Flash Mob Steals $9 Million From ATMs 232
Mike writes "A global flash mob of ATM thieves netted $9 million in fraud against ATMs in 49 cities around the world. The computer system for a company called RBS WorldPay was hacked. One service of the company is the ability for employers to pay employees with the money going directly to a debit card that can be used in any ATM. The hacker was able to infiltrate the supposedly secure system and steal the information necessary to duplicate or clone people's ATM cards. Shortly after midnight Eastern Time on November 8, the FBI believes that dozens of the so-called cashers were used in a coordinated attack on ATMs around the world. Over 130 different ATMs in 49 cities worldwide were accessed in a 30-minute period on November 8. 'We've never seen one this well coordinated,' the FBI said. So far, the FBI has no suspects and has made no arrests (PDF) in this scam."
Re:How's this a flash mob? (Score:3, Informative)
Not quite... (Score:3, Informative)
Here is the amazing part: With these cashers ready to do their dirty work around the world, the hacker somehow had the ability to lift those limits we all have on our ATM cards. For example, I'm only allowed to take out $500 a day, but the cashers were able to cash once, twice, three times over and over again. When it was all over, they only used 100 cards but they ripped off $9 million.
Article DOES NOT say what their per-withdrawal limit was.
What if DOES SAY is that they were able to withdraw money multiple times, with the daily sum being over $500.
It also says that the writer of the article has a daily limit of $500 but that is besides the point.
How is it a mob at all? (Score:1, Informative)
mobâ
noun, adjective, verb, mobbed, mobâ...bing.
â"noun
1. a disorderly or riotous crowd of people.
2. a crowd bent on or engaged in lawless violence.
3. any group or collection of persons or things.
4. the common people; the masses; populace or multitude.
5. a criminal gang, esp. one involved in drug trafficking, extortion, etc.
______
I don't see a crowd here.
Re:And the money went where? (Score:5, Informative)
I went and RTFA. Given 130+ ATMs in 50 cities, definitely looks like the sell-it model, not a massive criminal organization: very high fan-out (50 cities) and low leaf count (about 3 ATMs per second level node.) That shape is never seen in ongoing organized businesses - they should have a much more uniform hierarchical structure (e.g. 50 cities = 2500 ATMs.)
Re:Directly to a debit card? (Score:3, Informative)
There is a bank of some sort backing the debit card, but it's not necessarily a traditional bank.
This is very common with large employers of low-income people, because a significant percentage of their employees don't have a proper bank account.
It's really very similar to the employer opening a checking account for the employee but not providing the ability to write checks or do deposits.
The employees are issued a card, which they continue to use for the duration of their employment. Every payday, additional funds are available on the card. Sometimes it's strictly an ATM card, but I think it's often a dual-usage card, co-branded Visa or MasterCard and one of the debit networks.
The advantage to the employer is the same as direct deposit - lower costs of pay distribution.
The advantage to the employee is they don't typically have any cost to get at their pay. (Contrast this with taking a paper check to a check-cashing store.)
Re:This doesn't sound right (Score:3, Informative)
Depends on the machine I guess, some can be pretty quick, but it still is quite a lot.
But whats with the $500 marker? Around here max is 9900 DKR = $2000 per transaction. Then we are talking 1 transaction a minute..
Lying liars (Score:2, Informative)
I've never used RBS Worldpay, but was notified several weeks ago that my financial records for the past 20 years, as well as SSN, were compromised.
What's incredibly distressing is that RBS Worldpay (part of Citizens Financial Group) shares data with other affiliates. I just have a basic checking account in one of their banks, that's it--no credit cards, no gift cards, no payroll cards.
However, they didn't go public with the news or notify any customers until the day before Xmas eve in December 2008: http://news.prnewswire.com/ViewContent.aspx?ACCT=109&STORY=/www/story/12-23-2008/0004946566&EDATE= [prnewswire.com]
Even more distressing was that when I called them during the first week of January to get information on why my data was exposed even though I don't use RBS Worldpay services, I was told it was just them being careful and 20-30 cards were the sum total of illicitly accessed information to date--clearly a lie.
And it gets even worse--the compromise was identified and recognized by them in June/July 2008!
In other words, they didn't give a shit about exposing their customer data until they lost some large money.
Re:Looking at their photos... (Score:2, Informative)
I've spent some time in jail and I agree....it's not fun. Definitely not a vacation. Also, when your in "jail", you are scared as shit because you don't know what's going to happen to you. You are still in the process of being arraigned, charged, and sentenced. "Jail" is not like the scenes you see on TV and movies of a bunch of laid back criminals playing cards and swapping cigarettes - it's shitting in a tin can with 20 other drunks and wifebeaters.
On the other hand, I have a relative in "prison", he's doing 2 years. It doesn't sound horrible. He's made friends, gets to exercise, and has alot of structure(which he needs).
Not arguing with the poster above, just pointing out that when they say jail is a vacation...maybe they are referring to prison, which isn't nearly as bad as jail. With the exception of things like maximum security, where you are kept in a cage alone for 23 hours a day.
Re:130 ATMs? (Score:3, Informative)
AFAIK UK ATM's have about £250,000 in the big ones in branches. This is one reason banks want to reduce the number of them or charge for them. They lose a wodge of interest on the cash sitting in the machines.
No need to lose money on it. I built a cash-tracking system years ago for a big grocery store chain. Across a thousand large grocery stores there is tens of millions of dollars sitting in safes and cash drawers. The main reasons for the tracking system were to reduce shrinkage and to enable just-in-time inventory management (large stores, especially those that cash checks, treat cash as an orderable inventory item). Even without those issues, however, the chain figured they'd more than pay for the cost of the system by "investing" all that cash.
The way the scheme worked was that the inventory system provided accountants in the home office with a near real-time report on the quantity of cash in the stores. They then used those reports to prove to an investment bank that they had $XX million in liquid assets on hand. The bank loaned them money at a low interest rate (since the loan was guaranteed by on-hand liquid assets), which they invested.
I find it hard to believe that *banks* can't manage to do something similar. They know exactly how much money is in each of those ATMs.