Slashdot Mirror


Attackers Steal $12.7M In Massive ATM Heist (mainichi.jp)

Within two hours $12.7 million in cash was stolen from 1,400 ATMs located at convenience stores all across Japan, investigators announced Sunday. An anonymous reader quotes a Japanese newspaper: Police suspect that the cash was withdrawn at ATMs using counterfeit credit cards containing account information leaked from a South African bank. Japanese police will work with South African authorities through the International Criminal Police Organization to look into the major theft, including how credit card information was leaked, the sources said.
Over the two hours attackers withdrew the equivalent of $907 in 14,000 different transactions.

75 comments

  1. Hmm by wwalker · · Score: 0, Flamebait

    Over the two hours attackers withdrew the equivalent of $907 in 14,000 different transactions.

    Either these were the dumbest criminals out there to steal only $907 a few cents at a time, or at least a word or two are missing from the sentence above.

    1. Re: Hmm by Anonymous Coward · · Score: 1

      From TFA,
      In each of the approximately 14,000 transactions, the maximum amount of 100,000 yen was withdrawn from Seven Bank ATMs using the fake credit cards, according to the sources.

      Guess how much 100,000 yen is in dollars...

    2. Re:Hmm by Anonymous Coward · · Score: 0

      You can't withdraw 12 mil from one ATM, duh.

    3. Re:Hmm by wwalker · · Score: 1

      Wow, Slashdot. So my comment gets downvoted *twice* to "flamebait" and then a comment "To be fair, the sentence probably should have contained the word "each"." from a different user gets upvoted to +5 (Informative). What am I missing?

    4. Re:Hmm by stealth_finger · · Score: 2

      Wow, Slashdot. So my comment gets downvoted *twice* to "flamebait" and then a comment "To be fair, the sentence probably should have contained the word "each"." from a different user gets upvoted to +5 (Informative). What am I missing?

      A snappy username?

      --
      Wanna buy a shirt?
      https://www.redbubble.com/people/stealthfinger/shop?asc=u
  2. Re:$907? by JustOK · · Score: 1

    Clarify your terrible editing

    What the hell does that even mean?

    --
    rewriting history since 2109
  3. Re:$907? by TigerPlish · · Score: 1

    Clarify your terrible reading comprehension:

    From TFS:

    Over the two hours attackers withdrew the equivalent of $907 in 14,000 different transactions.

    $907 x 14,000 = 12,698,000

    --
    The "Civilized World" jumped the shark ca. 1973.
  4. Re:$907? by BarbaraHudson · · Score: 1

    Come on, it's perfectly understandable as $907 * 14,000 transactions. There's pedantry and then there's whining for the sake of whining.

    --
    "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
  5. Re: $907? by Anonymous Coward · · Score: 0

    If you read the article, you'd know that was the maximum withdrawal amount and that likely over a hundred people participated in this "attack".

    However, I agree, that editing is confusing.

  6. Bullcrap. 14000 transactions in two hours... by Anonymous Coward · · Score: 0

    There is simply no way this happened in this scale over two hours. 14000 transactions across 1400 machines in 2 hours. HOW MANY people required to pull this off, trained, readied and not caught in advance?

    1. Re: Bullcrap. 14000 transactions in two hours... by Anonymous Coward · · Score: 0

      The theft at convenience store ATMs took place in the morning of May 15 in Tokyo and 16 prefectures across the country, and police believe over 100 people might have coordinated in the unlawful withdrawal.

      This took place over two hours, not easy to pull off for sure, but not impossible.

  7. Re: $907? by Anonymous Coward · · Score: 0

    Why, are you too stupid to figure it out by yourself?

  8. Re:Bullcrap. 14000 transactions in two hours... by onepoint · · Score: 4, Interesting

    I'm thinking that it's all done via mule teams
    so 1400 machines and 14000 transactions = 10 transactions per machine
    each transaction should take start to finish 2.5 minutes so we are looking
    about 30 minutes for 10 transactions giving time for who knows what.

