Experts Marvel At How Cyberthieves Stole $45 Million | WAMU 88.5 - American University Radio


Experts Marvel At How Cyberthieves Stole $45 Million

With a haul of $45 million, it's being billed as possibly the biggest cyber-heist in history. But in reality, experts and authorities say, it was thousands of small but highly coordinated thefts.

As we reported on Thursday, federal prosecutors charged eight people with being just the New York cell of an operation that allegedly encompassed criminal cohorts in 26 countries.

The scheme, according to prosecutors, involved basically two parts:

First, hackers gained access to bank computers and downloaded prepaid debit card data while erasing their withdrawal limits.

Second, they passed the data to numerous "cashers" who cloned the cards and got to work withdrawing millions of dollars from ATMs.

Neither of those things by themselves is terribly unusual, but put them together and it's not quite so common, says Chuck Somers, vice president of core systems and ATM security at Diebold.

For instance, little more than a year ago, Visa and Mastercard were hacked, compromising up to 3 million accounts, Somers points out.

"It's quite possible that these hacks may have been inside jobs," says John Trobough, president of Narus, which handles cybersecurity for governments and commercial enterprises. It could be current or former employees, he says.

As for reproducing debit cards? It's just one component of so-called "skimming," in which devices are illegally attached to ATM card readers to record the information stored on the magnetic stripe. The cards are then duplicated.

"On a smaller scale, that's so common nowadays that it's barely newsworthy," Somers says.

"Most magnetic stripe cards can be converted to function as ATM cards because the format is an industry standard," says Trobough. "For example, you can use a hotel key as an ATM card if it is properly re-coded."

What's arguably more astounding than accomplishing both the hack and the cloning is the coordination and the apparent clockwork precision with which the operation was carried out once thieves had cloned the cards.

According to the federal indictment, on one occasion the eight individuals in the New York cell siphoned "at least $2.8 million from more than 750 ATMs in 2.5 hours."

Let's do the math: If all eight were working together, they would have had to hit "at least" one ATM every 96 seconds, averaging $2,333 per withdrawal.

Somers agrees it was well-coordinated. "Does it sound doable? I have no reason to doubt it could be done," he says.

Tom Cross, director of computer security research at Lancope, tells American Public Media's Marketplace that he was surprised by "the coordination of the cash-out network" — in other words, the people running from ATM to ATM.

In an even larger tranche of the master theft, cashers elsewhere (we don't know how many) used 12 card accounts with the withdrawal limits deactivated and got $40 million in 36,000 transactions over a 10-hour period.

More math: That's one withdrawal averaging $1,111 every 10 seconds.

In this second case, it seems fair to assume that many duplicate cards might have been used to speed up the process.

The New York Times reports:

"Surveillance photos of one suspect at various ATMs showed the man's backpack getting heavier and heavier, [U.S. attorney in Brooklyn Loretta] Lynch said, comparing the series of thefts to the caper at the center of the movie Ocean's Eleven."

So, one key to the crime was inadequate cybersecurity that allowed hackers to penetrate the back-end systems at banks. Better security protocols and more secure networks could solve that problem, experts agree.

"With increased employee oversight and stringent electronic monitoring within the bank, it would be more difficult for this type of theft to occur," says Narus' Trobough.

The second issue is the venerable magnetic stripe, a technology that Jim Pettitt, director of ATM security strategy and planning at Diebold, says has been around since the 1960s.

"Criminal organizations have exploited that pretty extensively and we've seen an upsurge of skimming since 2005," he says.

Encrypted chip technology is more secure. Europe has largely adopted it and the U.S. is "on the on-ramp," he says.

But don't expect that transition to come quickly; Pettitt says it could take a decade.

Copyright 2013 NPR. To see more, visit http://www.npr.org/.
