Flash Mob Steals $9 Million From ATMs 232
Mike writes "A global flash mob of ATM thieves netted $9 million in fraud against ATMs in 49 cities around the world. The computer system for a company called RBS WorldPay was hacked. One service of the company is the ability for employers to pay employees with the money going directly to a debit card that can be used in any ATM. The hacker was able to infiltrate the supposedly secure system and steal the information necessary to duplicate or clone people's ATM cards. Shortly after midnight Eastern Time on November 8, the FBI believes that dozens of the so-called cashers were used in a coordinated attack on ATMs around the world. Over 130 different ATMs in 49 cities worldwide were accessed in a 30-minute period on November 8. 'We've never seen one this well coordinated,' the FBI said. So far, the FBI has no suspects and has made no arrests (PDF) in this scam."
Re:cough (Score:3, Interesting)
Re:How's this a flash mob? (Score:5, Interesting)
I thought flash mobs are groups of people in the same place at the same time. Not all over the world?
By the name, I suppose a flash mob suggests a mob of people doing something 'in a flash' (in a short period of time).
A mob doesn't necessarily have to be in the same spot, at least it doesn't have to be the way I understand it.
Perhaps in the past a mob would have to be in the same location, but due to the way the world is all interlinked nowadays someone can affect something on the otherside of the world, meaning the world has gotten a lot 'smaller' as such.
Re:How's this a flash mob? (Score:3, Interesting)
You're are right. And they make some people nervous. So not TPTB are working to associate flash mobs with crime so they can make them illegal.
This looks like a job for... (Score:3, Interesting)
Since the M in ATM stands for Machine, saying ATM Machine is redundant.
Re:And the money went where? (Score:5, Interesting)
It was probably structured like a lot of the stolen credit-card number sites: a high-reputation user announces an opportunity, then many other users pay up-front to participate. At the given time, the critical info is released to all, and it's then every man for himself trying to grab as much money as possible.
Comment removed (Score:4, Interesting)
Re:And the money went where? (Score:5, Interesting)
Two excellent analogies. I've been looking at corporations (in the broad sense) for 30 years, and it took me a long time to realize that you might as well ignore what people say about how they organize, and just look at what the organization actually is. That tells you almost everything you need to know.
RBS (Royal Bank of Scotland) (Score:5, Interesting)
So if you use Worldpay on your website, I would get shot of it sharpish. They are the kind of outfit that will have multiple holes in their security. (I used to use their payment processor back in 2002.)
Re:Looking at their photos... (Score:5, Interesting)
Re:Inside job (Score:2, Interesting)
Interesting question.. I would guess the cameras got pictures of them, but they haven't been caught yet. I guess it's possible the participants were far from home, got pretty far within a few days, and didn't look suspicious to any law enforcement.
It's probable they'll eventually get caught in that case, as facial recognition technology becomes more widespread, they may be identified automatically in 3 or 4 years, when they eventually pass through a public place that's closely monitored
The world is a big place and it can take a long time to capture someone based on a picture from an ATM camera.
Or maybe they had scoped out in advance where there were ATMs not very effectively monitored by cameras, and taken measures to prevent a camera from definitively identifying them in any way.
There are more than a few possibilities of ways information from cameras alone might not be useful.
Re:Directly to a debit card? (Score:3, Interesting)
I got one so I could make sure my wife had some spare cash around... dropped it after a while though, as they charged 12% of all deposits and 7.5% of all withdrawls - it's about the most expensive way of handling money there is (and that was the cheapest one available).
130 ATMs? (Score:4, Interesting)
Hang on a second: That works out to over $69000 per ATM. Do they really have that much cash loaded in each one? I'd be surprised if that's true.
Re:Looking at their photos... (Score:4, Interesting)
You sound like someone who's never spent any time in jail.
Good for you. Strangely, though, most homeless people don't think of jail as a preferable housing opportunity. That's just one more of the sad Republican fantasies: that jail is such a great place to be. Fortunately for us, many of them have gotten to experience it first hand in the last several years, and with luck, many more will have that opportunity, including the doped-up fatso who coined the term "Club Gitmo".
Funniest ATM theft I've heard of (Score:5, Interesting)
The funniest ATM theft I've heard of took place in Saskatchewan, Canada. This took place on a long weekend in a sleepy little rural town.
4:00 AM sees our thieves breaking into the local gravel contractor. After breaking through the gate they steal a gravel truck and an oxy-acetelene torch. Next stop is the post treating plant about 1/2 mile (1 km) down the highway. They steal a loader. This is what is used to load poles and posts onto semi-trailors.
By now its about 4:15 or so. Did they make noise? Well - a diesel truck and 350 HP diesel loader will make some noise I suppose. It woke some of the locals up.
Around the corner from the bank about one (1) block away is the local police station which is manned 24x7. The police are at their desks thinking the gravel contractor must be getting an early start this morning.
So the thieves drive the loader over to the bank. The reach in through the roof totally demolishing the building and grab the ATM which is firmly bolted to the concrete floor and footings. Seems the concrete wasn't much of a match for the 350 HP loader because the ATM was cleanly plucked through the gapping hole and dropped into the back of the dump truck.
By now the cops were heading for their cars thinking there must have been a big accident on Main Street.
Our thieves meanwhile shut off the loader and hopped into the dump truck and took off.
A few miles south of town they stopped at an abandoned farm yard and took their time with the oxy-acetelene torch and chopped the ATM apart.
Having done this they took the money and casually left the scene of the crime. So far no one has been caught! So far apparently these thieves are keeping their mouths closed. Apparently there are no leads.
