Experts Marvel At How Cyberthieves Stole $45 Million | WAMU 88.5 - American University Radio


With a haul of $45 million, it's being billed as possibly the biggest cyber-heist in history. But in reality, experts and authorities say, it was thousands of small but highly coordinated thefts.

As we reported on Thursday, federal prosecutors charged eight people with being just the New York cell of an operation that allegedly encompassed criminal cohorts in 26 countries.

The scheme, according to prosecutors, involved basically two parts:

First, hackers gained access to bank computers and downloaded prepaid debit card data while erasing their withdrawal limits.

Second, they passed the data to numerous "cashers" who cloned the cards and got to work withdrawing millions of dollars from ATMs.

Neither of those things by themselves is terribly unusual, but put them together and it's not quite so common, says Chuck Somers, vice president of core systems and ATM security at Diebold.

For instance, little more than a year ago, Visa and Mastercard were hacked, compromising up to 3 million accounts, Somers points out.

"It's quite possible that these hacks may have been inside jobs," says John Trobough, president of Narus, which handles cybersecurity for governments and commercial enterprises. It could be current or former employees, he says.

As for reproducing debit cards? It's just one component of so-called "skimming," in which devices are illegally attached to ATM card readers to record the information stored on the magnetic stripe. The cards are then duplicated.

"On a smaller scale, that's so common nowadays that it's barely newsworthy," Somers says.

"Most magnetic stripe cards can be converted to function as ATM cards because the format is an industry standard," says Trobough. "For example, you can use a hotel key as an ATM card if it is properly re-coded."

What's arguably more astounding than accomplishing both the hack and the cloning is the coordination and the apparent clockwork precision with which the operation was carried out once thieves had cloned the cards.

According to the federal indictment, on one occasion the eight individuals in the New York cell siphoned "at least $2.8 million from more than 750 ATMs in 2.5 hours."

Let's do the math: If all eight were working together, they would have had to hit "at least" one ATM every 96 seconds, averaging $2,333 per withdrawal.

Somers agrees it was well-coordinated. "Does it sound doable? I have no reason to doubt it could be done," he says.

Tom Cross, director of computer security research at Lancope, tells American Public Media's Marketplace that he was surprised by "the coordination of the cash-out network" — in other words, the people running from ATM to ATM.

In an even larger tranche of the master theft, cashers elsewhere (we don't know how many) used 12 card accounts with the withdrawal limits deactivated and got $40 million in 36,000 transactions over a 10-hour period.

More math: That's one withdrawal averaging $1,111 every 10 seconds.

In this second case, it seems fair to assume that many duplicate cards might have been used to speed up the process.
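As an added illustration (not part of the NPR report), the pattern described above, a handful of card accounts drained at many ATMs in rapid succession after their limits were erased, is what an issuer-side velocity rule kept separate from the card's own limit field is meant to catch. The log format, thresholds, and account and terminal names below are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed monitoring thresholds, enforced independently of the card's limit field.
WINDOW = timedelta(minutes=10)
MAX_ATMS = 3           # distinct terminals per account inside WINDOW
MAX_WITHDRAWALS = 5    # withdrawals per account inside WINDOW
MAX_CASH = 2000.00     # total cash per account inside WINDOW

# Constructed log lines: "timestamp account terminal amount"
SAMPLE = [
    "2013-01-01T09:00:00 PREPAID-01 ATM-A01 800.00",
    "2013-01-01T09:00:10 PREPAID-01 ATM-B07 800.00",
    "2013-01-01T09:00:20 PREPAID-01 ATM-C12 800.00",
    "2013-01-01T09:00:30 PREPAID-01 ATM-D03 800.00",
    "2013-01-01T09:05:00 PREPAID-77 ATM-A01 60.00",
    "2013-01-01T11:30:00 PREPAID-77 ATM-A01 40.00",
] + [f"2013-01-01T10:0{i}:00 PREPAID-02 ATM-E09 100.00" for i in range(6)]

def parse(line):
    """Split one constructed log line into typed fields."""
    ts, account, terminal, amount = line.split()
    return datetime.fromisoformat(ts), account, terminal, float(amount)

def flag_cashout(lines):
    """Return {account: set of rule names tripped} using a per-account sliding window."""
    recent = defaultdict(deque)   # account -> (ts, terminal, amount) inside WINDOW
    alerts = defaultdict(set)
    for ts, account, terminal, amount in sorted(map(parse, lines)):
        q = recent[account]
        q.append((ts, terminal, amount))
        while ts - q[0][0] > WINDOW:          # evict events older than the window
            q.popleft()
        if len({t for _, t, _ in q}) > MAX_ATMS:
            alerts[account].add("too_many_atms")
        if len(q) > MAX_WITHDRAWALS:
            alerts[account].add("too_many_withdrawals")
        if sum(a for _, _, a in q) > MAX_CASH:
            alerts[account].add("cash_ceiling")
    return dict(alerts)

if __name__ == "__main__":
    for account, rules in sorted(flag_cashout(SAMPLE).items()):
        print(account, sorted(rules))
```

The ordinary cardholder (PREPAID-77) stays under every threshold, while the account used at four terminals within 30 seconds trips both the terminal-count and cash-ceiling rules.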

The New York Times reports:

"Surveillance photos of one suspect at various ATMs showed the man's backpack getting heavier and heavier, [U.S. attorney in Brooklyn Loretta] Lynch said, comparing the series of thefts to the caper at the center of the movie Ocean's Eleven."

So, the keys to the crime were inadequate cybersecurity that allowed hackers to penetrate the back-end systems at banks. Better security protocols and more secure networks could solve that problem, experts agree.

"With increased employee oversight and stringent electronic monitoring within the bank, it would be more difficult for this type of theft to occur," says Narus' Trobough.

The second issue is the venerable magnetic stripe, a technology that Jim Pettitt, director of ATM security strategy and planning at Diebold, says has been around since the 1960s.

"Criminal organizations have exploited that pretty extensively and we've seen an upsurge of skimming since 2005," he says.

Encrypted chip technology is more secure. Europe has largely adopted it and the U.S. is "on the on-ramp," he says.

But don't expect that transition to come quickly; Pettitt says it could take a decade.

Copyright 2013 NPR. To see more, visit http://www.npr.org/.
