Forgot your password?
typodupeerror
Security The Almighty Buck News

Flash Mob Steals $9 Million From ATMs 232

Posted by Soulskill
from the viral-ad-for-ocean's-one-hundred-thirty dept.
Mike writes "A global flash mob of ATM thieves netted $9 million in fraud against ATMs in 49 cities around the world. The computer system for a company called RBS WorldPay was hacked. One service of the company is the ability for employers to pay employees with the money going directly to a debit card that can be used in any ATM. The hacker was able to infiltrate the supposedly secure system and steal the information necessary to duplicate or clone people's ATM cards. Shortly after midnight Eastern Time on November 8, the FBI believes that dozens of the so-called cashers were used in a coordinated attack on ATMs around the world. Over 130 different ATMs in 49 cities worldwide were accessed in a 30-minute period on November 8. 'We've never seen one this well coordinated,' the FBI said. So far, the FBI has no suspects and has made no arrests (PDF) in this scam."
This discussion has been archived. No new comments can be posted.

Flash Mob Steals $9 Million From ATMs

Comments Filter:
  • cough (Score:5, Funny)

    by easyTree (1042254) on Saturday February 07, 2009 @02:23PM (#26765319)

    in other news a flash mob recovered all the rights that have been stolen from the people by their governments over the last few years

  • by Hieronymus.N (865735) on Saturday February 07, 2009 @02:24PM (#26765327) Homepage
    So, were they on the honor system to funnel the cash back to the 'hacker'? Or was this like winning the lottery?
    • by Gorobei (127755) on Saturday February 07, 2009 @03:00PM (#26765691)

      It was probably structured like a lot of the stolen credit-card number sites: a high-reputation user announces an opportunity, then many other users pay up-front to participate. At the given time, the critical info is released to all, and it's then every man for himself trying to grab as much money as possible.

      • by Gorobei (127755) on Saturday February 07, 2009 @03:15PM (#26765811)

        I went and RTFA. Given 130+ ATMs in 50 cities, definitely looks like the sell-it model, not a massive criminal organization: very high fan-out (50 cities) and low leaf count (about 3 ATMs per second level node.) That shape is never seen in ongoing organized businesses - they should have a much more uniform hierarchical structure (e.g. 50 cities = 2500 ATMs.)

        • by beckerist (985855) on Saturday February 07, 2009 @04:02PM (#26766245) Homepage
          Agreed. This sounds more like the structure of Al-Qaeda or one of those "buy my book that shows you how to sell your own 'how to sell your own book' book!" than any sort of corporate or open scheme.
          • by Gorobei (127755) on Saturday February 07, 2009 @04:15PM (#26766329)

            Two excellent analogies. I've been looking at corporations (in the broad sense) for 30 years, and it took me a long time to realize that you might as well ignore what people say about how they organize, and just look at what the organization actually is. That tells you almost everything you need to know.

          • by Darth_brooks (180756) * <clipper377.gmail@com> on Saturday February 07, 2009 @07:25PM (#26767695) Homepage

            This honestly sounds more like terrorism than anything Bill O'Reilly spouts off about.

            Think of it this way. Say you want to fund the Mumbai attacks ver. 2.0, but are short on cash. This sounds like a great plan straight from the terrorist handbook. All you need is a few willing or even unknowning smurfs and a decent hacker connection. How do you hide the four million dollars you just stole? Have people you don't know steal another five million on top of it. The FBI won't be inundated with false leads to chase, they'll be loaded with dozens of real suspects to chase down.

            The article mentions the cards were cloned then cracked, so a lot of the math can go out the window. I wonder if any of the money was just wire transfered directly to the cards themselves, for later withdrawl or even use a a normal debit card? It doesn't say how much could be taken out at one time, only that there is normally a $500 dollar limit. Though it wouldn't surprise me to hear that the FBI is playing coy with the numbers. They've apparently been sitting on the story for three+ months.

            This money will probably find its way back to the hands of the genuinely bad people of the world.

    • by denzacar (181829) on Saturday February 07, 2009 @03:01PM (#26765717) Journal

      They don't look like someone who just won a lottery to me.

      They look more like homeless people.
      Which brings up the question - why aren't there more homeless people robbing banks out there?