The best part of this story is the locals still laugh about their bank robbery! When you live in a sleepy Saskatchewan rural town then once in a while a little excitement spices up an otherwise dreary life.
Re:And the money went where? (Score:4, Interesting)
This honestly sounds more like terrorism than anything Bill O'Reilly spouts off about.
Think of it this way. Say you want to fund the Mumbai attacks ver. 2.0, but are short on cash. This sounds like a great plan straight from the terrorist handbook. All you need is a few willing or even unknowning smurfs and a decent hacker connection. How do you hide the four million dollars you just stole? Have people you don't know steal another five million on top of it. The FBI won't be inundated with false leads to chase, they'll be loaded with dozens of real suspects to chase down.
The article mentions the cards were cloned then cracked, so a lot of the math can go out the window. I wonder if any of the money was just wire transfered directly to the cards themselves, for later withdrawl or even use a a normal debit card? It doesn't say how much could be taken out at one time, only that there is normally a $500 dollar limit. Though it wouldn't surprise me to hear that the FBI is playing coy with the numbers. They've apparently been sitting on the story for three+ months.
This money will probably find its way back to the hands of the genuinely bad people of the world.
How about... Hacking the ATM from the ATM? (Score:5, Interesting)
May I be so bold to suggest that there was no actual "hacking" taking place at all?
By "hacking" I mean the stuff that movies and TV tells us that hacking looks like.
A bespectacled nerd in his teens or early twenties, furiously typing something at his green and black screen filled with lines upon lines of scrolling text, uttering "Come on... come on..." until he suddenly "hacks the Gibson" and a welcome screen appears, upon which he jumps up yelling "YES! I AM INVINCIBLE!".
TFA tells us the following:
Here is the amazing part: With these cashers ready to do their dirty work around the world, the hacker somehow had the ability to lift those limits we all have on our ATM cards. For example, I'm only allowed to take out $500 a day, but the cashers were able to cash once, twice, three times over and over again. When it was all over, they only used 100 cards but they ripped off $9 million.
- known limit - $500
- 100 ATMcards used
- $9 million gone
That comes out to about 90k per card, right?
Does anyone remember that little issue with Tranax ATMs from couple of years ago? [hackedgadgets.com]
It smells to me that something similar happened here. Someone leaving the ADMIN pass at 55555555 or 12345678.
There was probably no need for hacking cards - they probably left the same limit.
Instead, he/she/or it - just changed the codes for banknotes inside the machine.
So... you just tell the ATM that its 100s are 5s - and then repeatedly ask for 5s.
$500 limit coughs up ~$100.000 +/- couple of earlier withdrawals that already left the machine a few 100s short.
In other words - about $90.000 per card.
The beauty of it?
Those suspects in the photos may be regular Joes and Janes who came later, found the machine giving 100s for 5s - and got caught on camera.
The crime might not be theft ... (Score:4, Interesting)
Anyone hoping to pocket a percentage of $9,000,000 by giving a bunch of passwords to a bunch of people you don't know, and then assuming you won't get grassed out to the cops is likely making a major mistake.
If the criminal is smart, a better strategy might be to "give" the information away to the right group of people. This might give someone a smug sense of "revenge" against a former employer. Someone could short the stock in the stock market, or the theft could cover up some insider funny business. The initial criminal act may be different than what it appears.
Alternatively, the actual "inside" mastermind may actually be a victim too. Maybe someone conned an insider for information, or access to a laptop, and just sold the information. Maybe someone got hold of the backup tapes. This might actually a fairly low-value theft for the original criminal.
Bias in the Line up? (Score:2, Interesting)
Please arrest me.... (Score:1, Interesting)
I have lived where people have not much to lose. One day our neighbor took it upon himself to
protect his property from a fighting couple that hung around with a 45 caliber handgun. Of course
someone noticed that a man was firing a shiny handgun down the street in the middle of the afternoon
and the police came around shortly thereafter. when our neighbor calmed down (unfortunately he came over
to our house), he walked out with his hands up and gun in his belt.
When we visited him in jail, his attitude was nonchalant, he was taking a short break from
all of the usual crackheads in his life to a tightly controlled atmosphere he felt comfortable in.
He had OG status and nobody fucked with him.
The judge agreed with his right to defend his property, just not the way in which it
was conducted (cowboy style). He came put six months later completely unphased.
I am not saying I agree, I am just saying never assume...
Re:Looking at their photos... (Score:3, Interesting)
Where I grew up we had a homeless guy who threw a bottle through a window every year on the first snow. The judge put him in jail until the spring.
Re:Looking at their photos... (Score:3, Interesting)
Reminds me of a story a friend told me. Someone I knew from high school was hitchhiking across Canada, again... and in case you are not in the know, that's a long way.
Anyhow I have been told by those that do this that apparently there are places called "dead zones" that can really suck if you get caught in them. Usually remote rural communities, that if you get dropped off there they are really hard to get out of. Oh and it is also cold up here.
Anyway my friend, hit one of these dead zones and got stuck. He also had no money. I believe he tried to hit up his parents, but believe they had had a falling out, as they wouldn't wire him any money. Anyway they told him to go to the police and ask to stay the night in jail.
So he did. The police said no. This isn't a hotel. He then told me that he walked to a pay phone, and called the police saying "I have a brick in my hand and I am about to throw it through a shop window, if you wish to come arrest me I am located at X". He then waited for the police to show up, and they arrested him for a minor misdemeanor and threw him in jail for the night and sent him (with breakfast no less) on his way the next day.
Anyway I remembered hearing the story after reading the parent post.