ATMs Compromised, $45M Taken
An anonymous reader sends this news from the Associated Press:
"A worldwide gang of criminals stole a total of $45 million in a matter of hours by hacking their way into a database of prepaid debit cards and then draining cash machines around the globe, federal prosecutors said Thursday. ... Here’s how it worked: Hackers got into bank databases, eliminated withdrawal limits on prepaid-debit cards and created access codes. Others loaded that data onto any plastic card with a magnetic stripe — an old hotel key card or an expired credit card worked fine as long as it carried the account data and correct access codes."
I wonder how much was skimmed by the bag men (Score:5, Insightful)
I mean, can you really trust that some guy half way around the world is going to turn over the cash he just stole for you?
Re: (Score:2)
Re: (Score:2)
Of course. Here is the $10,000 I stole for you. (pockets $50,000)
Re:I wonder how much was skimmed by the bag men (Score:5, Insightful)
They had the bank's database, it's possible that they could tell pretty easily exactly how much they had withdrawn.
Re: (Score:2)
Re:I wonder how much was skimmed by the bag men (Score:5, Funny)
Hey, if some guy around the world stole for me and skimmed a little off the top, would I care too much if I received $30,000,000 instead of the $35,000,000 I was thinking I would receive?
Don't give up your day job and go into drug dealing, it won't work out for you.
Re:I wonder how much was skimmed by the bag men (Score:4, Funny)
Re: (Score:3)
Hey, if some guy around the world stole for me and skimmed a little off the top, would I care too much if I received $30,000,000 instead of the $35,000,000 I was thinking I would receive?
Don't give up your day job and go into drug dealing, it won't work out for you.
this is a pretty different enterprise than drug dealing, so having to care about someone taking off from the deal doesn't matter as much, it all scales and the reason why they would pay and not keep everything is to keep receiving cc numbers sometime in the future - and in part they work for cliques and the clique needs to keep its connection to the next level ok.
Re: (Score:3)
They stole prepaid debit card numbers. They did not steal from the rich, they stole from the poor. This isn't a gang of Robin Hoods, but a gang of Jesse James's (?).
Re: (Score:2, Informative)
The prepaid debit card numbers had not been given out to customers, so only the banks are taking the loss. The cost will trickle down to us via higher fees, but the immediate effect is on the banks only.
Re: (Score:2)
Fractional reserve banking (Score:2)
Re: (Score:2)
That is an interesting one. As far as I understand it, they did not steal from individuals, but from the bank. Of course this is the same as grabbing from someone else's savings, but so is fractional reserve banking. So in a way, if your bank does it, it is normal, if someone else does it, all of a sudden it is criminal.
Pretty much, yeah. After all, you're cutting into the multimillion dollar salary and bonus plan of some bank bigwig. They take that shit kinda serious ya know...
Re: (Score:2)
They could be part of an overall organization. As such, there would have been a working relationship prior. Or, it could be that they did a run in December to prove the concept, then just sold the cards upfront to people for that second run.
Re: (Score:3)
Typically "cashiers" charge about 50 points. The culture of trust in the black market is very interesting but I haven't seen many recent papers about it (post 07ish).
Sidenote: I haven't logged into /. for years... it feels good!
Re:I wonder how much was skimmed by the bag men (Score:5, Informative)
They did "discuss"
Mr. Lajud-Peña fled the United States just as the authorities were starting to make arrests of members of his crew, the law enforcement official said.
On April 27, according to news reports from the Dominican Republic, two hooded gunmen stormed a house where he was playing dominoes and began shooting. A manila envelope containing about $100,000 in cash remained untouched.
Re: (Score:2)
that's a solved problem since all they would have to do is have the members of a Sicilian* Debate Team have a "forceful chat" with the street guys as to the extent of their "cut".
* please note you can substitute Northern Irish, Japanese and Russian here as required
Re: (Score:2)
That's a lousy return. I wouldn't want 4 cents on the dollar.
You do better to hire a crew of operators and instruct them to find an ATM, withdraw $500, and give you $400, and never talk to you again. (That's 80 cents on the dollar, and that's not even good.)
Like they say: (Score:2)
Afterwards.... (Score:5, Funny)
And then they all hopped into their Mini Coopers and drove off into the sunset, leaving a stream of bills fluttering in the wind.
Re: (Score:3)
Bah. Any true thief makes bill-trailing getaway in a Fiat 500. [blogspot.com]
Ocean's eleven (Score:4, Insightful)
Petty thieves (Score:5, Insightful)
Re:Petty thieves (Score:4, Funny)
Oh, lord, that was good. I wish I could give you an up-vote or something.
Would you accept this old hotel swipe card as a token of my esteem? It should work in any ATM.
Re:Petty thieves (Score:4, Insightful)
Seriously. Isn't this "heist" considered rounding error for financial CEO bonuses?
Re:Petty thieves (Score:5, Interesting)
You left out foreclosing on homes without the legal right to do so, laundering drug money, trading with Iran and other enemies of the country you're based on, and of course occasionally paying off regulators to help get away with it all. But then again, banks committing serious crimes is nothing new. As Major General Smedley Butler argued:
I spent 33 years and four months in active military service and during that period I spent most of my time as a high class muscle man for Big Business, for Wall Street and the bankers. In short, I was a racketeer, a gangster for capitalism. I helped make Mexico and especially Tampico safe for American oil interests in 1914. I helped make Haiti and Cuba a decent place for the National City Bank boys to collect revenues in. I helped in the raping of half a dozen Central American republics for the benefit of Wall Street. I helped purify Nicaragua for the International Banking House of Brown Brothers in 1902-1912. I brought light to the Dominican Republic for the American sugar interests in 1916. I helped make Honduras right for the American fruit companies in 1903. In China in 1927 I helped see to it that Standard Oil went on its way unmolested. Looking back on it, I might have given Al Capone a few hints. The best he could do was to operate his racket in three districts. I operated on three continents.
Re:Petty thieves (Score:5, Insightful)
On several documented occasions, they've foreclosed on people who had no mortgage whatsoever. They've foreclosed on people that lived next door to people they were intending to foreclose on due to typos. They've foreclosed on people who have paid their mortgage on time but the paperwork got mixed up by a servicer.
The victims aren't just victims of their own stupidity.
Re: (Score:2)
Re: (Score:3)
If a bank can foreclose on a property that it has no lien on (or can take a lien on the wrong property), the problem doesn't lie with the bank! That's a straight-up failure of the public records offices, and a worse public failure if sheriffs actually showed up to evict anyone.
It's not surprising that a bank had an occasional typo in their own documents, but no one should be relying on the honesty of a bank in the first place. One of the key functions of government is keeping track of deeds and ownership
Re: (Score:2)
So, what bank do you work for, again?
Re: (Score:2)
Not so fast. It may seem now that the dumb and dumber dug their own graves, but back when the bubble was inflating, you were (almost) a fool not to get into the game. Those wack-out mortgages were repayable because the value of the home would appreciate enough to refinance. People were getting RICH as they bought and flipped well before any high interest kicked in. Can you say you would have stayed on the sidelines, paying rent (going up every year), when people all around you are getting wealthy?
Hinds
Not ATMs, the debit card system (Score:5, Insightful)
ATMs themselves were not compromised. The authentication system for debit cards was. Sure the money came from ATMs but the authentication that came from it was the backend systems.
It was the backend banking system that was compromised, not ATMs. The ATMs worked perfectly and gave out cash only to authorized cards. There was no problem with the ATMs.
Re:Not ATMs, the debit card system (Score:5, Funny)
So to clarify, the ATMs had the problem?
Re:Not ATMs, the debit card system (Score:5, Interesting)
As someone who writes banking software, Yes. The ATMs trusted the withdrawal limits in the response from the authorization system. When the authorization system returned a response stating it was OK for the user of this account to withdraw $10K in cash, the ATM should have flagged that amount as suspicious and refused to complete the transaction.
Re: Not ATMs, the debit card system (Score:3, Insightful)
Re: (Score:2)
As someone who writes banking software, Yes. The ATMs trusted the withdrawal limits in the response from the authorization system. When the authorization system returned a response stating it was OK for the user of this account to withdraw $10K in cash, the ATM should have flagged that amount as suspicious and refused to complete the transaction.
..but there are people with 10k+ withdrawal limits.
the daily limit would have to have been part of some off-ATM authorization system - and it was and that system was corrupted.
Re: (Score:2)
Well, you don't earn enough to understand that there's plenty of people who do in fact withdraw $10K in cash from ATMs. There's no way for an ATM to have enough information to decide whether a withdrawal is suspicious or not. The ATM would need to pull in a lot of data to make that determination. That'd be a gaping security hole. The upstream systems were, apparently, a gaping hole too, but you seem to think that moving that hole to the ATM proper would have helped any. You're delirious.
Re: (Score:2)
Re: (Score:2)
Are you dense or can't you read? The ATMs WERE the problem!
I guess US banks will re-evaluate.. (Score:4, Insightful)
Re: (Score:2)
Re: (Score:3)
So much for that theory
Wait, do you actually believe that the cost of adding smart chips to all credit cards, modifying all ATMs to use the smart chips, etc would be LESS than $45M? What are you smoking? There are almost 620 MILLION credit cards in the US. There are 2.2 MILLION ATMs in the US. Please tell us how you plan to upgrade all of that for less than $45M.
The problem is not underestimation of risk, it is underestimation of cost by the second-guessers.
Re:I guess US banks will re-evaluate.. (Score:4, Funny)
Put "Smart Chip Compatible" stickers on all ATMs and cards? I don't think a sticker would cost more than 13.82$USD.
Re: (Score:2)
See, you can't even estimate the cost correctly for a joke. At your cost of $13.82 per sticker, just adding stickers to all cards and ATMs would cost $8.5B, not including the cost of getting the stickers to the cards.
Re: (Score:2)
So, 72324$USD for each card and ATMs? Or is my math off again?
Re: (Score:2)
Crap I think I multiplied instead of dividing
0.07$USD
Sounds about right for one sticker.
Re: (Score:2)
The benchmark isn't $45M. This can and will continue to happen until the security problems are fixed. If you don't want your ATM to be a Quik-E-Mart you are going to have to upgrade security.
Re: (Score:2)
Wait, do you actually believe that the cost of adding smart chips to all credit cards, modifying all ATMs to use the smart chips, etc would be LESS than $45M? What are you smoking? There are almost 620 MILLION credit cards in the US. There are 2.2 MILLION ATMs in the US. Please tell us how you plan to upgrade all of that for less than $45M.
The problem is not underestimation of risk, it is underestimation of cost by the second-guessers.
It's interesting to me that I've had one of the chipped cards for several years now - at least 4 or 5 years. I assumed when I received it that our other cards would be moving that way, too, but every card we have has been replaced since then - some several times - and none of them have the chip, or if they do they don't mention it. I suspect we'll be seeing more chipped cards after this, though. You're right, it's expensive, but not every bank has billions of dollars to lose, either - for example, credit
Re: (Score:2)
So much for that theory
Wait, do you actually believe that the cost of adding smart chips to all credit cards, modifying all ATMs to use the smart chips, etc would be LESS than $45M? What are you smoking? There are almost 620 MILLION credit cards in the US. There are 2.2 MILLION ATMs in the US. Please tell us how you plan to upgrade all of that for less than $45M.
The problem is not underestimation of risk, it is underestimation of cost by the second-guessers.
if the dolts in usa would have started the transition mid '90s LIKE THE REST OF THE FUCKING CIVILIZED WORLD then you would already have had them on all issued cards for the past decade. basically this is like the same argument "usa is so huge everything is expensive to roll out". fuck that. it's cheaper per person than in a nation of 5 million people.
it felt like such a joke to swipe a card at a convenience store in usa and to write a "signature" using a friggin slow ass resistive touchscreen. I mean - prio
Re: (Score:2)
The only thing that was 'easy' about this was cloning the cards. The real problem was that some bank got hacked, account limits raised, safeguards removed, etc. I am guessing that wasn't 'easy' this time, and will be even harder from now on. The idea that this could happen 100s or thousands of times on this scale is ludicrous.
Re: (Score:2)
Nope, you're not insightful here. How on Earth would secure smart cards have helped? We're talking prepaid debit cards here. It's perfectly legal to distribute them. The nefarious folk would simply need to go to the country where their target bank was, buy some prepaid cards, ship them abroad, and only then launch the scheme. Magstripe-only cards have let them skip this step, but it's no big deal, really. They'd be in the hole for $1k or so to ship the cards around, and perhaps another couple $k to travel t
idiots already have been arrested (Score:5, Interesting)
one of them was found dead on April 27 in the Dominican Republic
eight have already been arrested
turns out the geniuses went shopping for rolexes and luxury cars with the cash
cash has serial numbers. everything is video taped. it was only a matter of time before the cops tracked them down
Re:idiots already have been arrested (Score:4, Interesting)
Quid Pro Quo (Score:2)
Re:Quid Pro Quo (Score:4, Informative)
I only wish these hoods got away with about $4.5B instead of a paltry $45M.
In that case they'd be playing golf with the president instead of being prosecuted. Their problem was thinking small.
Re: (Score:2)
the important part of the story was the last parag (Score:5, Interesting)
Re: (Score:2)
Great (Score:3)
Re: (Score:3)
Now all the bank has to do is ask the Fed for a zero interest $50 million loan and it's all good, like nothing happened.
I don't think they bother with a mere $50M loan. They probably write it off as a petty cash loss.
Re: (Score:2)
Re: (Score:2)
Um, you do understand that interbank loans in the U.S. are pretty much free? The current federal funds rate that the depository banks use to lend their fed deposits to each other is 0.25%, and the discount rate used to cover liquidity requirements is 0.75%.
Another Bad Headline (Score:2)
The ATMs themselves were not compromised.
The bank's computers were compromised and the limits on ATM withdrawals were removed from certain accounts.
Amateurs (Score:2)
A lousy $45M and a bunch of them were caught and will be prosecuted. Amateurs. The Best Way to Rob a Bank Is to Own One [google.com]. If these petty crooks had any brains, they'd at least have read the book.
Update: the book is a little dated because it's about the S&L crisis. Back then people were prosecuted for control fraud. Nowadays doing it on a big enough scale means you get to play golf with the president. $45M is skimming the petty cash.
Easy to hack into international banks (Score:5, Interesting)
Doesn't add up (Score:5, Insightful)
"In New York alone, eight people hit 2,904 ATMs in 10 hours, withdrawing $2.4 million."
OK, if they split up and worked individually, that means 363 ATMs per person in 10 hours, which is around 36 ATMs per person per hour. Each of those 8 people would have to average under 2 minutes per ATM over the course of 10 full hours without interruption. Even if you had a really well-planned route, that seems like an impossible pace.
That was summarized by an idiot. (Score:5, Informative)
http://www.justice.gov/usao/nye/pr/2013/2013may09.html [justice.gov]
Over the course of approximately 10 hours, casher cells in 24 countries executed approximately 36,000 transactions worldwide and withdrew about $40 million from ATMs. From 3 p.m. on February 19 through 1:26 a.m. on February 20, the defendants and their co-conspirators withdrew approximately $2.4 million in nearly 3,000 ATM withdrawals in the New York City area.
2904 withdrawals, not ATMs. About 10 hours, not EXACTLY 10 hours.
Also, it's 8 persons with 12 accounts per person. [nytimes.com] All they needed to cover was about 30 ATMs.
Which comes out to about 20 minutes per ATM, meaning that each TEAM (i.e. at least one to withdraw the money, one to drive the car and keep lookout) had about 8 minutes to get from one ATM to the next.
Good critical thinking on your part though. Just too much noise in the signal.
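An added example, not part of the original thread or any bank's code: the thread's point is that the per-account withdrawal limit stored in the issuer's database was itself altered, so a monitor has to keep its own ceilings rather than read that field. The sketch below applies a sliding-window velocity check to a constructed authorization log; the thresholds, account names and log format are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Ceilings held by the monitor itself, NOT read from the card database,
# so tampering with an account's stored limit does not raise them.
# Assumed values for a prepaid-card product, chosen for illustration.
WINDOW = timedelta(hours=1)
MAX_WITHDRAWALS = 5      # withdrawals per account per window
MAX_TOTAL = 2000         # currency units per account per window
MAX_COUNTRIES = 1        # distinct ATM countries per account per window

# Constructed sample log: time, account, ATM id, ATM country, amount.
SAMPLE_LOG = """\
2013-02-19T09:00:00,PREPAID-0002,ATM-A-07,US,200
2013-02-19T15:00:00,PREPAID-0001,ATM-A-01,US,800
2013-02-19T15:00:30,PREPAID-0003,ATM-A-02,US,100
2013-02-19T15:04:00,PREPAID-0001,ATM-A-03,US,800
2013-02-19T15:09:00,PREPAID-0001,ATM-A-04,US,800
2013-02-19T15:10:00,PREPAID-0001,ATM-B-11,JP,800
2013-02-19T15:20:00,PREPAID-0003,ATM-B-12,JP,100
2013-02-19T18:30:00,PREPAID-0002,ATM-A-07,US,100
"""


def parse_log(text):
    """Parse the CSV-style log into time-ordered event tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, account, atm, country, amount = line.split(",")
        events.append((datetime.fromisoformat(ts), account, atm,
                       country, int(amount)))
    return sorted(events)


def detect_cashout(events):
    """Return {account: (first_alert_time, [reasons])}.

    For every account a deque holds the withdrawals of the last WINDOW.
    An alert fires the first time any ceiling is exceeded, regardless of
    what limit the authorization host approved for the account.
    """
    windows = defaultdict(deque)
    alerts = {}
    for ts, account, atm, country, amount in events:
        win = windows[account]
        win.append((ts, atm, country, amount))
        # Drop withdrawals that have aged out of the window.
        while win and ts - win[0][0] > WINDOW:
            win.popleft()
        reasons = []
        if len(win) > MAX_WITHDRAWALS:
            reasons.append("count")
        if sum(e[3] for e in win) > MAX_TOTAL:
            reasons.append("amount")
        if len({e[2] for e in win}) > MAX_COUNTRIES:
            reasons.append("countries")
        if reasons and account not in alerts:
            alerts[account] = (ts, reasons)
    return alerts


if __name__ == "__main__":
    for acct, (when, why) in detect_cashout(parse_log(SAMPLE_LOG)).items():
        print(acct, when.isoformat(), ",".join(why))
```

PREPAID-0001 is flagged on its third withdrawal, before the fourth is dispensed, and PREPAID-0003 is flagged for appearing in two countries within the hour even though its amounts are small.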
Re: (Score:2)
I read that and had the same thought, and came up with the same math. Even in midtown Manhattan, that pace doesn't seem possible.
The other thing that bugged me about the story is that the whole scheme seemed to me to be too global and highly coordinated an effort for $45 million. Further, the leader of the NYC crew skips the country and takes a bullet to the head, a risk he took for $100,000 in cash out of $2.4 million stolen? OK, he was only 23 so maybe that seemed like a good deal to him, but then tha
Re: (Score:2)
If you are withdrawing from another bank, the ATM fee is typically $2. The banks were making out like bandits!
Hotel Key? (Score:2)
Others loaded that data onto any plastic card with a magnetic stripe — an old hotel key card or an expired credit card worked fine as long as it carried the account data and correct access codes
Magnets!
Is there anything they can't do?
But seriously, why is this of note? I'm pretty sure any magstrip carrying the right codes would work.
Re:Why wouldn't they work? (Score:4, Funny)
Welcome to Slashdot Summaries, where the grammar is bad and the content mostly random.
Re:Why wouldn't they work? (Score:5, Funny)
Re: (Score:2)
I think they are trying to emphasize that the thieves only needed to fool the machines with a card that could easily be detected by the average joe as fake. It's a pretty obvious fact. It's stupid news reporting. Local news does it all the time: "Woman who died choking on hot dog did not expect to die watching a baseball game, in fact none of us do either!"
Re: (Score:2)
Baseball? oh you mean that boring girls game ...
You were always the last to be picked, right?
Re:Why wouldn't they work? (Score:5, Informative)
Why wouldn't an Old Hotel card with a mag stripe work if it had the info the reader was expecting? I mean it's interesting that it worked, but why is that of note?
Because a lot of people don't understand that a mag strip is a mag strip, regardless of what piece of plastic it's connected to. There's an opportunity here to talk about how some types of chipped cards can prevent this type of easy duplication, but they missed it.
Re: (Score:2)
Actually, there are several varieties of magstrips that require different writers. They are all read compatible, though, which is what is important for this purpose.
Re:Why wouldn't they work? (Score:5, Funny)
If it's not of note, then why is it interesting?
Re: (Score:2)
If it wouldn't have worked, would it have been interesting?
Re: (Score:2)
If it wouldn't have worked, would it have been interesting?
actually, yes. maybe this will get visa/master in the usa to get globally chipped.
Re:honeypasswords? (Score:5, Interesting)
Since the cards were used to steal directly from the bank and they've got no place to chargeback to like they usually do to cover their losses due to their insecurity, I wonder if we'll finally see a sudden outbreak of security from the banks.
Re:honeypasswords? (Score:5, Interesting)
They already have huge losses from skimming to make them care about security, it was probably an inside job ... they usually are.
Re:honeypasswords? (Score:5, Insightful)
It comes down to which costs more: fixing the security problems, or losses due to security problems. My guess is that fixing the security problems would cost far more, so don't think anything is going to change.
Re: (Score:2)
Well, if they are prepaid cards then the financial entity which are the two banks are on the hook for the money. Visa or MasterCard have nothing to do with this other than maybe they routed the requests to the banks for authentication.
Re:Who pays? (Score:5, Insightful)
What I think AC is trying to say is that yes, the banks are on the hook for the funds. Having lost the money the banks will try to make up for it by raising fees and interest, so it all trickles back down to the consumer.
Re:Who pays? (Score:4, Interesting)
This is a direct hit to the bank's shareholders, or to their insurance.
Re: (Score:3)
Mostly true. It does change the calculus some. The risk of future events like this/mitigating those risk increase the cost of issuing the cards. Therefore, they may be willing to increase prices (slightly) and issue fewer cards (slightly) to re-maximize profits.
But yeah, this particular event is a one-time cost, so not going to change their pricing structure/desire for profit.
Although there's 3 other veins where the effect may be felt.
Re: (Score:3)
They don't generally say "Oh, we're making enough money"
Enter the concept of a credit union, stage left :)
Re: (Score:2)
It's good that's settled.
I'm glad I'll never see an increase in my banking fees or adjustments to interest rates ever again.
if you never switch banks based on those things, then it's likely they will rise.
Re: (Score:2)
Businesses don't just wait until they have some additional cost to pass on to their customers - they always charge as much as the traffic will bear. Thinking that any losses can always be passed on to consumers is a basic economic fallacy. It's part of a false argument against taxing corporations to claim that they somehow voluntarily keep their profits low to leave headroom so they can pass the additional tax on to the individual customers, so 'corporate taxes are always really individual taxation'. It's a
Re: (Score:2)
I think the point "as the traffic will bear" got a little buried.
Businesses charge fees based on a lot more than how many they can get paid. The core of any business is to get paying customers and if they lose them due to fees or even a perception that they're greedy, then a wise business will avoid the fees that cause the problem.
People decide all the time to switch who they are doing business with due to a perception of unfairness. Businesses absolutely do have to raise the prices they charge due to regul
Re: (Score:2)
I don't usually play grammer nazi, but the internally unpunctuated, run-on question you asked ended with the wrong punctuation as well. This is a bad enough series of grammer mistakes to be seriously difficult to understand. After that, there's a singular/plural disagreement, the socialist Germans (I thought that wall came down) are selling only oozed out bank data, and the one thing you did not actually do is digress. There's a great pile of other errors, enough that two things happened.
1. You failed to c
Re: Surely this sort of thing is better than Bitco (Score:2, Insightful)
The problem is that if Bitcoin takes off, banks will still treat it like regular currency. Once you make a deposit, the bank will add it to a pool, and withdrawals will come from that pool. Your account holdings will still be a decimal formatted number in a database somewhere.
Banks and creditors need a new transaction system built on cryptography, single use keys, and enhanced by Internet connectivity, to protect their customers. And they needed it yesterday.
Re: (Score:3, Informative)
Except that you don't need a bank just to keep your money in with bitcoin.
The money is stored in the transactions that are in the block chain and replicated everywhere.
You just need to store the private key that signed those transactions to be able to "spend" that money.
You don't need a bank, you just need to be able to store a few hundred bytes of data to prove the bitcoins are yours.
Re: (Score:2)
You don't need a bank, you just need to be able to store a few hundred bytes of data to prove the bitcoins are yours.
In many (most?) places, your home or person is more likely to be robbed than the bank, so it will be safer to keep your bitcoins in the bank - especially if the bank provides insurance against robbery. But that's really about checking account analogs.
People might well still choose to deposit bitcoins in a savings account that paid interest, and that's where fractional reserve banking comes from. Even if you don't need a checking account with bitcoins, checking account deposits are small in the scheme of th
Re: (Score:2)
Thieves can break into my house, or hack into my computer, and steal my Bitcoin wallet. Hell, I'll email it to you, if you want.
However, it is encrypted, and good luck with that.
Re: (Score:2)
How nice for you. If bitcoin were ever widely used, most people using it would be normal people. Thus, banks.
Re: (Score:2)
The problem is that if Bitcoin takes off, banks will still treat it like regular currency. Once you make a deposit, the bank will add it to a pool, and withdrawals will come from that pool. Your account holdings will still be a decimal formatted number in a database somewhere.
Not with Bitcoin. Sure, they could use a pool, but that wouldn't do them any good.
The reason for the pool is called Fractional reserve banking [wikipedia.org], and that's impossible to do with Bitcoin.
Re: (Score:3, Insightful)
Could you please explain how this is impossible with Bitcoin?
The banks were doing it back in the days of gold. They held a vault full of gold and kept an account of who owned what gold on a ledger. Then they lent out some of that gold, or rather, they lent out notes for gold which they still kept in the vault, in fact, they lent out more gold than they actually had in the vault. This works fine as long as the number of people withdrawing real gold from the vaults doesn't exceed deposits.
There is no reason t
Re: (Score:2)
There is absolutely no reason at all for banks to "store" the bitcoins. The block chain does the storage, and it's not only distributed storage, but also quite secure storage. Whoever holds bitcoins holds a part of what would be considered a bitcoin bank. If bitcoins were ubiquitous, there'd be no need for banks at all. Yeah, you could have lenders, but they wouldn't need to be banks at all.
Re: (Score:2)