      I mean... they are in a clear advantage.
      They are invisible AND they have nothing to lose.
      Worst case scenario - they get sent to a jail. HA!
      3 meals a day, clothing, housing and health-care at the cost of the society.

      • Re: (Score:3, Insightful)

        by Anonymous Coward

        It's okay. Many homeless are mentally ill, possibly from the PTSD they got from Vietnam. They got so screwed up in our nation's defense that they couldn't come up with such an elaborate scheme. So we really have nothing to worry about! All is as it should be in America.

      • Homeless do rob banks. When I was on vacation in Hawaii few years back, I remember reading in local paper that a homeless person robbed a bank (lot of homeless there). Of course they were caught jsut like about everyone else.
        • by PopeRatzo (965947) *

          Of course they were caught jsut like about everyone else.(sic)

          Bank robbery is one of the major crimes with the fewest perpetrators caught. It's a well-kept secret but nowhere near "jsut about every" bankrobber gets caught.

          • Re: (Score:3, Insightful)

            by AK Marc (707885)
            It's a well-kept secret but nowhere near "jsut about every" bankrobber gets caught.

            They get caught in Alaska, and I'd imagine in Hawaii too.
      • by c6gunner (950153)

        Which brings up the question - why aren't there more homeless people robbing banks out there?

        Because robbing banks requires at least a modicum of ability, some organizational skill, and a bit of motivation. If you've got all of the above, you're unlikely to be homeless in the first place.

        • by brusk (135896)

          A getaway car helps too.

        • by Guido von Guido (548827) on Saturday February 07, 2009 @05:14PM (#26766797)

          Which brings up the question - why aren't there more homeless people robbing banks out there?

          Because robbing banks requires at least a modicum of ability, some organizational skill, and a bit of motivation. If you've got all of the above, you're unlikely to be homeless in the first place.

          Gotta disagree. Homelessness doesn't correlate well with a lack of ability or organizational skill, or even lack of motivation. It does, however, correlate well with heavy addiction and mental illness, both of which make it pretty damn hard to use one's ability or organizational skills.

          • by PopeRatzo (965947) *

            It does, however, correlate well with heavy addiction and mental illness

            Did it ever occur to you that it's possible that being homeless contributes to one's becoming an addict or mentally ill? Correlation doesn't indicate causation, you know.

            I have met more than one homeless person who was not addicted or mentally ill, but certainly at risk for becoming so as long as they stayed on the street. Funny, I started volunteering at a local shelter, where I raised the money to set up a tiny computer lab (since l

      • by jschen (1249578) on Saturday February 07, 2009 @04:40PM (#26766557)
        Reminds me of a news story where someone held up a bank for $20, then waited for the police and turned himself in. In court, he asked to be put in prison until the end of the year in order to save money. In the news article I read, the judge said something to the effect of "It's not the best financial planning, but at least there's a plan."
        • by PopeRatzo (965947) *

          Reminds me of a news story...

          Sounds like a Snopes candidate to me.

        • Re: (Score:3, Interesting)

          by DarthVain (724186)

          Reminds me of a story a friend told me. Someone I knew from high school was hitchhiking across Canada, again... and in case you are not in the know, that's a long way.

          Anyhow I have been told by those that do this that apparently there are places called "dead zones" that can really suck if you get caught in them. Usually remote rural communities, that if you get dropped off there they are really hard to get out of. Oh and it is also cold up here.

          Anyway my friend, hit one of these dead zones and got stuck. He

      • by PopeRatzo (965947) * on Saturday February 07, 2009 @06:09PM (#26767123) Homepage Journal

        3 meals a day, clothing, housing and health-care at the cost of the society.

        You sound like someone who's never spent any time in jail.

        Good for you. Strangely, though, most homeless people don't think of jail as a preferable housing opportunity. That's just one more of the sad Republican fantasies: that jail is such a great place to be. Fortunately for us, many of them have gotten to experience it first hand in the last several years, and with luck, many more will have that opportunity, including the doped-up fatso who coined the term "Club Gitmo".

        • Re: (Score:3, Interesting)

          by crossmr (957846)

          Where I grew up we had a homeless guy who threw a bottle through a window every year on the first snow. The judge put him in jail until the spring.

      • It is hard for homeless people to maintain the basic equipment for bank robbing. Even if they somehow get their hands on a gun, getting ammo can be hard.

