off-line debit cards. In Canada the on-line transactions are handled by Interac. It is a central system.

      But this story is about pre-paid cards. Apparently data about purchases from these cards is synchronized in batches at night.

    22. Re:every-24-hour coordination by Solandri · · Score: 1

      Heaven forbid they use the money from ATM fees to actually improve the ATM network, rather than pocketing it as pure profit.

    23. Re:every-24-hour coordination by avandesande · · Score: 1

      Ever had to wait a day before your money was available to your credit card even if the money was deposited? It's not that big of a deal but the entire system is riddled with inefficiencies due to these batch jobs.

      --
      love is just extroverted narcissism
    24. Re:every-24-hour coordination by madhatter256 · · Score: 1

      The banks that were affected were SunTrust.... which is the most poorly secured bank in Florida, at least...

      --
      Previewing comments are for sissies!
    25. Re:every-24-hour coordination by jonbryce · · Score: 1

      Maestro is the Mastercard equivalent of Visa Debit.

    26. Re:every-24-hour coordination by jonbryce · · Score: 2

      It is a challenge response system that operates on the card itself. For example, my bank supplies a card reader for online transactions. I enter the PIN and an 8 digit number supplied by the bank at the time of the transaction, and get an 8 digit number back which I enter on the website to authenticate the transaction. The card reader will tell me if I have entered the right PIN or not, but after 3 incorrect attempts, the chip on the card gets locked, and I have to take the card to the bank to unlock it.

    27. Re:every-24-hour coordination by pakar · · Score: 1

      So a normal withdrawal that is linked directly into the account could not be used?? I can see a withdrawal within a few minutes later on my account... If I withdraw an amount from any ATM here I can see that the amount has been withdrawn from the account from any other ATM (different banks) ... Seems a bit strange to not reuse existing infrastructure that already handles this type of thing...

      I think there is a more hidden agenda about wanting delays, and that is that they are making big bucks on those that overcharge their account because they forgot to transfer funds into the account...

      Also about insurance... X banks pay Y amount of money... X*Y must be smaller than the total amount the insurance-company takes in, and probably quite a bit more for them to want to take the risk...

    28. Re:every-24-hour coordination by baegucb · · Score: 1

      When I worked for CIBC in the 70s, in a regional data center, checks came in via messenger 3 or 4 times a day. 99% of the checks were internal to CIBC and there was always a rush to separate other banks' checks. Then the checks would be read in by an IBM 1419 and processed by the IBM mainframe. Cash dispensing machines were done by batch too, similar to how checks were processed. We were told that the penalty for not getting other banks' checks back to them on the same day incurred a penalty equal to the face value of the checks. Not too difficult, since there were so few bank chains back then (I haven't lived in Canada in a long while)..

    29. Re:every-24-hour coordination by Eil · · Score: 1

      Many banking systems only talk to each other in nightly batches. It's mostly done that way because that's the way it's always been done, and to save money on entirely new systems. The every-24-hours style is less secure, slow, and inefficient. This is 2011 and there's no real excuse for it.

      (Disclaimer: I used to work in financial I.T. But don't worry, I got better.)

      At the end of the banking day, the backend systems of every decent-sized financial institution begin churning through the day's data to settle transactions, adjust accounts, produce reports, and exchange information with other institutions. This is called running cycle. Some parts of cycle are kicked off automatically when a certain condition is met (e.g., it's 18:00 or a file suddenly appears in a magic directory), other parts are started manually by the datacenter operators. Depending on the volume of data to be dealt with, cycle can take anywhere from a couple hours to halfway through the night. End-of-month cycle can take an entire weekend. If you're (to pick a non-random example) a Unix admin and something you did to one of the boxes crashes a job and holds up cycle, you get a phone call no matter how late/early it is.

      Cycle can't be run during the day for a number of reasons, none of which are simply tradition. The biggest one is that in the middle of the business day, there are lots of accounts and databases which are open and being actively used in real-time by other systems and users. Trying to run heavy reporting or transaction jobs on that data all day long just for the sake of staying up-to-the-minute is highly wasteful in terms of system resources alone. You'd be putting extra load on a production server with extremely expensive downtime (as in, millions-of-dollars-per-minute downtime) and drastically lowering the system response time for users who are entering or retrieving data from it. It's far better to shift that load to the evening when the business is closed for the day, downtime is much cheaper, and there's more time available to fix the tough problems.

      A good analogy would be this: running cycle in the middle of the day is like running fsck on your desktop system with all of the filesystems mounted and also while you are trying to use it for important work. Now, there are plenty of real-time data reporting systems where possible and where it makes sense. But for the most part, the consumers of the data (customers, accountants, managers, actuaries, and other software) are perfectly able to do their jobs with the previous day's data.

      Maybe one day humans will do away with the concept of business hours. Or perhaps we'll develop software that can affordably process petabytes of raw financial data in the blink of an eye. Until then, we're stuck with a daily after-hours cycle.

    30. Re:every-24-hour coordination by roman_mir · · Score: 1

      Actually I don't know about this moment in time, but back when I worked for Symcor it didn't process CIBC. It processed RBC, TD and BMO, in fact they spawned the company and outsourced check processing and statement printing to them. But the checks are processed at night.

    31. Re:every-24-hour coordination by roman_mir · · Score: 1

      I am not talking about synchronizing only the withdrawals, that is actually done by Interac in Canada. I am talking about synchronizing all account data. But in the case of the pre-paid debit cards the data can be waiting anywhere in the world; it's collected at night from whatever local branches and buffers.

    32. Re:every-24-hour coordination by networkBoy · · Score: 1

      Yes, and banks make more off accidental overages than they lose on scams that exploit this. Think about the complexity to actually pull off the scam. The principle of this scam is simple, execution is not.
      -nB

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
    33. Re:every-24-hour coordination by Anonymous Coward · · Score: 0

      maestro = mastercard :)

      (hence why they both have the overlapping circles for logos)

    34. Re:every-24-hour coordination by pakar · · Score: 1

      Still, the banks already have real-time systems to handle this... I made a purchase on my card today and the amount showed up as reserved on my account in less than 5 minutes... why not extend it to VISA/Mastercard, since all the transactions still go to their servers to be validated?

      Yes, you need some locking for the real account data. But for just an "available amount" it should be a lot less critical, and that could instead just be checked during the big batch job to correct for any errors.

    35. Re:every-24-hour coordination by metrix007 · · Score: 1

      It really isn't. A visa debit card lets you use your debit card as a credit card. Maestro does not allow that, it's just an international network like cirrus or plus.

      --
      If you ignore ACs because they are anonymous - you're an idiot.
    36. Re:every-24-hour coordination by Anonymous Coward · · Score: 0

      The ATM networks are not necessarily connected to the issuing bank all the time. When they are down, they use what's called a "stand-in" transaction. That's a pre-authorized limit that is automatically approved if there is no connectivity. The issuing bank simply takes the hit if it's a fraudulent transaction. If a bank has to use stand-in transactions due to problems, it can cause a lot of phone calls during the holidays when people are going from store to store buying things and getting denied because of the low stand-in limit.

      With regard to the PIN, if the home ATM network is still up, it can check the PIN even if the bank connectivity is down. The ATM networks are very resilient.

      For certain types of cards, usually those with high limits like home equity lines of credit, the transactions sometimes are batched and processed at night. That means you could exceed your limit and the issuing bank would never know it until that night after you're long gone. Or you could call in your card as stolen and it could still be valid until the next batch update.

      It happens so infrequently that the bank just takes the hit because it costs less than fixing it. You don't pay more to fix an issue than it is costing you.
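
The authorization flow this thread describes (the issuer's per-card 24-hour cash limit, the "available amount" reservation pakar mentions, and the network stand-in approval the comment above explains), as an added toy model written for this page. It is not code from the article, from FIS or from any bank; the card numbers, the stand-in ceiling, the limits and every amount are constructed for illustration. It shows why removing a card's daily limit and reloading its balance remotely, which is what the article says the crooks did, turns a card good for two withdrawals into one good for as many as there are ATMs, and why stand-in approvals only surface to the issuer as a negative balance at reconciliation.

```python
"""Toy prepaid-card cash authorization model (illustrative, not any bank's code).

Amounts are in cents. Card numbers, limits and the stand-in ceiling are
constructed values chosen for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

STANDIN_LIMIT = 20_000        # assumed per-transaction ceiling the network approves while the issuer is unreachable
WINDOW = timedelta(hours=24)  # rolling window for the daily cash limit


@dataclass
class Card:
    pan: str
    balance: int                      # available balance on the prepaid card
    daily_limit: Optional[int]        # cash limit per rolling window; None means no limit at all
    withdrawn: int = 0                # cash dispensed inside the current window
    window_start: Optional[datetime] = None
    standin_pending: int = 0          # approved by the network while the issuer was offline, not yet posted


def _roll_window(card: Card, now: datetime) -> None:
    """Reset the daily counter once the 24h window has elapsed."""
    if card.window_start is None or now - card.window_start >= WINDOW:
        card.window_start = now
        card.withdrawn = 0


def authorize(card: Card, amount: int, now: datetime, issuer_online: bool = True):
    """Decide one ATM withdrawal. Returns (decision, reason) and updates the card on approval."""
    if amount <= 0:
        return "DECLINED", "bad-amount"
    if not issuer_online:
        # Stand-in: the network cannot reach the issuer, so it approves anything up to a
        # flat ceiling and tells the issuer later. Balance and daily limit are not consulted.
        if amount > STANDIN_LIMIT:
            return "DECLINED", "standin-limit"
        card.standin_pending += amount
        return "APPROVED", "standin"
    _roll_window(card, now)
    if amount > card.balance:
        return "DECLINED", "insufficient-funds"
    if card.daily_limit is not None and card.withdrawn + amount > card.daily_limit:
        return "DECLINED", "daily-limit"
    card.balance -= amount
    card.withdrawn += amount
    return "APPROVED", "online"


def reconcile_standin(card: Card) -> int:
    """Post stand-in approvals once the issuer is back; the balance may go negative and the issuer eats it."""
    card.balance -= card.standin_pending
    card.standin_pending = 0
    return card.balance


def cash_out(card: Card, amount: int, atms: int, start: datetime,
             issuer_online: bool = True, reload: Optional[int] = None) -> int:
    """Hit `atms` machines one minute apart with the same card and return the cash obtained.

    `reload`, if given, tops the card up whenever the balance drops below `amount`,
    standing in for the remote reload of near-empty cards the article describes.
    """
    obtained = 0
    for i in range(atms):
        if reload is not None and card.balance < amount:
            card.balance += reload
        decision, _ = authorize(card, amount, start + timedelta(minutes=i), issuer_online)
        if decision == "APPROVED":
            obtained += amount
    return obtained


def run_scenarios() -> dict:
    """Three constructed runs: an intact card, a card with its limit removed plus reloads, and stand-in mode."""
    t0 = datetime(2011, 3, 5, 20, 0)
    out = {}
    intact = Card("9999********0001", balance=50_000, daily_limit=40_000)
    out["intact"] = cash_out(intact, 20_000, atms=10, start=t0)          # stops at the limit / balance
    rigged = Card("9999********0002", balance=50_000, daily_limit=None)
    out["limit_removed_with_reload"] = cash_out(rigged, 20_000, atms=10, start=t0, reload=100_000)
    offline = Card("9999********0003", balance=5_000, daily_limit=40_000)
    out["standin"] = cash_out(offline, 20_000, atms=10, start=t0, issuer_online=False)
    out["standin_balance_after_reconcile"] = reconcile_standin(offline)
    return out


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

The intact card gets two approvals and is then declined by balance and limit; with `daily_limit` set to `None` and reloads arriving whenever the balance drops, all ten ATMs approve; in stand-in mode neither balance nor limit is ever consulted, and the issuer learns of the $2,000 it dispensed against a $50 card only when the pending approvals post. The model checks only the card's own state, so it says nothing about the same card appearing at several ATMs at once; that is a separate velocity check which this toy omits.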

  7. Honesty by Anonymous Coward · · Score: 4, Insightful

    "The attack is eerily similar to the 2008 attack on RBS WorldPay that stole $9.4M. The men who pleaded guilty to the RBS attack were arrested and charged in Russia, but were later given only probation."

    Would you try to steal $9.4M by nonviolent means if you knew that the penalty for being caught was probation? Be honest.

    1. Re:Honesty by Anonymous Coward · · Score: 1

      Naturally not.

      (Ask me again when I know how)

    2. Re:Honesty by scorp1us · · Score: 4, Funny

      It's still more honest than members of congress. At least with the heist, you know you're getting robbed.

      In America, the government robs you then sends you the bill.

      --
      Slashdot's rate-of-post filter: Preventing you from posting too many great ideas at once.
    3. Re:Honesty by jdgeorge · · Score: 1

      Amusing, but this is the same as every other country with a functional government.

    4. Re:Honesty by mr1911 · · Score: 3, Funny

      You imply the United States has a functional government.

      Amusing, but this is the same as every other country with a dysfunctional government.

      FTFY

      --
      This post comes with a double-your-money-back guarantee!
      Any offense taken to this post is at your sole discretion.
    5. Re:Honesty by Anonymous Coward · · Score: 0

      Oddly enough, I wouldn't, but I'm hopelessly honest.

    6. Re:Honesty by Anonymous Coward · · Score: 0

      [Insert canned reply from Usenet about how the government does many things that people never notice in their everyday life, then they go online to FoxNews.com to complain about how the government is ruining their life]

    7. Re:Honesty by Anonymous Coward · · Score: 0
  8. cities across Europe, Russia and Ukraine by Iamthecheese · · Score: 1

    In Soviet Russia, bribes pay you!

    --
    If video games influenced behavior the Pac Man generation would be eating pills and running away from their problems.
    1. Re:cities across Europe, Russia and Ukraine by Anonymous Coward · · Score: 0

      In Soviet Russia, Slashdot is not read

    2. Re:cities across Europe, Russia and Ukraine by Anonymous Coward · · Score: 0

      > In soviet Russia, brides pay you!

      Great! Where do I sign up!?

  9. acceptable to machavieli if by magsk · · Score: 1

    Plan a heist of Russian and former Soviet bloc countries' banks and financial institutions, so they realize the real damage caused by letting these people off lightly. IMHO Russia now takes enjoyment out of these hits, since they see it as a way to inflict damage on the west by way of proxy. Need a global effort to eliminate such criminals.

    1. Re:acceptable to machavieli if by garyebickford · · Score: 1

      Except that if they catch you, they won't bother with a trial. They'll torture you, then shoot you and your entire family. Like other organized crime groups in the good old days.

      --
      It's easier to be a result of the past, but more fun to be a cause of the future! http://www.spacefinancegroup.com/
  10. Not cybercrime by billcopc · · Score: 1

    Did the attack take place over the internet? Or was an android used to execute the attacks? No? Then it is NOT cybercrime. It's not cyber-anything!

    This was a meatspace attack, the kind any 12 year old can perform with a card cloner - you know, a small, simple electronic device consisting of about $15 worth of components and a few hundred bytes of PIC code. I figure all they did was run the same cards simultaneously at different ATMs, exploiting a probably very huge gaping race condition in the bank's software. More importantly, I wouldn't be surprised if many other banks were also vulnerable to this type of attack, with no intentions to fix it. The only reason we don't hear about it more often is because most of us in the western world don't have dozens of sketchy friends with the nerves to coordinate this sort of attack yet still remain trustworthy. We also tend to have more to lose from getting caught, than the few thousand dollars gained in a successful attack. Is it worth risking a criminal record and incarceration for the sake of a year's salary ? For most of us the answer is no. We aren't criminals, not because we're "good people", but because it is simply not worth the risk. If the take were larger by an order of magnitude, you'll find allegedly honest people are suddenly far more interested in taking that risk.

    --
    -Billco, Fnarg.com
    1. Re:Not cybercrime by PeanutButterBreath · · Score: 1

      Hence, "cyber".

    2. Re:Not cybercrime by Anonymous Coward · · Score: 0

      Did the attack take place over the internet? Or was an android used to execute the attacks? No? Then it is NOT cybercrime. It's not cyber-anything!

      Exactly! They may as well call it a trousercrime - on the assumption that the participants wore trousers at some point during the planning or execution of this lulzy jape.

    3. Re:Not cybercrime by Baloroth · · Score: 1

      If the take were larger by an order of magnitude, you'll find allegedly honest people are suddenly far more interested in taking that risk.

      And you'd find the hole being plugged very quickly. This sort of attack is rather tricky to pull off (you need someone to physically be at each ATM, meaning hundreds or possibly thousands of people), and that coupled with the fact that most ATMs have cameras makes this security hole fairly minor ($13 mil sounds like a lot, but to a large bank it's pretty much pocket change. With lots of people involved it would give fairly mediocre payouts).

      Also, if you read TFA it sounds like they actually reloaded the cards using direct access to the bank's card system, so I'm guessing this really was a cyber-attack in addition to the meatspace one.

      --
      "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
    4. Re:Not cybercrime by colesw · · Score: 2

      I know reading the article means I'm new and all, but it was based on both meatspace and cyber.
      "Armed with unauthorized access to FIS's card platform, the crooks were able to reload the cards remotely when the cash withdrawals brought their balances close to zero."
      This was coordinated between people at the ATM and to someone on the FIS network reloading the cards.

    5. Re:Not cybercrime by Syberz · · Score: 1

      I dunno, hacking into FIS's network to remotely remove or increase the withdrawal limits and reload the debit cards sounds like a cybercrime to me...

      --
      ~Syberz
    6. Re:Not cybercrime by bioster · · Score: 1

      Sure, it was meatspace... all except for a key part of their plan:

      Armed with unauthorized access to FIS’s card platform, the crooks were able to reload the cards remotely when the cash withdrawals brought their balances close to zero.

      Your other guesses are likewise incorrect. Basically they figured out a way to reload their cards and then ran around emptying ATMs as frantically as possible before the banks caught on.

      So uh... did you RTFA?

    7. Re:Not cybercrime by Anonymous Coward · · Score: 0

      Norbert Wiener coined the phrase "cybernetics" to mean the study of "technological mechanism" back in 1948 (Plato had used it to mean government back in the day). Gibson coined cyberspace to mean what we now call the internet. I think you're confusing the two. To my mind, which is quite linguistically focused, anything involving technology of any sort could have a cyber- prefix.

      Even though part of the attack was in meat-space, and involved physical ATMs; cyber would fit with the above justification.

      Even putting that aside and taking cyber to mean only internet based, I suspect that the removal of limits from the cards was most likely carried out over a network - most likely the network of networks we call the internet.

      So in either case, cyber would be allowed. Away and boil your head as my dear old grandmother would have said.

    8. Re:Not cybercrime by AdamThor · · Score: 1

      ($13 mil sounds like a lot, but to a large bank it's pretty much pocket change. With lots of people involved it would give fairly mediocre payouts)

      The profitable part isn't standing there, withdrawing (say) $200... The profitable part is selling the chance to withdraw $200 for $100 through your organized crime network to a few hundred people. "load this track on your card-cloner, use this bank network and this pin, withdraw $200 between 8:00 pm and 8:15 pm on this date." Then you get to make a chunk of change, and also gather a retinue of hacker-thugs who consider you to be "THE BOSS" that provides a payout to feed your criminal mastermind ambitions.

      --
      -- "Oh. This guy again."
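
The pattern AdamThor sketches above (a few hundred people each pulling $200 from different ATM networks inside the same 15-minute slot, with the same cloned track turning up in several cities) is what an issuer's fraud team would look for in the live authorization stream rather than in the nightly batch. The following is an added example written for this page; it is not from the article, from FIS or from any processor's real rules. The log format, the `cc` country field, both thresholds and every log line are constructed.

```python
"""Velocity detection over ATM cash-withdrawal authorizations (illustrative rules, constructed data).

The log format below is invented for this example: timestamp, masked PAN, ATM id,
ISO country code of the ATM, amount in whole dollars.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample: four cards from one fake BIN ("9999") cashing out across five
# countries in ten minutes, one of them reused in two countries, plus an unremarkable card.
SAMPLE_LOG = """\
2011-03-05T20:01:10Z pan=9999********0007 atm=ATM-LON-12 cc=GB amount=500
2011-03-05T20:02:40Z pan=9999********0007 atm=ATM-KIE-03 cc=UA amount=500
2011-03-05T20:03:05Z pan=9999********0011 atm=ATM-MOS-21 cc=RU amount=500
2011-03-05T20:04:30Z pan=9999********0011 atm=ATM-MOS-21 cc=RU amount=500
2011-03-05T20:05:12Z pan=9999********0023 atm=ATM-MAD-08 cc=ES amount=500
2011-03-05T20:06:48Z pan=9999********0023 atm=ATM-MAD-09 cc=ES amount=500
2011-03-05T20:07:20Z pan=9999********0042 atm=ATM-BER-04 cc=DE amount=500
2011-03-05T20:09:55Z pan=9999********0007 atm=ATM-LON-12 cc=GB amount=500
2011-03-06T09:15:00Z pan=8888********0900 atm=ATM-MIA-01 cc=US amount=100
2011-03-06T14:30:00Z pan=8888********0900 atm=ATM-MIA-02 cc=US amount=60
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z "
    r"pan=(?P<pan>\S+) atm=(?P<atm>\S+) cc=(?P<cc>[A-Z]{2}) amount=(?P<amount>\d+)$"
)
WINDOW = timedelta(minutes=15)  # assumed coordination window


def parse(log: str) -> list:
    """Parse log lines into dicts sorted by time; malformed lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "pan": m["pan"], "bin": m["pan"].split("*")[0],
                       "atm": m["atm"], "cc": m["cc"], "amount": int(m["amount"])})
    return sorted(events, key=lambda e: e["ts"])


def impossible_travel(events: list, window: timedelta = WINDOW) -> dict:
    """One card seen in more than one country inside `window`: a cloned card in use.
    Returns {pan: sorted list of countries}."""
    by_pan = defaultdict(list)
    for e in events:
        by_pan[e["pan"]].append(e)
    flagged = {}
    for pan, evs in by_pan.items():
        for i, first in enumerate(evs):
            seen = {first["cc"]}
            for later in evs[i + 1:]:
                if later["ts"] - first["ts"] > window:
                    break
                seen.add(later["cc"])
            if len(seen) > 1:
                flagged.setdefault(pan, set()).update(seen)
    return {pan: sorted(ccs) for pan, ccs in flagged.items()}


def coordinated_cashout(events: list, window: timedelta = WINDOW,
                        min_cards: int = 3, min_countries: int = 3) -> list:
    """Many cards of one BIN dispensing cash in many countries in the same window:
    the distributed cash-out itself, visible even when each card stays within its own limit."""
    buckets = defaultdict(list)
    secs = window.total_seconds()
    for e in events:
        slot = int(e["ts"].timestamp() // secs)
        buckets[(e["bin"], slot)].append(e)
    alerts = []
    for (bin_, slot), evs in sorted(buckets.items()):
        cards = {e["pan"] for e in evs}
        countries = {e["cc"] for e in evs}
        if len(cards) >= min_cards and len(countries) >= min_countries:
            alerts.append({"bin": bin_,
                           "window_start": datetime.fromtimestamp(slot * secs, tz=timezone.utc),
                           "cards": len(cards), "countries": sorted(countries),
                           "total": sum(e["amount"] for e in evs)})
    return alerts


def analyze(log: str = SAMPLE_LOG) -> dict:
    """Run both rules over a log and return their findings."""
    events = parse(log)
    return {"impossible_travel": impossible_travel(events),
            "coordinated_cashout": coordinated_cashout(events)}


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(), indent=2, default=str))
```

On the sample, the per-card rule flags the one PAN seen in London and Kiev within fifteen minutes, and the BIN-level rule flags the 20:00 slot with four cards in five countries. Neither rule reads the card's balance or limit, which matters here because those are exactly the fields the article says were changed on the issuer's platform. Fixed 15-minute buckets keep the BIN rule short, so a burst that straddles a bucket boundary can split in two; a sliding window fixes that at the cost of a second pass.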
    9. Re:Not cybercrime by Em+Adespoton · · Score: 1

      Did the attack take place over the internet ?

      Yes.

      I think this kind of kills the rest of what you said.

      The initial attack was on the back-end systems via compromised online accounts. The withdrawals in meatspace were only the final step, and wouldn't have netted much of a haul without the initial attackers already modifying the limits set on the accounts used.

    10. Re:Not cybercrime by sjames · · Score: 1

      According to TFA, they hacked in to the bank's network so they could create a series of fake deposits in order to continue withdrawing money from the cards, so yes, cyber.

    11. Re:Not cybercrime by avandesande · · Score: 1

      What's the difference between manipulating a system with a card reader or a keyboard? Bits are Bits.

      --
      love is just extroverted narcissism
    12. Re:Not cybercrime by Anonymous Coward · · Score: 0

      With lots of people involved it would give fairly mediocre payouts

      Probably not. That assumes that it's some kind of new-age criminal collective where everyone shares equally in the proceeds.

  11. Re:Not cybercrime - edited by PeanutButterBreath · · Score: 1

    exploiting a probably very huge gaping race condition in the bank's software...

    hence "cyber".

  12. Global? by rossdee · · Score: 1

    "several major cities across Europe, Russia and Ukraine."

    I thought that Global would be bigger than Europe (Russia was once considered part of Eastern Europe)

  13. Diebold by Anonymous Coward · · Score: 0

    ATMs are secure, and so are your votes!

    1. Re:Diebold by babtras · · Score: 1

      The breaches are happening at the ATM processor, which in the ATM's point of view is a trusted network. It's not usually the ATM's fault. However, retarded ATM deployers often leave the ATM's management password as default and don't bother changing the physical locks from the generic one-size-fits-all key, which makes compromising an ATM easy, it's just not nearly as profitable as compromising a whole network all at once.

  14. "eerily similar" by FatLittleMonkey · · Score: 1

    Off-topic, but:
    Why is it "eerily similar" and not just "similar"? Even "suspiciously similar" I could understand, if that was the point. But what was "eerie" about it?

    --
    Science is all about firing a drunk pig out of a cannon just to see what happens.
    1. Re:"eerily similar" by cyberstealth1024 · · Score: 1

      Halloween must be nearby!

    2. Re:"eerily similar" by Anonymous Coward · · Score: 1

      > But what was "eerie" about it?

      The background music was really creepy.

  15. Eliminate such criminals? by BrianMarshall · · Score: 1

    "Need a global effort to eliminate such criminals."

    There is no way to eliminate "such criminals". There will always be criminals and some will try this sort of thing if it is possible.

    The attack was against one financial institution in the US. The financial institutions could change to make this sort of crime harder or maybe even impossible to pull off. But, as other posters have pointed out, this would cost orders of magnitude more than $13 million. Eventually, it will be worth it.

    But to even try to "eliminate such criminals", what can be done? Off hand, I would imagine that the only way would be to try to detect the conspiracy before the crime happened. The only way to do this would be to massively increase the degree of government surveillance. IMHO, this "cure" (to the extent it helped at all) would be worse than the disease.

    --
    "When the going gets weird, the weird turn pro" -- HST
  16. poor security history by Anonymous Coward · · Score: 0

    I used to work for this company when it was under Equifax. One of our main systems you needed to login with... the program resided on a shared drive, and the login credentials were in another folder as an Excel file, unencrypted. It was funny to me at the time, opening the file and getting the superuser account to elevate my own privileges. I'm just glad I left before they got hacked so many times. Equifax became Certegy, which had a compromise of accounts from an employee there stealing data. Hopefully they get a good security team in place someday.

  17. not to give you all more details by Anonymous Coward · · Score: 0

    details ....but I have known there are other systems where you can pull the PINs right out of said network and copy them then to cards....then you can make cards and go about, and if you don't use the same locations and are not greedy, 300-500 a month, nothing will happen ....(went on for a long time until said moron got wasted, bragged, told the howto to DUMMY )

    Said dummies got a few people and the way it worked is each individual ATM you can pull a few hundred bucks from.
    So these idiots went to every ATM machine in a single medium sized city, grabbed 10 grand, and cops now alerted sat at the last one and arrested them (AKA you hit one or two, move on, never to return).

    To my knowledge the system of how that was done is still possible as well....I'm not saying, nor will I bother trying it.

  18. 13 milion is nothing compared to what by decora · · Score: 3, Insightful

    Goldman Sachs and the others just stole from the taxpayers.

    have you seen the recent FOIA files released on the 'secret bailout'? billions and billions and billions. and a lot of it went to pay bonuses to those guys at the CDO and mortgage securities departments at those banks. massive, overwhelming fraud, completely unpunished. and we whine about hackers stealing 13 million from an ATM.

    13 million would not even cover a year of a bailed-out bank CEO executive bonus. it wouldnt even be a drop in the bucket of the Boards of Directors payments (many of whom do exactly nothing). 13 million is what John Thain wiped his ass with at Merrill Lynch.

    wake up folks. wake up. watch The Young Turks for more info

    1. Re:13 milion is nothing compared to what by farble1670 · · Score: 1

      Goldman Sachs and the others just stole from the taxpayers.

      ya we know. knowing is not the problem. doing something about it is the problem.

    2. Re:13 milion is nothing compared to what by dlgeek · · Score: 2

      Ok, I know I'm going to get modded way the hell down for this, but why is everyone going nuts over these bonuses?

      First, most of these banks paid back the bailout money early, with interest. It's not like the money went into a black hole. Second, it's not like they were like "Hey, free money!" and started handing out huge bonuses on top of huge salaries. The entire compensation structure of these companies is based on structured performance-based bonuses, and most of them are baked into the contracts.

      These people are paid a much smaller salary than the market value of their work. The difference is made up by performance-based compensation. So, instead of giving them a $150,000 salary, they'll get a $70,000 salary and then get a "bonus" between $50,000-100,000 based on how well they do. Most of the bonuses are given out based on a mathematical model tied to their performance (and for bankers, most of the performance is measured based on some quantified and objective standards).

      Bonuses are just a good way for merit to be rewarded. If you do good work, you get paid more, if you do crap, you get paid less. Aren't most slashdotters in favor of meritocracies? They are also a part of the compensation package that's negotiated as part of the employment contract - the banks weren't paying them out of the blue, they were paying them as part of their normal compensation process. You might as well say "and a lot of it went to pay salaries to those guys at the CDO and mortgage securities departments" - which I'm sure, much of it did, just like any other company would do if it took out a loan to help it meet payroll during a rough time.

    3. Re:13 milion is nothing compared to what by ThatsMyNick · · Score: 2

      First, most of these banks paid back the bailout money early, with interest. It's not like the money went into a black hole.

      Banks still borrow at practically 0% interest rate from the Fed. How else do you think they paid back the bailout money? Fed low-interest rate loans FTW.

    4. Re:13 milion is nothing compared to what by Wiener · · Score: 1

      Bonuses are just a good way for merit to be rewarded. If you do good work, you get paid more, if you do crap, you get paid less.

      Somehow I'm thinking the need to be bailed out with taxpayer funds means you did "crap work" and don't deserve a bonus.

    5. Re:13 milion is nothing compared to what by purpledinoz · · Score: 1

      You see, TARP was just a tiny part of the bailout. Here's what most people don't know. The Federal Reserve set interest rates at almost 0%. The Banks borrow money for ~0% (btw, only specially selected banks have this privilege), then buys Treasury bonds, which yield maybe 2-3% and the banks get to keep the difference. And who pays for this difference? The tax payer.

      This free money is essentially printed out of nothing causing inflation. There's a reason why gold and silver are making record highs. And ever wonder why gas prices are going up even though unemployment is very high? Last time I checked, unemployed people aren't buying more gas than before.

      These Banks also use their free money to skim the market using high-frequency trading. Essentially, they act as the unwanted middle-man taking a small cut of your trade, without you knowing it. Don't listen to those people who say high-frequency trading is good because it increases liquidity. They are either in on the scam or are brainwashed.

      These big banks don't operate in a free market, they are an oligopoly with special privileges and immunity from the law. The sub-prime mortgage crisis was a result of pure fraud. The people who caused it are not in jail, but getting big fat bonuses.

      Do you still think they deserve their bonuses?

    6. Re:13 milion is nothing compared to what by Anonymous Coward · · Score: 0

      Let me explain why people object.

      Right now, we're all playing a largely arbitrary game which is misleadingly called the "free market". The rules are set explicitly to benefit some at the expense of others. Currently the winners of this game are a group of individuals who, partly through effort but partly through privilege and connections and political maneuverings, are capable of demanding a ridiculous amount of money for being good at, among other things, screwing people.

      Yes, you have to admire anyone for being able to play a game well, even if the qualifications seem to be a parasitic attitude and moderate sociopathy. For that matter, I'm sure many top-tier pro sports stars or musicians aren't particularly decent people either, but they're good at what they do too. Then again, when a football player or rock star acts like a spoiled brat, it doesn't destroy the futures of millions and necessitate a taxpayer bailout.

      What people object to, whether they're really aware of it or not, are the rules to the game itself. Society shouldn't reward people for being good at screwing everyone for a fast buck. That's not even sustainable at a business level, unless you have a really myopic perspective.

  19. why should they? by decora · · Score: 1

    13 million is not enough to sneeze at. They just raise the interest rates on credit cards secretly over a weekend and make 26 million, then laugh about it.

    Why the hell would they want to hire a security team? Let the FBI handle it, throw people in jail, don't spend any money fixing the problem.

    oh, what about your customers? most companies are not in business for the customers. they are in business for the shareholders and bondholders.

  20. amateur journalism is rather enjoyable. by decora · · Score: 1

    editing wikipedia is rather fun sometimes... the more powerful the entity you edit the page about, the more fun it is. the highest form of fun is when you add boring, banal facts, and watch people go apeshit over them.

    also fun? submitting stories to slashdot.

    more fun? FOIA requests.

    fun fun fun!

  21. Figures by tsotha · · Score: 1

    These kinds of stories piss me off. When I need over-limit money from the ATM I'm SOL. But I know that if somebody stole my card they'd be able to clean out my entire account in, like, ten minutes.

  22. Reap what you sow. by tqk · · Score: 1

    Expecting cluefulness from banks, indeed from the entire accounting profession, is the height of stupidity in my books. Let me count the ways:

    - In the 21st Century, it *still* can take up to three days to transfer money from one acct. to another on their "secure", non-Internet connected network.

    - They expend vast amounts of effort on checking, then rolling back, bad transactions and seemingly nothing on ensuring bad transactions can't happen. Vis. TFA. Monday, they discovered they'd been owned!

    - I've watched as accredited accountants manually copied (via hunt and peck) numbers from a spreadsheet into a non-attached calculator in order to sum them up. Data corruption, anyone? How about right click on the column, then sum? Beyond their capabilities.

    They're idiots! Everything about accounting and the banking system is grounded in centuries old tech. (double entry bookkeeping, FFS! as an error correction method!), and they don't need to care, because "The bank doesn't pay!"

    Lawyers + accountants == our current financial system, and that's okay?

    Insane!

    --
    "Tongue tied and twisted, just an Earth bound misfit ..." -- Pink Floyd.
  23. Actually they stole papers (not gold). by luk3Z · · Score: 0

    Actually they stole papers (not gold). Paper is worthless today.

    --
    Recipes for USA bankrupt - http://tinypaste.com/0d66f dd = dollar deluge (printed in the infinity)
  24. Australia Post prepaid VISA by Anonymous Coward · · Score: 0

    I don't know about other people in Australia, but I have found that it is possible to buy well over $100 worth of stuff online with Australia Post's $100 prepaid VISA when buying multiple items in a small time period. The eerie part is that you don't have to give your name or anything when you buy them, and if you pay by cash it's virtually untraceable.
    This may be related to a completely different glitch from what was exploited in TFA, but if I was selling prepaid VISAs I would be keeping a lot tighter tabs on them. Just wondering if anyone (in Australia or abroad) has noticed similar glitches with prepaid cards?

    If anyone cares, I managed to rack up about $150 of successful purchases on one, before stopping because I felt bad.

    (Posting as AC just in case)

  25. Oceans 14 by hesaigo999ca · · Score: 1

    I guess this would be great commercial if it were for Oceans 14!!!

  26. Check out what else FIS does by Anonymous Coward · · Score: 0

    www.fisglobal.com - They make the core software that runs banks. They also provide turnkey banking solutions for smaller financial institutions. It's not so much the thirteen million bucks. What if their source code was stolen or compromised? Or they were APT'd? Could this become another RSA where their customers are now at risk? If so, that 13 mil is nothing.