Experts Marvel At How Cyberthieves Stole $45 Million

With a haul of $45 million, it's being billed as possibly the biggest cyber-heist in history. But in reality, experts and authorities say, it was thousands of small but highly coordinated thefts.

As we reported on Thursday, federal prosecutors charged eight people with being just the New York cell of an operation that allegedly encompassed criminal cohorts in 26 countries.

The scheme, according to prosecutors, involved basically two parts:

First, hackers gained access to bank computers and downloaded prepaid debit card data while erasing their withdrawal limits.

Second, they passed the data to numerous "cashers" who cloned the cards and got to work withdrawing millions of dollars from ATMs.

Neither of those things by themselves is terribly unusual, but put them together and it's not quite so common, says Chuck Somers, vice president of core systems and ATM security at Diebold.

For instance, little more than a year ago, Visa and Mastercard were hacked, compromising up to 3 million accounts, Somers points out.

"It's quite possible that these hacks may have been inside jobs," says John Trobough, president of Narus, which handles cybersecurity for governments and commercial enterprises. It could be current or former employees, he says.

As for reproducing debit cards? It's just one component of so-called "skimming," in which devices are illegally attached to ATM card readers to record the information stored on the magnetic stripe. The cards are then duplicated.

"On a smaller scale, that's so common nowadays that it's barely newsworthy," Somers says.

"Most magnetic stripe cards can be converted to function as ATM cards because the format is an industry standard," says Trobough. "For example, you can use a hotel key as an ATM card if it is properly re-coded."

What's arguably more astounding than accomplishing both the hack and the cloning is the coordination and the apparent clockwork precision with which the operation was carried out once thieves had cloned the cards.

According to the federal indictment, on one occasion the eight individuals in the New York cell siphoned "at least $2.8 million from more than 750 ATMs in 2.5 hours."

Let's do the math: If all eight were working together, they would have had to hit "at least" one ATM every 96 seconds, averaging $2,333 per withdrawal.

Somers agrees it was well-coordinated. "Does it sound doable? I have no reason to doubt it could be done," he says.

Tom Cross, director of computer security research at Lancope, tells American Public Media's Marketplace that he was surprised by "the coordination of the cash-out network" — in other words, the people running from ATM to ATM.

In an even larger tranche of the master theft, cashers elsewhere (we don't know how many) used 12 card accounts with the withdrawal limits deactivated and got $40 million in 36,000 transactions over a 10-hour period.

More math: That's one withdrawal averaging $1,111 every 10 seconds.

In this second case, it seems fair to assume that many duplicate cards might have been used to speed up the process.

The New York Times reports:

"Surveillance photos of one suspect at various ATMs showed the man's backpack getting heavier and heavier, [U.S. attorney in Brooklyn Loretta] Lynch said, comparing the series of thefts to the caper at the center of the movie Ocean's Eleven."

So, the first key to the crime was inadequate cybersecurity that allowed hackers to penetrate the back-end systems at banks. Better security protocols and more secure networks could solve that problem, experts agree.

"With increased employee oversight and stringent electronic monitoring within the bank, it would be more difficult for this type of theft to occur," says Narus' Trobough.

The second issue is the venerable magnetic stripe, a technology that Jim Pettitt, director of ATM security strategy and planning at Diebold, says has been around since the 1960s.

"Criminal organizations have exploited that pretty extensively and we've seen an upsurge of skimming since 2005," he says.

Encrypted chip technology is more secure. Europe has largely adopted it and the U.S. is "on the on-ramp," he says.

But don't expect that transition to come quickly; Pettitt says it could take a decade.

Copyright 2013 NPR. To see more, visit http://www.npr.org/.
