Forgot your password?
typodupeerror
The Almighty Buck Databases Security

ATMs Compromised, $45M Taken 196

Posted by Soulskill
from the designed-for-redundancy-not-security dept.
An anonymous reader sends this news from the Associated Press: "A worldwide gang of criminals stole a total of $45 million in a matter of hours by hacking their way into a database of prepaid debit cards and then draining cash machines around the globe, federal prosecutors said Thursday. ... Here’s how it worked: Hackers got into bank databases, eliminated withdrawal limits on prepaid-debit cards and created access codes. Others loaded that data onto any plastic card with a magnetic stripe — an old hotel key card or an expired credit card worked fine as long as it carried the account data and correct access codes."
This discussion has been archived. No new comments can be posted.

ATMs Compromised, $45M Taken

Comments Filter:
  • by gatkinso (15975) on Friday May 10, 2013 @08:53AM (#43683847)

    I mean, can you really trust that some guy half way around the world is going to turn over the cash he just stole for you?

    • by Budgreen (561093)
      by fear... yes.
    • by slashdyke (873156)
      Hey, if some guy around the world stole for me and skimmed a little off the top, would I care too much if I received $30,000,000 instead of the $35,000,000 I was thinking I would receive? Then there is the flip side... With all the money the banks have lost in recent years, forcing foreclosures, lost jobs, and so forth, maybe it was not so much that the guys "at the top" got the money, but that the banks lost it. What was their intention? Get rich, or rob from the rich?
      • by Joce640k (829181) on Friday May 10, 2013 @09:08AM (#43683971) Homepage

        Hey, if some guy around the world stole for me and skimmed a little off the top, would I care too much if I received $30,000,000 instead of the $35,000,000 I was thinking I would receive?

        Don't give up your day job and go into drug dealing, it won't work out for you.

        • by slashdyke (873156) on Friday May 10, 2013 @09:10AM (#43683999) Homepage
          Not to worry. I was not planning to.
        • by gl4ss (559668)

          Hey, if some guy around the world stole for me and skimmed a little off the top, would I care too much if I received $30,000,000 instead of the $35,000,000 I was thinking I would receive?

          Don't give up your day job and go into drug dealing, it won't work out for you.

          this is pretty a different enterprise than drug dealing, so having to care about someone taking off from the deal doesn't matter as much, it all scales and the reason why they would pay and not keep everything is to keep receiving cc numbers sometimes in the future - and in part they work for clicks and the click needs to keep it's connection to the next level ok.

      • They stole prepaid debit card numbers. They did not steal from the rich, they stole from the poor. This isn't a gang of Robin Hoods, but a gang of Jesse James's (?).

        • Re: (Score:2, Informative)

          by Anonymous Coward

          The prepaid debit card numbers had not be given out to customers, so only the banks are taking the loss. The cost will trickle down to us via higher fees, but the immediate affect is on the banks only.

    • That is an interesting one. As far as I understand it, they did not steal from individuals, but from the bank. Off course this is the same as grabbing from someone else's savings, but so is fractional reserve banking. So in a way, if your bank does it, it is normal, if someone else does it, all of a sudden it is criminal.
      • by jamstar7 (694492)

        That is an interesting one. As far as I understand it, they did not steal from individuals, but from the bank. Off course this is the same as grabbing from someone else's savings, but so is fractional reserve banking. So in a way, if your bank does it, it is normal, if someone else does it, all of a sudden it is criminal.

        Pretty much, yeah. After all, you're cutting into the multimillion dollar salary and bonus plan of some bank bigwig. They take that shit kinda serious ya know...

    • by rijrunner (263757)

      They could be part of an overall organization. As such, there would have been a working relationship prior. Or, it could be that they did a run in December to prove the concept, then just sold the cards upfront to people for that second run.

    • Typically "cashiers" charge about 50 points. The culture of trust in the black market is very interesting but I haven't seen many recent papers about it (post 07ish).

      Sidenote: I haven't logged into /. for years... it feels good!

  • "Hack The Paynet!"
  • by TheCRAIGGERS (909877) on Friday May 10, 2013 @08:59AM (#43683909)

    And then they all hoped into their Mini Coopers and drove off into the sunset, leaving a stream of bills fluttering in the wind.

