Coordinated, Global ATM Heist Nets $13 Million
An anonymous reader writes "An international cybercrime gang stole $13 million from a Florida-based financial institution earlier this year, by executing a highly coordinated heist in which thieves used ATMs around the globe to cash out stolen prepaid debit cards. 'Prepaid cards usually limit the amounts that cardholders can withdraw from a cash machine within a 24-hour period. Apparently, the crooks were able to drastically increase or eliminate the withdrawal limits for 22 prepaid cards that they had obtained. The fraudsters then cloned the prepaid cards, and distributed them to co-conspirators in several major cities across Europe, Russia and Ukraine.' The attack is eerily similar to the 2008 attack on RBS WorldPay that stole $9.4M. The men who pleaded guilty to the RBS attack were arrested and charged in Russia, but were later given only probation."
When I first read the headline, I thought they meant heist as in leaving a hole in the wall. Would have been much more spectacular.
Science advances one funeral at a time. - Max Planck
Over there at least.
I swear to God...I swear to God! That is NOT how you treat your human!
Many banking systems only talk to each other in nightly batches. It's mostly done that way because that's the way it's always been done, and to save money on entirely new systems. The every-24-hours style is less secure, slow, and inefficient. This is 2011 and there's no real excuse for it.
If video games influenced behavior the Pac Man generation would be eating pills and running away from their problems.
Yeah. I wouldn't go so far as to say they deserve it, since nobody really deserves to have stuff stolen from them, but if that's how they were set up, someone had to have known this would happen.
"The attack is eerily similar to the 2008 attack on RBS WorldPay that stole $9.4M. The men who pleaded guilty to the RBS attack were arrested and charged in Russia, but were later given only probation."
Would you try to steal $9.4M by nonviolent means if you knew that the penalty for being caught was probation? Be honest.
In Soviet Russia, bribes pay you!
Plan a heist of Russian and former Soviet bloc countries' banks and financial institutions, so they realize the real damage caused by letting these people off lightly. IMHO Russia now takes enjoyment out of these hits, since they see it as a way to inflict damage on the West by way of proxy. Need a global effort to eliminate such criminals.
Did the attack take place over the internet? Or was an android used to execute the attacks? No? Then it is NOT cybercrime. It's not cyber-anything!
This was a meatspace attack, the kind any 12-year-old can perform with a card cloner - you know, a small, simple electronic device consisting of about $15 worth of components and a few hundred bytes of PIC code. I figure all they did was run the same cards simultaneously at different ATMs, exploiting a probably very huge gaping race condition in the bank's software. More importantly, I wouldn't be surprised if many other banks were also vulnerable to this type of attack, with no intentions to fix it. The only reason we don't hear about it more often is because most of us in the western world don't have dozens of sketchy friends with the nerves to coordinate this sort of attack yet still remain trustworthy. We also tend to have more to lose from getting caught than the few thousand dollars gained in a successful attack. Is it worth risking a criminal record and incarceration for the sake of a year's salary? For most of us the answer is no. We aren't criminals, not because we're "good people", but because it is simply not worth the risk. If the take were larger by an order of magnitude, you'll find allegedly honest people are suddenly far more interested in taking that risk.
-Billco, Fnarg.com
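An added toy model, not code from the article or from any commenter, of the weakness this comment and the earlier one about nightly batches both describe: a daily withdrawal limit that each terminal enforces against its own copy of the remaining allowance, refreshed only at the nightly batch, versus one enforced as an atomic check-and-decrement on a single live counter. Class names, the $500 limit and the terminal labels are constructed for the illustration.

```python
"""Why a 24-hour withdrawal limit has to be enforced against one live counter
rather than per-terminal copies reconciled in a nightly batch. Added example;
constructed sample values throughout, not any bank's real code."""
import threading

DAILY_LIMIT = 500  # constructed sample limit, in dollars


class BatchedLimitAuthorizer:
    """Each terminal works from its own copy of the remaining allowance and the
    core system only learns what was paid out at the nightly batch."""

    def __init__(self, limit: int) -> None:
        self.limit = limit
        self.copies: dict[str, int] = {}  # terminal -> its stale view of the allowance
        self.paid_out = 0

    def authorize(self, terminal: str, amount: int) -> bool:
        remaining = self.copies.setdefault(terminal, self.limit)
        if amount > remaining:
            return False
        self.copies[terminal] = remaining - amount  # other terminals never see this
        self.paid_out += amount
        return True


class LiveLimitAuthorizer:
    """One counter for the card; check and decrement happen atomically."""

    def __init__(self, limit: int) -> None:
        self.remaining = limit
        self.paid_out = 0
        self._lock = threading.Lock()

    def authorize(self, terminal: str, amount: int) -> bool:
        with self._lock:  # the lock is what makes concurrent terminals safe
            if amount > self.remaining:
                return False
            self.remaining -= amount
            self.paid_out += amount
            return True


def simulate(authorizer, terminals: list[str], amount: int) -> int:
    """One withdrawal of `amount` per terminal (cloned card used in several
    cities). Calls run sequentially here so the result is deterministic; the
    batched model leaks regardless of timing. Returns total paid out."""
    for terminal in terminals:
        authorizer.authorize(terminal, amount)
    return authorizer.paid_out


if __name__ == "__main__":
    atms = ["ATM-A", "ATM-B", "ATM-C", "ATM-D"]
    print("batched:", simulate(BatchedLimitAuthorizer(DAILY_LIMIT), atms, DAILY_LIMIT))
    print("live:   ", simulate(LiveLimitAuthorizer(DAILY_LIMIT), atms, DAILY_LIMIT))
```

With four terminals the batched authorizer pays out four times the daily limit and nobody notices until the batch runs; the live authorizer stops at the limit on the second terminal.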
"...exploiting a probably very huge gaping race condition in the bank's software..."
hence "cyber".
Well, I read the article and it mentions that the attackers were able to reload a card. So they basically just kept reloading the cards and taking money out. The bit about the withdrawal limits was simply so that they could withdraw as much as possible before the banks caught on.
"several major cities across Europe, Russia and Ukraine."
I thought that "Global" would be bigger than Europe (Russia was once considered part of Eastern Europe).
I know that I have withdrawn too much on my card when visiting another continent... Forgot to transfer some funds but was able to withdraw about 500EUR more than was actually in the account... So maybe Visa/Mastercard etc. just have a flag saying "this card is not over the limit" and then sync this with the bank from time to time...
Irritating to get an overdraft fee when you have money sitting in the next account...
Depends on the size of your institution. The one I work at uses live, current balances. Then again, we're a not-for-profit credit union, so we actually care about our members and their accounts. (And we don't make a profit, we give it back at the end of the year as a nice random deposit into your savings, divided by the total number of members.)
Local music (to upstate NY). http://gnarfel.com/ radio.
Off-topic, but:
Why is it "eerily similar" and not just "similar"? Even "suspiciously similar" I could understand, if that was the point. But what was "eerie" about it?
Science is all about firing a drunk pig out of a cannon just to see what happens.
Nope, that's it. They waited until the bank was closed to pull their dirty tricks. On Monday morning, the bank auditors performed their careful monitoring of their cash outflows and found a 13 million dollar problem in the form of a bunch of deposits on the electronic books that were not backed by actual money.
Hey, the money in the next account is probably pulling a different interest rate. That rate is based on the bank's expected availability of the money for lending to other people. If you wanted that money more readily available for yourself, and less available to the bank for lending, then you should have put it in that account and taken the lesser interest rate for the benefit. You can't expect to have both. So they hit you for it.
"Need a global effort to eliminate such criminals."
There is no way to eliminate "such criminals". There will always be criminals and some will try this sort of thing if it is possible.
The attack was against one financial institution in the US. The financial institutions could change to make this sort of crime harder or maybe even impossible to pull off. But, as other posters have pointed out, this would cost orders of magnitude more than $13 million. Eventually, it will be worth it.
But to even try to "eliminate such criminals", what can be done? Off hand, I would imagine that the only way would be to try to detect the conspiracy before the crime happened. The only way to do this would be to massively increase the degree of government surveillance. IMHO, this "cure" (to the extent it helped at all) would be worse than the disease.
"When the going gets weird, the weird turn pro" -- HST
I would drop that bank...sounds like a bad bank if they can't even keep the digital balance up to date. My credit union is awesome.
APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
The breaches are happening at the ATM processor, which in the ATM's point of view is a trusted network. It's not usually the ATM's fault. However, retarded ATM deployers often leave the ATM's management password as default and don't bother changing the physical locks from the generic one-size-fits-all key, which makes compromising an ATM easy, it's just not nearly as profitable as compromising a whole network all at once.
I have had something similar happen to me.
I had some charge, (it was a subscription to WoW I think, back when I used to play it), that automatically went through. It was sent as a credit transaction though. So it went onto my account, then disappeared for two days. Then, two days later, it came out of my account, and sure enough, any transaction that was smaller was run after, and I was charged $700 in fees for $34 in overage.
The main issue was that the online system which did NOT have any kind of disclaimer on it about the accuracy of the account total at the time told me that the account had $X in it, which was wrong.
In the end, I told the bank that I was not asking them, I was telling them that they were going to reverse those charges, or I would spend the $700 they were charging me to file a small-claims action against them since I had by almost pure coincidence all the paper records to prove what had happened. They reversed all of the charges, I closed the account, and I told them I never wanted anything to do with their institution again, and if they attempted to contact me again, my response would be to waste as much of their employee's time as possible.
Interestingly, eventually they did try and contact me to get me back as a customer. I held good on my promise and spent a while explaining to this "account specialist" what had happened. Even more interestingly, he spent the entire time trying to convince me that I just wasn't a very good customer, but they were willing to forgive me my sins if I returned and signed a document saying they could charge me overage charges in the manner they had.
I told him he was a sad excuse for a human being if the level of mindlessness he had sunk to for employment was to convince other people that it was morally wrong for them to not allow a giant banking corporation to steal from them, and that if he had any humanity left in him at all, he should really examine what it was he was doing with his life.
That's why these attacks are coordinated across multiple cities. Pull as much money out as you can before the anomaly is investigated and stopped.
I would drop that bank...sounds like a bad bank if they can't even keep the digital balance up to date. My credit union is awesome.
I'm not the AC, but I too am in Columbus and have had dealings with Bank One.
They really are that bad.
I only used them for about a year (admittedly a little over 10 years ago) but had all the same problems with 23-hour delays on updating your online balance (as in on their website online balance!). ATM balances were fairly delayed too, though only a couple hours.
I had a similar problem as the anon GP. I was 17 and in college, had just lost my crappy job at the local computer store's stock room not two weeks before classes started, and was basically only eating every three days or so due to lack of funds.
One day I decided screw it, I'll write a check for groceries and just deal with the check-bounce fee later once classes started back up and I had my student loan leftover money. Turns out Bank One didn't charge $60 per NSF like they say, it's $60 PER DAY until you bring your account positive.
That was the most expensive $40 grocery check I ever wrote, coming up to over $700.
I spent a few days trying to close my account out, which of course they wouldn't allow while it was negative so it could keep adding fees until it was enough to send to collections.
Ironically, they never did send me to collections. They called to bug me about it for a few months and eventually gave up and wrote it off. It's not on my credit report or anything.
I think they know such things are not legal and just try to scare people into paying for that crap.
Long story short, Bank One was horrible, and from what I hear is still almost as bad.
This brings up an interesting topic - why is it that banks don't/won't show a persistent record of the authorizations against credit/debit cards on your monthly statement? I can see the authorizations when they're active, but as soon as they time out, they're gone from my online statement and never show up anywhere else. It would certainly be nice to be able to easily reconcile authorizations against the actual charges without having to do a lot of extra record-keeping.
Please stand clear of the doors, por favor mantenganse alejado de las puertas
Goldman Sachs and the others just stole from the taxpayers.
Have you seen the recent FOIA files released on the 'secret bailout'? Billions and billions and billions. And a lot of it went to pay bonuses to those guys at the CDO and mortgage securities departments at those banks. Massive, overwhelming fraud, completely unpunished. And we whine about hackers stealing 13 million from an ATM.
13 million would not even cover a year of a bailed-out bank CEO's executive bonus. It wouldn't even be a drop in the bucket of the Boards of Directors' payments (many of whom do exactly nothing). 13 million is what John Thain wiped his ass with at Merrill Lynch.
Wake up, folks. Wake up. Watch The Young Turks for more info.
Actually that account is just a transfer account without any interest at all... It's just an account I get my salary on before I pay the bills and manage where to put my money...
13 million is not enough to sneeze at. They just raise the interest rates on credit cards secretly over a weekend and make 26 million, then laugh about it.
Why the hell would they want to hire a security team? Let the FBI handle it, throw people in jail, don't spend any money fixing the problem.
Oh, what about your customers? Most companies are not in business for the customers. They are in business for the shareholders and bondholders.
But ATM skimmers steal from the bank's other customers. This story is about stealing directly from the bank. Slightly different situation.
...the future crusty old bastards are already drinking the Kool-Aid.
Editing Wikipedia is rather fun sometimes... The more powerful the entity you edit the page about, the more fun it is. The highest form of fun is when you add boring, banal facts, and watch people go apeshit over them.
Also fun? Submitting stories to Slashdot.
More fun? FOIA requests.
Fun fun fun!
These kinds of stories piss me off. When I need over-limit money from the ATM I'm SOL. But I know that if somebody stole my card they'd be able to clean out my entire account in, like, ten minutes.
Expecting cluefulness from banks, indeed from the entire accounting profession, is the height of stupidity in my books. Let me count the ways:
- In the 21st Century, it *still* can take up to three days to transfer money from one acct. to another on their "secure", non-Internet-connected network.
- They expend vast amounts of effort on checking, then rolling back, bad transactions and seemingly nothing on ensuring bad transactions can't happen. Viz. TFA: Monday, they discovered they'd been owned!
- I've watched as accredited accountants manually copied (via hunt and peck) numbers from a spreadsheet into a non-attached calculator in order to sum them up. Data corruption, anyone? How about right-click on the column, then sum? Beyond their capabilities.
They're idiots! Everything about accounting and the banking system is grounded in centuries old tech. (double entry bookkeeping, FFS! as an error correction method!), and they don't need to care, because "The bank doesn't pay!"
Lawyers + accountants == our current financial system, and that's okay?
Insane!
"Tongue tied and twisted, just an Earth bound misfit"
"deposits ... not backed by actual money"
You realize that banks do this daily -- all our money is loaned into existence and deposited in the borrower's account.
What changed under Obama? Nothing Good
I guess this would be a great commercial if it were for Ocean's 14!!!