Forgot your password?
typodupeerror
Security The Almighty Buck IT

Coordinated, Global ATM Heist Nets $13 Million 122

Posted by Soulskill
from the get-rich-really-really-quick-schemes dept.
An anonymous reader writes "An international cybercrime gang stole $13 million from a Florida-based financial institution earlier this year, by executing a highly-coordinated heist in which thieves used ATMs around the globe to cash out stolen prepaid debit cards. 'Prepaid cards usually limit the amounts that cardholders can withdraw from a cash machine within a 24 hour period. Apparently, the crooks were able to drastically increase or eliminate the withdrawal limits for 22 prepaid cards that they had obtained. The fraudsters then cloned the prepaid cards, and distributed them to co-conspirators in several major cities across Europe, Russia and Ukraine.' The attack is eerily similar to the 2008 attack on RBS WorldPay that stole $9.4M. The men who pleaded guilty to the RBS attack were arrested and charged in Russia, but were later given only probation."
This discussion has been archived. No new comments can be posted.

Coordinated, Global ATM Heist Nets $13 Million

Comments Filter:
  • When I first read the headline, I thought they meant heist as in leaving a hole in the wall. Would have been much more spectacular.
  • by Iamthecheese (1264298) on Friday August 26, 2011 @03:12PM (#37221864)
    Many banking systems only talk to each-other in nightly batches. It's mostly done that way because that's the way it's always been done, and to save money on entirely new systems. The every-24-hours style is less secure, slow, and inefficient. This is 2011 and there's no real excuse for it.
    • by roman_mir (125474)

      I used to do some work for Symcor, AFAIK that's how Canadian banks work.

      It's crazy, I am building my own retail systems right now, the data exchange between the office systems and the stores are batched (because the Internet connection can and does go down sometimes), but when the networks are up, the data is synchronized a few times an hour, we can safely synchronize every 10 minutes. Of-course that's only 15 stores right now, but the difficulties are somewhat similar - while you are synchronizing, you ha

      • by pakar (813627)

        hmm... bank sends -> allow to withdraw up to X amount when the balance is changed. Visa sends amount X withdrawn to bank when card has been used.. If the network connection is down (at the store or something) then the charges are just buffered until it becomes available again...

        Don't think it will be a big problem since they are just simple messages that can be queued at the bank or at visa depending on their server load... If they want to take less risks then just add more server-capacity to handle the

        • by roman_mir (125474)

          No, you didn't get my point. The data comes flooding into the center, it will lock all of the record that are updated (hopefully just records and not entire tables.) There will be not a single moment in time that there will be no updates coming into the banks, unless there is some form of absolute synchronization (possible), but even then, if you synchronize with the center say every 1 hour, that means that once an hour every bank, every buffer that there is out there will send data into the center.

          IF (tha

          • by baegucb (18706)

            When I worked for CIBC in the 70s, in a regional data center, checks came in via messenger 3 or 4 times a day. 99% of the checks were internal to CIBC and there was always a rush to seperate other banks checks. Then the checks would be read in by an IBM 1419 and processed by the IBM mainframe. Cash dispensing machines were done by batch too, similar to how checks were processed. We were told that the penalty for not getting other banks checks back to them on the same day incurred a penalty equal to the face

            • by roman_mir (125474)

              Actually I don't know about this moment in time, but back when I worked for Symcor it didn't process CIBC. It processed RBC, TD and BMO, in fact they spawned the company and outsourced check processing and statement printing to them. But the checks are processed at night.

          • by pakar (813627)

            still, the banks already has real-time systems to handle this... made a purchase on my card today and the amount showed up as reserved on my account in less than 5 minutes... why not extend it to VISA/Mastercard since all the transactions still goes to their servers to be validated..

            Yes, you need some locking for the real account-data.. But for just a "available amount" it should be a lot less critical and that could instead just be checked during the big batch job to correct for any errors....

      • by gl4ss (559668)

        you don't have live checking of balance for debit cards? how would your system have detected to reject these cards?

