Slashdot Log In
Flash Mob Steals $9 Million From ATMs
Posted by
Soulskill
on Sat Feb 07, 2009 01:21 PM
from the viral-ad-for-ocean's-one-hundred-thirty dept.
from the viral-ad-for-ocean's-one-hundred-thirty dept.
Mike writes "A global flash mob of ATM thieves netted $9 million in fraud against ATMs in 49 cities around the world. The computer system for a company called RBS WorldPay was hacked. One service of the company is the ability for employers to pay employees with the money going directly to a debit card that can be used in any ATM. The hacker was able to infiltrate the supposedly secure system and steal the information necessary to duplicate or clone people's ATM cards. Shortly after midnight Eastern Time on November 8, the FBI believes that dozens of the so-called cashers were used in a coordinated attack on ATMs around the world. Over 130 different ATMs in 49 cities worldwide were accessed in a 30-minute period on November 8. 'We've never seen one this well coordinated,' the FBI said. So far, the FBI has no suspects and has made no arrests (PDF) in this scam."
Related Stories
Submission: Flash Mob Steals $9 Million From ATMs by Anonymous Coward
[+]
IT: Researcher Discovers ATM Hack, Gets Silenced 229 comments
Al writes "A researcher working for networking company Juniper has been forced to cancel a Black Hat presentation that would have revealed a way to hack into ATMs. The presentation focused on exploiting vulnerabilities in devices running the Windows CE operating system, including some ATMs. The decision to cancel was made to give the vendor concerned time to patch the problem, although the company was notified 8 months ago. The article mentions a growing trend in ATM hacking: In November 2008 thieves stole nearly $9 million from more than 130 cash machines in 49 cities worldwide. And earlier this year, the second biggest maker of ATMs, Diebold, warned customers in an advisory that certain cash machines in Eastern Europe had been loaded with malicious software capable of stealing financial information and the secret PINs from customers performing ATM transactions."
[+]
$9 Million ATM Hacking Ring Indicted 86 comments
Trailrunner7 writes "US and international prosecutors have indicted a criminal ring that they allege was responsible for an ATM scam last November that stole about $9 million from RBS WorldPay. The criminals cracked payroll debit cards and withdrew money from ATMs in hundreds of cities around the world. A federal grand jury in Atlanta has indicted eight men in connection with the scheme, including five Estonians, one Russian, one Moldovan, and one unidentified man. Prosecutors allege that the men 'used sophisticated hacking techniques' to defeat the company's encryption system. The scam involved an elaborate plan in which the attackers first bypassed the encryption on the debit cards, which RBS WorldPay issues to customers for employee payroll purposes. They then raised the limits on the accounts attached to the cards, then provided a network of 'cashers' with 44 counterfeit payroll debit cards, which were used to withdraw more than $9 million from more than 2,100 ATMs in at least 280 cities worldwide, including cities in the United States, Russia, Ukraine, Estonia, Italy, Japan and Canada. The $9 million loss occurred within a span of less than 12 hours; 130 different ATMs in 49 cities were hit within one 30-minute period."
This discussion has been archived.
No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
Full
Abbreviated
Hidden
Loading... please wait.
cough (Score:5, Funny)
in other news a flash mob recovered all the rights that have been stolen from the people by their governments over the last few years
Re: (Score:3, Interesting)
Re:cough (Score:5, Funny)
Parent
And the money went where? (Score:5, Insightful)
Re:And the money went where? (Score:5, Interesting)
It was probably structured like a lot of the stolen credit-card number sites: a high-reputation user announces an opportunity, then many other users pay up-front to participate. At the given time, the critical info is released to all, and it's then every man for himself trying to grab as much money as possible.
Parent
Re:And the money went where? (Score:5, Informative)
I went and RTFA. Given 130+ ATMs in 50 cities, definitely looks like the sell-it model, not a massive criminal organization: very high fan-out (50 cities) and low leaf count (about 3 ATMs per second level node.) That shape is never seen in ongoing organized businesses - they should have a much more uniform hierarchical structure (e.g. 50 cities = 2500 ATMs.)
Parent
Re:And the money went where? (Score:4, Interesting)
Parent
Re:And the money went where? (Score:5, Interesting)
Two excellent analogies. I've been looking at corporations (in the broad sense) for 30 years, and it took me a long time to realize that you might as well ignore what people say about how they organize, and just look at what the organization actually is. That tells you almost everything you need to know.
Parent
Re:And the money went where? (Score:4, Interesting)
This honestly sounds more like terrorism than anything Bill O'Reilly spouts off about.