    From this point, I am guessing 3 machines per person ( 30 min to take and 10 min to next machine )
    so... 1400 / 3 = 467 members ( round up slightly for time losses so jump to 500 mules )

    I am going to state that in Japan, it's doable, they got the team work.

    How to discover the team, reverse engineer all bank searches for atm
    machines, bet certain group patterns show up.

    --
    if you see me, smile and say hello.
  9. Re: $907? by breakermelvin · · Score: 1

    14,000 x $907 = $12.7m So where do you join this gang of 1400 fantastically well coordinated thieves?

  10. Too many people by Anonymous Coward · · Score: 0

    Too many people involved for them to get away clean. And I bet they cased out the ATMs that had no people around first, so they could wear a mask. I give them 2 weeks to enjoy their heist.

    1. Re:Too many people by Anonymous Coward · · Score: 1

      The mules do not know the guys at the top of the hierarchy. The guys who got most of the cash will not appear on any footage. At best the police will catch some of the idiots who thought it was easy cash and some of their handlers.

  11. Re: Bullcrap. 14000 transactions in two hours... by Anonymous Coward · · Score: 0

    $12.7m * 110 JPY/USD / 100000= 139.7

    Someone writing the script for Ocean's One Hundred Forty Tokyo Drift

  12. Re: $907? by ShanghaiBill · · Score: 5, Informative

    14,000 x $907 = $12.7m So where do you join this gang of 1400 fantastically well coordinated thieves?

    $907 is exactly 100,000 Yen, which is the transaction limit.

  13. This proves them wrong by JustAnotherOldGuy · · Score: 1

    And they say crime doesn't pay.

    --
    Just cruising through this digital world at 33 1/3 rpm...
  14. Re:$907? by JustAnotherOldGuy · · Score: 3, Funny

    What the hell does that even mean?

    It means he is unable to comprehend simple sentences or basic mathematics.

    --
    Just cruising through this digital world at 33 1/3 rpm...
  15. Re:Bullcrap. 14000 transactions in two hours... by TechyImmigrant · · Score: 2

    A team that big wouldn't work.
    Just offer anonymity, immunity and a reward > $12,000,000/467.

    Only the first to squeal gets the offer.
     

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  16. Massive ATM Heist? by Gravis+Zero · · Score: 4, Funny

    Why did they put $12.7M in one massive ATM? come on, that's just stupid! #OnlyReadTheHeadline

    --
    Anons need not reply. Questions end with a question mark.
    1. Re:Massive ATM Heist? by AmiMoJo · · Score: 0

      $907 in 14,000 different transactions seems like a rather inefficient way of stealing money. Or maybe EditorDavid's prone to typos when it comes to large amounts of money for some reason.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    2. Re:Massive ATM Heist? by Anonymous Coward · · Score: 0

      Because the intern didn't want to have to keep refilling the stupid ATM every morning

    3. Re:Massive ATM Heist? by Anonymous Coward · · Score: 0

      Don't the ATMs in your country have a limit for how much money can be drawn out per transaction?

      Perhaps in AmiMoJoLand, you can stride up to an ATM and withdraw a million bucks, and it all just piles up in front of the machine. Then you use a shovel to put it in your car.

  17. Re:$907? by Hognoxious · · Score: 4, Informative

    To be fair, the sentence probably should have contained the word "each".

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  18. typical! by Gravis+Zero · · Score: 1

    When are these fools going to learn to only deploy massless ATMs? #OnlyReadTheHeadline

    --
    Anons need not reply. Questions end with a question mark.
  19. Re: $907? by Type44Q · · Score: 1

    So where do you join this gang of 1400 fantastically well coordinated thieves?

    Not sure how much good it'll do you but I suppose you can start here.

  20. Re:Bullcrap. 14000 transactions in two hours... by sjames · · Score: 1

    And all he knows is a few vague details of his contact and that he will die shortly for squealing.

  21. Re:$907? by Hognoxious · · Score: 0

    It could equally mean $907 / 14000 = 6.5 cents.

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  22. Crowd sourcing? by Camel+Pilot · · Score: 1

    Crowd sourcing white collar crime.

  23. I don't know why by Anonymous Coward · · Score: 0

    I always root for the guys who rob banks and ATMs.