        (fun fact, visa electron, i think known as maestro in more countries but it's "visa electron" here, often when roaming only checks that there's _some_ money on the account, not that there's enough for the withdrawal, I think it's because it's just hacked on top of the regular visa processing, they're quite effectively the same thing as credit card visa, only that you're supposed to only use the

        • by roman_mir (125474)

          There are on-line and off-line debit cards. In Canada the on-line transactions are handled by Interac. It is a central system.

          But this story is about pre-paid cards. Apparently data about purchases from these cards is synchronized in batches at night.

        • by jonbryce (703250)

          Maestro is the Mastercard equivalent of Visa Debit.

          • by metrix007 (200091)
            It really isn't. A visa debit card lets you use your debit card as a credit card. Maestro does not allow that, it's just an international network like cirrus or plus.
    • But if you think about it from a business standpoint, implementing a system like that would cost far more than $13 million.
      • by roman_mir (125474)

        Oh, definitely. It will be in hundreds of millions, possibly more. Just the hardware upgrades will be in billions probably. The problem is that banks normally close at night, so synchronization does not really have to take into account that there are multiple live transactions going at the same time, so for example it's possible to lock an entire table to do updates (and it's mostly done that way). Imagine having to figure out all of the problems related to frequent synchronization and thus insane perfor

      • by pakar (813627)

        But if you think about it from a business standpoint it would probably cost less to implement than $365 Million for Canada

        http://www.rcmp-grc.gc.ca/scams-fraudes/cc-fraud-fraude-eng.htm [rcmp-grc.gc.ca]

        And they current batch-based systems could still be used for this... just smaller chunks...

        • by roman_mir (125474)

          Don't forget that there is insurance that banks buy for this as well. Of-course from POV of insurance companies it would be a good thing for banks to do, to minimize any sort of vector of attack, so if banks wanted to pay less insurance premiums, they could invest, but likely it would be much more than just a few hundred million dollars.

          Think about this: a tiny project in a bank costs maybe around 250K. That's small time peanuts, and that's software only.

          Now think about this: there are thousands of systems

          • by pakar (813627)

            So a normal withdrawal that is linked directly into the account could not be used?? I can see a withdrawal within a few minutes later on my account... If i withdraw an amount from any ATM here i can see that the amount has been withdrawn from the account from any other ATM (different banks) ... Seems a bit strange to not reuse existing infrastructure that already handles this type of thing...

            I think there is a more hidden agenda about wanting delays, and that is that they are making big bucks on those that

            • by roman_mir (125474)

              I am not talking about synchronizing only the withdrawals, that is actually done by Interac in Canada. I am talking about synchronizing all account data. But in case of the pre-paid debit cards the data can be waiting anywhere in the world, it's collected at night from whatever local branches and buffers.

            • Yes,
                  And banks make more off accidental overages than they lose on scams that exploit this. Think about the complexity to actually pull off the scam. The principal of this scam is simple, execution is not.
              -nB

      • by sjames (1099)

        But it would only cost that once.

      • Ever had to wait a day before your money was available to your credit card even if the money was deposited? It's not that big of a deal but the entire system is riddled with inefficiencies due to these batch jobs.
         

    • by MWoody (222806)

      Wait, so how does an ATM that only synchronizes once a day know that I just put in the right pin number? Does every ATM on the planet download a list of every ATM card and PIN in existence?

      I'm not trying to be sarcastic or glib, I'm just trying to understand how the system you describe could function.

    • by babtras (629678)
      To clarify, transactions are mostly authorized in realtime by the bank that issued the card (*some* credit card transactions can be done "offline" but not normally at an ATM unless there's a network problem). The nightly batches are settlement processes where the bank actually pays the ATM owner for the cash they gave to the bank's customer. Authorization happens in realtime, money shuffling between financial institutions happens at night.
    • by Solandri (704621)
      Heaven forbid they use the money from ATM fees to actually improve the ATM network, rather than pocketing it as pure profit.
    • The banks that were affected were SunTrust.... which is the most poorly secured bank in Florida, at least...

    • by Eil (82413)

      Many banking systems only talk to each-other in nightly batches. It's mostly done that way because that's the way it's always been done, and to save money on entirely new systems. The every-24-hours style is less secure, slow, and inefficient. This is 2011 and there's no real excuse for it.