  • Ocean's eleven (Score:4, Insightful)

    Media all around the world are comparing this heist to Ocean's Eleven. Funny, but prolly not the first time that a movie yields the cultural background material for understanding viz. interpreting a crime...
  • Petty thieves (Score:5, Insightful)

    by 140Mandak262Jamuna (970587) on Friday May 10, 2013 @09:16AM (#43684047) Journal
    This is not how bank fraud should be done. The right and proper way is to become too big to fail, to big to jail, rig the LIBOR rates, create systematic rigging, award oneself huge salaries and bonuses, threaten worldwide economic collapse, hold governments to ransom and get huge bail out money. The master criminals running the banks are dismayed by petty criminals stealing from them.
    • by TrentTheThief (118302) on Friday May 10, 2013 @09:44AM (#43684317)

      Oh, lord, that was good. I wish I could give you an up-vote or something.

      Would you accept this old hotel swipe card as a token of my esteem? It should work in any ATM.

    • Re:Petty thieves (Score:4, Insightful)

      by Overzeetop (214511) on Friday May 10, 2013 @09:48AM (#43684363) Journal

      Seriously. Isn't this "heist" considered rounding error for financial CEO bonuses?

    • Re:Petty thieves (Score:5, Interesting)

      by dkleinsc (563838) on Friday May 10, 2013 @09:49AM (#43684375) Homepage

      You left out foreclosing on homes without the legal right to do so, laundering drug money, trading with Iran and other enemies of the country you're based on, and of course occasionally paying off regulators to help get away with it all. But then again, banks committing serious crimes is nothing new. As Major General Smedley Butler argued:

      I spent 33 years and four months in active military service and during that period I spent most of my time as a high class muscle man for Big Business, for Wall Street and the bankers. In short, I was a racketeer, a gangster for capitalism. I helped make Mexico and especially Tampico safe for American oil interests in 1914. I helped make Haiti and Cuba a decent place for the National City Bank boys to collect revenues in. I helped in the raping of half a dozen Central American republics for the benefit of Wall Street. I helped purify Nicaragua for the International Banking House of Brown Brothers in 1902-1912. I brought light to the Dominican Republic for the American sugar interests in 1916. I helped make Honduras right for the American fruit companies in 1903. In China in 1927 I helped see to it that Standard Oil went on its way unmolested. Looking back on it, I might have given Al Capone a few hints. The best he could do was to operate his racket in three districts. I operated on three continents.

  • by RichMan (8097) on Friday May 10, 2013 @09:23AM (#43684121)

    ATMs themselves were not compromised. The authentication system for debit cards was. Sure the money came from ATMs but the authentication that came from it was the backend systems.

    It was the backend banking system that was compromised, not ATMs. The ATMs worked perfectly and gave out cash only to authorized cards. There was no problem with the ATMs.

    • by Anonymous Coward on Friday May 10, 2013 @09:48AM (#43684359)

      So to clarify, the ATM's had the problem?

      • by Anonymous Coward on Friday May 10, 2013 @10:01AM (#43684491)

        As someone who writes banking software, Yes. The ATMs trusted the withdrawal limits in the response from the authorization system. When the authorization system returned a response stating it was OK for the user of this account to withdraw $10K in cash, the ATM should have flagged that amount as suspicious and refused to complete the transaction.

        • ATMs are dumb devices. All transactions are autorised by the upstream system, which typically include fraud detection systems. If the upstream system authorise a transaction and instructs the ATM to dispense, the ATM dispenses. There is zero intelligence in an ATM. None. Everything gets done from the upstream host. These guys had access to the authorising host where they modified the authorising pipeline to ignore the limits that were placed on cash withdrawals. I work in the industry. It's complicated
        • by gl4ss (559668)

          As someone who writes banking software, Yes. The ATMs trusted the withdrawal limits in the response from the authorization system. When the authorization system returned a response stating it was OK for the user of this account to withdraw $10K in cash, the ATM should have flagged that amount as suspicious and refused to complete the transaction.

          ..but there are people with 10k+ withdrawal limits.

          the daily limit would have to have been part of the some off-atm authorization system - and it was and that system was corrupted.

        • by tibit (1762298)

          Well, you don't earn enough to understand that there's plenty of people who do in fact withdraw $10K in cash from ATMs. There's no way for an ATM to have enough information to decide whether a withdrawal is suspicious or not. The ATM would need to pull in a lot of data to make that determination. That'd be a gaping security hole. The upstream systems were, apparently, a gaping hole too, but you seem to think that moving that hole to the ATM proper would have helped any. You're delirious.

      • Are you dense or can't you read? The ATMs WERE the problem!

