Anatomy of a $45 million heist

aNewDomain.net – Earlier in the spring, crooks made off with about $45 million in a sophisticated heist that targeted A.T.M.s in over two dozen countries. While authorities eventually brought the thieves to justice (federal prosecutors indicted eight men, including the suspected ringleader), a more disturbing question for enterprise IT professionals remains. Given that the Department of Justice announced charges for another such heist within little more than a month, we should expect robbers to make further attempts in the future.

The $45 million heist isn’t the first of its kind. For example, in 2008 the Royal Bank of Scotland got hit by a $9 million theft.

So at this point, the key questions are – How did it happen? And, perhaps more importantly, how can it be prevented in the future? These questions remain unanswered.

The “how” has largely been explained in the unsealed indictment documents. In a nutshell, the theft involved fugitives in two dozen countries, acting in coordination, who defrauded thousands of A.T.M.s using nothing more than laptops and the Internet.

Essentially, the bandits managed to create money – using a prepaid debit card hack – and then steal it from A.T.M. machines via cash withdrawals. Many, many withdrawals.

The devil is in the details

According to security experts, the hackers likely obtained the banking information needed to compromise the banks’ security by hacking a customer service web portal with a SQL injection. Then, using a key logger and a remote access tool, they accessed the CVC and CVV data stored on prepaid credit card magnetic stripes, says Dodi Glenn, director of AV Labs, ThreatTrack Security. With that same access to sensitive systems, Glenn said, the hackers also stole the bank identification number database and duplicated the data necessary to access funds from an A.T.M. network.
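The first link in the chain described above is a SQL injection against a customer-facing web portal. The following Python snippet is an added example, not code from the article or from any bank's portal: it uses an in-memory SQLite table (the table, column names and customer rows are constructed for illustration) to put a query built by string formatting beside its parameterized equivalent, so the difference a bound parameter makes is visible on the same input.

```python
import sqlite3

# Constructed stand-in for a customer service portal's account table.
# The table layout and rows are assumptions for this example only.
def make_portal_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (customer_id TEXT, card_last4 TEXT, withdrawal_limit INTEGER)"
    )
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [
            ("cust-1001", "1234", 500),
            ("cust-1002", "9876", 500),
            ("cust-1003", "5555", 1000),
        ],
    )
    return conn


def lookup_vulnerable(conn, customer_id):
    # BAD: the user-supplied value is pasted into the SQL text, so the
    # database parses whatever the user typed as part of the statement.
    sql = (
        "SELECT customer_id, card_last4 FROM accounts "
        f"WHERE customer_id = '{customer_id}'"
    )
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, customer_id):
    # GOOD: the value is bound as a parameter. The driver hands it to the
    # engine as data, so quotes or keywords inside it never alter the query.
    sql = "SELECT customer_id, card_last4 FROM accounts WHERE customer_id = ?"
    return conn.execute(sql, (customer_id,)).fetchall()


def compare(customer_id):
    """Run both lookups on the same input and return (vulnerable_rows, hardened_rows)."""
    conn = make_portal_db()
    try:
        return lookup_vulnerable(conn, customer_id), lookup_hardened(conn, customer_id)
    finally:
        conn.close()


if __name__ == "__main__":
    # A well-formed id behaves the same in both versions.
    print(compare("cust-1001"))
    # The textbook tautology input: the concatenated query matches every row,
    # the parameterized query matches none, because no customer has that literal id.
    print(compare("x' OR '1'='1"))
```

The hardened version is the whole fix for this class of bug; input filtering on top of it is defence in depth, not a substitute. A portal that also restricts the database account to the few tables the page needs limits what a successful injection elsewhere can read.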

The robbers then used magnetic stripe writers to encode the stolen account information on the backs of gift cards or hotel room keys, creating a card that could then withdraw cash from multiple A.T.M. sites.

Using this technique, they struck first in December, hitting 4,500 A.T.M.s for $5 million in cash, and then again in February, stealing $40 million in about 36,000 A.T.M. withdrawals.
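The pattern in that paragraph, a handful of card numbers each cashed out at many machines in many countries within hours, is exactly what an issuer-side velocity check exists to catch. The Python below is an added example, not code from the article or any bank: it runs a sliding-window check over a few constructed withdrawal records (the card tokens, timestamps, ATM ids and thresholds are all assumptions) and flags a card when, inside one window, its withdrawal count, the number of distinct countries, or the total amount exceeds a limit.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, not real transaction data:
# (card_token, ISO timestamp, atm_id, country, amount_usd).
# card-A shows the cash-out shape; card-B shows ordinary use.
SAMPLE_WITHDRAWALS = [
    ("card-A", "2013-02-19T23:01:00", "atm-001", "US", 2000),
    ("card-A", "2013-02-19T23:02:30", "atm-002", "US", 2000),
    ("card-A", "2013-02-19T23:03:10", "atm-101", "JP", 2000),
    ("card-A", "2013-02-19T23:04:45", "atm-202", "RU", 2000),
    ("card-A", "2013-02-19T23:05:50", "atm-303", "ES", 2000),
    ("card-B", "2013-02-19T10:00:00", "atm-004", "US", 100),
    ("card-B", "2013-02-19T18:30:00", "atm-004", "US", 60),
]


def find_cashout_suspects(records, window=timedelta(minutes=10),
                          max_withdrawals=3, max_countries=1, max_amount=5000):
    """Return {card_token: [reasons]} for cards whose activity inside any
    single window of length `window` breaches a threshold. Thresholds are
    assumed values for the example; a real issuer tunes them per product."""
    by_card = defaultdict(list)
    for card, ts, atm, country, amount in records:
        by_card[card].append((datetime.fromisoformat(ts), atm, country, amount))

    suspects = {}
    for card, events in by_card.items():
        events.sort()  # chronological order, so the window slides forward
        start = 0
        for end in range(len(events)):
            # Drop events that fall out of the window ending at events[end].
            while events[end][0] - events[start][0] > window:
                start += 1
            in_window = events[start:end + 1]
            count = len(in_window)
            atms = {e[1] for e in in_window}
            countries = {e[2] for e in in_window}
            total = sum(e[3] for e in in_window)

            reasons = []
            if count > max_withdrawals:
                reasons.append(f"{count} withdrawals from {len(atms)} ATMs within {window}")
            if len(countries) > max_countries:
                reasons.append(f"withdrawals in {len(countries)} countries within {window}")
            if total > max_amount:
                reasons.append(f"${total} withdrawn within {window}")
            if reasons:
                suspects[card] = reasons
                break  # one alert per card is enough to block and escalate
    return suspects


if __name__ == "__main__":
    for card, reasons in find_cashout_suspects(SAMPLE_WITHDRAWALS).items():
        print(card, "->", "; ".join(reasons))
```

The check keys on the card token and a time window, so it runs in a single pass over an authorization stream and needs no per-ATM state. The country-dispersion rule is the cheapest of the three to justify: a physical card cannot be in two countries minutes apart, so that condition alone is a strong signal even when amounts stay under the normal limit.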

Once the money had been stolen, the criminals laundered it by purchasing cars and other luxury goods.

Max Cherney
Max A. Cherney is a San Francisco-based tech journalist. Email tips to [email protected]
  • Chetan Patel

    My question will be: how do we stop this? What is on the offering that can save from this nuisance?