Coordinated, Global ATM Heist Nets $13 Million

Soulskill posted about 3 years ago | from the get-rich-really-really-quick-schemes dept.

Security 122

An anonymous reader writes "An international cybercrime gang stole $13 million from a Florida-based financial institution earlier this year, by executing a highly-coordinated heist in which thieves used ATMs around the globe to cash out stolen prepaid debit cards. 'Prepaid cards usually limit the amounts that cardholders can withdraw from a cash machine within a 24 hour period. Apparently, the crooks were able to drastically increase or eliminate the withdrawal limits for 22 prepaid cards that they had obtained. The fraudsters then cloned the prepaid cards, and distributed them to co-conspirators in several major cities across Europe, Russia and Ukraine.' The attack is eerily similar to the 2008 attack on RBS WorldPay that stole $9.4M. The men who pleaded guilty to the RBS attack were arrested and charged in Russia, but were later given only probation."

I thought that was a LOT of forklifts (1, Funny)

Cryacin (657549) | about 3 years ago | (#37221762)

When I first read the headline, I thought they meant heist as in leaving a hole in the wall. Would have been much more spectacular.

Cybercrime gang? (-1)

Anonymous Coward | about 3 years ago | (#37221782)

Enough with the "cyber" shit.

Sounds like we're not getting the whole story (0)

Anonymous Coward | about 3 years ago | (#37221788)

Most institutions carefully monitor their cash outflows. There's something else to this.

Re:Sounds like we're not getting the whole story (0)

Anonymous Coward | about 3 years ago | (#37222180)

Agreed. Posting as AC because I work for a financial institution, but everything is monitored, watched, controlled and observed.

We don't fuck around with things like ATMs where there isn't an employee standing in between a person and money.

Re:Sounds like we're not getting the whole story (0)

Anonymous Coward | about 3 years ago | (#37222550)

We don't fuck around with things like ATMs where there isn't an employee standing in between a person and money.

Yeah. Sure you do, Sparky. That would explain why this can't happen: What ATM skimmers look like [reddit.com]

Re:Sounds like we're not getting the whole story (1)

treeves (963993) | about 3 years ago | (#37223760)

But ATM skimmers steal from the bank's other customers. This story is about stealing directly from the bank. Slightly different situation.

Re:Sounds like we're not getting the whole story (1)

sjames (1099) | about 3 years ago | (#37222398)

Nope, that's it. They waited until the bank was closed to pull their dirty tricks. On Monday morning, the bank auditors performed their careful monitoring of their cash outflows and found a 13 million dollar problem in the form of a bunch of deposits on the electronic books that were not backed by actual money.

Re:Sounds like we're not getting the whole story (2)

babtras (629678) | about 3 years ago | (#37222596)

That's why these attacks are coordinated across multiple cities. Pull as much money out as you can before the anomaly is investigated and stopped.
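An added illustration of the monitoring side of this pattern (not part of the thread, and not any bank's actual system): a small issuer-side monitor that keeps its own 24-hour ceilings outside the card database, so a per-card limit that has been raised in the database does not silence it. All thresholds, card labels, cities, and the sample events are constructed assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)
PRODUCT_MAX_LIMIT = 500    # assumed: highest daily limit the card product ever allows
HARD_CEILING = 1_000       # assumed: per-card 24h cash ceiling, held outside the card DB
MAX_CITIES = 2             # assumed: distinct cities tolerated per card per window
PORTFOLIO_CEILING = 5_000  # assumed: total prepaid ATM cash tolerated per window


@dataclass(frozen=True)
class Withdrawal:
    ts: datetime
    card: str
    city: str
    amount: int
    card_limit: int  # daily limit read from the card record at authorization time


class CashOutMonitor:
    """Rolling-window checks that do not trust the limit stored with the card."""

    def __init__(self):
        self.per_card = defaultdict(deque)
        self.portfolio = deque()

    @staticmethod
    def _expire(events, now):
        # Drop events that have aged out of the 24-hour window.
        while events and now - events[0].ts >= WINDOW:
            events.popleft()

    def observe(self, w):
        card_events = self.per_card[w.card]
        self._expire(card_events, w.ts)
        self._expire(self.portfolio, w.ts)
        card_events.append(w)
        self.portfolio.append(w)

        alerts = []
        if w.card_limit > PRODUCT_MAX_LIMIT:
            alerts.append("LIMIT_TAMPERED")   # stored limit is outside product rules
        if sum(e.amount for e in card_events) > HARD_CEILING:
            alerts.append("CARD_CEILING")     # too much cash on one card in 24h
        if len({e.city for e in card_events}) > MAX_CITIES:
            alerts.append("GEO_SPREAD")       # same card used in many cities
        if sum(e.amount for e in self.portfolio) > PORTFOLIO_CEILING:
            alerts.append("PORTFOLIO_SPIKE")  # whole card program is draining
        return alerts


def run(events):
    """Feed events in time order; return (timestamp, card, alerts) for flagged ones."""
    monitor = CashOutMonitor()
    flagged = []
    for w in sorted(events, key=lambda e: e.ts):
        alerts = monitor.observe(w)
        if alerts:
            flagged.append((w.ts, w.card, alerts))
    return flagged


# Constructed sample data: one ordinary card and two cards whose stored limit was raised.
T0 = datetime(2011, 1, 1, 22, 0)
SAMPLE = [
    Withdrawal(T0, "card-A", "Tampa", 200, 300),
    Withdrawal(T0 + timedelta(minutes=30), "card-A", "Tampa", 100, 300),
    Withdrawal(T0 + timedelta(minutes=60), "card-B", "Athens", 800, 50_000),
    Withdrawal(T0 + timedelta(minutes=70), "card-B", "Kyiv", 800, 50_000),
    Withdrawal(T0 + timedelta(minutes=80), "card-B", "Moscow", 800, 50_000),
    Withdrawal(T0 + timedelta(minutes=90), "card-C", "London", 2_500, 50_000),
    Withdrawal(T0 + timedelta(hours=25), "card-A", "Tampa", 200, 300),
]

if __name__ == "__main__":
    for ts, card, alerts in run(SAMPLE):
        print(ts.isoformat(), card, ",".join(alerts))
```

The ordinary card never alerts, including on its withdrawal 25 hours later, because earlier events have aged out of the window by then.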

Justice (0)

Anonymous Coward | about 3 years ago | (#37221798)

later given only probation?

Sounds like $9.4M leaves a lot of money for bribes, and the bribes are already in place for organized crime in most of those jurisdictions anyway.

Russian hackers attacking the US are heroes (1)

GodfatherofSoul (174979) | about 3 years ago | (#37221816)

Over there at least.

Re:Russian hackers attacking the US are heroes (0)

Anonymous Coward | about 3 years ago | (#37221846)

I believe you are thinking of Nigeria.

The cold war ended ~20 years ago. Only a few are stuck in that mindset.

Re:Russian hackers attacking the US are heroes (2)

MetalliQaZ (539913) | about 3 years ago | (#37221858)

Like if an American kid were to hack China?

Re:Russian hackers attacking the US are heroes (0, Troll)

Anonymous Coward | about 3 years ago | (#37221930)

Like if an American kid were to hack Iran?

FTFY

Re:Russian hackers attacking the US are heroes (1)

frank_adrian314159 (469671) | about 3 years ago | (#37223032)

You don't bite the hand that lends to you...

Re:Russian hackers attacking the US are heroes (1)

Darinbob (1142669) | about 3 years ago | (#37221980)

No, they're considered heroes if they hack Estonia.

Re:Russian hackers attacking the US are heroes (0)

Anonymous Coward | about 3 years ago | (#37222648)

There are still people around who could hack ENIAC clones?

Re:Russian hackers attacking the US are heroes (0)

Anonymous Coward | about 3 years ago | (#37222022)

I don't think so, however corruption is probably still a problem there, so it would not surprise me too much if some money got them a lighter sentence.

So (0)

Anonymous Coward | about 3 years ago | (#37221844)

Does this mean the "available balance" is duplicated and kept on nodes throughout the world, and synced with the central database only from time to time?

That's what I got from the summary, and it sounds incredibly stupid of a bank or whoever hands out these cards to do it that way.

Re:So (2, Insightful)

Anonymus (2267354) | about 3 years ago | (#37221866)

Yeah. I wouldn't go so far as to say they deserve it, since nobody really deserves to have stuff stolen from them, but if that's how they were set up, someone had to have known this would happen.

Re:So (1)

bioster (2042418) | about 3 years ago | (#37222060)

Well, I read the article and it mentions that the attackers were able to reload a card. So they basically just kept reloading the cards and taking money out. The bit about the withdrawal limits was simply so that they could withdraw as much as possible before the banks caught on.

Re:So (1)

pakar (813627) | about 3 years ago | (#37222114)

I know that I have withdrawn too much on my card when visiting another continent.. Forgot to transfer some funds but was able to withdraw about 500EUR more than actually in the account... So maybe the visa/mastercard etc just have a flag saying "this card is not over the limit" and then syncing this with the bank from time to time...

Irritating to get an overdraw fee when you have money sitting on the next account...

Re:So (1)

jank1887 (815982) | about 3 years ago | (#37222408)

hey, the money in the next account is probably pulling a different interest rate. that rate is based on the bank's expected availability of the money for lending to other people. if you wanted that money more readily available for yourself, and less available to the bank for lending, then you should have put it in that account and taken the lesser interest rate for the benefit. you can't expect to have both. so they hit you for it.

Re:So (1)

pakar (813627) | about 3 years ago | (#37223562)

Actually that account is just a transfer-account without any interest at all... It's just an account I get my salary on before I pay the bills and manage where to put my money...

Re:So (0)

Anonymous Coward | about 3 years ago | (#37222158)

Not sure if that was exploited here, but I've exploited that in the past on my own account. I had a max $200/day ATM withdraw limit. I just rode around town to a bunch of ATMs and took $200 from each.

I also had one issue once where I did a "check my balance" at an ATM owned by my bank in the same office that was my main branch (and was the main branch for Bank One in Columbus Ohio). It said I had money. So I took out money, then went and bought a soda and chips at a gas station, and got gas separate, and got dinner elsewhere. I got hit with an overdraft fee for every one of those, 'cause some checks had cleared earlier that day, but they hadn't updated the balance in the ATM. I had a big shitstorm argument with the branch manager (who told me I should always keep at least $5000 in my account anyway - that's what she does - this to a college kid with very little money). I got them to give back all but one of the fees, but it was BS. Immediately following those transactions, I also had a deposit of my payroll check, so it wasn't like I wouldn't have the money there - it was 100% an issue with their balance checking from the ATM, which I was told will lag 2-4 days behind the actual balance.

So, I don't know if the DB is necessarily distributed, but they're not all using the most up to date data - or at least they weren't back then (late 90's).

Re:So (1)

gnarfel (1135055) | about 3 years ago | (#37222194)

Depends on the size of your institution. The one I work at uses live, current balances. Then again, we're a not-for-profit credit union, so we actually care about our members and their accounts. (And we don't make a profit, we give it back at the end of the year as a nice random deposit into your savings, divided by the total number of members.)

Re:So (1)

Coren22 (1625475) | about 3 years ago | (#37222434)

I would drop that bank...sounds like a bad bank if they can't even keep the digital balance up to date. My credit union is awesome.

Re:So (2)

dissy (172727) | about 3 years ago | (#37222814)

I would drop that bank...sounds like a bad bank if they can't even keep the digital balance up to date. My credit union is awesome.

I'm not the AC, but I too am in Columbus and have had dealings with Bank One.
They really are that bad.

I only used them for about a year (admittedly a little over 10 years ago) but had all the same problems with 23 hour delays on updating your online balance (As in on their website online balance!) ATM balances were fairly delayed too, though only a couple hours.

I had a similar problem as the anon GP. I was 17 and in college, just lost my crappy job at the local computer store's stock room not two weeks before classes started, and was basically only eating every three days or so due to lack of funds.
One day I decided screw it, I'll write a check for groceries and just deal with the check-bounce fee later once classes started back up and I had my student loan leftover money. Turns out Bank One didn't charge $60 per NSF like they say, it's $60 PER DAY until you bring your account positive.
That was the most expensive $40 grocery check I ever wrote, coming up to over $700.

I spent a few days trying to close my account out, which of course they wouldn't allow while it was negative so it could keep adding fees until it was enough to send to collections.
Ironically, they never did send me to collections. They called to bug me about it for a few months and eventually gave up and wrote it off. It's not on my credit report or anything.
I think they know such things are not legal and just try to scare people into paying for that crap.

Long story short, Bank One was horrible, and from what I hear is still almost as bad.

Re:So (0)

jank1887 (815982) | about 3 years ago | (#37222458)

wait, so you had an outstanding check you weren't sure had cleared or not, and you took the amount available at face value? maybe that check could have cleared the minute after you checked your balance before buying the soda. that scenario would have you fully liable for the fees. account balance, available funds, and unobligated funds are very different things. they really need to teach basic finance in high school. If you don't do everything with immediate transactions, if you write checks as obligations for future drafts, you can't use an account balance as a statement of funds available for use. you already promised some of that money to someone else. it's that simple.

Re:So (1)

Anonymous Coward | about 3 years ago | (#37222540)

I have had something similar happen to me.

I had some charge, (it was a subscription to WoW I think, back when I used to play it), that automatically went through. It was sent as a credit transaction though. So it went onto my account, then disappeared for two days. Then, two days later, it came out of my account, and sure enough, any transaction that was smaller was run after, and I was charged $700 in fees for $34 in overage.

The main issue was that the online system which did NOT have any kind of disclaimer on it about the accuracy of the account total at the time told me that the account had $X in it, which was wrong.

In the end, I told the bank that I was not asking them, I was telling them that they were going to reverse those charges, or I would spend the $700 they were charging me to file a small-claims action against them since I had by almost pure coincidence all the paper records to prove what had happened. They reversed all of the charges, I closed the account, and I told them I never wanted anything to do with their institution again, and if they attempted to contact me again, my response would be to waste as much of their employees' time as possible.

Interestingly, eventually they did try and contact me to get me back as a customer. I held good on my promise and spent a while explaining to this "account specialist" what had happened. Even more interestingly, he spent the entire time trying to convince me that I just wasn't a very good customer, but they were willing to forgive me my sins if I returned and signed a document saying they could charge me overage charges in the manner they had.

I told him he was a sad excuse for a human being if the level of mindlessness he had sunk to for employment was to convince other people that it was morally wrong for them to not allow a giant banking corporation to steal from them, and that if he had any humanity left in him at all, he should really examine what it was he was doing with his life.

Re:So (2)

NormalVisual (565491) | about 3 years ago | (#37223486)

This brings up an interesting topic - why is it that banks don't/won't show a persistent record of the authorizations against credit/debit cards on your monthly statement? I can see the authorizations when they're active, but as soon as they time out, they're gone from my online statement and never show up anywhere else. It would certainly be nice to be able to easily reconcile authorizations against the actual charges without having to do a lot of extra record-keeping.

every-24-hour coordination (5, Interesting)

Iamthecheese (1264298) | about 3 years ago | (#37221864)

Many banking systems only talk to each other in nightly batches. It's mostly done that way because that's the way it's always been done, and to save money on entirely new systems. The every-24-hours style is less secure, slow, and inefficient. This is 2011 and there's no real excuse for it.

Re:every-24-hour coordination (2)

roman_mir (125474) | about 3 years ago | (#37222016)

I used to do some work for Symcor, AFAIK that's how Canadian banks work.

It's crazy, I am building my own retail systems right now, the data exchange between the office systems and the stores are batched (because the Internet connection can and does go down sometimes), but when the networks are up, the data is synchronized a few times an hour, we can safely synchronize every 10 minutes. Of course that's only 15 stores right now, but the difficulties are somewhat similar - while you are synchronizing, you have to lock the records that are being updated/deleted/inserted and you still have to have enough performance to serve multiple simultaneous reports to office workers and to suppliers and to store directors. It's a hard problem really, not as easy as it seems, even in 2011, but it's doable. Of course banks just don't do it that way and when they decide to go ahead and try, they'll go through a similar set of issues that I had to deal with (record or table locks via multiple running requests, data consistency, etc.)

Re:every-24-hour coordination (1)

pakar (813627) | about 3 years ago | (#37222168)

hmm... bank sends -> allow to withdraw up to X amount when the balance is changed. Visa sends amount X withdrawn to bank when card has been used.. If the network connection is down (at the store or something) then the charges are just buffered until it becomes available again...

Don't think it will be a big problem since they are just simple messages that can be queued at the bank or at visa depending on their server load... If they want to take less risks then just add more server-capacity to handle the total load..

Re:every-24-hour coordination (2)

roman_mir (125474) | about 3 years ago | (#37222272)

No, you didn't get my point. The data comes flooding into the center, it will lock all of the records that are updated (hopefully just records and not entire tables.) There will be not a single moment in time that there will be no updates coming into the banks, unless there is some form of absolute synchronization (possible), but even then, if you synchronize with the center say every 1 hour, that means that once an hour every bank, every buffer that there is out there will send data into the center.

IF (that's a big if) the center is only used to collect data and for nothing else, that may be OK. If (and that's the case) the data in the center is constantly used for various transactions, not just printing and check clearing (like what we did in Symcor), but for all sorts of transactions, then those transactions may be blocked by the incoming data.

If you ask me what kinds of transactions do centers like that handle? I'll tell you exactly, because I was an architect on a number of projects like that. You can download your check images, statements on line, this data is not sitting in every bank! This data is requested from the center (again, I am talking about Symcor) and it is then served to the requester through a number of proxies. The data may not be immediately available (not even sitting on a hard drive,) but there are pretty cool robot storage facilities, with robotic hands spinning around on vertical poles, going up and down, grabbing disks or other types of storage (tape) and bringing them to readers and plugging them in and moving them around, all based on near-real-time requests, this depends on the SLA. Though I worked on it 2001-2004, maybe it's different today, but even if it is different, data needs to be synchronized across multiple storage systems, some are on line, some are not, etc., and it's because some are used for real time or near real time requests.

It is just not a simple problem, it really is entire infrastructures and ecologies of systems that were built around the principle mainframes, and in many systems (all?) it is assumed, that data comes in at night.

The expense to switch from that to a more real time system will be horrendous.

Re:every-24-hour coordination (1)

baegucb (18706) | about 3 years ago | (#37223650)

When I worked for CIBC in the 70s, in a regional data center, checks came in via messenger 3 or 4 times a day. 99% of the checks were internal to CIBC and there was always a rush to separate other banks' checks. Then the checks would be read in by an IBM 1419 and processed by the IBM mainframe. Cash dispensing machines were done by batch too, similar to how checks were processed. We were told that the penalty for not getting other banks' checks back to them on the same day incurred a penalty equal to the face value of the checks. Not too difficult, since there were so few bank chains back then (I haven't lived in Canada in a long while)..

Re:every-24-hour coordination (1)

roman_mir (125474) | about 3 years ago | (#37223996)

Actually I don't know about this moment in time, but back when I worked for Symcor it didn't process CIBC. It processed RBC, TD and BMO, in fact they spawned the company and outsourced check processing and statement printing to them. But the checks are processed at night.

Re:every-24-hour coordination (1)

gl4ss (559668) | about 3 years ago | (#37222826)

you don't have live checking of balance for debit cards? how would your system have detected to reject these cards?

(fun fact, visa electron, i think known as maestro in more countries but it's "visa electron" here, often when roaming only checks that there's _some_ money on the account, not that there's enough for the withdrawal, I think it's because it's just hacked on top of the regular visa processing, they're quite effectively the same thing as credit card visa, only that you're supposed to only use them electronically - thus it's possible to over draw accounts you weren't supposed to be possible to overdraw... so imagine someone stealing more money from you than what you have, "haha").

anyhow, around here in finland, despite the local banking cartels effective cartel on card processing, you can get quite easily as a business mobile terminals that you can do card charges with and they're checked live(all kebabs, bars, etc places have them, they don't need to check bank cards live but debit cards yes).

Re:every-24-hour coordination (1)

roman_mir (125474) | about 3 years ago | (#37222928)

There are on-line and off-line debit cards. In Canada the on-line transactions are handled by Interac. It is a central system.

But this story is about pre-paid cards. Apparently data about purchases from these cards is synchronized in batches at night.

Re:every-24-hour coordination (1)

jonbryce (703250) | about 3 years ago | (#37223280)

Maestro is the Mastercard equivalent of Visa Debit.

Re:every-24-hour coordination (1)

Normal Dan (1053064) | about 3 years ago | (#37222040)

But if you think about it from a business standpoint, implementing a system like that would cost far more than $13 million.

Re:every-24-hour coordination (1)

roman_mir (125474) | about 3 years ago | (#37222096)

Oh, definitely. It will be in hundreds of millions, possibly more. Just the hardware upgrades will be in billions probably. The problem is that banks normally close at night, so synchronization does not really have to take into account that there are multiple live transactions going at the same time, so for example it's possible to lock an entire table to do updates (and it's mostly done that way). Imagine having to figure out all of the problems related to frequent synchronization and thus insane performance degradation if they even just switch from table to record locks. That's not going to be enough, they'll have to do much more than that, they'll have to redesign the way transactions work altogether. It's going to be fun, I had to do this for a retail system that I build to do frequent synchronization between all the sale points and center while serving all sorts of reports and requests. But banks are a much bigger problem than just a small store chain.

Re:every-24-hour coordination (1)

pakar (813627) | about 3 years ago | (#37222226)

But if you think about it from a business standpoint it would probably cost less to implement than $365 Million for Canada

http://www.rcmp-grc.gc.ca/scams-fraudes/cc-fraud-fraude-eng.htm [rcmp-grc.gc.ca]

And the current batch-based systems could still be used for this... just smaller chunks...

Re:every-24-hour coordination (1)

roman_mir (125474) | about 3 years ago | (#37222454)

Don't forget that there is insurance that banks buy for this as well. Of course from POV of insurance companies it would be a good thing for banks to do, to minimize any sort of vector of attack, so if banks wanted to pay less insurance premiums, they could invest, but likely it would be much more than just a few hundred million dollars.

Think about this: a tiny project in a bank costs maybe around 250K. That's small time peanuts, and that's software only.

Now think about this: there are thousands of systems in operation in banks. Every system will have to be at the very minimum reviewed for potential impact of such a gigantic paradigm shift. So say it takes 100K to review a project on average. So that's 100K X thousands of projects to be reviewed.

Hundreds of millions, if not billions will be spent on reviews. Then there will be a huge architectural undertaking. Then the hardware, links, software will have to be actually built. Then there will be a transition period, with small steps taken, some parts of systems will be transitioned (while the old systems will all be running exactly as they were). There will be doubling of the impacted systems.

I guarantee that most systems that are impacted will have to be doubled. The old will continue operating and the new will come on line to start transitioning with a tiny test.

This is not going to be 365Million. We are literally talking about tens of billions. And when you take into account that there are multiple centers, not all banks are connected into the same systems, it's going to be in hundreds of billions.

Re:every-24-hour coordination (1)

pakar (813627) | about 3 years ago | (#37223622)

So a normal withdrawal that is linked directly into the account could not be used?? I can see a withdrawal within a few minutes later on my account... If I withdraw an amount from any ATM here I can see that the amount has been withdrawn from the account from any other ATM (different banks) ... Seems a bit strange to not reuse existing infrastructure that already handles this type of thing...

I think there is a more hidden agenda about wanting delays, and that is that they are making big bucks on those that overcharge their account because they forgot to transfer funds into the account...

Also about insurance... X banks pay Y amount of money... X*Y must be smaller than the total amount the insurance-company takes in, and probably quite a bit more for them to want to take the risk...

Re:every-24-hour coordination (1)

roman_mir (125474) | about 3 years ago | (#37224018)

I am not talking about synchronizing only the withdrawals, that is actually done by Interac in Canada. I am talking about synchronizing all account data. But in case of the pre-paid debit cards the data can be waiting anywhere in the world, it's collected at night from whatever local branches and buffers.

Re:every-24-hour coordination (1)

sjames (1099) | about 3 years ago | (#37222426)

But it would only cost that once.

Re:every-24-hour coordination (1)

avandesande (143899) | about 3 years ago | (#37223040)

Ever had to wait a day before your money was available to your credit card even if the money was deposited? It's not that big of a deal but the entire system is riddled with inefficiencies due to these batch jobs.
 

Re:every-24-hour coordination (0)

Anonymous Coward | about 3 years ago | (#37222062)

They don't need an excuse - they're the banks. And from what we've seen over the couple of years, they're the ones who are really in charge.

Also, it's not just these cards, it's also the debit cards that suck. True story:

Woman gets her debit card stolen. Crooks use it as a credit card. Woman reports fraud and bank gets her money back after a couple of weeks after their "investigation".

She then asks about all the late fees and penalties that were charged to her because automatic payments that hit her account bounced. Banks said that was her problem - tough shit. $800+ in bogus fees and penalties. I think she filed a complaint with the OCC and got some sort of resolution.

The banks are evil cocksuckers and the politicians who give them a free ride should go to a special Hell where they see their children slowly die of cancer.

Re:every-24-hour coordination (1)

MWoody (222806) | about 3 years ago | (#37222208)

Wait, so how does an ATM that only synchronizes once a day know that I just put in the right pin number? Does every ATM on the planet download a list of every ATM card and PIN in existence?

I'm not trying to be sarcastic or glib, I'm just trying to understand how the system you describe could function.

Re:every-24-hour coordination (0)

Anonymous Coward | about 3 years ago | (#37222260)

The PIN is stored on the card.

Re:every-24-hour coordination (1)

garyebickford (222422) | about 3 years ago | (#37222342)

Well, no worries there. The PIN is perfectly safe there, no doubt. |>_|

Re:every-24-hour coordination (2)

babtras (629678) | about 3 years ago | (#37222436)

Not any more it isn't. WAY back in the past, there was a PIN "Offset" stored on the card, which relies on an ATM having the correct "PIN Verification Key" from the financial institution to validate. However, that's no longer the case. If you look at the track 2 data on any card today, the numbers in the offset field are either random or '0000'.

Re:every-24-hour coordination (1)

toadlife (301863) | about 3 years ago | (#37222474)

The PIN is stored on the card.

As a hash, I hope.

Re:every-24-hour coordination (1)

_0xd0ad (1974778) | about 3 years ago | (#37222782)

There are only 10,000 possible PINs. Hashing isn't going to help much.

Re:every-24-hour coordination (2)

jonbryce (703250) | about 3 years ago | (#37223324)

It is a challenge response system that operates on the card itself. For example, my bank supplies a card reader for online transactions. I enter the pin and an 8 digit number supplied by the bank at the time of the transaction, and get an 8 digit number back which I enter on the website to authenticate the transaction. The card reader will tell me if I have entered the right pin or not, but after 3 incorrect attempts, the chip on the card gets locked, and I have to take the card to the bank to unlock it.

Re:every-24-hour coordination (0)

Anonymous Coward | about 3 years ago | (#37222286)

The PIN entered is verified against the PIN stored on the card.

Re:every-24-hour coordination (0)

Anonymous Coward | about 3 years ago | (#37222318)

The PIN is encoded on the card's mag strip. Not the PIN itself, though. If you read the mag strip, it would not show your actual PIN. The ATM knows how to decode it.

Re:every-24-hour coordination (0)

Anonymous Coward | about 3 years ago | (#37222604)

The ATMs work in realtime. It's the ACH (automated clearing house) that operates overnight usually. There are multiple levels the transactions must go thru, but generally speaking the banks have a record of the transaction within minutes.

Re:every-24-hour coordination (1)

babtras (629678) | about 3 years ago | (#37222314)

To clarify, transactions are mostly authorized in realtime by the bank that issued the card (*some* credit card transactions can be done "offline" but not normally at an ATM unless there's a network problem). The nightly batches are settlement processes where the bank actually pays the ATM owner for the cash they gave to the bank's customer. Authorization happens in realtime, money shuffling between financial institutions happens at night.

Re:every-24-hour coordination (1)

Solandri (704621) | about 3 years ago | (#37222954)

Heaven forbid they use the money from ATM fees to actually improve the ATM network, rather than pocketing it as pure profit.

Re:every-24-hour coordination (1)

madhatter256 (443326) | about 3 years ago | (#37223044)

The banks that were affected were SunTrust.... which is the most poorly secured bank in Florida, at least...

Re:every-24-hour coordination (1)

Eil (82413) | about 3 years ago | (#37223906)

Many banking systems only talk to each-other in nightly batches. It's mostly done that way because that's the way it's always been done, and to save money on entirely new systems. The every-24-hours style is less secure, slow, and inefficient. This is 2011 and there's no real excuse for it.

(Disclaimer: I used to work in financial I.T. But don't worry, I got better.)

At the end of the banking day, the backend systems of every decent-sized financial institution begin churning through the day's data to settle transactions, adjust accounts, produce reports, and exchange information with other institutions. This is called running cycle. Some parts of cycle are kicked off automatically when a certain condition is met (e.g., it's 18:00 or a file suddenly appears in a magic directory), other parts are started manually by the datacenter operators. Depending on the volume of data to be dealt with, cycle can take anywhere from a couple hours to halfway through the night. End-of-month cycle can take an entire weekend. If you're (to pick a non-random example) a Unix admin and something you did to one of the boxes crashes a job and holds up cycle, you get a phone call no matter how late/early it is.

Cycle can't be run during the day for a number of reasons, none of which are simply tradition. The biggest one is that in the middle of the business day, there are lots of accounts and databases which are open and being actively used in real-time by other systems and users. Trying to run heavy reporting or transaction jobs on that data all day long just for the sake of staying up-to-the-minute is highly wasteful in terms of system resources alone. You'd be putting extra load on a production server with extremely expensive downtime (as in, millions-of-dollars-per-minute downtime) and drastically lowering the system response time for users who are entering or retrieving data from it. It's far better to shift that load to the evening when the business is closed for the day, downtime is much cheaper, and there's more time available to fix the tough problems.

A good analogy would be this: running cycle in the middle of the day is like running fsck on your desktop system with all of the filesystems mounted and also while you are trying to use it for important work. Now, there are plenty of real-time data reporting systems where possible and where it makes sense. But for the most part, the consumers of the data (customers, accountants, managers, actuaries, and other software) are perfectly able to do their jobs with the previous day's data.

Maybe one day humans will do away with the concept of business hours. Or perhaps we'll develop software that can affordably process petabytes of raw financial data in the blink of an eye. Until then, we're stuck with a daily after-hours cycle.

Honesty (4, Insightful)

Anonymous Coward | about 3 years ago | (#37221886)

"The attack is eerily similar to the 2008 attack on RBS WorldPay that stole $9.4M. The men who pleaded guilty to the RBS attack were arrested and charged in Russia, but were later given only probation."

Would you try to steal $9.4M by nonviolent means if you knew that the penalty for being caught was probation? Be honest.

Re:Honesty (1)

Anonymous Coward | about 3 years ago | (#37221920)

Naturally not.

(Ask me again when I know how)

Re:Honesty (4, Funny)

scorp1us (235526) | about 3 years ago | (#37221988)

It's still more honest than members of congress. At least with the heist, you know you're getting robbed.

In America, the government robs you then sends you the bill.

Re:Honesty (1)

jdgeorge (18767) | about 3 years ago | (#37222210)

Amusing, but this is the same as every other country with a functional government.

Re:Honesty (3, Funny)

mr1911 (1942298) | about 3 years ago | (#37222374)

You imply the United States has a functional government.

Amusing, but this is the same as every other country with a dysfunctional government.

FTFY

Re:Honesty (0)

Anonymous Coward | about 3 years ago | (#37223918)

[Insert canned reply from Usenet about the government does many things that people never notice in their everyday life, then they go online to FoxNews.com to complain about how the government is ruining their life]

Re:Honesty (0)

Anonymous Coward | about 3 years ago | (#37223136)

Oddly enough, I wouldn't, but I'm hopelessly honest.

cities across Europe, Russia and Ukraine (1)

Iamthecheese (1264298) | about 3 years ago | (#37221888)

In soviet Russia, bribes pay you!

Re:cities across Europe, Russia and Ukraine (0)

Anonymous Coward | about 3 years ago | (#37221918)

In Soviet Russia, Slashdot is not read

Re:cities across Europe, Russia and Ukraine (0)

Anonymous Coward | about 3 years ago | (#37222002)

> In soviet Russia, brides pay you!

Great! Where do I sign up!?

acceptable to Machiavelli if (1)

magsk (1316183) | about 3 years ago | (#37221948)

plan a heist of Russian and former Soviet bloc countries' banks and financial institutions. So they realize the real damage caused by letting these people off lightly. IMHO Russia now takes enjoyment out of these hits, since they see it as a way to inflict damage on the west by way of proxy. Need a global effort to eliminate such criminals.

Re:acceptable to Machiavelli if (1)

garyebickford (222422) | about 3 years ago | (#37222358)

Except that if they catch you, they won't bother with a trial. They'll torture you, then shoot you and your entire family. Like other organized crime groups in the good old days.

Eliminate such criminals? (1)

BrianMarshall (704425) | about 3 years ago | (#37222422)

"Need a global effort to eliminate such criminals."

There is no way to eliminate "such criminals". There will always be criminals and some will try this sort of thing if it is possible.

The attack was against one financial institution in the US. The financial institutions could change to make this sort of crime harder or maybe even impossible to pull off. But, as other posters have pointed out, this would cost orders of magnitude more than $13 million. Eventually, it will be worth it.

But to even try to "eliminate such criminals", what can be done? Off hand, I would imagine that the only way would be to try to detect the conspiracy before the crime happened. The only way to do this would be to massively increase the degree of government surveillance. IMHO, this "cure" (to the extent it helped at all) would be worse than the disease.

Not cybercrime (1)

billcopc (196330) | about 3 years ago | (#37221976)

Did the attack take place over the internet ? Or was an android used to execute the attacks ? No ? Then it is NOT cybercrime. It's not cyber-anything!

This was a meatspace attack, the kind any 12 year old can perform with a card cloner - you know, a small, simple electronic device consisting of about $15 worth of components and a few hundred bytes of PIC code. I figure all they did was run the same cards simultaneously at different ATMs, exploiting a probably very huge gaping race condition in the bank's software. More importantly, I wouldn't be surprised if many other banks were also vulnerable to this type of attack, with no intentions to fix it. The only reason we don't hear about it more often is because most of us in the western world don't have dozens of sketchy friends with the nerves to coordinate this sort of attack yet still remain trustworthy. We also tend to have more to lose from getting caught, than the few thousand dollars gained in a successful attack. Is it worth risking a criminal record and incarceration for the sake of a year's salary ? For most of us the answer is no. We aren't criminals, not because we're "good people", but because it is simply not worth the risk. If the take were larger by an order of magnitude, you'll find allegedly honest people are suddenly far more interested in taking that risk.

Re:Not cybercrime (1)

PeanutButterBreath (1224570) | about 3 years ago | (#37222038)

Hence, "cyber".

Re:Not cybercrime - edited (1)

PeanutButterBreath (1224570) | about 3 years ago | (#37222050)

> exploiting a probably very huge gaping race condition in the bank's software. . .

hence "cyber".

Re:Not cybercrime (0)

Anonymous Coward | about 3 years ago | (#37222054)

> Did the attack take place over the internet ? Or was an android used to execute the attacks ? No ? Then it is NOT cybercrime. It's not cyber-anything!

Exactly! They may as well call it a trousercrime - on the assumption that the participants wore trousers at some point during the planning or execution of this lulzy jape.

Re:Not cybercrime (1)

Baloroth (2370816) | about 3 years ago | (#37222076)

> If the take were larger by an order of magnitude, you'll find allegedly honest people are suddenly far more interested in taking that risk.

And you'd find the hole being plugged very quickly. This sort of attack is rather tricky to pull off (you need someone to physically be at each ATM, meaning hundreds or possibly thousands of people), and that coupled with the fact that most ATMs have cameras makes this security hole fairly minor ($13 mil sounds like a lot, but to a large bank it's pretty much pocket change. With lots of people involved it would give fairly mediocre payouts).

Also, if you read TFA it sounds like they actually reloaded the cards using direct access to the bank's card system, so I'm guessing this really was a cyber-attack in addition to the meatspace one.

Re:Not cybercrime (1)

AdamThor (995520) | about 3 years ago | (#37222302)

> ($13 mil sounds like a lot, but to a large bank it's pretty much pocket change. With lots of people involved it would give fairly mediocre payouts)

The profitable part isn't standing there, withdrawing (say) $200... The profitable part is selling the chance to withdraw $200 for $100 through your organized crime network to a few hundred people. "load this track on your card-cloner, use this bank network and this pin, withdraw $200 between 8:00 pm and 8:15 pm on this date." Then you get to make a chunk of change, and also gather a retinue of hacker-thugs who consider you to be "THE BOSS" that provides a payout to feed your criminal mastermind ambitions.

Re:Not cybercrime (2)

colesw (951825) | about 3 years ago | (#37222082)

I know reading the article means I'm new and all, but it was based on both meatspace and cyber.
"Armed with unauthorized access to FIS's card platform, the crooks were able to reload the cards remotely when the cash withdrawals brought their balances close to zero."
This was coordinated between people at the ATM and to someone on the FIS network reloading the cards.

Re:Not cybercrime (1)

Syberz (1170343) | about 3 years ago | (#37222098)

I dunno, hacking into FIS's network to remotely remove or increase the withdrawal limits and reload the debit cards sounds like a cybercrime to me...

Re:Not cybercrime (1)

bioster (2042418) | about 3 years ago | (#37222116)

Sure, it was meatspace... all except for a key part of their plan:

> Armed with unauthorized access to FIS’s card platform, the crooks were able to reload the cards remotely when the cash withdrawals brought their balances close to zero.

Your other guesses are likewise incorrect. Basically they figured out a way to reload their cards and then ran around emptying ATMs as frantically as possible before the banks caught on.

So uh... did you RTFA?

Re:Not cybercrime (1)

MichaelKristopeit501 (2018074) | about 3 years ago | (#37222894)

does it even matter if they read the article? they contradicted themselves in their own comments by claiming an electronic device interfaced with the bank network was required, but then somehow rejected that as use of an "android" based on relativistic cost.

slashdot = stagnated.

Re:Not cybercrime (0)

Anonymous Coward | about 3 years ago | (#37222298)

Norbert Wiener coined the phrase "cybernetics" to mean the study of "technological mechanism" back in 1948 (Plato had used it to mean government back in the day). Gibson coined cyberspace to mean what we now call the internet. I think you're confusing the two. To my mind, which is quite linguistically focused, anything involving technology of any sort could have a cyber- prefix.

Even though part of the attack was in meat-space, and involved physical ATMs; cyber would fit with the above justification.

Even putting that aside and taking cyber to mean only internet based, I suspect that the removal of limits from the cards was most likely carried out over a network - most likely the network of networks we call the internet.

So in either case, cyber would be allowed. Away and boil your head as my dear old grandmother would have said.

Re:Not cybercrime (1)

Em Adespoton (792954) | about 3 years ago | (#37222326)

> Did the attack take place over the internet ?

Yes.

I think this kind of kills the rest of what you said.

The initial attack was on the back-end systems via compromised online accounts. The withdrawals in meatspace were only the final step, and wouldn't have netted much of a haul without the initial attackers already modifying the limits set on the accounts used.
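A defender's view of the pattern described in the comments above (limits raised, cards reloaded as balances neared zero, clones cashed out in several countries at once), as an added example that is not part of the thread or the linked article: issuer-side detection rules run over a constructed event log. The event format, thresholds and rule names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical thresholds; tune to the card product being monitored.
PRODUCT_DAILY_LIMIT = 500             # normal 24-hour ATM withdrawal limit
LOW_BALANCE = 50                      # "close to zero"
RELOAD_GAP = timedelta(minutes=30)    # a reload this soon after a drain is suspect
GEO_WINDOW = timedelta(hours=1)       # one physical card cannot change country this fast

# Constructed events: (time, card, kind, amount, country). Not real data.
# For "limit_change", amount is the new daily limit.
EVENTS = [
    ("2011-03-05 19:00", "card-A", "load",         400,   "US"),
    ("2011-03-05 19:30", "card-A", "limit_change", 50000, "US"),
    ("2011-03-05 20:00", "card-A", "withdraw",     380,   "GR"),
    ("2011-03-05 20:05", "card-A", "load",         5000,  "US"),
    ("2011-03-05 20:10", "card-A", "withdraw",     2000,  "UA"),
    ("2011-03-05 20:12", "card-A", "withdraw",     2000,  "RU"),
    ("2011-03-05 09:00", "card-B", "load",         300,   "US"),
    ("2011-03-05 12:00", "card-B", "withdraw",     100,   "US"),
    ("2011-03-06 12:00", "card-B", "load",         100,   "US"),
    ("2011-03-06 18:00", "card-B", "withdraw",     200,   "US"),
]

def flag_cards(events):
    """Return {card: sorted list of rule names that fired}."""
    parsed = sorted((datetime.strptime(t, "%Y-%m-%d %H:%M"), c, k, a, where)
                    for t, c, k, a, where in events)
    balance = defaultdict(int)
    drained_at = {}                    # card -> time the balance last fell to LOW_BALANCE or less
    withdrawals = defaultdict(list)    # card -> [(time, country)]
    flags = defaultdict(set)
    for ts, card, kind, amount, country in parsed:
        if kind == "limit_change" and amount > PRODUCT_DAILY_LIMIT:
            flags[card].add("limit_raised")
        elif kind == "load":
            # A top-up arriving right after the card was emptied.
            if card in drained_at and ts - drained_at[card] <= RELOAD_GAP:
                flags[card].add("reload_after_drain")
            balance[card] += amount
            drained_at.pop(card, None)
        elif kind == "withdraw":
            balance[card] -= amount
            if balance[card] <= LOW_BALANCE:
                drained_at[card] = ts
            # Same card number seen in another country inside the window: likely clones.
            recent = {c for t, c in withdrawals[card] if ts - t <= GEO_WINDOW}
            if recent - {country}:
                flags[card].add("multi_country")
            withdrawals[card].append((ts, country))
    return {card: sorted(rules) for card, rules in flags.items()}

if __name__ == "__main__":
    for card, rules in flag_cards(EVENTS).items():
        print(card, rules)
```

Because authorization happens in real time, rules like these can run at authorization time and decline the withdrawal rather than waiting for the nightly settlement run.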

Re:Not cybercrime (1)

sjames (1099) | about 3 years ago | (#37222448)

According to TFA, they hacked in to the bank's network so they could create a series of fake deposits in order to continue withdrawing money from the cards, so yes, cyber.

Re:Not cybercrime (1)

avandesande (143899) | about 3 years ago | (#37222982)

What's the difference between manipulating a system with a card reader or a keyboard? Bits are Bits.

Global? (1)

rossdee (243626) | about 3 years ago | (#37222104)

"several major cities across Europe, Russia and Ukraine."

I thought that Global would be bigger than Europe (Russia was once considered part of Eastern Europe)

Diebold (0)

Anonymous Coward | about 3 years ago | (#37222266)

ATMs are secure, and so are your votes!

Re:Diebold (1)

babtras (629678) | about 3 years ago | (#37222510)

The breaches are happening at the ATM processor, which in the ATM's point of view is a trusted network. It's not usually the ATM's fault. However, retarded ATM deployers often leave the ATM's management password as default and don't bother changing the physical locks from the generic one-size-fits-all key, which makes compromising an ATM easy, it's just not nearly as profitable as compromising a whole network all at once.

"eerily similar" (1)

FatLittleMonkey (1341387) | about 3 years ago | (#37222362)

Off-topic, but:
Why is it "eerily similar" and not just "similar"? Even "suspiciously similar" I could understand, if that was the point. But what was "eerie" about it?

Re:"eerily similar" (1)

cyberstealth1024 (860459) | about 3 years ago | (#37223234)

Halloween must be nearby!

poor security history (0)

Anonymous Coward | about 3 years ago | (#37222968)

I used to work for this company when it was under Equifax, one of our main systems you needed to login with... The program resided on a shared drive, the login credentials were in another folder as an Excel file, unencrypted. It was funny to me at the time, opening the file and getting the superuser account to elevate my own privileges. I'm just glad I left before they got hacked so many times. Equifax became Certegy, which had a compromise of accounts from an employee there stealing data. Hopefully they get a good security team in place someday.

why should they? (1)

decora (1710862) | about 3 years ago | (#37223576)

13 million is not enough to sneeze at. they just raise the interest rates on credit cards secretly over a weekend and make 26 million, then laugh about it.

why the hell would they want to hire a security team? let the FBI handle it, throw people in jail, don't spend any money fixing the problem.

oh, what about your customers? most companies are not in business for the customers. they are in business for the shareholders and bondholders.

not to give you all more details (0)

Anonymous Coward | about 3 years ago | (#37222978)

details ....but I have known there are other systems where you can pull the pins right out of said network and copy them then to cards....then you can make cards and go about and if you don't use same locations and are not greedy 300-500 a month nothing will happen ....(went on for a long time until said moron got wasted bragged told howto to DUMMY )

Said dummies got a few people and the way it worked is each individual atm you can pull a few hundred bucks from.
So these idiots went to every atm machine in a single medium sized city grabbed 10 grand and cops now alerted sat at last one and arrested them( AKA you hit one or two move on never to return )

To my knowledge the system of how that was done is still possible as well....I'm not saying nor will I bother trying it.

13 million is nothing compared to what (3, Insightful)

decora (1710862) | about 3 years ago | (#37223544)

Goldman Sachs and the others just stole from the taxpayers.

have you seen the recent FOIA files released on the 'secret bailout'? billions and billions and billions. and a lot of it went to pay bonuses to those guys at the CDO and mortgage securities departments at those banks. massive, overwhelming fraud, completely unpunished. and we whine about hackers stealing 13 million from an ATM.

13 million would not even cover a year of a bailed-out bank CEO executive bonus. it wouldn't even be a drop in the bucket of the Boards of Directors payments (many of whom do exactly nothing). 13 million is what John Thain wiped his ass with at Merrill Lynch.

wake up folks. wake up. watch The Young Turks for more info

Re:13 million is nothing compared to what (1)

farble1670 (803356) | about 3 years ago | (#37223882)

> Goldman Sachs and the others just stole from the taxpayers.

ya we know. knowing is not the problem. doing something about it is the problem.

amateur journalism is rather enjoyable. (1)

decora (1710862) | about 3 years ago | (#37224002)

editing wikipedia is rather fun sometimes... the more powerful the entity you edit the page about, the more fun it is. the highest form of fun is when you add boring, banal facts, and watch people go apeshit over them.

also fun? submitting stories to slashdot.

more fun? FOIA requests.

fun fun fun!