        Even more importantly, a vast number of the homeless are suffering from mental illness in moderate to large degrees. Other than people made homeless temporarily by circumstance (forclosure, etc) who are largely only homeless for short (months at a time) periods and never reach a "rob a bank" level of desperation (they have hope that they can get back on the

  • by Fumus (1258966) on Saturday February 07, 2009 @02:25PM (#26765345)
    I thought flash mobs are groups of people in the same place at the same time. Not all over the world?
    • by bluesatin (1350681) on Saturday February 07, 2009 @02:34PM (#26765425)

      I thought flash mobs are groups of people in the same place at the same time. Not all over the world?

      By the name, I suppose a flash mob suggests a mob of people doing something 'in a flash' (in a short period of time).

      A mob doesn't necessarily have to be in the same spot, at least it doesn't have to be the way I understand it.

      Perhaps in the past a mob would have to be in the same location, but due to the way the world is all interlinked nowadays someone can affect something on the otherside of the world, meaning the world has gotten a lot 'smaller' as such.

      • A flash mob is a phenomenon where people hear about something happening somewhere in the world (either through the "grapevine" or on the news) and all decide to use teleport booths to go there all at the same time. The mob "flashes' into existence and the people can and do often join in on any chaos, causing simple situations to often escalate into full blown riots in the space of a few minutes. Luckily, police recently figured out that they could redirect the teleportation booths into a riot control center

    • Re: (Score:3, Insightful)

      by Anonymous Coward

      The world is a single place, it just depends what kind of scale you're on.

    • Re: (Score:3, Informative)

      by Saroset (1383483)
    • by $RANDOMLUSER (804576) on Saturday February 07, 2009 @02:41PM (#26765489)
      They were all in the same place at the same time - cyberspace, Nov 8, 05:00 UTC.
    • Re: (Score:3, Interesting)

      by naoursla (99850)

      You're are right. And they make some people nervous. So not TPTB are working to associate flash mobs with crime so they can make them illegal.

    • Re: (Score:3, Insightful)

      by isaac (2852)

      I believe this is the flash mafia, not a flash mob.

      -Isaac

    • by timeOday (582209) on Saturday February 07, 2009 @05:09PM (#26766753)
      $9M in 49 cities around the world without a trace, but the joke's on them, because we know it wasn't a real flash mob. And isn't that really what matters?
    • by FooGoo (98336)

      The mob converged on the ATM network at roughly the same time. The place does not need to be a physical location.

    • Re: (Score:3, Insightful)

      by Vexar (664860)
      This is just the bumbling FBI coming up with terminology that doesn't fit so they can demonize Flash Mobs in the future and point back to this incident. Honestly, this "we've never seen this kind of organization before" chatter is just a bureaucrat's way of sounding less like a fool to the management than usual. Earlier assessments that this was "pay to prey" sounds about right. No leads, huh? Sounds like RBS (Royal Bank of Scotland, right?) is completely naive. If they had the right information securi
  • $9 Million? (Score:4, Insightful)

    by Anonymous Coward on Saturday February 07, 2009 @02:29PM (#26765381)

    $9 Million stolen from a bank? Peanuts compared to the next $900 Billion the banks are stealing back again - a hundred thousand times more.... I can't even get to grips with that scale of money....

    • Re:$9 Million? (Score:5, Insightful)

      by Samschnooks (1415697) on Saturday February 07, 2009 @02:48PM (#26765571)

      $9 Million stolen from a bank? Peanuts compared to the next $900 Billion the banks are stealing back again - a hundred thousand times more.... I can't even get to grips with that scale of money....

      There's a BIG difference. One group was a bunch of unimaginative, unethical, thieving liars and cowards. The other group had the imagination to do something and take advantage of a weak poorly designed system that gets the guys with the badges and guns after you.

      It takes a REAL criminal mind to lobby the regulatory agencies and Congress with dirty money to make your thieving legal. And it's really a piece of work when those lying thieves walk away with tens of millions of dollars in bonuses for cheating.

      • by neotritium (1009889) on Saturday February 07, 2009 @03:35PM (#26766007)

        There's a BIG difference. One group was a bunch of unimaginative, unethical, thieving liars and cowards. The other group wasn't made up of bank executives.

        ^ Fixed.