Think of it this way. Say you want to fund the Mumbai attacks ver. 2.0, but are short on cash. This sounds like a great plan straight from the terrorist handbook. All you need is a few willing or even unknowning smurfs and a decent hacker connection. How do you hide the four million dollars you just stole? Have people you don't know steal another five million on top of it. The FBI won't be inundated with false leads to chase, they'll be loaded with dozens of real suspects to chase down.
The article mentions the cards were cloned then cracked, so a lot of the math can go out the window. I wonder if any of the money was just wire transfered directly to the cards themselves, for later withdrawl or even use a a normal debit card? It doesn't say how much could be taken out at one time, only that there is normally a $500 dollar limit. Though it wouldn't surprise me to hear that the FBI is playing coy with the numbers. They've apparently been sitting on the story for three+ months.
This money will probably find its way back to the hands of the genuinely bad people of the world.
Parent
Looking at their photos... (Score:5, Funny)
They don't look like someone who just won a lottery to me.
They look more like homeless people.
Which brings up the question - why aren't there more homeless people robbing banks out there?
I mean... they are in a clear advantage.
They are invisible AND they have nothing to lose.
Worst case scenario - they get sent to a jail. HA!
3 meals a day, clothing, housing and health-care at the cost of the society.
Parent
Re: (Score:3, Insightful)
It's okay. Many homeless are mentally ill, possibly from the PTSD they got from Vietnam. They got so screwed up in our nation's defense that they couldn't come up with such an elaborate scheme. So we really have nothing to worry about! All is as it should be in America.
Re:Looking at their photos... (Score:5, Interesting)
Parent
Re:Looking at their photos... (Score:4, Interesting)
You sound like someone who's never spent any time in jail.
Good for you. Strangely, though, most homeless people don't think of jail as a preferable housing opportunity. That's just one more of the sad Republican fantasies: that jail is such a great place to be. Fortunately for us, many of them have gotten to experience it first hand in the last several years, and with luck, many more will have that opportunity, including the doped-up fatso who coined the term "Club Gitmo".
Parent
Re:Looking at their photos... (Score:5, Insightful)
Because robbing banks requires at least a modicum of ability, some organizational skill, and a bit of motivation. If you've got all of the above, you're unlikely to be homeless in the first place.
Gotta disagree. Homelessness doesn't correlate well with a lack of ability or organizational skill, or even lack of motivation. It does, however, correlate well with heavy addiction and mental illness, both of which make it pretty damn hard to use one's ability or organizational skills.
Parent
How's this a flash mob? (Score:5, Insightful)
Re:How's this a flash mob? (Score:5, Interesting)
I thought flash mobs are groups of people in the same place at the same time. Not all over the world?
By the name, I suppose a flash mob suggests a mob of people doing something 'in a flash' (in a short period of time).
A mob doesn't necessarily have to be in the same spot, at least it doesn't have to be the way I understand it.
Perhaps in the past a mob would have to be in the same location, but due to the way the world is all interlinked nowadays someone can affect something on the otherside of the world, meaning the world has gotten a lot 'smaller' as such.
Parent
Re: (Score:3)
3 and 5 seem to apply.
Re:How is it a mob at all? (Score:5, Insightful)
zoom out.
Parent
Re: (Score:3, Insightful)
The world is a single place, it just depends what kind of scale you're on.
Re: (Score:3, Informative)
Re:How's this a flash mob? (Score:5, Funny)
Parent
Re: (Score:3, Interesting)
You're are right. And they make some people nervous. So not TPTB are working to associate flash mobs with crime so they can make them illegal.
Re: (Score:3, Insightful)
I believe this is the flash mafia, not a flash mob.
-Isaac
Re:How's this a flash mob? (Score:5, Funny)
Parent
$9 Million? (Score:4, Insightful)
$9 Million stolen from a bank? Peanuts compared to the next $900 Billion the banks are stealing back again - a hundred thousand times more.... I can't even get to grips with that scale of money....
Re:$9 Million? (Score:5, Insightful)
$9 Million stolen from a bank? Peanuts compared to the next $900 Billion the banks are stealing back again - a hundred thousand times more.... I can't even get to grips with that scale of money....
There's a BIG difference. One group was a bunch of unimaginative, unethical, thieving liars and cowards. The other group had the imagination to do something and take advantage of a weak poorly designed system that gets the guys with the badges and guns after you.
It takes a REAL criminal mind to lobby the regulatory agencies and Congress with dirty money to make your thieving legal. And it's really a piece of work when those lying thieves walk away with tens of millions of dollars in bonuses for cheating.
Parent
Re:$9 Million? (Score:4, Funny)
There's a BIG difference. One group was a bunch of unimaginative, unethical, thieving liars and cowards. The other group wasn't made up of bank executives.