      (Disclaimer: I used to work in financial I.T. But don't worry, I got better.)

      At the end of the banking day, the backend systems of every decent-sized financial institution begin churning through the day's data to settle t

  • Honesty (Score:4, Insightful)

    by Anonymous Coward on Friday August 26, 2011 @03:15PM (#37221886)

    "The attack is eerily similar to the 2008 attack on RBS WorldPay that stole $9.4M. The men who pleaded guilty to the RBS attack were arrested and charged in Russia, but were later given only probation."

    Would you try to steal $9.4M by nonviolent means if you knew that the penalty for being caught was probation? Be honest.

  • In soviet Russia, bribes pay you!
  • plan a heist of Russian and former soviet block countries banks and financial institutions. So they realize the real damage caused by letting these people off lightly. IMHO Russia now takes enjoyment out of these hits, since they see it as a way to inflict damage on the west by way of proxy. Need a global effort to eliminate such criminals.
    • Except that if they catch you, they won't bother with a trial. They'll torture you, then shoot you and your entire family. Like other organized crime groups in the good old days.

    • "Need a global effort to eliminate such criminals."

      There is no way to eliminate "such criminals". There will always be criminals and some will try this sort of thing if it is possible.

      The attack was against one financial institution in the US. The financial institutions could change to make this sort of crime harder or maybe even impossible to pull off. But, as other posters have pointed out, this would cost orders of magnitude more than $13 million. Eventually, it will be worth it.

      But to even try

  • Did the attack take place over the internet ? Or was an android used to execute the attacks ? No ? Then it is NOT cybercrime. It's not cyber-anything!

    This was a meatspace attack, the kind any 12 year old can perform with a card cloner - you know, a small, simple electronic device consisting of about $15 worth of components and a few hundred bytes of PIC code. I figure all they did was run the same cards simultaneously at different ATMs, exploiting a probably very huge gaping race condition in the bank'

    • Hence, "cyber".

    • exploiting a probably very huge gaping race condition in the bank's software. . .

      hence "cyber".

    • by Baloroth (2370816)

      If the take were larger by an order of magnitude, you'll find allegedly honest people are suddenly far more interested in taking that risk.

      And you'd find the hole being plugged very quickly. This sort of attack is rather tricky to pull off (you need someone to physically be at each ATM, meaning hundreds or possibly thousands of people), and that coupled with the fact that most ATMs have cameras makes this security hole fairly minor ($13 mil sounds like a lot, but to a large bank it's pretty much pocket change. With lots of people involved it would give fairly mediocre payouts).

      Also, if you read TFA it sounds like they actually reloaded the c

      • by AdamThor (995520)

        ($13 mil sounds like a lot, but to a large bank it's pretty much pocket change. With lots of people involved it would give fairly mediocre payouts)

        The profitable part isn't standing there, withdrawing (say) $200... The profitable part is selling the chance to withdraw $200 for $100 through your organized crime network to a few hundred people. "load this track on your card-cloner, use this bank network and this pin, withdraw $200 between 8:00 pm and 8:15 pm on this date." Then you get to make a chunk of c

    • by colesw (951825)
      I know reading the article means I'm new and all, but it was based on both meatspace and cyber.
      "Armed with unauthorized access to FISâ(TM)s card platform, the crooks were able to reload the cards remotely when the cash withdrawals brought their balances close to zero."
      This was coordinated between people at the ATM and to someone on the FIS network reloading the cards.
    • by Syberz (1170343)
      I dunno, hacking into FIS's network to remotely remove or increase the withdrawal limits and reload the debit cards sounds like a cybercrime to me...
    • by bioster (2042418)
      Sure, it was meatspace... all except for a key part of their plan:

      Armed with unauthorized access to FIS’s card platform, the crooks were able to reload the cards remotely when the cash withdrawals brought their balances close to zero.

      Your other guesses are likewise incorrect. Basically they figured out a way to reload their cards and then ran around emptying ATMs as frantically as possible before the banks caught on.

      So uh... did you RTFA?