    • by bremstrong (523910) on Saturday February 07, 2009 @03:20PM (#26765873)
      Right, $9M is nothing. These guys need to recruit some Chief Ponzi Officers from the Wall St. banks.
    • by Miseph (979059)

      It's not theft, it's enslavement.

      My parents' generation just enslaved mine to the Chinese for several trillion dollars rather than face the prospect that they might have royally fucked themselves in their attempts to extract money from nothing.

      The only way this kind of financial planning makes any sense is if you plan on being dead before the bills come due.

      • My parents' generation just enslaved mine to the Chinese for several trillion dollars rather than face the prospect that they might have royally fucked themselves in their attempts to extract money from nothing.

        You just don't understand zero-point economics! We can extract money from the false vaccum!

    • by symbolic (11752)

      And the $18 BILLION stolen by CEOs of said banks.

    • by jonbryce (703250)

      And saying as Royal Bank of Scotland has been nationalised after going bust, it is my tax payer pounds that will be paying for this.

  • by Bob_Who (926234) <Bob AT who DOT net> on Saturday February 07, 2009 @02:34PM (#26765423) Homepage Journal
    Gee, I guess we can rule out any foul play from the bankers. We can trust their integrity.
  • by chill (34294) on Saturday February 07, 2009 @02:36PM (#26765457) Journal

    The article says over $9,000,000 was stolen using only 100 cards in 49 cities in a 30 minute period. That, boys and girls, is $90,000 per card. The article says the limits on the cards were overridden, using them to make withdrawals in multiple increments of $500 or so. $90,000 / $500 is 180 withdrawals in a 30 minute period, or 6 withdrawals per minute.

    This article doesn't pass the basic sniff test. It reeks of either disinformation or seriously bad math.

    • by caspper69 (548511) on Saturday February 07, 2009 @02:41PM (#26765487)

      The article says over $9,000,000 was stolen using only 100 cards in 49 cities in a 30 minute period. That, boys and girls, is $90,000 per card. The article says the limits on the cards were overridden, using them to make withdrawals in multiple increments of $500 or so. $90,000 / $500 is 180 withdrawals in a 30 minute period, or 6 withdrawals per minute.

      This article doesn't pass the basic sniff test. It reeks of either disinformation or seriously bad math.

      Yes, but it doesn't say how many copies of each card they made.

      • by Anonymous Coward on Saturday February 07, 2009 @03:00PM (#26765695)

        Let's look at it another way.

        $9MM / ($500 / transaction) / 130 ATMs / 30 min = ~4.6 transactions/ATM/min

        Still seems rather high. I suppose I've never timed it, but it always feels like it takes more than 13 seconds to get my money at an ATM...

        • Re: (Score:3, Informative)

          by Splab (574204)

          Depends on the machine I guess, some can be pretty quick, but it still is quite a lot.

          But whats with the $500 marker? Around here max is 9900 DKR = $2000 per transaction. Then we are talking 1 transaction a minute..

        • by iTowelie (1118013) on Saturday February 07, 2009 @05:07PM (#26766735)
          My fastest time is 17 seconds from the time the card goes in until the card comes out. That includes entering my PIN, selecting chequeing/withdrawal, amount of money, dispense money, give me back my card. Not all ATMs will give me that time due to different menus/longer authentication times etc. Don't ask me why I would time something so stupid in my day to day life, but I pride myself at quick withdrawals. Wait a minute...

          iTowelie
        • by guruevi (827432)

          Depends on where you're at. In Europe it's not uncommon to be able to get your cash out in less than 15 seconds. Put your card in, select how much you want, pin and you get it right away. Here in the US for some or another reason it seems like all ATM's still need to dial in on 56k after you typed in your pin. It's also not uncommon to be able to get more than $500/atm. I've been able to get 2000 out of ATM's before.

        • by jandrese (485)
          It doesn't seem impossible if they're at ATMs that ask you "another transaction?" after you finish one, so you don't have to swipe and enter your PIN again. Presumably they're hitting ATMs that are stocked with 100s so it doesn't spend precious minutes counting out 20s. Plus, after you do it a couple of times you'll have the button presses down pretty quick, and it's not like these guys were going to read every screen.