  24. Re:Bullcrap. 14000 transactions in two hours... by lgw · · Score: 4, Insightful

    It was in fact a team of "over 100". Japan is Japan.

    Interesting juxtaposition of stories on the Slashdot front page today. Guy discovers a vulnerability, tells the police, gets busted, his computers taken, and a 15 month suspended sentence. Guy discovers a vulnerability, goes black hat, steals $12 M in one day.

    Kinda hard to miss the incentive system currently in place.

    --
    Socialism: a lie told by totalitarians and believed by fools.
  25. They can do it with just 1 Bitcoin ATM by Anonymous Coward · · Score: 0

    Even easier with Bitcon.

  26. Yakuza, maybe... by Anonymous Coward · · Score: 0

    You could have 3-4 people use 100 cards in a cycle at rural 7-11 (these are at 7-11 stores) ATMs, then go down the street 1 km to another store and do it again.

    The amazing thing is there was no algorithm trigger to catch this type of event. Well, after living in Japan for 25 years, it's not so amazing.

    20 years ago, I walked through a large HQ/manufacturing facility of a major global company with the president, and when we were in the engineering section, I casually asked an engineer about how they backed up all of their design & production data. He smiled as he showed me the CDR in his desk drawer, thinking I'd be impressed.

    I took the cigarette lighter off his desk and lit it under the CDR.

    And such was the depth of thought about data security...

    1. Re: Yakuza, maybe... by Anonymous Coward · · Score: 0

      No one will deliberately burn the backups with a lighter. The reason is cultural. The chances of an employee in Japan deliberately doing this are way lower than in other countries.

    2. Re: Yakuza, maybe... by EEPROMS · · Score: 1

      Never has this [WOOOSH] award been so deserving. The act of burning the CDR was "symbolic" in that it showed how a CDR can be easily damaged thus removing the backup as a viable option. The original poster was correct though, the Japanese are seen as the gods of technology but when it comes to software and security you would think their servers were set up by the dumbest IT guy they could find.

  27. Re:Bullcrap. 14000 transactions in two hours... by onepoint · · Score: 2

    Dude, it's the Japanese Mafia, they don't have rats, they got it down pat to have no issues from everything I've ever read.

    --
    if you see me, smile and say hello.
  28. Re:$907? by JustAnotherOldGuy · · Score: 2

    To be fair, the sentence probably should have contained the word "each".

    Perhaps, but I think it would be pretty obvious to anyone who thought about it for a moment.

    --
    Just cruising through this digital world at 33 1/3 rpm...
  29. Bitcoins by Anonymous Coward · · Score: 0

    Surely this would not have happened with Bitcoins.

    Oh wait.

  30. Re:$907? by Anonymous Coward · · Score: 0

    Why 907$ times 14 000 and not 900$ times 14 100 or even 1000$ times 12 700? The answer was given above, 907$ is 100 000 yen, which is the daily withdrawal limit on an account from an ATM.

  31. Re: How much is the Jap $ compared to say Amer $? by Anonymous Coward · · Score: 0

    ¥100 is about $0.908

  32. Re:$907? by John+Bresnahan · · Score: 0

    Over the two hours attackers withdrew the equivalent of $907 in 14,000 different transactions.

    It should say something like "Over the two hours, attackers withdrew the equivalent of $907 in each of 14,000 different transactions."

    As is, it is terribly unclear.

  33. Re: $907? by Anonymous Coward · · Score: 1

    Pick any Yakuza branch. The police won't trouble you but the other branches will.

  34. Re: $907? by Anonymous Coward · · Score: 0

    Oh FFS it was plenty clear to anyone with the cognitive capacity higher than a desk lamp.

  35. Re:How much is the Jap $ compared to say Amer $? by Buchenskjoll · · Score: 1

    Japanese dollars? Seriously? Have you ever heard of currencies that are not dollars? Such as yen?

    --
    -- Make America hate again!
  36. Re:$907? by Anonymous Coward · · Score: 0

    Oh Gosh, this is SlashDot.
    Did you forget where you were?
    Nits and Pickers are join in ethereal bliss on SlashDot.

