> "With five account numbers in hand, the hackers distributed the information to individuals in 20 countries who then encoded the information on magnetic-stripe cards. On Dec. 21, the cashing crews made 4,500 A.T.M. transactions worldwide, stealing $5 million, according to the indictment."
If true, that's hilarious. Seriously, ATM reading magnetic stripes? What century are we, again? It seems I've traveled backwards in time. Either that, or it's a new Terminator movie plot.
I haven't seen a credit or debit card without a smartcard (which requires a PIN) in Brazil in more than a decade now. Not sure if it would have stopped this particular attack, as the magstripe readers are still there because of foreign credit cards. However, there are stricter restrictions on foreign money withdrawals which are enforced regardless of the originating bank.
If the US would switch to chip and pin then all those countries that already use chip and pin can turn off the magnetic strip by default. Right now they need to leave it on as the US is a common travel destination.
Chip and pin isn't 100% secure either but it would stop a large number of skimmers.
If you don't travel and you live in a country with chip and pin have your bank disable your magnetic stripe. Even if someone were to skim your card the bank will not authorize a transaction via magnetic stripe.
Chip and pin pushes more burden onto the consumer. I am well protected now with mag stripe - why would I want to place more of a burden on myself to keep a PIN safe when the law currently protects me for unauthorized charges?
Indeed. As a US resident I have never had a chip and pin style card. Every merchant around fully accepts magstripe only, and PIN needed for cash withdrawals.
You have to get a specialized "foreign traveler" credit card. My coworker got one from BoA since we work for a Montreal based company and travel up a few times a year.
Not quite. Chip and PIN adds an additional layer of security (PIN verification upon payment, verified against a secure chip) that is much, much more difficult to duplicate because the internals aren't known. Magnetic stripes are open to everyone.
It's not just the cost of the new cards -- all the payment terminals would have to be upgraded as well. AFAIK, unless you're in a major international city (NYC, Washington DC, SF) the terminals in the stores & restaurants don't know what to do with a chip-only card.
Some older ATMs in the Pacific use only magnetic stripes (e.g. New Zealand). I am from Europe and my bank calls me each time I use an ATM because they have to follow security rules (cash withdrawal at a low-level security ATM in an exotic location).
I could not locate a copy of the actual indictment, so if somebody could find a link to it I would appreciate it.
I was curious as to how they were caught. That they only caught the runners (the guys going to the ATMs with cards) and not the group leaders or the hackers suggests they were caught via traditional ID methods via ATM cameras[1], mobile phone or car license plates.
The other evidence to support this theory is that the runners in other countries were not arrested or charged at the same time. If law enforcement took these guys down from the top, you'd think they would be able to also ID the runners in other countries.
Instead, only the group of runners organized around New York were caught - 8 people, out of a group that would number at least 50 or more.
I also don't understand the money laundering charge. The defendants deposited $150k in $20 bills into a Miami bank and then used the account to buy a car. That isn't doing a very good job of hiding the source of funds, if that is what their intention was.
Seems very amateur and unworthy of a professional criminal organization - more likely it was the proceeds of a cut that one of the runners got.
[1] During the Boston Marathon Bombing manhunt the Feds released pictures that were taken from an ATM showing Suspect #2 (later identified as Dzhokhar Tsarnaev):
From the pictures you can see that ATMs take a photo when the user is approaching and while they are using the ATM (the first picture seems to be triggered by the door being opened). The quality is surprisingly good.
I'm surprised it's not 1080p or similar quality yet. That technology is so cheap these days; I'm sure it'll be a few more years before all security cams are recording in HD as the norm.
And just a few days ago people were discussing how ATMs prefer to just give you money and overdraw an account rather than deny you cash when you go overdrawn. I guess this is the result? Systems that are only synced once an (hour? day?) provide a window to let thieves do a coordinated hit on different network partitions.
The article says they hacked into the bank that owns those debit card numbers. It doesn't matter how often the thing talks to the bank to check the balance and withdrawal limit if you've hacked the bank computer.
> In the first robbery, hackers were able to infiltrate the system of an unnamed Indian credit-card processing company that handles Visa and MasterCard prepaid debit cards.
> The hackers – who are not named in the indictment – proceeded to raise the withdrawal limits on prepaid MasterCard debit accounts issued by the National Bank of Ras Al-Khaimah, also known as RAKBANK, which is in United Arab Emirates.
Right - but there is a difference between the "Withdrawal limit" and the "Account Balance" - Just because you have a $50mm withdrawal limit, doesn't mean you have a $50mm account balance.
Not sure why delackner is getting downvoted. Clearly these debit cards did not have $45M on them, so this certainly sounds like they managed to overdraw the accounts (by a massive factor).
Probably because the article specifically states that the hackers increased the withdrawal limits on the cards they used. There is no indication that a delay in data syncing was the cause of the problem.
From an engineering point of view, the mere fact that these people were able to withdraw millions of dollars from five accounts in multiple locations simultaneously is just absurd. Even if these guys had direct access to the database to be able to change the withdrawal limits and balances of the cards, any engineer with half a brain in charge of designing their back end would create a separate system that monitors transactions and does both security and reality checks.
Same card being used within seconds at two locations 5 miles apart? Probably something funny going on. "Deposits" of millions of dollars on a single pre-paid card in a day? Might be unusual.
These banks deserve to lose every dime they have to lose if they are this stupid, or are hiring such inept IT people.
I think you forget that the payment systems are designed to tolerate failure and still work. For instance, you may be able to use your credit card at a store even if their phone line or internet connection breaks down.
So it's possible to scam the system, but the banks probably figure that they would lose more money in lost transaction fees by implementing a 100% secure, ACID-compliant 2-phase commit payment protocol, than by keeping the current best effort authorization + batch processing system in place.
The transaction is stored, and forwarded later. It's a variant on the Card Number + Impression that used to be commonplace 20 years ago, and Card Number + CCV that is still commonplace in locations with intermittent/no connectivity.
The prime example of this being done electronically is on planes, they have been accepting credit cards a large number of years before connectivity was possible.
Any merchant that would release goods or services without an approval code exposes themselves to a loss. Of course it's possible for a merchant to store the card information and post it later, but it's far from a good idea.
The ATMs can be configured for both cases. If the ATM is in a well-trafficked area, with a (normally!) low degree of crime, the bank may set it for high-availability vs. hard-transactional to avoid inconveniencing their customers.
Don't forget that the banks make their money from ATMs off the transaction fees, so if a foreign customer's bank is unreachable at that moment, they may still take a chance and give them their money (plus charge them the $4).
Most larger chains have a limit up to which they'll accept that risk. For obvious reasons what those limits actually are is very closely held information.
Well, at least where I live I've encountered this a few times. The payment terminal shows "connecting" for some time, and eventually prints out an extra receipt that I have to sign (whereas usually entering the PIN is sufficient). Can you tell me what goes on in that case?
IT codes according to what the business wants. If the business folks don't want it after someone brings up such things because it would cost more money and take away resources from another project, it's not going to get done, and you'll see this kind of stuff.
Banks must hire among the most inept IT people of any industry. Every time I log into PNC, I literally switch tabs and try and "do something else" for at least a minute, because that's how long it takes their Virtual Wallet bullshit to load. At least, that's what the site says it's doing. Loading. Only they have "HTML5" emblazoned in huge letters on the page, for some unknown reason, which inevitably makes me wonder what the fuck is taking so long then. Let me guess, your SOAP requests are 3 miles long. Uphill. Through the snow.
In my country there's a foreign worker scam that allows Indian companies to fly in the worst IT staff complete with fake resumes and pays them $6/hr for a year to screw up their website with dozens of SSL certs and slow security theatre that pretends to do something but is just a little flash to watch while you wait forever to load their junk software.
Major banks here all made at least a trillion in profit last year but couldn't be arsed to pay for legit IT staff. Now we all suffer paying tax dollars to track down all these thieves who easily fraud their faces off with the terribad security and poor code quality.
I work for a financial institution. This problem is due to complete ignorance of banks on best security practices.
Their global ATM lacks simple velocity checks. Such can never be made in real-time as data has to be aggregated globally to detect the total money flows from certain financial institutions, but given the manual handling of ATM withdrawals, a minute delay would be acceptable.
Simply sum all withdrawals, not per card number, but per financial institution (per BIC-code), and measure the money flowing out per time unit. If it exceeds a multiple of X times the average for what's normal on that day, raise an alarm to investigate manually.
Such velocity checks would never work if only looking at withdrawals in a single ATM, and would still not be good enough if they measured all withdrawals across all of a single bank's ATMs, as there are so many banks.
Banks need to cooperate in developing a global anti-fraud system. Unfortunately they still use COBOL and don't lose enough money on these things to find the motivation to do it.
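The per-institution velocity check described in the comment above, as an added example that is not part of the original thread or any bank's system. It sums outflow per issuer BIC over a sliding window and raises one alarm when that sum exceeds a multiple of the issuer's normal figure; the class and function names, the BIC-like placeholders, the baselines, the multiple of 5 and the one-hour window are all assumptions made for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Withdrawal:
    ts: int        # seconds since start of day
    issuer: str    # BIC of the card-issuing institution
    card: str      # tokenised card reference, never a real card number
    amount: int    # whole currency units, already converted to one currency


@dataclass(frozen=True)
class Alarm:
    issuer: str
    ts: int
    outflow: int   # sum withdrawn from this issuer inside the window
    limit: float   # multiple * baseline that was exceeded


class IssuerVelocityMonitor:
    """Sliding-window outflow per issuer, compared against X times normal."""

    def __init__(self, baseline, multiple=5.0, window_s=3600, default_baseline=1000):
        self.baseline = baseline              # issuer -> normal outflow per window
        self.multiple = multiple              # the "X" from the comment
        self.window_s = window_s
        self.default_baseline = default_baseline  # used for issuers never seen before
        self._events = defaultdict(deque)     # issuer -> deque of (ts, amount)
        self._outflow = defaultdict(int)      # issuer -> running window sum
        self._latched = set()                 # issuers already under investigation

    def observe(self, w):
        """Feed one withdrawal; return an Alarm the first time a limit is crossed."""
        q = self._events[w.issuer]
        q.append((w.ts, w.amount))
        self._outflow[w.issuer] += w.amount
        # Drop events that have left the window (the newest event always stays).
        while q[0][0] <= w.ts - self.window_s:
            self._outflow[w.issuer] -= q.popleft()[1]

        limit = self.multiple * self.baseline.get(w.issuer, self.default_baseline)
        outflow = self._outflow[w.issuer]
        if outflow <= limit:
            self._latched.discard(w.issuer)   # back to normal: re-arm the alarm
            return None
        if w.issuer in self._latched:
            return None                       # one alarm per incident, not per event
        self._latched.add(w.issuer)
        return Alarm(w.issuer, w.ts, outflow, limit)


def scan(events, monitor):
    """Replay events in time order and collect the alarms raised."""
    ordered = sorted(events, key=lambda w: w.ts)
    return [a for w in ordered if (a := monitor.observe(w))]


def constructed_events():
    """Constructed sample data: one ordinary issuer, one issuer being drained."""
    events = []
    # Ordinary issuer: 60 different cards, one withdrawal of 100 per minute.
    for i in range(60):
        events.append(Withdrawal(i * 60, "AAAAXXAA", f"a{i}", 100))
    # Drained issuer: only 5 cards, 500 every 5 seconds from many ATMs at once.
    for i in range(200):
        events.append(Withdrawal(1800 + i * 5, "BBBBXXBB", f"b{i % 5}", 500))
    return events


if __name__ == "__main__":
    monitor = IssuerVelocityMonitor({"AAAAXXAA": 6000, "BBBBXXBB": 2000})
    for alarm in scan(constructed_events(), monitor):
        print(f"{alarm.issuer}: {alarm.outflow} out in window at t={alarm.ts}s, "
              f"limit {alarm.limit:.0f} -> investigate manually")
```

No single withdrawal in the constructed burst is larger than 500, so a per-transaction or per-card limit that has been raised would pass every one of them; only the issuer-level sum stands out.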
It makes me peeved when these reports omit the names of the parties that were compromised in the intent of "protecting" their name. If I was a customer of one of the banks that got broken into, I think it would be my right to know that they're insecure so that I could put my money elsewhere.
It's even more infuriating when your bank tells you a vendor you did business with was compromised and they refuse to tell you who. And it gets worse when they issue you a brand new credit card with a new number because of the un-named compromised vendor. But rest assured dear customer, your old number will still function...
I've done a bit of digging and if you look at the RAKBANK prepaid portal [0] you can see the service is powered by ECS which is based in India [1], with offices in the US, UAE and Singapore.
Not sure about the other one, the bank of Muscat site is a bit crap, didn't find mention of the processor in the T&Cs or description of the cards [2].
More importantly electraCard is certified PCI compliant by Control Case [0]. I think, this is the primary reason electraCard's name is not on the news; it has been certified secure by the payment industry standard [1]. Either Control Case failed to perform audit properly or the hackers had some serious skills.
The point is that it isn't supposed to be the news to report it. Your bank should let you know, and let you know what they are doing to prevent it in the future, etc. Otherwise everyone would be up in arms over something that may have been out of their bank's control.
I am at a loss as to why the news supposed to report it? That is part and parcel of investigative journalism.
It may be because the vulnerabilities still exist and they don't want the general public to know about it. Yet this rings hollow as the bad guys still know about it.
Looks like it was "debit accounts issued by the National Bank of Ras Al-Khaimah" and "cards issued by the Bank of Muscat in Oman" - not the ATM owners.
The credit card companies are making billions in profit. One way of increasing the profit is by using 40 year old technology like magnetic strips instead of upgrading the hardware. 45 million may sound like much, but it's much cheaper than ensuring that every credit card reader in the world only uses chip readers.
I am sure that the crew here at HN could come up with 50 better solutions to security than the magnetic strip and a string of numbers.
I thought that little SIM chip in my Visa Debit card from my Credit Union here in the States was just for show until I was forced to use it everywhere I went in Vancouver, Canada.
I guess they've either been stung enough by fraud up there that they switched over from stripes, or they're just a bit more forward thinking than we are.
BTW, Visa and MC are rolling out EMV smart cards in the US by 2015. Presumably they have preferred to invest in server-side anti-fraud up to this point.
I wish that my bank would let me set a message to pop up whenever withdrawals over a certain amount (or percentage) are made. If we can't be secure, I'd at least like my would-be-account-ruiners to know "LOL STUDENT ACCT". What would be even better is if every time I accessed an ATM it would snap a photo (so many are all recording video anyway) and put it into my account mailbox to view the same way I view checks. That way I could track my facial expression over time as I watch my account go from $XXXX to $XX every time the rent is paid and chart it along with other personal metrics. On the off chance that someone does steal my card/pin/... at least I would be able to take a moment shaming them in Photoshop out of... grief?
---
This actually got me thinking about a relatively straight-forward way to make ATMs more secure. Many ATMs have cameras and are, presumably, recording each time someone makes a transaction. I don't know exactly how the system works, but here's what I think:
- People who use ATMs should pretty much expect to be recorded in some fashion for security purposes, even if it's just a camera in the corner of the room.
- By using an ATM most people, even the privacy-conscious, would agree to this amount of surveillance. If not, they are welcome to visit their bank during regular business hours, in a ski mask if they prefer, or better yet use the inside of their mattresses instead.
- Adding a camera to a device, particularly one like an ATM, is trivial to implement and should only make a slight difference in cost.
- This camera could also be sensitive to infrared or other bands in order to defeat the ski-mask (thieving) or eye-patch/bandage (handicapped or disfigured) crowds.
- The software could be made such that it only proceeds with certain actions IFF it recognizes that the camera is not being blocked, that it recognizes a face, and that the face is not being spoofed by a Polaroid or something silly.
- ATMs are networked and should be capable of uploading medium resolution photos. Assuming reasonable policies could be maintained, the photo could be sent over the wire directly to your card-issuing institution and then routed to you, perhaps with a 7-days-til-self-destruct mechanism. Obviously you could archive these if you wanted, but the point is that banks/credit companies would treat it the same as security footage, i.e. data glut that's only useful while it's fresh.
- As soon as you are made aware of some sort of fraud, you can simply report the transaction, with identifying snap, to the bank (who will hand it over to authorities).
I'll leave the potential problems of this system to your imaginations, but it seems to me like a fairly easy to adopt solution to small, regular ATM theft. Obviously a coordinated attack could perhaps find some sort of exploit, but maybe it could deter the small-timers enough to be worth it.
EDIT: I am aware that this doesn't solve any of the particulars in the article, but I still think it's "on topic" since we all like tech, and ATMs are tech :)
Off the top of my head, I can think of several ways in which your scheme can go wrong:
- A camera in the corner of the room is vastly different in its surveillance capacities as a camera in front of your face.
- People are not used to seeing cameras in front of them at an ATM, only on the wall behind them. In fact, a camera attached to the front of an ATM could very well be part of a skimming device.
- Banks are always looking for a way to hold you responsible for their fuckups. For example, it can be more difficult to dispute a debit card transaction if your PIN was used. Your bank can and will use the photo evidence against you in the same manner, unless you can prove beyond a doubt that it wasn't you.
- ATMs are networked, but not necessarily with high-bandwidth connections.
- The "authorities" can and will archive those photos and use them for questionable purposes. You're deluding yourself if you think those photos will self-destruct.
At my credit union, every ATM has a camera built in right above the screen. Same with the Chase ATMs I used when I banked with Chase. Perhaps I am used to this because I only use branded ATMs (aka, Chase ATMs or 5/3 ATMS etc).
- In my opinion, a corner cam is most useful for deterring break-ins and "the bank", whereas an ATM cam is only useful as a fraud prevention measure. Both advantageous to a bank but in different ways.
- Cameras are already on every bank ATM I've used in recent years. Usually, they are on the other side of a two-way mirror. It's no secret what's behind it, but I'm sure they get a really nice shot of anyone who wants to check their lipstick in it really quick. That being said, I've also seen plenty in the delis around that have a very blatant camera installed directly above the screen.
- When do you foresee this being a real issue? I agree that it would be very difficult to fight, but isn't that the point? If someone manages to spoof your card, your pin, and your face all at the same time that seems like a much different problem (like a hostage...) than simple fraud. I'm having trouble envisioning how such a system could work directly against you in the way that you suggest.
- True. Then again, compression technology is such that even an ATM on a dial-up modem could probably upload a useful snap by the time you could finish a transaction. I do think it's reasonable to expect that if the system were to be implemented that in a few years time all ATMs could be running on decent connections. Even if you count the few real backcountry areas with ATMs, it's a small issue.
- The rest of my comment will address your last point so that it's a little more readable, and because I think it's the most important to address.
First, if you believe this to be the case, then it's already too late. Your face is already in their databases doing perhaps all kinds of more interesting things than depositing your paycheck. This falls back to the issue of if you don't trust anyone, don't depend on anyone which ultimately leads to non-participation being the best bet for avoidance, or over-participation in order to blend in. You should probably worry much more about what the "authorities" are doing with your candid shots on facebook, your friends' facebook, or whatever than the pic snapped of you while you withdraw $40 for an evening on the town.
The most obvious line of defense is, like the whole gun database ordeal, to stipulate that no government body may keep a record of this data beyond its expiration date and even then, only by the institution to which it is served unless directed otherwise by a warrant. If you're worried about your bank doing dirty things to your image, you might want to stop banking since they already have a copy of every other relevant bit of identifying data. If you're worried about the police, then you should be worried about the NSA. If you're worried about the NSA, good. Let me know once you've found a nice hiding space, I'll bring some board games. I don't expect we'll have much internet access.
You'd be right if you said that the stipulation would mean nothing to those interested in gathering that information, but the point is really just to prevent them from using that information in any way that's detectable.
When I say self-destruct, what I mean is the bank's copy. They have no reason to keep it, but sure, maybe the government does. But again, if that's the case then I'm sure they would have had a backdoor to the live feed of all those existing ATM cameras anyway.
---
Sorry if that was a bit rambling, but I hope you get the gist. We share some of the same concerns but in my opinion, it's already game over unless we can bring more information into the equation. That data is already out there. Your photo is already on the ATM and every security cam you walked past to get there. The best thing you can do is to have a copy of that information yourself because right now you know less than they do, and that's how you lose.
1) They used prepaid cards so your account wouldn't have been affected. They did it intentionally so that they wouldn't hit account limits.
2) The vast majority of ATMs have cameras. I would guess (only a guess) that all of the locations they hit had cameras to pull the max amount of cash.
3) If they didn't have cameras in the ATM, there were certainly cameras nearby. Likely the mistake they made was covering their face, but using a vehicle (since they had to hit a lot fast) with a mask on and some other camera got their plates.
But..., your idea of using not just visible light has merit and I hope someone figures out how to implement it.
> I wish that my bank would let me set a message to pop up whenever withdrawals over a certain amount (or percentage) are made.
ING Direct does exactly this!
I get an email (text messages possible too) every time I make a purchase over a certain amount that I've chosen. You can set the limit as low as $1 if you really wanted to, so you can be notified of literally every single debit card purchase.
This forward thinking is one of the many benefits (no fees EVER being another) I've enjoyed and why I love banking with them.
Online banking is definitely the future, or at least will grow to be a much larger part of it.
I actually meant a message popping up on the ATM screen, sort of like a vacation-away responder but for people with bad spending habits.
The functionality you're talking about is obviously much more useful :) I'll have to check and see if my bank has this function, as I probably would not have set it when I opened my account and have yet to receive anything like it. My girlfriend's bank sends her a message when her account is under a certain amount and flat out denies withdrawals over that same amount (i.e. notifies when under $500, can't withdraw more than $500/mo regardless).
Simple alerts via their iPhone application of every debit card transaction made - showing the place's name, and a location on a map at the same time.
Because there is no cut off, other than turning off notifications, this sounds like it could be annoying. But in practice, it’s just nice, and gives you a sense of security.
And when looking back over transactions at the end of the month - the maps are dang handy for jogging my memory…
> And when looking back over transactions at the end of the month - the maps are dang handy for jogging my memory...
Whenever I get an email from ING about a transaction or deposit (one that isn't totally obvious) I do this:
Click "Forward".
Delete all text/images.
Write a few words about the purchase or deposit.
And send it to myself.
That way I can look back in Gmail at any time and know EXACTLY what I spent that money on. This is helpful because sometimes knowing WHERE I spent money doesn't tell me anything about what I actually purchased.
For example, I have a Debit Card Purchase of $10 at Farhad Monadjeem. What in the HECK is that???? Oh, that's actually the car wash at Mobil; the owner's name I suppose. This system is also great for online purchases, so I don't have to login to various websites to see what item(s) I purchased; it's all in my email.
PNC lets you setup alerts via text or email for a wide variety of options: balance over / under a limit, overdraft, check bounce, overdraft autotransfer, ATM withdrawal, check payment, or preauth payment over / under a limit, and a bunch of security-related things like login / profile changes.
Right now I only use the direct deposit alert so I know when I've been paid and the security alerts.
There was a case a few years ago in Australia where someone realized that their (foreign-issued) card would always authorize, but that the debit would never hit their account.
They had a field day (or months). Police estimated that the person had withdrawn up to $2M from ATMs.
But people are greedy - faced with a machine that effectively gave free cash, as much as desired - how was this person caught? A gambling spree (go figure - where's the real allure in "winning" when you can "win" at any ATM?) - on a losing streak, he couldn't be bothered to spread his withdrawals amongst multiple ATMs at or around the casino, and in one night emptied an ATM (approximately $100,000), which tipped off the bank, that had only filled it that morning. Some cross referencing, and it was all over.
Scarily, the bank noted that until then, there was "nothing that had been flagged in their system" alerting to a problem with this person/account.
If the ATM is verifying that the face belongs to an account holder, there's little worry of someone unauthorized accessing it. Use two cameras to get a real 3D biometric, they'd need a lifelike model of your head to access your account.
Wtf - 3000 ATM withdrawals in the same card and no alarms go off? Presumably there is a "ignore flags flag" they set too!
So this just reminds me of the Microsoft paper a few months back - the problem is not robbing the electronic bits, the problem is getting them out of the financial system.
In the traditional bank transfer they need a money mule stupid enough to transfer to a Russian bank. In this one the people with the (inside) knowledge to uncap 12 cards needed to find 100 guys walking up to atms, plus their supervisors and contacts.
So it seems either you can rob a bank but need an idiot to help you get it out the country, or you can rob a bank and need a guy who happily sends hooded killers round to your place.
Can someone explain to me how they were able to withdraw so much money with only a few prepaid accounts? I'm assuming that even though the prepaid accounts had a small balance, ATM machines let them withdraw as much as they wanted??
This is just one of many cashout crews at the bottom of the crime pyramid that got caught. The masterminds are probably in Russia/Ukraine and won't be extradited so long as they aren't stupid enough to go to a country on vacation that has an extradition treaty with the US, or they will find themselves getting kidnapped by feds to stand trial in the US, for a Middle East bank heist, because the USA polices the world and your taxpayers cover the millions it will cost in flights and court fees/investigation.
Even though this is really sad from an IT point of view, I kind of like that there are people who always force IT to be better and better.
PS: I personally think that human-made systems will never be absolutely secure anyway.
What impresses me most about this is just how incredibly well it was orchestrated, especially considering the number of moving parts and participants. Some top-notch project management there.
The people who should suffer and eat this loss are the people responsible for letting it happen. Sadly, this will not happen, and the loss will be socialized (and profits capitalized) across the entire people through the form of raised insurance rate policies.
It's the system of insurance that is broken, not the fact that dumb corporations are doing stupid things and losing other people's money.
Socialism doesn't work in any system that you implement it in. When you separate the consequences from the actor, the rational actors will behave in a maximally self-interested way and screw everyone else. When all do this, the nation falls back 100 years. Not remedied, the nation falls back 1000 years.
He means the bank should take responsibility and chalk up the stolen cash as their loss. What's more likely to happen though is that the bank will pass the cost of the loss on to customers (in the form of increased prices).
Well of course they're going to raise prices. They're a business. This isn't happy fairy land; their cost of doing business went up, so their prices will have to go up. If businesses didn't increase their prices to match an increase in cost of goods sold, they'd quickly go out of business.
NO. This is where you're wrong. This is a business; their goal is to get money: ALL the money, at all times. If they could raise prices and make more money, they would have done it already. They're not sitting on their laurels saying "We have enough money!" only to be shaken from complacency and driven to change their price schedule because of an unexpected expense.
This money comes straight out of their value as a business. It is a loss to the shareholders.
Wouldn't that necessarily force them to raise prices or cut payments or leave them with less money to lend? I mean, it has to come from somewhere, right?
Yeah, the money has to come from somewhere. But the point is, the loss could've been mitigated by making better decisions. The bank has less incentive to change their behaviour when the customer will ultimately cover the cost of their mistake.
Say for example there was a regulation that said banks couldn't increase fees because of theft (as a thought exercise, not a practical suggestion). The 45 million loss would directly affect their profits. Let's pretend this happened on a yearly basis on average, it makes good business sense to spend 20 million a year on security to prevent it happening.
If they can lose 45 million a year but know they can recuperate 30 million by making the customer cover the cost of losses, it becomes cheaper to charge the customer than invest in security.