Slashdot Mirror


ATMs Compromised, $45M Taken

An anonymous reader sends this news from the Associated Press: "A worldwide gang of criminals stole a total of $45 million in a matter of hours by hacking their way into a database of prepaid debit cards and then draining cash machines around the globe, federal prosecutors said Thursday. ... Here’s how it worked: Hackers got into bank databases, eliminated withdrawal limits on prepaid-debit cards and created access codes. Others loaded that data onto any plastic card with a magnetic stripe — an old hotel key card or an expired credit card worked fine as long as it carried the account data and correct access codes."


  1. I wonder how much was skimmed by the bag men by gatkinso · · Score: 4, Insightful

    I mean, can you really trust that some guy halfway around the world is going to turn over the cash he just stole for you?

    --
    I am very small, utmostly microscopic.
    1. Re:I wonder how much was skimmed by the bag men by Anonymous Coward · · Score: 5, Insightful

      They had the bank's database, it's possible that they could tell pretty easily exactly how much they had withdrawn.

  2. Ocean's eleven by vikingpower · · Score: 3, Insightful

    Media all around the world are comparing this heist to Ocean's Eleven. Funny, but prolly not the first time that a movie yields the cultural background material for understanding viz. interpreting a crime...

    --
    Religious speak to God. Insane are spoken to by God. When all shut up, one can finally hear Shostakovich in peace
  3. Petty thieves by 140Mandak262Jamuna · · Score: 5, Insightful

    This is not how bank fraud should be done. The right and proper way is to become too big to fail, too big to jail, rig the LIBOR rates, create systematic rigging, award oneself huge salaries and bonuses, threaten worldwide economic collapse, hold governments to ransom and get huge bail out money. The master criminals running the banks are dismayed by petty criminals stealing from them.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:Petty thieves by Overzeetop · · Score: 3, Insightful

      Seriously. Isn't this "heist" considered rounding error for financial CEO bonuses?

      --
      Is it just my observation, or are there way too many stupid people in the world?
    2. Re:Petty thieves by dkleinsc · · Score: 5, Insightful

      On several documented occasions, they've foreclosed on people who had no mortgage whatsoever. They've foreclosed on people that lived next door to people they were intending to foreclose on due to typos. They've foreclosed on people who have paid their mortgage on time but the paperwork got mixed up by a servicer.

      The victims aren't just victims of their own stupidity.

      --
      I am officially gone from /. Long live http://www.soylentnews.com/
  4. Not ATMs, the debit card system by RichMan · · Score: 5, Insightful

    ATMs themselves were not compromised. The authentication system for debit cards was. Sure the money came from ATMs but the authentication that came from it was the backend systems.

    It was the backend banking system that was compromised, not ATMs. The ATMs worked perfectly and gave out cash only to authorized cards. There was no problem with the ATMs.

    1. Re: Not ATMs, the debit card system by thinuspollard · · Score: 3, Insightful

      ATMs are dumb devices. All transactions are authorised by the upstream system, which typically includes fraud detection systems. If the upstream system authorises a transaction and instructs the ATM to dispense, the ATM dispenses. There is zero intelligence in an ATM. None. Everything gets done from the upstream host. These guys had access to the authorising host where they modified the authorising pipeline to ignore the limits that were placed on cash withdrawals. I work in the industry. It's complicated.
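
Added example, not part of the thread or any commenter's post: since the comments above place the failure in the authorising host, whose limits were altered, this sketch shows an out-of-band check that judges each authorisation against limits kept where that host cannot write. The record layout, thresholds, card names and log entries are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)
MAX_COUNTRIES = 2  # assumed threshold: more countries than this per window is suspicious

# Assumption: daily limits snapshotted to a store the authorising host cannot modify.
BASELINE_LIMITS = {"card-A": 500, "card-B": 500}

# Constructed sample: (ISO time, card, ATM country, amount, limit the host applied)
AUTH_LOG = [
    ("2013-01-01T10:00:00", "card-A", "US", 200, 500),
    ("2013-01-01T18:00:00", "card-A", "US", 200, 500),
    ("2013-01-02T11:00:00", "card-A", "US", 200, 500),
    ("2013-01-01T10:00:00", "card-B", "US", 800, 1_000_000),
    ("2013-01-01T10:20:00", "card-B", "JP", 800, 1_000_000),
    ("2013-01-01T10:40:00", "card-B", "DE", 800, 1_000_000),
]


def audit(log, baseline=BASELINE_LIMITS):
    """Return {card: set of alert reasons}, judged against the baseline, not the host."""
    alerts = defaultdict(set)
    history = defaultdict(list)  # card -> [(time, country, amount)] inside the window
    for ts, card, country, amount, host_limit in sorted(log):
        now = datetime.fromisoformat(ts)
        limit = baseline.get(card)
        if limit is None:
            alerts[card].add("UNKNOWN_CARD")  # card data the baseline has never seen
            continue
        if host_limit != limit:
            alerts[card].add("LIMIT_CHANGED")  # host applied a limit we did not set
        # Keep only this card's withdrawals from the last 24 hours, then add this one.
        recent = [r for r in history[card] if now - r[0] < WINDOW]
        recent.append((now, country, amount))
        history[card] = recent
        if sum(r[2] for r in recent) > limit:
            alerts[card].add("OVER_BASELINE")  # host approved what the baseline forbids
        if len({r[1] for r in recent}) > MAX_COUNTRIES:
            alerts[card].add("GEO_SPREAD")  # one card, many countries, one window
    return dict(alerts)


if __name__ == "__main__":
    for card, reasons in audit(AUTH_LOG).items():
        print(card, sorted(reasons))
```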

  5. Re: Surely this sort of thing is better than Bitco by bondsbw · · Score: 1, Insightful

    The problem is that if Bitcoin takes off, banks will still treat it like regular currency. Once you make a deposit, the bank will add it to a pool, and withdrawals will come from that pool. Your account holdings will still be a decimal formatted number in a database somewhere.

    Banks and creditors need a new transaction system built on cryptography, single use keys, and enhanced by Internet connectivity, to protect their customers. And they needed it yesterday.

    --
    All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
  6. I guess US banks will re-evaluate.. by strangeattraction · · Score: 3, Insightful

    I guess US banks will re-evaluate the use of the more secure smart cards. They have been reluctant to use them because the cost of adoption was greater than their projected losses due to theft. So much for that theory. Another failure to predict the risk.

  7. Re:honeypasswords? by bws111 · · Score: 4, Insightful

    It comes down to which costs more: fixing the security problems, or losses due to security problems. My guess is that fixing the security problems would cost far more, so don't think anything is going to change.

  8. Re:Who pays? by alexander_686 · · Score: 4, Insightful

    What I think AC is trying to say is that yes, the banks are on the hook for the funds. Having lost the money the banks will try to make up for it by raising fees and interest, so it all trickles back down to the consumer.

  9. Re: Surely this sort of thing is better than Bitco by Procrasti · · Score: 3, Insightful

    Could you please explain how this is impossible with Bitcoin?

    The banks were doing it back in the days of gold. They held a vault full of gold and kept an account of who owned what gold on a ledger. Then they lent out some of that gold, or rather, they lent out notes for gold which they still kept in the vault, in fact, they lent out more gold than they actually had in the vault. This works fine as long as the number of people withdrawing real gold from the vaults doesn't exceed deposits.

    There is no reason they can't run a fractional reserve system with bitcoin. Of course the bank's bitcoin holdings will be stored in the bitcoin transaction log, but their customer accounts valued in bitcoins will be stored in an entirely different log altogether, a log held by the bank.

    Do you think that bitcoins traded on MtGox are recorded in the bitcoin transaction log too? Then you do not understand either bitcoin or finance. No, the only transactions in the bitcoin log are for deposits or withdrawals to and from MtGox... MtGox tracks your holdings completely separately.

    While I think bitcoin is a great idea, not being able to run a fractional reserve lending system based on them is not one of its advantages. In fact, when they go mainstream, I think this is inevitable. The virtual supply of bitcoins (held by depositors in bank accounts) will then be far greater than the actual supply limit of 21M bitcoins recorded in the bitcoin log.

    This is no different to the fact that the amount of money sitting in bank accounts now far exceeds the amount of money that exists in actual currency. You've just come to think of them as being the same thing. They are not.

  10. Doesn't add up by mypalmike · · Score: 4, Insightful

    "In New York alone, eight people hit 2,904 ATMs in 10 hours, withdrawing $2.4 million."

    OK, if they split up and worked individually, that means 363 ATMs per person in 10 hours, which is around 36 ATMs per person per hour. Each of those 8 people would have to average under 2 minutes per ATM over the course of 10 full hours without interruption. Even if you had a really well-planned route, that seems like an impossible pace.

    --
    There are 0x40000000 types of people: those who understand 32-bit IEEE 754 floating point, and those who don't.