  37. Re:How much is the Jap $ compared to say Amer $? by Anonymous Coward · · Score: 0

    I ain't trying to hear about no monopoly money, Sir.

  38. Re:Bullcrap. 14000 transactions in two hours... by esperto · · Score: 1

    ATM heist level Asian!

    I bet it was done by half that number of people and they did it while playing some dance game.

  39. Re: $907? by rednip · · Score: 4, Informative

    I suspect that each thief used multiple accounts until each of the ATMs was out of money, then moved to the next one. Perhaps 10 or twenty large withdrawals each one might take 10 to 20 minutes. Five to ten minutes to get to the next ATM would give four to eight 'sessions' over two hours, so I'd guess that each one worked 40 to 160 transactions, let's say 100 each for lack of better data. Meaning about 140 crooks for the 'back of napkin estimate', I'm no expert on the Yakuza, but that number seems really 'doable'.

    --
    The force that blew the Big Bang continues to accelerate.
  40. Limits by manu0601 · · Score: 1

    I wonder why it did not hit any overdraft limit at the stolen account.

    1. Re:Limits by Anonymous Coward · · Score: 0

      The South African bank authorizing the transactions must have had shit fraud detection software which should have detected the massive surge in withdrawals in real time.

    2. Re:Limits by rtb61 · · Score: 1

      The whole operation positively screams inside job. That many transactions without failure in that short time, it means all those accounts were specifically chosen. No alarms, means those accounts were specifically chosen, and chosen well in advance. There will be a hack left in the system to hide the hackers and not expose those who had full access. Simply over the top operation, they might have trouble legally proving who did it but they will be able to work out who did it in short order and those on foot will be caught up in security camera footage, too many locations to escape repeated detection.

      --
      Chaos - everything, everywhere, everywhen
    3. Re: Limits by ytene · · Score: 1

      Whilst I agree with your first statement, in that some knowledge of how to create a fake card would be required, the rest of your theory may not follow. In the UK, the big retail supermarkets do not validate every card transaction with the issuing bank in real time. Instead they sample a smaller number of transactions through their trading day, then batch and bulk submit the majority of transactions every few days. Obviously they can keep a history of card numbers previously used successfully and may use historical transaction data to decide which cards to trust.

      They do this because banks charge fees per transaction. The system works for the retailers because the amount of fraud they suffer is less than the reduction in fees they are charged by the banks.

      The OP and article mention that the accounts were South African and used in Japan. This strikes me as exactly the sort of scenario where the chain of processing agents would attach fees, including currency conversion. With everyone taking their cut, you can understand how there would be an incentive to minimize those fees. So maybe another way of describing this heist would be to say that the card issuer and processing banks might have been stung by their own greed.

    4. Re:Limits by Anonymous Coward · · Score: 0

      The South African bank authorizing the transactions must have had shit fraud detection software

      Just had to read The Fine Article to find out which bank it was, as I'm South African. Unfortunately it doesn't say. Then again, I imagine they are all quite useless and incompetent.

    5. Re: Limits by rtb61 · · Score: 1

      You have a large number of transactions targeted at a foreign country from a questionable country with low income, where the majority of credit card holders will simply not be able to do maximum withdrawals. So those credit cards details were filtered for success. So long term planning and analysis of account details. Statistically speaking based upon the country of origin most of those card numbers should have failed a maximum withdrawal and quite a few should have triggered alarms for out of country, irregular transactions and that does not include the random statistic of credit cards already at or near their limit. That upon the basis that every attempt succeeded. Percentages and statistics indicate a high level inside job.

      --
      Chaos - everything, everywhere, everywhen
  41. Re: $907? by haruchai · · Score: 1

    My desk lamp sits on the floor, you insensitive clod!!

    --
    Pain is merely failure leaving the body
  42. Re: $907? by Anonymous Coward · · Score: 0

    It's probably not the Yakuza because such actions draw way too much attention.
    It's more likely a foreign criminal organization.
    Japanese convenience stores are everywhere in big cities so one person can hit a new convenience store every few minutes.
    So it probably wasn't 1400 people, more likely 100 or so.