^ Fixed.
Parent
Re:$9 Million? (Score:4, Funny)
Parent
Its the NEW STIMULUS PACKAGE!!! (Score:3, Funny)
This doesn't sound right (Score:4, Insightful)
The article says over $9,000,000 was stolen using only 100 cards in 49 cities in a 30 minute period. That, boys and girls, is $90,000 per card. The article says the limits on the cards were overridden, using them to make withdrawals in multiple increments of $500 or so. $90,000 / $500 is 180 withdrawals in a 30 minute period, or 6 withdrawals per minute.
This article doesn't pass the basic sniff test. It reeks of either disinformation or seriously bad math.
Re:This doesn't sound right (Score:5, Insightful)
The article says over $9,000,000 was stolen using only 100 cards in 49 cities in a 30 minute period. That, boys and girls, is $90,000 per card. The article says the limits on the cards were overridden, using them to make withdrawals in multiple increments of $500 or so. $90,000 / $500 is 180 withdrawals in a 30 minute period, or 6 withdrawals per minute.
This article doesn't pass the basic sniff test. It reeks of either disinformation or seriously bad math.
Yes, but it doesn't say how many copies of each card they made.
Parent
Re:This doesn't sound right (Score:5, Insightful)
Let's look at it another way.
$9MM / ($500 / transaction) / 130 ATMs / 30 min = ~4.6 transactions/ATM/min
Still seems rather high. I suppose I've never timed it, but it always feels like it takes more than 13 seconds to get my money at an ATM...
Parent
Re:This doesn't sound right (Score:4, Funny)
iTowelie
Parent
Not quite... (Score:3, Informative)
Here is the amazing part: With these cashers ready to do their dirty work around the world, the hacker somehow had the ability to lift those limits we all have on our ATM cards. For example, I'm only allowed to take out $500 a day, but the cashers were able to cash once, twice, three times over and over again. When it was all over, they only used 100 cards but they ripped off $9 million.
Article DOES NOT say what their per-withdrawal limit was.
What if DOES SAY is that they were able to withdraw money multiple times, with the daily sum being over $500.
It also says that the writer of the article has a daily limit of $500 but that is besides the point.
Need new friends (Score:3, Funny)
I need more friends willing to say "Here's this ATM card. At midnight tonight, make as many $500 withdrawals as you can in 30 minutes and put them onto this card. You get to keep half of what's on the card."
Where do you find friends like that?
/humor
Re:This doesn't sound right (Score:5, Funny)
Here we have $9,000,000 listed as the retail value of the loss, the actual paper money they got is nearly worthless, because ATMs only issue "bank notes", nothing more.
Parent
Re:This doesn't sound right (Score:5, Funny)
Parent
This looks like a job for... (Score:3, Interesting)
Since the M in ATM stands for Machine, saying ATM Machine is redundant.
And his sidekick. . . (Score:5, Funny)
Redundant Boy!
Also, since the N in PIN stands for Number, saying PIN number is redundant. TFA didn't make this mistake, but since they go together so often I though I'd point it out for completeness.
One time I heard a friend say "I want to get some cash out of the ATM Machine, but I can't remember my PIN Number."
He's dead now.
Parent
Holy Bonus Batman! (Score:5, Funny)
That's almost as much as John Thain (of Merrill Lynch) thought he should get for securing the bailout funds!
Re:Holy Bonus Batman! (Score:5, Insightful)
This is such an insightful comment.
I believe that banking institutions are more dangerous to our liberties than standing armies. — Thomas Jefferson
and I still had mod points just yesterday...
Parent
I wonder (Score:5, Funny)
Did they hack the ATM machines after stealing the PIN numbers?
I have to go work in some CSS style sheets for a web site that links ISBN numbers to UPC codes. I hope they don't make me redundant.
ATM Machines? (Score:5, Funny)
I wonder what the PIN Number was that they all used in those ATM Machines. Maybe they used a custom PCB Board to prototype the hack. Then they downloaded the plans onto a CD Disc. I'll bet they literally died after they got away with all the cash.
Anyways, I could care less.
RBS (Royal Bank of Scotland) (Score:5, Interesting)
So if you use Worldpay on your website, I would get shot of it sharpish. They are the kind of outfit that will have multiple holes in their security. (I used to use their payment processor back in 2002.)
130 ATMs? (Score:4, Interesting)
Hang on a second: That works out to over $69000 per ATM. Do they really have that much cash loaded in each one? I'd be surprised if that's true.
Funniest ATM theft I've heard of (Score:5, Interesting)
The funniest ATM theft I've heard of took place in Saskatchewan, Canada. This took place on a long weekend in a sleepy little rural town.