          I only wish the people ahead of me at the ATM were this fast. It always seems like th
    • Not quite... (Score:3, Informative)

      by denzacar (181829)

      Here is the amazing part: With these cashers ready to do their dirty work around the world, the hacker somehow had the ability to lift those limits we all have on our ATM cards. For example, I'm only allowed to take out $500 a day, but the cashers were able to cash once, twice, three times over and over again. When it was all over, they only used 100 cards but they ripped off $9 million.

      Article DOES NOT say what their per-withdrawal limit was.
      What if DOES SAY is that they were able to withdraw money multiple times, with the daily sum being over $500.

      It also says that the writer of the article has a daily limit of $500 but that is besides the point.

    • I need more friends willing to say "Here's this ATM card. At midnight tonight, make as many $500 withdrawals as you can in 30 minutes and put them onto this card. You get to keep half of what's on the card."

      Where do you find friends like that?
      /humor

      • by Lumpy (12016)

        The same friends that get you a 52" plasma TV that "fell off a truck" for $100.00.. he has 20 that fell of that truck.

        If you lived in chicago I'd introduce you to a few if you're worthy.

        P.S. if you talk too much, you dont just lose your card in the club.....

        I hear that in NY there are these kinds of "friends" as well. not that I know any myself. I just heard of them. you know?

    • by NotQuiteReal (608241) on Saturday February 07, 2009 @02:59PM (#26765683) Journal
      Maybe it is like the "street value" quoted in a drug bust, or like an RIAA accounting for music "theft".

      Here we have $9,000,000 listed as the retail value of the loss, the actual paper money they got is nearly worthless, because ATMs only issue "bank notes", nothing more.
      • by iknowcss (937215)
        I've always wondered what the street value of a $100 federal reserve note was ...
      • That's actually a very interesting point. With fractional reserve lending, the monetary system we currently use, an original $1,000 deposit into a bank balloons into [chrismartenson.com] $10,000 of real money. So they theoretically _could_ use the RIAA tactic as a $9M potential is essentially removed with the withdrawal of $900,000.

        Going back to the OP, that would mean 18 withdrawals per card over a 30-minute period, or just under two minutes per transaction. We are now in the domain of the eminently plausible.

    • by jschen (1249578)
      That's $90,000 average per card! How did they find accounts where people are keeping that much cash in an account with a debit/ATM card? Or did the hack go to the extent of even allowing withdrawals once accounts went to zero?
  • by FFCecil (623749) on Saturday February 07, 2009 @02:46PM (#26765553)
    Obvious Man! [joshreads.com]

    Since the M in ATM stands for Machine, saying ATM Machine is redundant.
  • by Overzeetop (214511) on Saturday February 07, 2009 @02:49PM (#26765577) Journal

    That's almost as much as John Thain (of Merrill Lynch) thought he should get for securing the bailout funds!

  • I wonder (Score:5, Funny)

    by hibiki_r (649814) on Saturday February 07, 2009 @03:26PM (#26765933)

    Did they hack the ATM machines after stealing the PIN numbers?

    I have to go work in some CSS style sheets for a web site that links ISBN numbers to UPC codes. I hope they don't make me redundant.

  • by JerkBoB (7130) on Saturday February 07, 2009 @03:30PM (#26765959)

    I wonder what the PIN Number was that they all used in those ATM Machines. Maybe they used a custom PCB Board to prototype the hack. Then they downloaded the plans onto a CD Disc. I'll bet they literally died after they got away with all the cash.

    Anyways, I could care less.

  • Inside job (Score:2, Insightful)

    by zymano (581466)

    and where are the cameras on these Atm's?

    • Re: (Score:2, Interesting)

      by mysidia (191772)

      Interesting question.. I would guess the cameras got pictures of them, but they haven't been caught yet. I guess it's possible the participants were far from home, got pretty far within a few days, and didn't look suspicious to any law enforcement.

      It's probable they'll eventually get caught in that case, as facial recognition technology becomes more widespread, they may be identified automatically in 3 or 4 years, when they eventually pass through a public place that's closely monitored

      The world is a

  • by smoker2 (750216) on Saturday February 07, 2009 @04:26PM (#26766429) Homepage Journal
    RBS Worldpay is the Royal Bank of Scotlands Worldpay cheapo net transactions processor. The processor is shit (and expensive), and RBS are basically owned by the UK govt. after the bailout.
    So if you use Worldpay on your website, I would get shot of it sharpish. They are the kind of outfit that will have multiple holes in their security. (I used to use their payment processor back in 2002.)
  • That many people coordinating themselves, presumably using the intertubes. . ?

