A Blog by Jonathan Low

 

May 11, 2013

The $45 Million ATM Cyber-Theft: What's More Interesting, That They Did It or That Authorities Found Out?

Let's start by putting things in perspective: $45 million is chump change to your average Wall Street trading desk. Heck, given the billions being hustled at places like Goldman and JPMorgan, you probably don't even run the risk of indictment for losing an amount that insignificant.

But it is interesting that a global consortium put this deal together, got the various parties to collaborate and had the technological chops to hack the systems ostensibly protecting the accounts in question. What may be even more interesting is that anyone ever discovered the loot was missing. All of which raises questions about motive, capability, security and functionality in today's economy. Especially when the trend is to make financial transactions even more effortless than they already are.

The stories being reported so far are notably short on certain tantalizing details. The banks affected were allegedly in 26 countries, but most may have been in the US and India. That raises questions about who: Indian crime families, militant Islamists, international cyber-thieves or...? But the reporting has also been pretty sparse about who the masterminds may have been and how the losses were first found. It is alleged that MasterCard tipped off the FBI, but that story appeared in the Hindustan Times, an English-language Indian paper, not a US or European source, suggesting that US and other international police officials still aren't exactly sure how this happened - and don't want the still-extant perps to know what they know, or don't.

There are also questions about the street-level bag-men who actually went to the ATMs to collect. They were the first to be caught, seemingly after police had been tipped and started looking for them. One of them was shot and killed, suggesting higher-ups knew he was a liability.

But a larger question arises about the co-evolutionary relationship between hackers and their counterparts in the security community. Is our dependence on technology giving authorities more of an edge? Diamond thieves in Belgium, Chinese military hackers and now the credit card thieves? All have been outed, if not always caught or convicted. The loot has not yet been discovered in this case, but identification of those who did it and their methods seems more a matter of time than not. The back-and-forth of advantage and catch-up seems unlikely to end, but it is conceivable that our technological addiction - and our willingness to feed it further - can be and is being used against us, however positive the purpose...or not. JL

Zachary Goldfarb reports in the Washington Post:


A global posse of cyberthieves, armed with laptops in place of guns, hacked into financial institutions and stole $45 million from automated teller machines in a first-of-its-kind heist made for the 21st century.
Over a seven-month period ending last month, the authorities said, hackers broke into computer networks of financial companies in the United States and India and eliminated the withdrawal limits on prepaid debit cards.
Then, people involved in the heist withdrew tens of millions of dollars from ATMs in Manhattan and more than 20 other places around the world. In one case, surveillance cameras picked up a member of the “cashing crew” going from machine to machine, his cash-stuffed bag growing bigger with each hit.
In unsealing an indictment Thursday against eight men accused of helping to orchestrate the looting, the authorities described an underworld of cybercrime that they said was a burgeoning threat in the Internet age.
“This was a 21st-century bank heist that reached through the Internet and spanned the globe,” said Loretta E. Lynch, U.S. attorney for the Eastern District of New York. “Moving literally at the speed of the Internet, the organization made its way from the computer systems of international corporations to the streets of New York.”
Banks, not individual ATM users, were harmed. But the heist reinforced fears that new payment systems — such as those being built into smartphones — raise a variety of new risks for consumers.
“New technologies and the rapid growth of the Internet have eliminated the traditional borders of financial crimes and provided new opportunities for the criminal element to threaten the world’s financial systems,” said Steven Hughes, special agent in charge of the Secret Service office in New York.
According to the indictment, the eight defendants — mostly men in their mid-20s and all residents of Yonkers, about a half-hour north of Manhattan — carried out the New York-based part of the fraud. Seven of them were arrested in recent weeks. An eighth man was reportedly slain last month in the Dominican Republic.
The authorities dubbed the heist an “unlimited operation” because hackers eliminated the withdrawal limits of debit cards. According to the indictment, the efforts began in October.
The masterminds of the scheme — whose identities or locations, if known, were not disclosed — breached an Indian firm that processes credit card transactions for MasterCard debit cards issued by Rakbank, an institution in the United Arab Emirates. These hackers attempted to either dramatically increase or eliminate withdrawal limits.
They next distributed prepaid card numbers associated with hacked accounts to cashing crews around the world, including the defendants in New York, the indictment says. These crews, potentially armed with cheap technology easily bought online, reprogrammed gift cards and other disposable cards with the account data delivered by the hackers.
The crews conducted 4,500 ATM transactions in locations around the world, withdrawing $5 million, the indictment says.
A few months later, a second — and much larger — heist was conducted.
Once again, hackers launched an unlimited operation, attacking a MasterCard processor in the United States that handled transactions for prepaid debit cards issued by the Bank of Muscat in Oman. The name of the processing firm wasn’t disclosed.
Crews in two dozen countries set out over 10 hours, withdrawing $40 million in cash in 36,000 transactions. About $2.4 million was taken from ATMs in New York.

The thieves, according to the indictment, took a variety of steps to dispose of the money.
One defendant allegedly deposited nearly $150,000 worth of $20 bills in a bank branch in Miami. Others allegedly bought expensive items such as Rolex watches and a Mercedes SUV.
Authorities from around the world, from Canada to Thailand, were involved in the investigation. The defendants in New York could each face 17 1/2 years in prison and up to $250,000 fines if convicted.
Henry Schwarz, a security expert who provides consulting to ATM companies, said the main vulnerability lay with the networks that were penetrated by hackers. He said it is extremely difficult to break into a network and obtain a regular customer’s four-digit personal identification number.
“The vulnerability was the ability to hack into the card processors’ servers,” he said. With a PIN, he said, “it’s very difficult because a PIN is stored by the card issuer in a heavily fortified” server.
Brian Riley, senior research director at CEB TowerGroup, said that although most people would suffer a terrible inconvenience, they would be protected if their ATMs were hacked.
“There’s no doubt it will be a major inconvenience to get your way through this,” he said. “Consumers are generally protected by the terms and agreements they signed up for with the card.”
He added that there will always be growing threats as companies seek to broaden access to financial transactions through new technologies.
“The first thing the card business is trying to do is to make it easier for people to transact,” Riley said. “As you do that, you’re opening up new areas to get attacked in. You’re opening up new vulnerabilities that never existed.”
