Experts Marvel At How Cyberthieves Stole $45 Million | WAMU 88.5 - American University Radio

Experts Marvel At How Cyberthieves Stole $45 Million

With a haul of $45 million, it's being billed as possibly the biggest cyber-heist in history. But in reality, experts and authorities say, it was thousands of small but highly coordinated thefts.

As we reported on Thursday, federal prosecutors charged eight people with being just the New York cell of an operation that allegedly encompassed criminal cohorts in 26 countries.

The scheme, according to prosecutors, involved basically two parts:

First, hackers gained access to bank computers and downloaded prepaid debit card data while erasing their withdrawal limits.

Second, they passed the data to numerous "cashers" who cloned the cards and got to work withdrawing millions of dollars from ATMs.

Neither of those things by themselves is terribly unusual, but put them together and it's not quite so common, says Chuck Somers, vice president of core systems and ATM security at Diebold.

For instance, little more than a year ago, Visa and Mastercard were hacked, compromising up to 3 million accounts, Somers points out.

"It's quite possible that these hacks may have been inside jobs," says John Trobough, president of Narus, which handles cybersecurity for governments and commercial enterprises. It could be current or former employees, he says.

As for reproducing debit cards? It's just one component of so-called "skimming," in which devices are illegally attached to ATM card readers to record the information stored on the magnetic stripe. The cards are then duplicated.

"On a smaller scale, that's so common nowadays that it's barely newsworthy," Somers says.

"Most magnetic stripe cards can be converted to function as ATM cards because the format is an industry standard," says Trobough. "For example, you can use a hotel key as an ATM card if it is properly re-coded."

What's arguably more astounding than accomplishing both the hack and the cloning is the coordination and the apparent clockwork precision with which the operation was carried out once thieves had cloned the cards.

According to the federal indictment, on one occasion the eight individuals in the New York cell siphoned "at least $2.8 million from more than 750 ATMs in 2.5 hours."

Let's do the math: If all eight were working together, they would have had to hit "at least" one ATM every 96 seconds, averaging $2,333 per withdrawal.

Somers agrees it was well-coordinated. "Does it sound doable? I have no reason to doubt it could be done," he says.

Tom Cross, director of computer security research at Lancope, tells American Public Media's Marketplace that he was surprised by "the coordination of the cash-out network" — in other words, the people running from ATM to ATM.

In an even larger tranche of the master theft, cashers elsewhere (we don't know how many) used 12 card accounts with the withdrawal limits deactivated and got $40 million in 36,000 transactions over a 10-hour period.

More math: That's one withdrawal averaging $1,111 every 10 seconds.

In this second case, it seems fair to assume that many duplicate cards might have been used to speed up the process.

The New York Times reports:

"Surveillance photos of one suspect at various ATMs showed the man's backpack getting heavier and heavier, [U.S. attorney in Brooklyn Loretta] Lynch said, comparing the series of thefts to the caper at the center of the movie Ocean's Eleven."

So, the first key to the crime was inadequate cybersecurity that allowed hackers to penetrate the back-end systems at banks. Better security protocols and more secure networks could solve that problem, experts agree.

"With increased employee oversight and stringent electronic monitoring within the bank, it would be more difficult for this type of theft to occur," says Narus' Trobough.

The second issue is the venerable magnetic stripe, a technology that Jim Pettitt, director of ATM security strategy and planning at Diebold, says has been around since the 1960s.

"Criminal organizations have exploited that pretty extensively and we've seen an upsurge of skimming since 2005," he says.

Encrypted chip technology is more secure. Europe has largely adopted it and the U.S. is "on the on-ramp," he says.

But don't expect that transition to come quickly; Pettitt says it could take a decade.

Copyright 2013 NPR. To see more, visit http://www.npr.org/.