    If even one person was caught on a security camera or ratted out for having $300,000 in cash under the bed. . , or has mental issues and throws a hissy-fit and decides to name names. Well that person could get everybody caught.

    So that means the information security being used by the organizers will have to have been reliable. Lucky for them, they're hackers, so they're pretty smart. Unfortunately for them, they're hackers, whic

    • by Cassini2 (956052) on Saturday February 07, 2009 @07:52PM (#26767857)

      Anyone hoping to pocket a percentage of $9,000,000 by giving a bunch of passwords to a bunch of people you don't know, and then assuming you won't get grassed out to the cops is likely making a major mistake.

      If the criminal is smart, a better strategy might be to "give" the information away to the right group of people. This might give someone a smug sense of "revenge" against a former employer. Someone could short the stock in the stock market, or the theft could cover up some insider funny business. The initial criminal act may be different than what it appears.

      Alternatively, the actual "inside" mastermind may actually be a victim too. Maybe someone conned an insider for information, or access to a laptop, and just sold the information. Maybe someone got hold of the backup tapes. This might actually a fairly low-value theft for the original criminal.

  • 130 ATMs? (Score:4, Interesting)

    by loshwomp (468955) on Saturday February 07, 2009 @06:01PM (#26767083)

    Hang on a second: That works out to over $69000 per ATM. Do they really have that much cash loaded in each one? I'd be surprised if that's true.

  • by cdn-programmer (468978) <terrNO@SPAMterralogic.net> on Saturday February 07, 2009 @06:27PM (#26767259)

    The funniest ATM theft I've heard of took place in Saskatchewan, Canada. This took place on a long weekend in a sleepy little rural town.

    4:00 AM sees our thieves breaking into the local gravel contractor. After breaking through the gate they steal a gravel truck and an oxy-acetelene torch. Next stop is the post treating plant about 1/2 mile (1 km) down the highway. They steal a loader. This is what is used to load poles and posts onto semi-trailors.

    By now its about 4:15 or so. Did they make noise? Well - a diesel truck and 350 HP diesel loader will make some noise I suppose. It woke some of the locals up.

    Around the corner from the bank about one (1) block away is the local police station which is manned 24x7. The police are at their desks thinking the gravel contractor must be getting an early start this morning.

    So the thieves drive the loader over to the bank. The reach in through the roof totally demolishing the building and grab the ATM which is firmly bolted to the concrete floor and footings. Seems the concrete wasn't much of a match for the 350 HP loader because the ATM was cleanly plucked through the gapping hole and dropped into the back of the dump truck.

    By now the cops were heading for their cars thinking there must have been a big accident on Main Street.

    Our thieves meanwhile shut off the loader and hopped into the dump truck and took off.

    A few miles south of town they stopped at an abandoned farm yard and took their time with the oxy-acetelene torch and chopped the ATM apart.

    Having done this they took the money and casually left the scene of the crime. So far no one has been caught! So far apparently these thieves are keeping their mouths closed. Apparently there are no leads.

    The best part of this story is the locals still laugh about their bank robbery! When you live in a sleepy Saskatchewan rural town then once in a while a little excitement spices up an otherwise dreary life.

  • Lying liars (Score:2, Informative)

    by faronem (675704)

    I've never used RBS Worldpay, but was notified several weeks ago that my financial records for the past 20 years, as well as SSN, were compromised.

    What's incredibly distressing is that RBS Worldpay (part of Citizens Financial Group) shares data with other affiliates. I just have a basic checking account in one of their banks, that's it--no credit cards, no gift cards, no payroll cards.

    However, they didn't go public with the news or notify any customers until the day before Xmas eve in December 2008: http [prnewswire.com]

  • Bias in the Line up? (Score:2, Interesting)

    by Naznarreb (1274908)
    I'm concerned about the pictures that myfoxny.com obtained. Of the 8 individual people shown in the 12 photos (a few people appear twice) 6 are very clearly black or minority. 130 ATMs robbed in 50 cities, you only get security photos of 8 people and nearly all of them are minority? I don't think so.

It is better to give than to lend, and it costs about the same.

Working...