4:00 AM sees our thieves breaking into the local gravel contractor. After breaking through the gate they steal a gravel truck and an oxy-acetelene torch. Next stop is the post treating plant about 1/2 mile (1 km) down the highway. They steal a loader. This is what is used to load poles and posts onto semi-trailors.
By now its about 4:15 or so. Did they make noise? Well - a diesel truck and 350 HP diesel loader will make some noise I suppose. It woke some of the locals up.
Around the corner from the bank about one (1) block away is the local police station which is manned 24x7. The police are at their desks thinking the gravel contractor must be getting an early start this morning.
So the thieves drive the loader over to the bank. The reach in through the roof totally demolishing the building and grab the ATM which is firmly bolted to the concrete floor and footings. Seems the concrete wasn't much of a match for the 350 HP loader because the ATM was cleanly plucked through the gapping hole and dropped into the back of the dump truck.
By now the cops were heading for their cars thinking there must have been a big accident on Main Street.
Our thieves meanwhile shut off the loader and hopped into the dump truck and took off.
A few miles south of town they stopped at an abandoned farm yard and took their time with the oxy-acetelene torch and chopped the ATM apart.
Having done this they took the money and casually left the scene of the crime. So far no one has been caught! So far apparently these thieves are keeping their mouths closed. Apparently there are no leads.
The best part of this story is the locals still laugh about their bank robbery! When you live in a sleepy Saskatchewan rural town then once in a while a little excitement spices up an otherwise dreary life.
Re: (Score:3, Informative)
There is a bank of some sort backing the debit card, but it's not necessarily a traditional bank.
This is very common with large employers of low-income people, because a significant percentage of their employees don't have a proper bank account.
It's really very similar to the employer opening a checking account for the employee but not providing the ability to write checks or do deposits.
The employees are issued a card, which they continue to use for the duration of their employment. Every payday, additiona
Re:Inquiring minds want to know (Score:4, Insightful)
Did he hack the bank across state lines from his home?
That's not a requirement for a federal crime in the US; theft from any federally insured bank (which is almost all of them) is a U.S. federal crime, even if the crime occurred in only one state and even if the bank operates under a state charter.
Parent
How about... Hacking the ATM from the ATM? (Score:5, Interesting)
May I be so bold to suggest that there was no actual "hacking" taking place at all?
By "hacking" I mean the stuff that movies and TV tells us that hacking looks like.
A bespectacled nerd in his teens or early twenties, furiously typing something at his green and black screen filled with lines upon lines of scrolling text, uttering "Come on... come on..." until he suddenly "hacks the Gibson" and a welcome screen appears, upon which he jumps up yelling "YES! I AM INVINCIBLE!".
TFA tells us the following:
Here is the amazing part: With these cashers ready to do their dirty work around the world, the hacker somehow had the ability to lift those limits we all have on our ATM cards. For example, I'm only allowed to take out $500 a day, but the cashers were able to cash once, twice, three times over and over again. When it was all over, they only used 100 cards but they ripped off $9 million.
- known limit - $500
- 100 ATMcards used
- $9 million gone
That comes out to about 90k per card, right?
Does anyone remember that little issue with Tranax ATMs from couple of years ago? [hackedgadgets.com]
It smells to me that something similar happened here. Someone leaving the ADMIN pass at 55555555 or 12345678.
There was probably no need for hacking cards - they probably left the same limit.
Instead, he/she/or it - just changed the codes for banknotes inside the machine.
So... you just tell the ATM that its 100s are 5s - and then repeatedly ask for 5s.
$500 limit coughs up ~$100.000 +/- couple of earlier withdrawals that already left the machine a few 100s short.
In other words - about $90.000 per card.
The beauty of it?
Those suspects in the photos may be regular Joes and Janes who came later, found the machine giving 100s for 5s - and got caught on camera.
Parent
The crime might not be theft ... (Score:4, Interesting)
Anyone hoping to pocket a percentage of $9,000,000 by giving a bunch of passwords to a bunch of people you don't know, and then assuming you won't get grassed out to the cops is likely making a major mistake.
If the criminal is smart, a better strategy might be to "give" the information away to the right group of people. This might give someone a smug sense of "revenge" against a former employer. Someone could short the stock in the stock market, or the theft could cover up some insider funny business. The initial criminal act may be different than what it appears.
Alternatively, the actual "inside" mastermind may actually be a victim too. Maybe someone conned an insider for information, or access to a laptop, and just sold the information. Maybe someone got hold of the backup tapes. This might actually a fairly low-value theft for the original criminal.
Parent