[telecom] In Hours, Thieves Took $45 Million in A.T.M. Scheme


Monty Solomon

May 10, 2013, 1:21:41 AM

In Hours, Thieves Took $45 Million in A.T.M. Scheme

By MARC SANTORA
May 9, 2013

It was a brazen bank heist, but a 21st-century version in which the
criminals never wore ski masks, threatened a teller or set foot in a
vault.

In two precision operations that involved people in more than two
dozen countries acting in close coordination and with surgical
precision, thieves stole $45 million from thousands of A.T.M.'s in a
matter of hours.

In New York City alone, the thieves responsible for A.T.M.
withdrawals struck 2,904 machines over 10 hours starting on Feb. 19,
withdrawing $2.4 million.

The operation included sophisticated computer experts operating in the
shadowy world of Internet hacking, manipulating financial information
with the stroke of a few keys, as well as common street criminals, who
used that information to loot the automated teller machines.

The first to be caught was a street crew operating in New York, their
pictures captured as, prosecutors said, they traveled the city
withdrawing money and stuffing backpacks with cash.

..

http://www.nytimes.com/2013/05/10/nyregion/eight-charged-in-45-million-global-cyber-bank-thefts.html

***** Moderator's Note *****

This is sloppy reportage: the story infers that the ATM network was
somehow compromised, and that's not true. The thieves obtained - by
means not yet clear - a database of debit card and PIN numbers. The
rest was logistics and greed, but there was no evil computer genius
"in the shadowy world of Internet hacking".

The New York Times, ISTM, has descended into the shadowy world of
fear-based marketing. With the stroke of a few keys, this reporter is
destroying a reputation that it took the paper a century to build.

Bill Horne
Moderator

danny burstein

May 10, 2013, 11:30:14 AM
In <p0624088dcdb233dadbb3@[10.0.1.2]> Monty Solomon <mo...@roscom.com> writes:

>The operation included sophisticated computer experts operating in the
>shadowy world of Internet hacking, manipulating financial information
>with the stroke of a few keys, as well as common street criminals, who
>used that information to loot the automated teller machines.

>The first to be caught was a street crew operating in New York, their
>pictures captured as, prosecutors said, they traveled the city
>withdrawing money and stuffing backpacks with cash.

>..
>http://www.nytimes.com/2013/05/10/nyregion/eight-charged-in-45-million-global-cyber-bank-thefts.html

>***** Moderator's Note *****

>This is sloppy reportage: the story infers that the ATM network was
>somehow compromised, and that's not true. The thieves obtained - by
>means not yet clear - a database of debit card and PIN numbers. The
>rest was logistics and greed, but there was no evil computer genius
>"in the shadowy world of Internet hacking".

I saw one story that claimed the thieves had, in fact, gotten
into the banks' programming and reset it to circumvent the
daily limits on withdrawals for the accounts, I don't know
whether that's true or not.

- the various banks tend to set their own policies on how
much money you can pull out of your account via ATM. (And
some ATMs, especially "self standing" ones in stores, will
have their own)

These limits will vary depending on, among other factors,
how the bank "rates" you as a customer. You might be cut
off after $250, or you might be able to go higher. I've
done as much as $1,000 (didn't try any more).




--
_____________________________________________________
Knowledge may be power, but communications is the key
dan...@panix.com
[to foil spammers, my address has been double rot-13 encoded]

Bill Horne

May 10, 2013, 1:45:40 PM
On Fri, May 10, 2013 at 03:30:14PM +0000, danny burstein wrote:
> In <p0624088dcdb233dadbb3@[10.0.1.2]> Monty Solomon <mo...@roscom.com> writes:
>
> >The operation included sophisticated computer experts operating in the
> >shadowy world of Internet hacking, manipulating financial information
> >with the stroke of a few keys, as well as common street criminals, who
> >used that information to loot the automated teller machines.
>
> >***** Moderator's Note *****
>
> >This is sloppy reportage: the story infers that the ATM network was
> >somehow compromised, and that's not true. The thieves obtained - by
> >means not yet clear - a database of debit card and PIN numbers. The
> >rest was logistics and greed, but there was no evil computer genius
> >"in the shadowy world of Internet hacking".
>
> I saw one story that claimed the thieves had, in fact, gotten
> into the banks' programming and reset it to circumvent the
> daily limits on withdrawals for the accounts, I don't know
> whether that's true or not.
>
> - the various banks tend to set their own policies on how
> much money you can pull out of your account via ATM. (And
> some ATMs, especially "self standing" ones in stores, will
> have their own)
>
> These limits will vary depending on, among other factors,
> how the bank "rates" you as a customer. You might be cut
> off after $250, or you might be able to go higher. I've
> done as much as $1,000 (didn't try any more).

YMMV, but the banks I've dealt with in the past don't have a "real
time" method of checking bank balances: the ATM network, which is
separate from the participating banks' internal systems, will
sometimes dispense money based on the limits that are encoded into
debit cards, with no other knowledge of the customer.

It gets worse: there is more than one ATM system, and they don't
always talk to each other. They report withdrawals to the
participating banks, but that process can lag the event by as much as
a day.

My knowledge is, however, a few years old, so the bankers may have
improved their security and record-keeping since I found these things
out the hard way. I certainly hope so, but I've got 45,000,000 reasons
to think not.

--
Bill Horne
Moderator

Gary

May 10, 2013, 6:57:25 PM
On 5/10/2013 1:21 AM, Monty Solomon wrote:
>
> In Hours, Thieves Took $45 Million in A.T.M. Scheme
>
> By MARC SANTORA
> May 9, 2013
...
> The operation included sophisticated computer experts operating in the
> shadowy world of Internet hacking, manipulating financial information
> with the stroke of a few keys, as well as common street criminals, who
> used that information to loot the automated teller machines.

What this article didn't say is that this theft was greatly aided by
easily duplicated mag strip cards. Once the "sophisticated computer
experts" had the compromised account numbers, it was really easy for the
street thieves to create cards with this stolen account information on
the mag stripe.

If we were all using smart cards, it would be much harder (impossible?)
to create duplicate cards.

Maybe now the banks in the US will get serious about switching to smart
cards.

-Gary

danny burstein

May 10, 2013, 4:22:10 PM
Telecom Digest Moderator wrote:

> This is sloppy reportage: the story infers that the ATM network was
> somehow compromised, and that's not true. The thieves obtained - by
> means not yet clear - a database of debit card and PIN numbers. The
> rest was logistics and greed, but there was no evil computer genius
> "in the shadowy world of Internet hacking".

Note the Department of Justice press release includes a claim that the
thieves got into the bank systems.

[DOJ press release]

These defendants allegedly formed the New York-based cell of an
international cybercrime organization that used sophisticated
intrusion techniques to hack into the systems of global financial
institutions, steal prepaid debit card data, and eliminate
withdrawal limits.

....

The "Unlimited Operation" begins when the cybercrime organization
hacks into the computer systems of a credit card processor,
compromises prepaid debit card accounts, and essentially eliminates
the withdrawal limits and account balances of those accounts. The
elimination of withdrawal limits enables the participants to
withdraw literally unlimited amounts of cash until the operation is
shut down.

====

rest:
http://www.justice.gov/usao/nye/pr/2013/2013may09.html
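
An added example, not part of the thread or the DOJ release: since the release describes the withdrawal limits stored with the accounts being eliminated, a monitor that keeps its own ceilings on the authorization stream can still flag the cash-out pattern. The log records, card tokens, thresholds and function name below are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authorization log: (timestamp, card token, terminal id, amount USD).
# Tokens, terminals and amounts are invented for illustration.
SAMPLE_LOG = [
    ("2013-02-19T15:00:00", "card-A", "atm-001", 800),
    ("2013-02-19T15:04:00", "card-A", "atm-002", 800),
    ("2013-02-19T15:09:00", "card-A", "atm-003", 800),
    ("2013-02-19T15:15:00", "card-A", "atm-004", 800),
    ("2013-02-19T15:05:00", "card-B", "atm-010", 200),
    ("2013-02-20T09:00:00", "card-B", "atm-010", 200),
    ("2013-02-19T16:00:00", "card-C", "atm-020", 300),
    ("2013-02-19T16:30:00", "card-C", "atm-020", 300),
]

WINDOW = timedelta(hours=1)
MAX_AMOUNT = 1000    # assumed ceiling, held outside the processor's account records
MAX_TERMINALS = 3    # assumed cap on distinct ATMs per card per window


def flag_cash_out(log, window=WINDOW, max_amount=MAX_AMOUNT,
                  max_terminals=MAX_TERMINALS):
    """Return {card: [reasons]} for cards that exceed either independent ceiling."""
    recent = defaultdict(deque)   # card -> deque of (time, terminal, amount)
    alerts = defaultdict(set)
    for ts, card, terminal, amount in sorted(log):   # ISO timestamps sort by time
        now = datetime.fromisoformat(ts)
        q = recent[card]
        q.append((now, terminal, amount))
        while q and now - q[0][0] > window:          # drop events outside the window
            q.popleft()
        # Both checks ignore the account's own limit field, which the
        # intrusion described above is said to have altered.
        if sum(a for _, _, a in q) > max_amount:
            alerts[card].add("amount")
        if len({t for _, t, _ in q}) > max_terminals:
            alerts[card].add("terminals")
    return {card: sorted(reasons) for card, reasons in alerts.items()}


if __name__ == "__main__":
    for card, reasons in flag_cash_out(SAMPLE_LOG).items():
        print(card, reasons)
```
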

Bill Horne

May 10, 2013, 11:20:16 PM
The press release also contains this quote:

"To date, the United States has seized hundreds of thousands of
dollars in cash and bank accounts, two Rolex watches and a Mercedes
SUV, and is in the process of forfeiting a Porsche Panamera."

... or, in other words, the feds recovered a small percentage of the
total. The rest is probably being squirreled away in counting rooms
guarded by lots of men with guns, which is the method that criminals,
unlike bankers, know to be secure.

That small percentage of recovered money isn't a record to be proud of:
the press release, which is long on self-congratulatory back-slapping
but short on results, indicates that a few low-level mules were
apprehended, but does not even begin to address the larger question of
*how* the data was "compromised", and what safeguards, if any, will be
put in place to prevent a recurrence.

Let me put this another way: stealing a car by lifting the keys off a
valet-parking key board is /not/ a defeat of the automaker's
anti-theft safeguards. The banks whose computers were hacked - if they
/were/ hacked, and not simply subverted through bribery or coercion -
bear the burden of having been careless with financial data. The ATM
network performed as it was /designed/ to: it dispensed funds based on
the data supplied to it during uploads from the offline systems at the
issuing banks. The data was compromised /before/ it got to the ATM
network.

If any good is to come out of this debacle, I hope it will be that
electronic funds transfer systems will be, at long last, changed from
their current setup, which is just an overlay of the old face-to-face
recognition security paradigm, to a professionally vetted, hardened
infrastructure where /every/ aspect has been debated, planned,
designed, and implemented as a secure system.

Bill

--
Bill Horne
(Remove QRM from my address to write to me directly)

T

May 12, 2013, 10:42:55 PM
In article <kmjtpr$mj7$1...@dont-email.me>, bogus...@hotmail.com says...
We'll never see chip based cards in widespread use in the United States.
They'd have to replace the ENTIRE infrastructure that developed around
mag-stripe. I once saw a cost estimate to do just that and it was
billions of dollars.

And when it comes to security - the dollar wins.

John Levine

May 12, 2013, 11:25:18 PM
>We'll never see chip based cards in widespread use in the United States.
>They'd have to replace the ENTIRE infrastructure

Master Card, Visa, and American Express have published their
transition schedule. In October 2015, most merchants will become
liable for fraudulent transactions if they don't have an EMV (chip
card) terminal. A few kinds of terminals, notably gas pumps, have
until 2017.

http://www.emv-connection.com/emv-migration-driven-by-payment-brand-milestones/

R's,
John

tlvp

May 13, 2013, 11:31:35 AM
On 13 May 2013 03:25:18 -0000, John Levine wrote:

> Master Card, Visa, and American Express have published their
> transition schedule. In October 2015, most merchants will become
> liable for fraudulent transactions if they don't have an EMV (chip
> card) terminal. A few kinds of terminals, notably gas pumps, have
> until 2017.
>
> http://www.emv-connection.com/emv-migration-driven-by-payment-brand-milestones/

Interesting. With this background, I just phoned up Chase and Capital One,
US credit card issuers, and learned from the first CS rep I encountered at
each that (according to said rep) there are NO current plans to convert any
of their card lines to chip-and-pin or to chip-and-signature -- both
claimed that ALL merchants are -- and, for the foreseeable future, will
remain -- obligated to continue to honor the old-style magstripe cards.

[Of course, other CS reps may have other stories :-) .] Cheers, -- tlvp
--
Avant de repondre, jeter la poubelle, SVP.

Doug McIntyre

May 13, 2013, 12:29:29 PM
And the date for ATMs is October 2016 for (at least) Mastercard
transactions, where liability shifts away more from Mastercard.
Money talks. Once the banks are more on the hook, you'll bet they'll
scramble. Planning ahead? Nah..

http://newsroom.mastercard.com/press-releases/mastercard-extends-u-s-emv-migration-roadmap-to-atm-channel/

http://www.mastercard.us/mchip-emv.html

John Levine

May 13, 2013, 4:11:35 PM
>> Master Card, Visa, and American Express have published their
>> transition schedule. ...

>Interesting. With this background, I just phoned up Chase and Capital One,
>US credit card issuers, and learned from the first CS rep I encountered at
>each that (according to said rep) there are NO current plans to convert any
>of their card lines to chip-and-pin or to chip-and-signature --

Chase offers chips in many of their travel affiliate cards, described here:

http://creditcardforum.com/blog/chip-and-pin-credit-cards-usa/

As far as I can tell Capital One doesn't offer chip+pin on any of
their US cards.