  • by strangeattraction (1058568) on Friday May 10, 2013 @09:24AM (#43684137)
    I guess US banks will re-evaluate the use the more secure smart carts. They have been reluctant to use them because the cost of adoption was greater than their projected losses due to theft. So much for that theory. Another failure to predict the risk.
    • Actually, it was only about 45 Million. That is a lot to us, but I doubt it is enough to make the banks quake in their boots. They'll just use this as an excuse to up percentage points by one and walk away with a nice profit from the ordeal.
    • by bws111 (1216812)

      So much for that theory

      Wait, do you actually believe that the cost of adding smart chips to all credit cards, modifying all ATMs to use the smart chips, etc would be LESS than $45M? What are you smoking? There are almost 620 MILLION credit cards in the US. There are 2.2 MILLION ATMs in the US. Please tell us how you plan to upgrade all of that for less than $45M.

      The problem is not underestimation of risk, it is underestimation of cost by the second-guessers.

      • by ArcadeMan (2766669) on Friday May 10, 2013 @10:12AM (#43684583)

        Put "Smart Chip Compatible" stickers on all ATMs and cards? I don't think a sticker would cost more than 13.82$USD.

        • by bws111 (1216812)

          See, you can't even estimate the cost correctly for a joke. At your cost of $13.82 per sticker, just adding stickers to all cards and ATMs would cost $8.5B, not including the cost of getting the stickers to the cards.

      • The benchmark isn't $45M. This can and will continue to happen until the security problems are fixed. If you don't want your ATM to be a Quik-E-Mart you are going to have to upgrade security.

      • by Skater (41976)

        Wait, do you actually believe that the cost of adding smart chips to all credit cards, modifying all ATMs to use the smart chips, etc would be LESS than $45M? What are you smoking? There are almost 620 MILLION credit cards in the US. There are 2.2 MILLION ATMs in the US. Please tell us how you plan to upgrade all of that for less than $45M.

        The problem is not underestimation of risk, it is underestimation of cost by the second-guessers.

        It's interesting to me that I've had one of the chipped cards for several years now - at least 4 or 5 years. I assumed when I received it that our other cards would be moving that way, too, but every card we have has been replaced since then - some several times - and none of them have the chip, or if they do they don't mention it. I suspect we'll be seeing more chipped cards after this, though. You're right, it's expensive, but not every bank has billions of dollars to lose, either - for example, credit

      • by gl4ss (559668)

        So much for that theory

        Wait, do you actually believe that the cost of adding smart chips to all credit cards, modifying all ATMs to use the smart chips, etc would be LESS than $45M? What are you smoking? There are almost 620 MILLION credit cards in the US. There are 2.2 MILLION ATMs in the US. Please tell us how you plan to upgrade all of that for less than $45M.

        The problem is not underestimation of risk, it is underestimation of cost by the second-guessers.

        if the dolts in usa would have started the transition mid '90s LIKE THE REST OF THE FUCKING CIVILIZED WORLD then you would already have had them on all issued cards for the past decade. basically this is like the same argument "usa is so huge everything is expensive to roll out". fuck that. it's cheaper per person than in a nation of 5 million people.

        it felt like such a joke to swipe a card at a convenience store in usa and to write a "signature" using a friggin slow ass resistive touchscreen. I mean - prio

    • by tibit (1762298)

      Nope, you're not insightful here. How on Earth would secure smart cards have helped? We're talking prepaid debit cards here. It's perfectly legal to distribute them. The nefarious folk would simply need to go to the country where their target bank was, buy some prepaid cards, ship them abroad, and only then launch the scheme. Magstripe-only cards have let them skip this step, but it's no big deal, really. They'd be in the hole for $1k or so to ship the cards around, and perhaps another couple $k to travel t

  • by alen (225700) on Friday May 10, 2013 @09:25AM (#43684141)

    one of them was found dead on April 27 in the Dominican Repblic
    eight have already been arrested

    turns out the geniuses went shopping for rolexes and luxury cars with the cash
    cash has serial numbers. everything is video taped. it was only a matter of time before the cops tracked them down

    • by GPLDAN (732269) on Friday May 10, 2013 @10:39AM (#43684843)
      I also believe that there are databases that trace bill serial numbers to the ATMs that distributed them. The banks probably had a database of every bill issued to the criminals. Once they surfaced anywhere, they were going to be tracked. Also, nobody in underworld finance would dare launder that heist. Those were toxic bills and probably why they got caught quickly.
  • Now the banks have an inkling of how we feel about them stealing us blind in the mortgage fiasco! I only wish these hoods got away with about $4.5B instead of a paltry $45M. Then, the results would have been more equitable... :-(
  • by etash (1907284) on Friday May 10, 2013 @09:26AM (#43684153)
    the leader of the gang flew out of the US, and masked gunmen shot him down in the dominican republic. he had 100.000 usd with him and they were untouched. I wouldn't say that the hacked financial institutions didn't get their revenge.
  • by Dunbal (464142) * on Friday May 10, 2013 @09:26AM (#43684155)
    Now all the bank has to do is ask the Fed for a zero interest $50 million loan and it's all good, like nothing happened. Because too big to fail means we reinforce failures and give them all the support they need so they can keep failing. Seriously, what kind of bank lets people into their database? Do they have happy hour in the vault, too?
    • Now all the bank has to do is ask the Fed for a zero interest $50 million loan and it's all good, like nothing happened.

