
$9 Million ATM Hacking Ring Indicted

Posted by kdawson
from the good-luck-with-those-arrests dept.
Trailrunner7 writes "US and international prosecutors have indicted a criminal ring that they allege was responsible for an ATM scam last November that stole about $9 million from RBS WorldPay. The criminals cracked payroll debit cards and withdrew money from ATMs in hundreds of cities around the world. A federal grand jury in Atlanta has indicted eight men in connection with the scheme, including five Estonians, one Russian, one Moldovan, and one unidentified man. Prosecutors allege that the men 'used sophisticated hacking techniques' to defeat the company's encryption system. The scam involved an elaborate plan in which the attackers first bypassed the encryption on the debit cards, which RBS WorldPay issues to customers for employee payroll purposes. They then raised the limits on the accounts attached to the cards, then provided a network of 'cashers' with 44 counterfeit payroll debit cards, which were used to withdraw more than $9 million from more than 2,100 ATMs in at least 280 cities worldwide, including cities in the United States, Russia, Ukraine, Estonia, Italy, Japan and Canada. The $9 million loss occurred within a span of less than 12 hours; 130 different ATMs in 49 cities were hit within one 30-minute period."

  • Proper monitoring (Score:4, Insightful)

    by ls671 (1122017) * on Tuesday November 10, 2009 @11:29PM (#30055732) Homepage

    Just earlier, we heard about a hole in Bing cash-back program and many people rightfully stated that not enough care is taken when developing and more importantly, designing secure systems.

    This is one more case that proves them right. Bright hackers usually pick the easiest target. Due to the hit and run nature of the theft, I believe that proper real-time monitoring of the system could have prevented most of the attack. Maybe half an hour or less instead of 12 hours time span before it would have been stopped.

    • Re: (Score:3, Interesting)

      by WarJolt (990309)

      There is such a thing as too much monitoring. If the cost of the monitoring system is more than the amount stolen it's not worth it. In this case a simple system could probably cost less than $9 million and have prevented this. A company must have intuition to preempt the costs of theft. Many businesses, especially retail, actually expect theft and factor this into their costs.

      If you're running a casino you must invest lots in security because the cost of losing a lot of money is very real and worth the investme

      • by guruevi (827432)

        I don't know, if you want to monitor 1000's of ATM machines for certain patterns in order to catch something like this, you probably end up paying more than $9M on it. The software/hardware alone would probably cost $10M and maintenance, wages, service centers etc. only go up from there.

    • by jujuchef (452269)
      "I believe that proper real-time monitoring of the system could have prevented most of the attack..."

      As someone who has worked in the Card Fraud industry, I can assure you that it is a requirement for every card processor to use real time monitoring software for the prevention of fraud. Visa/Mastercard/etc demand it if you want their logo on the card. The amount of money prevented from fraudulent activity over the past 10 years has dropped very, very significantly. $9 mill on this would be a drop in th
  • Not sure I've heard of a payroll debit card?

    You mean some company doesn't either do direct deposit, or cut you a check?

    I don't think I'd like something not going to my checking account...do you have to pay bills and stuff out of this debit card account I'm guessing that the company owns?

    • Re:??? What? (Score:5, Interesting)

      by Bill, Shooter of Bul (629286) on Tuesday November 10, 2009 @11:43PM (#30055856) Journal

      Well, it's a wide, wide world my friend. The things you don't know about could fill a Library of Congress or two.

      But on topic, these cards have many uses. Telemarketers used to give time limited payroll debit cards out for performance bonuses. In some parts of the world, they are given out instead of checks. With the idea being that you don't have to go to an open bank to get it cashed. Plus in many areas outside the US, checks are dead. No one uses or accepts them. Obviously these aren't the kind of people that are planning for a future retirement in the Hamptons.

    • Re:??? What? (Score:5, Interesting)

      by AF_Cheddar_Head (1186601) on Tuesday November 10, 2009 @11:46PM (#30055902)

      Lots of companies that have a highly fluid employee population use these payroll debit cards.

      My son works for a company owned 7-11 that pays him this way. Each card has an account dedicated to it. Not sure what the benefit from the company perspective is. Probably some kickback on the percentage the card issuing company collects on purchase and maybe ATM fees.

      These cards are also probably handy to pay illegal aliens who can't get bank accounts (just speculating).

      • Re:??? What? (Score:5, Interesting)

        by Rophuine (946411) on Wednesday November 11, 2009 @12:34AM (#30056216) Homepage

        These cards are also probably handy to pay illegal aliens who can't get bank accounts (just speculating).

        I used to write software for one of these companies. They practically marketed it that way.

        • I also worked for one of the first (maybe the first?) companies to develop such a system and use it in the US - they'd already built a similar system overseas. I didn't work directly on that project to any real degree, but I was there in the early days and at that time migrant field workers were their ONLY users.

          Not that the companies ever had any trouble paying the illegal aliens with checks. This system just meant less work distributing checks, no issuing replacements for lost checks, and lower fees for

          • by Rophuine (946411)

            I worked for a spin-off of a US company in another country, so I never met the founder. I do know the US company used a 3-letter acronym from a name indicating they may well have been the first.

            There was also a 3rd-party software house involved who used a four-letter acronym.

            Sounding familiar?

      • by lamapper (1343009)

        My son works for a company owned 7-11 that pays him this way. Each card has an account dedicated to it. Not sure what the benefit from the company perspective is. Probably some kickback on the percentage the card issuing company collects on purchase and maybe ATM fees.

        The lovely "VCom" machines in most 7-11s, especially the company owned ones. 7-11 employees are allowed to use them for FREE, no fees. As of 2007, 7-11 would direct deposit into your bank account, you would get a paper copy of your check and/or check stub statement. With the VCom card, you could withdraw money, no limits, up to and including your entire paycheck if you wanted to. Those VCom machines are convenient if you do not have a supermarket near you. Most supermarkets (grocery stores) will allow

    • Re:??? What? (Score:5, Informative)

      by interkin3tic (1469267) on Tuesday November 10, 2009 @11:49PM (#30055924)

      You mean some company doesn't either do direct deposit, or cut you a check?

      Yes. Mark of a company that hates hates HATES its employees. After undergrad I was working at gamestop when they decided to go this route. For some reason, they were incapable of processing a direct deposit for me, so checks were fine. Then these cards came. They give your paycheck to a different company. Said company gives it to you. The fine print in the information pamphlet they handed out: one free transaction a month. After that, $2 fee for using the debit card for anything.

      They undoubtedly made a killing from many high school kids on that one. And gamestop no longer had to print and distribute paychecks, saving the company untold hundreds of dollars a month. Since that was one of the least annoying things gamestop did to its employees, morale probably wasn't a factor.

      • by lamapper (1343009)

        The fine print in the information pamphlet they handed out: one free transaction a month. After that, $2 fee for using the debit card for anything.

        What a rip off, solution, in one transaction, move your entire paycheck from account to another bank account, thus avoiding the $2.00 fees for additional transactions related to the cards.

        Of course they would then put in an artificially low maximum that would prevent you from transferring / withdrawing your account in one transaction.

        • What a rip off, solution, in one transaction, move your entire paycheck from account to another bank account, thus avoiding the $2.00 fees for additional transactions related to the cards.

          Of course they would then put in an artificially low maximum that would prevent you from transferring / withdrawing your account in one transaction.

          Transferring it with that one transaction is probably exactly what they and the company would point to if called out on it. I didn't read far enough to see if there was anything about a maximum, after reading the 2$ for every transaction afterwards I understood what type of scam it was and was on the phone with personnel. I'm assuming the overdraft charges were also a scam, likely measured in "fold" rather than "percent" and a balance inquiry to be sure you don't transfer more than your paycheck counts as

  • When will banks start upgrading their security?

    Me think it's the same syndicate as these guys. [theage.com.au]

    • by physburn (1095481)
      Well, this was the Royal Bank of Scotland, a formerly solid institution, but one that went bust last year and had to be bailed out to the tune of 10 billion. You wouldn't expect much security out of a bank that managed their financial affairs that badly. Actually though RBS were one of the first UK banks to provide on-line payments and were very forward looking in providing electronic money management. So it's a shame for the hack, and needing the bailout.

      ---

      Computer Security [feeddistiller.com] Feed @ Feed Distiller [feeddistiller.com]

      • by jonbryce (703250)

        I'm pretty sure it was a lot more than £10bn. Lloyds was bailed out to the tune of £160bn. RBS is about 2.5 times bigger than Lloyds and in a much worse financial state.

  • If you are worried that your laptop containing sensitive data might get stolen and thief would thereby get the passwords stored in your firefox browser, then here is my suggestion.
    Use the finger print or retina recognition so that the laptop operates only when it recognizes you. These are becoming standard these days with IBM T400 series having finger print recognition and Dell Inspiron 15 series having retina recognition.
    If you are worried that there are so many passwords to maintain, then yes, I am wor

    • Re: (Score:3, Insightful)

      by jandrese (485)
      What is the point of fingerprint recognition if they just pull the drive out and read all of the data off of it? You don't need fancypants biometrics to encrypt the hard drive, which is the only real protection against losing data when your laptop is stolen.
      • by timeOday (582209)
        The security-oriented Thinkpads (probably including all of those with fingerprint scanners, but also some without) also have support for hardware whole-disk encryption. It's great. After entering a password at power-on, it's otherwise unnoticeable. No performance overhead.

        The fingerprint scanner, I had on a T60 and never used. To me it's easier just to enter a password.

    • by BountyX (1227176) on Tuesday November 10, 2009 @11:57PM (#30055996)
      Biometric security is a horrible idea. Not only can you trick a retina scanner with a photograph and easily lift a finger print, but it is also non-disposable. There are much simpler and effective solutions to protecting sensitive information, like TrueCrypt. I bet most fingerprint readers and retina scanners on consumer electronics have manufacturer backdoors.
      • by Talisman (39902)

        Biometrics by itself is inadequate for complete security (if such a thing even exists), yes. But as a part of the holy trinity of security (something you have, something you know, something you are) it is still useful.

      • by Cylix (55374)

        I don't know what world you live in, but biometric components are highly disposable.

        Just last week we had a copy of an employee's eye floating around. We quickly plugged that hole by confiscating the employee's left eye.

        Every so often we get a real joker who thinks it's funny to prove how he can bypass the thumb readers. Those guys stop smiling the moment we take that compromised thumb away.

        Just another day in the security division of OCP.

      • by DarthVain (724186)

        LOL. Ya I love when people get all hot and bothered about this type of technology, thinking it is all high tech and infallible. My favorite example of this was people spoofing "facial recognition" biometric software and sensors..... with a printed picture held up for the camera. LOL!

    • Re: (Score:1, Informative)

      by Anonymous Coward

      You are on the wrong article, I believe you wanted to reply to this post:
      http://ask.slashdot.org/story/09/11/10/2045258/Best-Tool-For-Remembering-Passwords [slashdot.org]

    • by harl (84412)

      What happens when you need to change your password?

  • "Caught" them. (Score:1, Interesting)

    by hackus (159037)

    Well, this is how I see it.

    First of all, alleged is an understatement. How they would link bogus accounts, addresses and phone numbers to these 9 people I think would be very hard to do. (i.e. impossible.)

    Secondly, really? The most advanced criminal ring in the world? If so, how did they get caught if they are that good? I would be more inclined to believe that they are amateurs.

    Why would I think that?

    1) Well, first of all, the government cannot look like a putz in public, which is strictly an image pr

  • Horrible Article (Score:5, Interesting)

    by carp3_noct3m (1185697) <slashdotNO@SPAMwarriors-shade.net> on Tuesday November 10, 2009 @11:48PM (#30055916)
    The original and much more informative article, written by someone that at least has basic understandings of technology, at Wired. One of the keys to why this is so big can be found in the following... "The hack involved reverse-engineering PINs for payroll debit card accounts" and "Tsurikov conducted reconnaissance of the RBS network after Covelin provided him with information about vulnerabilities in the system. Pleshchuk and Covelin then worked on exploiting the vulnerabilities to obtain access on November 4. Pleschuk allegedly developed the method for reverse-engineering the encrypted PINs."

    So what it boils down to is that usually something happens to a bank, and it is some stupid CIO or consultant that leaves unencrypted info on a laptop or something similarly stupid, while this seems to be a "legitimate" hack/crack. This involves all the steps of classic vulnerability assessment a pro security consultant would do, but with blackhat intent, including passive recon, 0 days, etc. It should be noted that in the Credit Card fraud underworld, the biggest problem is not getting cards info, including PINs. The problem is called "cashing out". Often internet currencies (e-gold, etc) and offshore gambling sites are used to launder money, but this is why the "cashiers" usually charge 50 points. They got caught because of how they got the money, and the real special thing here is that they targeted only a few high level payroll accounts. Making their indictment only on 16 counts.

    I highly doubt they would be expected to pay back every bit of it, and if they are smart they had a contingency plan, hide a million or two in a hole in the ground, and will only serve a handful of years in jail, but my entire last statement is pure speculation as I know very little about how the justice system works in regard to this stuff, barring to say that I have a friend who spent 5 years in prison for non-malicious hacking of government computers, while the local young girl murderer gets 3 years....ahh i need to drink less, or maybe more, before posting to /.!
    • Re: (Score:3, Interesting)

      by Talisman (39902)

      "...if they are smart they had a contingency plan, hide a million or two in a hole in the ground, and will only serve a handful of years in jail..."

      Let's assume high and say $2MN dollars is successfully hidden. Let's say they get 5 years in jail. There were 8 of them. 2MN/8 = $250,000. $250,000/5 = $50,000.

      Good job, guys! You went to jail for 5 years for $50,000 per year, which is what a mid-level IT tech makes. You also guaranteed yourselves a lifetime of being watched by government agencies the world over.

      Now, I don't know how many people were just foot soldiers and how many were involved in the technical side of the hack, but say instead of ri

      • by Anonymous Coward

        I spent 3 years going after someone who defrauded my company for quite some money, and frankly, I wish it was in a different country. The guy was quite bright financially, but instead of using it for honest gain he really HAD to do something shady even if more profitable, honest options were available. This is why we eventually took the lid off the finances he managed and found a large hole where our revenue was supposed to be - hidden by falsified statements.

        He was a national, but he played the woefully

  • by Anonymous Coward on Tuesday November 10, 2009 @11:55PM (#30055978)

    Is he the unidentified man? Why does Glen Beck not deny his involvement?

    • by tux0r (604835)

      On the basis of this post, I propose a new IM-style abbreviation: COL (Chuckle Out Loud).

      As in, I just COL'd (because I just did).

      Good form, sir!

  • Want some coke?

    Um, okay..

  • hackerz (Score:3, Funny)

    by kaoshin (110328) on Wednesday November 11, 2009 @12:06AM (#30056038)
    and a person the prosecutors identified only as "Hacker3."
    Hacker 3, a three year old child, was already suspected by the RIAA of copyright infringement.
    • by nexuspal (720736)
      You are exactly correct Sir. Any hacker worth his or her salt would use ANOTHER PERSON'S NETWORK, on a CLEAN COMPUTER. But we all know that of course, and this isn't any surprise to any of us that some non-anonymous hacker is now under investigation...
  • smarter criminals (Score:5, Insightful)

    by Anonymous Coward on Wednesday November 11, 2009 @12:21AM (#30056152)

    Bank Robber: thousands of dollars stolen, but they go to a maximum security prison
    ATM fraud ring: millions of dollars stolen, but they go to a medium security prison
    Ponzi scheme: billions of dollars stolen, but they go to a minimum security prison.
    Bankers: trillions of dollars stolen, and they're given more by the government with a bonus on top

    • Re: (Score:1, Troll)

      by bradbury (33372)

      Plus you have the added fact that the prisons are generally outside of Russia/former Soviet Union -- and there is quite a bit of difference between going to prison in the former S.U. and more modern civilized countries. Financial criminals most probably view imprisonment in current environments as a paid vacation. Hardly a deterrent, perhaps even an incentive, to commit non-violent crimes.

    • by Bovius (1243040)

      When I saw this article, I imagined Dr. Evil holding his pinky finger up and saying "Nine meeeeellion dollars!". There's much more serious fraudulent activity going on.

    • by Epi-man (59145)

      Bank Robber: thousands of dollars stolen, but they go to a maximum security prison

      You forgot...(most likely) has a criminal record, claimed to or had a gun and held it to someone's head threatening to kill them, very high probability they will make an attempt to escape or harm other people....

      ATM fraud ring: millions of dollars stolen, but they go to a medium security prison

      Hurt approximately zero people, threatened approximately zero people with harm, but organized others to help with their deeds

      Ponzi sche

      • by Wildclaw (15718)

        And yet you don't think the people in government who stole the money from us and gave it to the bankers should be in prison???

        Depends what you mean by stealing. If you mean taxing is stealing, then you just don't get it. You can't steal what you already own. And the government owns the whole country, every single bit of it, by virtue of having the bigger guns. Taxing is nothing more than collecting rent.

        If you are saying that some government employees went above their authority in giving money to the bankers, then you are correct. There are lots of people in the government who should be held accountable for willfully ignoring exis

  • I am always amazed when a ring like that is discovered. It must be some incredible especially when it is worldwide coordinated. Makes you wonder that in the real world there are after all a few cops like you see in cinemas.
  • used sophisticated hacking techniques

    They just opened the machines. Shhh! But don't tell anyone.

  • One of these characters is already under indictment for similar shenanigans http://www.wired.com/threatlevel/2009/11/rbs-worldpay [wired.com], so a good bet is that the Feds have a rat, sorry, a cooperative concerned citizen, big deal. The real story, not these unfortunate Estonian freelance security consultants, but that if RBS was stupid enough to get nailed like this, who else is this sloppy with their security? A decent amount of work and planning went into this (except for the exit strategy), and no one noticed
  • easy money!

  • Bring a dufflebag (Score:4, Insightful)

    by buyingtires (1676126) on Wednesday November 11, 2009 @02:47AM (#30057026) Journal
    Considering the $9 million was taken from 2,100 ATMs, that's over $4,200 per transaction... Most ATMs only have 20's to dispense, so that would be a pretty big pile of cash to carry out of the store/bank/gas station.
  • Does anyone have more information on the Hong Kong and Netherlands roles in this case? I blogged a summary of charges, including some of the SQL Statements the baddies were using to monitor, change limits on, and monitor "their" cards from the indictment here: CyberCrime & Doing Time [blogspot.com]. The part I'm trying to find more data on comes from this bit from the FBI Press Release: Cooperation between the Hong Kong Police Force and the FBI also led to a parallel investigation, resulting in the identification
  • If only they had just taken the fractions of a cent on every transaction they would have gotten away with it.
  • >The $9 million loss occurred within a span of less than 12 hours; 130 different ATMs in 49 cities were hit within one 30-minute period
    This is where being a programmer, it makes sense that it is physically impossible to have that many cards to 1 account used in that many cities, so after the first 4 or 5 like this, you would think you stop the transactions from going on, unless the crime was committed on a realtime schedule where everybody was synched to do the withdrawals all at the exact time (almost t
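
The check discussed in the comments above (one account used by too many cards in too many cities inside a short window, then frozen), as an added example that is not part of the original thread. The log format, thresholds, account names and sample withdrawals are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds; a real issuer would tune these per card product.
WINDOW = timedelta(minutes=30)
MAX_CITIES = 2   # distinct cities per account inside the window
MAX_CARDS = 2    # distinct cards per account inside the window

# Constructed sample log: timestamp, account, card, city, amount.
SAMPLE = """\
2000-01-01T00:01:00 ACCT-A CARD-01 Atlanta 500
2000-01-01T00:03:00 ACCT-A CARD-02 Tallinn 500
2000-01-01T00:05:00 ACCT-A CARD-03 Moscow 500
2000-01-01T00:06:00 ACCT-A CARD-04 Tokyo 500
2000-01-01T00:09:00 ACCT-A CARD-05 Montreal 500
2000-01-01T09:00:00 ACCT-B CARD-90 Atlanta 200
2000-01-01T12:00:00 ACCT-C CARD-30 Chicago 300
2000-01-01T12:05:00 ACCT-C CARD-31 Chicago 300
2000-01-01T12:10:00 ACCT-C CARD-32 Chicago 300
2000-01-01T17:30:00 ACCT-B CARD-90 Chicago 200
""".splitlines()


def parse(line):
    """Split one constructed log line into typed fields."""
    ts, account, card, city, amount = line.split()
    return datetime.fromisoformat(ts), account, card, city, float(amount)


def monitor(lines, window=WINDOW, max_cities=MAX_CITIES, max_cards=MAX_CARDS):
    """Replay withdrawals in time order; return (alerts, paid, declined).

    An account is frozen by the first withdrawal that pushes it over either
    threshold; that withdrawal and every later one on the account is declined.
    """
    recent = defaultdict(deque)   # account -> (ts, card, city) inside window
    frozen = set()
    alerts, paid, declined = [], 0.0, 0.0
    for ts, account, card, city, amount in sorted(map(parse, lines)):
        if account in frozen:
            declined += amount
            continue
        q = recent[account]
        q.append((ts, card, city))
        while ts - q[0][0] > window:      # expire events older than the window
            q.popleft()
        cities = {c for _, _, c in q}
        cards = {k for _, k, _ in q}
        reason = None
        if len(cities) > max_cities:
            reason = f"{len(cities)} cities within {window}"
        elif len(cards) > max_cards:
            reason = f"{len(cards)} cards within {window}"
        if reason:
            frozen.add(account)
            alerts.append((ts, account, reason))
            declined += amount
        else:
            paid += amount
    return alerts, paid, declined


if __name__ == "__main__":
    alerts, paid, declined = monitor(SAMPLE)
    for ts, account, reason in alerts:
        print(f"{ts.isoformat()} FREEZE {account}: {reason}")
    print(f"paid={paid:.2f} declined={declined:.2f}")
```

ACCT-B, a single card used in two cities hours apart, is never flagged, which is the false-positive case the window exists to avoid.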