  43. Re:Bullcrap. 14000 transactions in two hours... by Anonymous Coward · · Score: 0

    Dude, it's the Japanese Mafia, they don't have rat's, they got it down pat to have no issues from everything I've ever read.

    Fair enough. Maybe it will encourage the Japanese banks to switch from plaintext card credentials to a secure system of payment.

  44. Re:$907? by Hognoxious · · Score: 1

    If you have to analyse it, it's bad journalism.

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  45. Japanese Banks Haiku by Anonymous Coward · · Score: 0

    BOJ are all fraud
    heist not a feature, but bug
    more money, hit print

    BONUS: the NSA haiku

    with privacy dead
    and treason instead
    exploit the database

    It's been brought to my attention.
    aren't these haikus or does Neil Young's rust finally sleep?

    Fuck me I share anyway...

  46. Wait what? by Anonymous Coward · · Score: 0

    They have banks in South Africa? Who knew?

  47. Re:$907? by stealth_finger · · Score: 1

    To be fair, the sentence probably should have contained the word "each".

    Perhaps, but I think it would be pretty obvious to anyone who thought about it for a moment.

    Only if you've read the previous summary "Over the two hours attackers withdrew the equivalent of $907 in 14,000 different transactions." on its own says exactly that. There are a bunch of ways to say what they meant but that's not one of them.

    --
    Wanna buy a shirt?
    https://www.redbubble.com/people/stealthfinger/shop?asc=u
  48. Re: $907? by stealth_finger · · Score: 1

    My desk lamp sits on the floor, you insensitive clod!!

    Is it not then a floor lamp?

    --
    Wanna buy a shirt?
    https://www.redbubble.com/people/stealthfinger/shop?asc=u
  49. Re: $907? by haruchai · · Score: 1

    My floor IS my desk, you insensitive clod!!

    --
    Pain is merely failure leaving the body
  50. Re:$907? by JustAnotherOldGuy · · Score: 2

    Only if you've read the previous summary "Over the two hours attackers withdrew the equivalent of $907 in 14,000 different transactions."

    It was a 5-sentence summary. Who reads the last line without reading the first few sentences?

    The last line may have been a little clumsy on its own but if that's all a person can be bothered to read then they deserve to be confused.

    --
    Just cruising through this digital world at 33 1/3 rpm...
  51. Re:$907? by stealth_finger · · Score: 1

    Only if you've read the previous summary "Over the two hours attackers withdrew the equivalent of $907 in 14,000 different transactions."

    It was a 5-sentence summary. Who reads the last line without reading the first few sentences?

    The last line may have been a little clumsy on its own but if that's all a person can be bothered to read then they deserve to be confused.

    That is true. What is also true is that sentence is badly written.

    --
    Wanna buy a shirt?
    https://www.redbubble.com/people/stealthfinger/shop?asc=u
  52. Re:$907? by JustAnotherOldGuy · · Score: 1

    That is true. What is also true is that sentence is badly written.

    Yes, but that's a long way from being incomprehensible, as the original AC seemed to think, with his "Clarify your terrible editing" comment. Believe me, if you're looking for truly terrible editing you can find lots of more egregious examples in many of the other story summaries.

    Poorly written? Yes.
    Still comprehensible? Yes.

    One doesn't make up for the other, but it's not something that'll keep me awake at night.

    --
    Just cruising through this digital world at 33 1/3 rpm...
  53. Re: $907? by Anonymous Coward · · Score: 0

    Are join?

  54. Is this another hoax? by martinfb · · Score: 1

    How is it possible to withdraw $907 from an ATM every 1.9 seconds?! How is it possible to withdraw anything from an ATM every 1.9 seconds unless there are thousands working together?! Or, was it all done as e-transfers to another account? Something is amiss: facts are missing, or this is another hoax.

    --
    Self-importance and self-indulgence is the root of ALL evil.
  55. Re:Bullcrap. 14000 transactions in two hours... by pavelthesecond · · Score: 1

    Japan's law system does not have the concept of plea-bargains so there really is no incentive to squeal.