Coordinated, Global ATM Heist Nets $13 Million

An anonymous reader writes "An international cybercrime gang stole $13 million from a Florida-based financial institution earlier this year, by executing a highly-coordinated heist in which thieves used ATMs around the globe to cash out stolen prepaid debit cards. 'Prepaid cards usually limit the amounts that cardholders can withdraw from a cash machine within a 24 hour period. Apparently, the crooks were able to drastically increase or eliminate the withdrawal limits for 22 prepaid cards that they had obtained. The fraudsters then cloned the prepaid cards, and distributed them to co-conspirators in several major cities across Europe, Russia and Ukraine.' The attack is eerily similar to the 2008 attack on RBS WorldPay that stole $9.4M. The men who pleaded guilty to the RBS attack were arrested and charged in Russia, but were later given only probation."


  1. Re:Russian hackers attacking the US are heroes by MetalliQaZ · · Score: 2

    Like if an American kid were to hack China?

    --
    "Here Lies Philip J. Fry, named for his uncle, to carry on his spirit"
  2. every-24-hour coordination by Iamthecheese · · Score: 5, Interesting

    Many banking systems only talk to each other in nightly batches. It's mostly done that way because that's the way it's always been done, and to save money on entirely new systems. The every-24-hours style is less secure, slow, and inefficient. This is 2011 and there's no real excuse for it.

    --
    If video games influenced behavior the Pac Man generation would be eating pills and running away from their problems.
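The difference between a nightly-batch limit check and a per-request rolling check, as an added illustration that is not part of this thread: a small Python replay of constructed ATM withdrawal requests for a prepaid card. The card ids, amounts, countries, the 500 limit and the 24-hour window are all assumptions made up for the example; the point is that the batch view only reports the breach after the cash is gone, while the rolling limiter denies the excess at authorization time.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of ATM withdrawal requests: (UTC timestamp, card id, amount, ATM country).
# The pattern is invented for illustration: one card cashed out from several countries
# within minutes, then again the next day.
SAMPLE_EVENTS = [
    ("2011-08-27T22:00:00", "card-01", 400.0, "US"),
    ("2011-08-27T22:05:00", "card-01", 450.0, "GB"),
    ("2011-08-27T22:10:00", "card-01", 100.0, "RU"),
    ("2011-08-27T22:15:00", "card-01", 50.0, "UA"),
    ("2011-08-28T22:00:00", "card-01", 300.0, "US"),
    ("2011-08-27T23:00:00", "card-02", 200.0, "US"),
]

DAILY_LIMIT = 500.0            # assumed per-card 24-hour withdrawal limit
WINDOW = timedelta(hours=24)   # assumed rolling window


class RollingLimiter:
    """Per-card rolling-window limit, evaluated on every authorization request."""

    def __init__(self, limit: float, window: timedelta):
        self.limit = limit
        self.window = window
        self._approved = defaultdict(deque)   # card -> deque of (timestamp, amount)

    def authorize(self, ts: datetime, card: str, amount: float) -> bool:
        q = self._approved[card]
        # Drop approvals that have aged out of the window (requests must arrive in time order).
        while q and ts - q[0][0] >= self.window:
            q.popleft()
        spent = sum(a for _, a in q)
        if spent + amount > self.limit:
            return False
        q.append((ts, amount))
        return True


def run_realtime(events, limit=DAILY_LIMIT, window=WINDOW):
    """Replay the events through the rolling limiter in timestamp order.
    Returns {card: [(amount, approved), ...]}."""
    limiter = RollingLimiter(limit, window)
    decisions = defaultdict(list)
    for ts_str, card, amount, _country in sorted(events):
        ts = datetime.fromisoformat(ts_str)
        decisions[card].append((amount, limiter.authorize(ts, card, amount)))
    return dict(decisions)


def run_batch(events, limit=DAILY_LIMIT):
    """Nightly-batch view: every request was approved during the day, and the
    limit breach (and the spread of countries) only shows up when totals are
    reconciled afterwards. Returns {card: (total, sorted countries)} for breaches."""
    totals = defaultdict(float)
    countries = defaultdict(set)
    for _ts, card, amount, country in events:
        totals[card] += amount
        countries[card].add(country)
    return {card: (total, sorted(countries[card]))
            for card, total in totals.items() if total > limit}


def cash_drawn(decisions):
    """Total actually dispensed per card under the real-time limiter."""
    return {card: sum(a for a, ok in d if ok) for card, d in decisions.items()}


if __name__ == "__main__":
    realtime = run_realtime(SAMPLE_EVENTS)
    print("real-time decisions:", realtime)
    print("dispensed with rolling limit:", cash_drawn(realtime))
    print("batch report (after the fact):", run_batch(SAMPLE_EVENTS))
```

With these inputs the batch report shows card-01 drawing 1300 against a 500 limit from four countries, all of it already dispensed; the rolling limiter lets 800 through across the two days and refuses the two requests that would have pushed the 24-hour total over the limit.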
    1. Re:every-24-hour coordination by roman_mir · · Score: 2

      I used to do some work for Symcor, AFAIK that's how Canadian banks work.

      It's crazy, I am building my own retail systems right now, the data exchange between the office systems and the stores is batched (because the Internet connection can and does go down sometimes), but when the networks are up, the data is synchronized a few times an hour, we can safely synchronize every 10 minutes. Of course that's only 15 stores right now, but the difficulties are somewhat similar - while you are synchronizing, you have to lock the records that are being updated/deleted/inserted and you still have to have enough performance to serve multiple simultaneous reports to office workers and to suppliers and to store directors. It's a hard problem really, not as easy as it seems, even in 2011, but it's doable. Of course banks just don't do it that way and when they decide to go ahead and try, they'll go through a similar set of issues that I had to deal with (record or table locks via multiple running requests, data consistency, etc.)

    2. Re:every-24-hour coordination by roman_mir · · Score: 2

      No, you didn't get my point. The data comes flooding into the center, it will lock all of the records that are updated (hopefully just records and not entire tables.) There will not be a single moment in time that there will be no updates coming into the banks, unless there is some form of absolute synchronization (possible), but even then, if you synchronize with the center say every 1 hour, that means that once an hour every bank, every buffer that there is out there will send data into the center.

      IF (that's a big if) the center is only used to collect data and for nothing else, that may be OK. If (and that's the case) the data in the center is constantly used for various transactions, not just printing and check clearing (like what we did in Symcor), but for all sorts of transactions, then those transactions may be blocked by the incoming data.

      If you ask me what kinds of transactions do centers like that handle? I'll tell you exactly, because I was an architect on a number of projects like that. You can download your check images, statements online, this data is not sitting in every bank! This data is requested from the center (again, I am talking about Symcor) and it is then served to the requester through a number of proxies. The data may not be immediately available (not even sitting on a hard drive), but there are pretty cool robot storage facilities, with robotic hands spinning around on vertical poles, going up and down, grabbing disks or other types of storage (tape) and bringing them to readers and plugging them in and moving them around, all based on near-real-time requests, this depends on the SLA. Though I worked on it 2001-2004, maybe it's different today, but even if it is different, data needs to be synchronized across multiple storage systems, some are online, some are not, etc., and it's because some are used for real time or near real time requests.

      It is just not a simple problem, it really is entire infrastructures and ecologies of systems that were built around the principal mainframes, and in many systems (all?) it is assumed that data comes in at night.

      The expense to switch from that to a more real time system will be horrendous.

    3. Re:every-24-hour coordination by babtras · · Score: 2

      Not any more it isn't. WAY back in the past, there was a PIN "Offset" stored on the card, which relies on an ATM having the correct "PIN Verification Key" from the financial institution to validate. However, that's no longer the case. If you look at the track 2 data on any card today, the numbers in the offset field are either random or '0000'.

    4. Re:every-24-hour coordination by jonbryce · · Score: 2

      It is a challenge response system that operates on the card itself. For example, my bank supplies a card reader for online transactions. I enter the PIN and an 8-digit number supplied by the bank at the time of the transaction, and get an 8-digit number back which I enter on the website to authenticate the transaction. The card reader will tell me if I have entered the right PIN or not, but after 3 incorrect attempts, the chip on the card gets locked, and I have to take the card to the bank to unlock it.
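A generic model of the card-reader challenge-response flow described in the comment above, with the three-strikes PIN lock, as an added illustration that is not the thread's own code and is not the actual scheme any bank's reader uses. The response derivation (HMAC-SHA256 over the challenge, truncated to 8 digits), the 16-byte per-card key and the single-use challenge bookkeeping are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional


def derive_response(card_key: bytes, challenge: str) -> str:
    """Assumed response function: HMAC-SHA256 over the challenge, truncated to 8 digits.
    The real algorithm used by banks' card readers is not reproduced here."""
    mac = hmac.new(card_key, challenge.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


class ChipCard:
    """Card side: holds the key and the PIN, never reveals either, and locks
    itself after three wrong PIN entries as the comment describes."""
    MAX_PIN_TRIES = 3

    def __init__(self, card_key: bytes, pin: str):
        self._key = card_key
        self._pin = pin
        self._tries_left = self.MAX_PIN_TRIES
        self.locked = False

    def respond(self, pin: str, challenge: str) -> Optional[str]:
        if self.locked:
            return None
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self._tries_left -= 1
            if self._tries_left == 0:
                self.locked = True            # stays locked until the issuer unlocks it
            return None                       # the reader reports "wrong PIN"
        self._tries_left = self.MAX_PIN_TRIES  # a correct PIN resets the counter
        return derive_response(self._key, challenge)


class Bank:
    """Issuer side: issues cards, hands out one-time challenges, verifies responses."""

    def __init__(self):
        self._keys: Dict[str, bytes] = {}
        self._pending: Dict[str, str] = {}

    def issue(self, card_id: str, pin: str) -> ChipCard:
        key = secrets.token_bytes(16)         # assumed per-card secret, shared only with the chip
        self._keys[card_id] = key
        return ChipCard(key, pin)

    def new_challenge(self, card_id: str) -> str:
        challenge = f"{secrets.randbelow(10**8):08d}"
        self._pending[card_id] = challenge    # replaces any earlier unused challenge
        return challenge

    def verify(self, card_id: str, response: Optional[str]) -> bool:
        challenge = self._pending.pop(card_id, None)   # each challenge is single-use
        if challenge is None or response is None or card_id not in self._keys:
            return False
        expected = derive_response(self._keys[card_id], challenge)
        return hmac.compare_digest(expected, response)


def demo() -> bool:
    """One successful round trip: bank challenge -> card response -> bank check."""
    bank = Bank()
    card = bank.issue("card-01", "1234")
    challenge = bank.new_challenge("card-01")
    return bank.verify("card-01", card.respond("1234", challenge))


if __name__ == "__main__":
    print("authenticated:", demo())
```

Two properties worth noticing: a captured response is useless afterwards because the bank discards the challenge on first use, and the PIN counter lives on the card, so an attacker with the physical card gets three guesses and then a dead chip rather than an offline brute-force.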

  3. Re:So by Anonymus · · Score: 2, Insightful

    Yeah. I wouldn't go so far as to say they deserve it, since nobody really deserves to have stuff stolen from them, but if that's how they were set up, someone had to have known this would happen.

  4. Honesty by Anonymous Coward · · Score: 4, Insightful

    "The attack is eerily similar to the 2008 attack on RBS WorldPay that stole $9.4M. The men who pleaded guilty to the RBS attack were arrested and charged in Russia, but were later given only probation."

    Would you try to steal $9.4M by nonviolent means if you knew that the penalty for being caught was probation? Be honest.

    1. Re:Honesty by scorp1us · · Score: 4, Funny

      It's still more honest than members of congress. At least with the heist, you know you're getting robbed.

      In America, the government robs you then sends you the bill.

      --
      Slashdot's rate-of-post filter: Preventing you from posting too many great ideas at once.
    2. Re:Honesty by mr1911 · · Score: 3, Funny

      You imply the United States has a functional government.

      Amusing, but this is the same as every other country with a dysfunctional government.

      FTFY

      --
      This post comes with a double-your-money-back guarantee!
      Any offense taken to this post is at your sole discretion.
  5. Re:Not cybercrime by colesw · · Score: 2

    I know reading the article means I'm new and all, but it was based on both meatspace and cyber.
    "Armed with unauthorized access to FIS's card platform, the crooks were able to reload the cards remotely when the cash withdrawals brought their balances close to zero."
    This was coordinated between people at the ATM and to someone on the FIS network reloading the cards.

  6. Re:Sounds like we're not getting the whole story by babtras · · Score: 2

    That's why these attacks are coordinated across multiple cities. Pull as much money out as you can before the anomaly is investigated and stopped.

  7. Re:So by dissy · · Score: 2

    I would drop that bank...sounds like a bad bank if they can't even keep the digital balance up to date. My credit union is awesome.

    I'm not the AC, but I too am in Columbus and have had dealings with Bank One.
    They really are that bad.

    I only used them for about a year (admittedly a little over 10 years ago) but had all the same problems with 23 hour delays on updating your online balance (As in on their website online balance!) ATM balances were fairly delayed too, though only a couple hours.

    I had a similar problem as the anon GP. I was 17 and in college, just lost my crappy job at the local computer store's stock room not two weeks before classes started, and was basically only eating every three days or so due to lack of funds.
    One day I decided screw it, I'll write a check for groceries and just deal with the check-bounce fee later once classes started back up and I had my student loan leftover money. Turns out Bank One didn't charge $60 per NSF like they say, it's $60 PER DAY until you bring your account positive.
    That was the most expensive $40 grocery check I ever wrote, coming up to over $700.

    I spent a few days trying to close my account out, which of course they wouldn't allow while it was negative so it could keep adding fees until it was enough to send to collections.
    Ironically, they never did send me to collections. They called to bug me about it for a few months and eventually gave up and wrote it off. It's not on my credit report or anything.
    I think they know such things are not legal and just try to scare people into paying for that crap.

    Long story short, Bank One was horrible, and from what I hear is still almost as bad.

  8. Re:So by NormalVisual · · Score: 2

    This brings up an interesting topic - why is it that banks don't/won't show a persistent record of the authorizations against credit/debit cards on your monthly statement? I can see the authorizations when they're active, but as soon as they time out, they're gone from my online statement and never show up anywhere else. It would certainly be nice to be able to easily reconcile authorizations against the actual charges without having to do a lot of extra record-keeping.

    --
    Please stand clear of the doors, por favor mantenganse alejado de las puertas
  9. 13 million is nothing compared to what by decora · · Score: 3, Insightful

    Goldman Sachs and the others just stole from the taxpayers.

    have you seen the recent FOIA files released on the 'secret bailout'? billions and billions and billions. and a lot of it went to pay bonuses to those guys at the CDO and mortgage securities departments at those banks. massive, overwhelming fraud, completely unpunished. and we whine about hackers stealing 13 million from an ATM.

    13 million would not even cover a year of a bailed-out bank CEO executive bonus. it wouldn't even be a drop in the bucket of the Boards of Directors payments (many of whom do exactly nothing). 13 million is what John Thain wiped his ass with at Merrill Lynch.

    wake up folks. wake up. watch The Young Turks for more info

    1. Re:13 million is nothing compared to what by dlgeek · · Score: 2

      Ok, I know I'm going to get modded way the hell down for this, but why is everyone going nuts over these bonuses?

      First, most of these banks paid back the bailout money early, with interest. It's not like the money went into a black hole. Second, it's not like they were like "Hey, free money!" and started handing out huge bonuses on top of huge salaries. The entire compensation structure of these companies is based on structured performance-based bonuses, and most of them are baked into the contracts.

      These people are paid a much smaller salary than the market value of their work. The difference is made up by performance-based compensation. So, instead of giving them a $150,000 salary, they'll get a $70,000 salary and then get a "bonus" between $50,000-100,000 based on how well they do. Most of the bonuses are given out based on a mathematical model tied to their performance (and for bankers, most of the performance is measured based on some quantified and objective standards).

      Bonuses are just a good way for merit to be rewarded. If you do good work, you get paid more, if you do crap, you get paid less. Aren't most slashdotters in favor of meritocracies? They are also a part of the compensation package that's negotiated as part of the employment contract - the banks weren't paying them out of the blue, they were paying them as part of their normal compensation process. You might as well say "and a lot of it went to pay salaries to those guys at the CDO and mortgage securities departments" - which I'm sure, much of it did, just like any other company would do if it took out a loan to help it meet payroll during a rough time.

    2. Re:13 million is nothing compared to what by ThatsMyNick · · Score: 2

      First, most of these banks paid back the bailout money early, with interest. It's not like the money went into a black hole.

      Banks still borrow at practically 0% interest rate from the Fed. How else do you think they paid back the bailout money? Fed low-interest rate loans FTW.