Current Events: $9 million ATM scam

By elenau at 7:58 pm on February 13, 2009 | 6 Comments


The FBI is investigating an ATM scam that took place within a 30-minute period on November 8th. About 130 different ATMs were accessed to withdraw a total of about $9 million. The scam hit 49 cities worldwide, including Moscow, Chicago, New York, Hong Kong and Montreal.

The FBI says that the operation was very well coordinated, and at this time no suspects have been identified.

The attack unfolded as follows. First, the computer system of the payment processing company RBS WorldPay was hacked.

“One service of the company is the ability for employers to pay their employees with the money going directly to a card, called payroll cards, a lot like a debit card that can be used in any ATM.” The hacker was able to access the system and steal all the information needed to create duplicates of the ATM cards.

Then, a group of people all over the world took the fake cards to ATMs to withdraw money. These individuals are referred to as “cashers,” and are believed to be “low-level players, in a scheme devised from some mastermind – a dangerous computer hacker or hacking ring.”

The most interesting part is that the hacker was able to withdraw $9 million with only about 100 cloned cards. Normally, each card has a maximum amount that can be withdrawn per day. This protects against card theft: even if both the card and the PIN are compromised, the thief still cannot withdraw a large amount of money. However, the hackers were able to trick the system into allowing repeated withdrawals, as if no limit existed.

RBS WorldPay says that none of the cardholders will be held liable for any fraudulent transactions. However, it is possible that the personal records and sensitive information of potentially 1.5 million customers stored in the system have been compromised.

It is still not clear what security hole the attacker found in the system, since the FBI has not revealed all the information and the case remains under investigation. However, it is clear that the system had a serious security hole that allowed the attacker to break in and obtain the information to be encoded on the ATM cards.

It is also not obvious how the attacker was able to raise the maximum amount of money that could be withdrawn. Our guess is that the hacker was able to change information stored in the RBS system, which allowed the withdrawal limit check to be skipped or altered.
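As an added illustration (not from the original post, and not RBS WorldPay's code), the following monitor replays a withdrawal feed and enforces a hard daily ceiling plus a same-card multi-city velocity check without consulting the per-card limit record, since that record is what the post suspects was altered. The cap value, the 30-minute window, and the `timestamp,card,city,amount` record format are assumptions; the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical hard ceiling on what any one card may withdraw per calendar
# day. It is deliberately NOT read from the per-card limit record in the
# issuer database, since that record is what the post suspects was altered.
ABSOLUTE_DAILY_CAP = 2_000.0
# Window within which one card appearing in two cities is treated as cloned.
VELOCITY_WINDOW = timedelta(minutes=30)

def parse_events(lines):
    """Parse constructed 'timestamp,card,city,amount' records, oldest first."""
    events = []
    for line in lines:
        ts, card, city, amount = line.strip().split(",")
        events.append((datetime.fromisoformat(ts), card, city, float(amount)))
    return sorted(events)

def monitor(lines):
    """Replay withdrawals and return (rule, card, timestamp) alerts for cards
    that exceed the daily cap or are used in more than one city inside
    VELOCITY_WINDOW. Running totals do not depend on any stored limit."""
    alerts = []
    daily = defaultdict(float)   # (card, date) -> amount withdrawn so far
    recent = defaultdict(list)   # card -> [(timestamp, city)] still in window
    for ts, card, city, amount in parse_events(lines):
        key = (card, ts.date())
        daily[key] += amount
        if daily[key] > ABSOLUTE_DAILY_CAP:
            alerts.append(("DAILY_CAP", card, ts.isoformat()))
        recent[card] = [(t, c) for t, c in recent[card] if ts - t <= VELOCITY_WINDOW]
        recent[card].append((ts, city))
        if len({c for _, c in recent[card]}) > 1:
            alerts.append(("MULTI_CITY", card, ts.isoformat()))
    return alerts

# Constructed sample: card-A is ordinary use; card-B is cashed out repeatedly
# and surfaces in a second city within the window (dates are illustrative).
SAMPLE_LOG = [
    "2008-11-08T00:05:00,card-A,Chicago,300",
    "2008-11-08T00:10:00,card-B,Moscow,800",
    "2008-11-08T00:12:00,card-B,Moscow,800",
    "2008-11-08T00:20:00,card-B,Montreal,800",
]

if __name__ == "__main__":
    for alert in monitor(SAMPLE_LOG):
        print(*alert)
```

A real deployment would feed the authorization stream into this check as a second, independently administered layer, so that tampering with the issuer's limit table alone does not silence it.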

It is possible that the attacker was able to obtain the information needed for card duplication because the customer data was not encrypted to an appropriate level. This could have been prevented if the account information had not been easy to decode.

In addition, the attack might have been prevented by increasing the security of the card itself, for example by introducing a feature that makes cards hard to clone physically.

Of course, the amount of money stolen might not even be the biggest issue. Even though it has not yet been confirmed whether identity theft has occurred, since the attacker was able to access all the information required to create card duplicates, it is safe to assume that he also kept the personal sensitive information to conduct identity theft attacks in the future.

In response to the attack, RBS WorldPay hired a security company that is conducting an investigation to reveal the problems with the current system and to suggest ways of preventing such attacks from happening again. The cardholders have also been notified, and the victims of the attack have been granted credit protection for the following year.

There is no such thing as a 100% secure system. Sometimes security holes can be identified soon enough to prevent an attack; more often, however, we learn about the vulnerabilities the hard way. It is possible that other companies have similar security threats in their systems, and now is a good time for them to make sure that their customers are protected from such attacks.


6 Comments

  • 1

    Comment by Orion

    February 13, 2009 @ 9:26 pm

    Is it just me, or is it weird that each ATM, on average, had almost $70,000 in cash in it? It seems to me like that is a little excessive. Perhaps, in the interest of security, ATMs shouldn’t have access to more than a few thousand dollars at any given time. Perhaps the banks should set a lower limit for the amount of access the ATMs have, in addition to each debit card.

  • 2

    Comment by IanF

    February 13, 2009 @ 9:57 pm

    Sounds like someone had access to the underlying database, and the ability to swap out a small code set. For example, one system I worked with had differing shared libraries containing the code necessary to perform db connect and transaction commit. It was packaged this way as the approach was different depending on what environment – development vs. training vs. production.

    Clarifying question – did other transactions within the time period in question execute and commit normally?

    Sounds like an inside job, perhaps DBA, Sysadm, and/or developer.

  • 3

    Comment by jimmy

    February 13, 2009 @ 10:06 pm

    Interesting. I am curious why this attack only happened to the RBS company. I can think of three reasons. One, the attacker wasn’t greedy and got out while he/she was 9 million dollars ahead. Two, the attacker has insider information on the RBS company. Or three, the attacker tried the attack on others and it only worked on RBS systems.
    Another point that startled me is that, if the numbers in this article are correct, the average ATM holds around $70,000 in cash. I would have expected the number to be much lower. This kind of cash seems like it would make it worth a criminal’s while to resort to all sorts of attacks to get at ATMs, including physical attacks and unsophisticated smash-and-grab jobs.

  • 4

    Comment by Justine Sherry

    February 13, 2009 @ 10:48 pm

    I totally read about this attack – super interesting. I think the wildest thing is the number of people who were involved in the attack – there are actually huge networks of people who get involved in these things. I think it is a good reminder that we are often not out on the lookout for just one attacker, but that groups of people leveraging the same flaw at once can and do cause even bigger problems all at once.

  • 5

    Comment by oterod

    February 14, 2009 @ 8:55 pm

    A quick aside, ATMs are remarkably smash/grab proof. From what I’ve read, the money in an ATM is VERY hard to get to via brute physical force. Even if you are able to break through defense layers, ATMs are also geared to make the money itself impossible to use via dye and other techniques.

  • 6

    Comment by seraphim

    February 20, 2009 @ 9:01 pm

    Especially in computing, where magnifying the scale of an attack is almost trivial (ping floods, etc), considering the case of multiple attackers is an absolute necessity. I wonder if the vulnerability in question was related to the scale of the attack, or was something completely different – as that many requests within a short time frame could easily cause problems. More frightening is the flash-mob nature of the attack, where seemingly unrelated/unconnected people all coordinate an attack at once.
    The willingness of people to follow schemes such as this speaks to the vulnerability of the human condition. While not terribly similar in method, it’s the same basic weakness as the inherent password vulnerabilities we’ve been talking about.