    • Did the attack take place over the internet ?

      Yes.

      I think this kind of kills the rest of what you said.

      The initial attack was on the back-end systems via compromised online accounts. The withdrawals in meatspace were only the final step, and wouldn't have netted much of a haul without the initial attackers already modifying the limits set on the accounts used.

    • by sjames (1099)

      According to TFA, they hacked in to the bank's network so they could create a series of fake deposits in order to continue withdrawing money from the cards, so yes, cyber.

    • What's the difference between manipulating a system with a card reader or a keyboard? Bits are Bits.

  • "several major cities across Europe, Russia and Ukraine."

    I thought that G;onal would be bigger than Europe (Russia was once considered part of Eastern Europe)

  • Off-topic, but:
    Why is it "eerily similar" and not just "similar"? Even "suspiciously similar" I could understand, if that was the point. But what was "eerie" about it?

  • by decora (1710862) on Friday August 26, 2011 @06:15PM (#37223544) Journal

    Goldman Sachs and the others just stole from the taxpayers.

    have you seen the recent FOIA files released on the 'secret bailout'? billions and billions and billions. and a lot of it went to pay bonuses to those guys at the CDO and mortgage securities departments at those banks. massive, overwhelming fraud, completely unpunished. and we whine about hackers stealing 13 million from an ATM.

    13 million would not even cover a year of a bailed-out bank CEO executive bonus. it wouldnt even be a drop in the bucket of the Boards of Directors payments (many of whom do exactly nothing). 13 million is what John Thain wiped his ass with at Merrill Lynch.

    wake up folks. wake up. watch The Young Turks for more info

    • Goldman Sachs and the others just stole from the taxpayers.

      ya we know. knowing is not the problem. doing something about it is the problem.

      • editing wikipedia is rather fun sometimes... the more powerful the entity you edit the page about, the more fun it is. the highest form of fun is when you add boring, banal facts, and watch people go apeshit over them.

        also fun? submitting stories to slashdot.

        more fun? FOIA requests.

        fun fun fun!

    • by dlgeek (1065796)
      Ok, I know I'm going to get modded way the hell down for this, but why does everyone going nuts over these bonuses?

      First, most of these banks paid back the bailout money early, with interest. It's not like the money went into a black hole. Second, it's not like they were like "Hey, free money!" and started handing out huge bonuses on top of huge salaries. The entire compensation structure of these companies is based on structured performance-based bonuses, and most of them are baked into the contracts.
      • First, most of these banks paid back the bailout money early, with interest. It's not like the money went into a black hole.

        Banks still borrow at practically 0% interest rate from the Fed. How else do you think they paid back the bailout money? Fed low-interest rate loans FTW.

      • by Wiener (36657)

        Bonuses are just a good way for merit to be rewarded. If you do good work, you get paid more, if you do crap, you get paid less.

        Somehow I'm thinking the need to be bailed out with taxpayer funds means you did "crap work" and don't deserve a bonus.

      • You see, TARP was just a tiny part of the bailout. Here's what most people don't know. The Federal Reserve set interest rates at almost 0%. The Banks borrow money for ~0% (btw, only specially selected banks have this privilege), then buys Treasury bonds, which yield maybe 2-3% and the banks get to keep the difference. And who pays for this difference? The tax payer.

        This free money is essentially printed out of nothing causing inflation. There's a reason why gold and silver are making record highs. And ever

  • These kinds of stories piss me off. When I need over-limit money from the ATM I'm SOL. But I know that if somebody stole my card they'd be able to clean out my entire account in, like, ten minutes.
  • Expecting cluefulness from banks, indeed from the entire accounting profession, is the height of stupidity in my books. Let me count the ways:

    - In the 21st Century, it *still* can take up to three days to transfer money from one acct. to another on their "secure", non-Internet connected network.

    - They expend vast amounts of effort on checking, then rolling back, bad transactions and seemingly nothing on ensuring bad transactions can't happen. Vis. TFA. Monday, they discovered they'd been owned!

    - I've wat

  • I guess this would be great commercial if it were for Oceans 14!!!

Surprise your boss. Get to work on time.

Working...