      I don't think they bother with a mere $50M loan. They probably write it off as a petty cash loss.

      • I'm pretty sure most banks have a larger quarterly offset from rounding errors (one system rounds 0.5 up, another 0.5 down, per business rules this is random)
    • by tibit (1762298)

      Um, you do understand that interbank loans in the U.S. are pretty much free? The current federal funds rate that the depository banks use to lend their fed deposits to each other is 0.25%, and the discount rate used to cover liquidity requirements is 0.75%.

  • The ATM's themselves were not compromised.

    The bank's computers were compromised and the limits on ATM withdrawals was removed from certain accounts.

  • A lousy $45M and a bunch of them were caught and will be prosecuted. Amateurs. The Best Way to Rob a Bank Is to Own One [google.com]. If these petty crooks had any brains, they'd at least have read the book.

    Update: the book is a little dated because it's about the S&L crisis. Back then people were prosecuted for control fraud. Nowadays doing it on a big enough scale means you get to play golf with the president. $45M is skimming the petty cash.

  • by ZiggyM (238243) on Friday May 10, 2013 @10:08AM (#43684541)
    two years ago I posted here how while waiting on a bank in Peru I played with a terminal that was there to show the bank website. In 5 minutes I was able to get into their WAN just by clicking arround. I could see all the networks inside, and inside that I could see the individual machines which has excel files and such. I inmediatelly reported it to the manager. In the US that could have gotten me arrested. I took a pic as a souvenir, which I still have. A month later I was there again and noticed that they had simply disabled right-click on the browser (it was one of the steps that I reported). After 10 min I was able to get into the network again. Told again the manager. Two years later (last week) I noticed that they still hadnt fixed it. Didnt say anything this time, but left the network screen open.
  • Doesn't add up (Score:5, Insightful)

    by mypalmike (454265) on Friday May 10, 2013 @11:22AM (#43685277) Homepage

    "In New York alone, eight people hit 2,904 ATMs in 10 hours, withdrawing $2.4 million."

    OK, if they split up and worked individually, that means 363 ATMs per person in 10 hours, which is around 36 ATMs per person per hour. Each of those 8 people would have to average under 2 minutes per ATM over the course of 10 full hours without interruption. Even if you had a really well-planned route, that seems like an impossible pace.

    • by denzacar (181829) on Friday May 10, 2013 @12:49PM (#43686377) Journal

      http://www.justice.gov/usao/nye/pr/2013/2013may09.html [justice.gov]

      Over the course of approximately 10 hours, casher cells in 24 countries executed approximately 36,000 transactions worldwide and withdrew about $40 million from ATMs. From 3 p.m. on February 19 through 1:26 a.m. on February 20, the defendants and their co-conspirators withdrew approximately $2.4 million in nearly 3,000 ATM withdrawals in the New York City area.

      2904 withdrawals, not ATMs. About 10 hours, not EXACTLY 10 hours.
      Also, it's 8 persons with 12 accounts per person. [nytimes.com] All they needed to cover was about 30 ATMs.
      Which comes out to about 20 minutes per ATM, meaning that each TEAM (i.e. at least one to withdraw the money, one to drive the car and keep lookout) had about 8 minutes to get from one ATM to the next.

      Good critical thinking on your part though. Just too much noise in the signal.

    • I read that and had the same thought, and came up with the same math. Even in midtown Manhattan, that pace doesn't seem possible.

      The other thing that bugged me about the story is that the whole scheme seemed to me to be too global and highly coordinated an effort for $45 million. Further, he leader of the NYC crew skips the country and takes a bullet to the head, a risk he took for $100,000 in cash out of $2.4 million stolen? OK, he was only 23 so maybe that seemed like a good deal to him, but then tha

    • by Tokolosh (1256448)

      If you are withdrawing from another bank, the ATM fee is typically $2. The banks were making out like bandits!

  • Others loaded that data onto any plastic card with a magnetic stripe — an old hotel key card or an expired credit card worked fine as long as it carried the account data and correct access codes

    Magnets!

    Is there anything they can't do?

    But seriously, why is of this of note? I'm pretty sure any magstrip carrying the right codes would work.

I find you lack of faith in the forth dithturbing. - Darse ("Darth") Vader

Working...