How to Pull Off a $45 Million Global ATM Heist
Two men charged in the $45 million ATM heist revealed by U.S. authorities on May 7, 2013, in a self-portrait taken in March
CREDIT: U.S. Attorney's Office for the Eastern District of New York
Want to pull off your own $45 million worldwide ATM heist? It might not be that easy, experts say.
The spectacular global scheme uncovered yesterday (May 9) by federal prosecutors was cinematically epic, involving hacked prepaid debit cards, dozens of "cashers" simultaneously hitting ATMs in two dozen countries, a staggering cash payoff and an equally movie-ready mob hit.
But for anyone seeking to replicate the feat, it could take months of planning, deep insider knowledge of financial databases and top-notch technical abilities.
"On a scale of one to 10, this is a nine," said Ori Eisen, founder and CEO of San Jose, Calif.-based security firm 41st Parameter. "This specific attack requires a very high level of sophistication and perhaps some inside help. It requires organization and planning, and you can't execute it every day."
Tip of the iceberg
The indictments unveiled by Loretta E. Lynch, U.S. Attorney for the Eastern District of New York, involved only the local New York cashing crew, the low end of the totem pole.
Still unnamed are the masterminds of the entire operation and their locations, and the hackers they paid to break into the computer systems of card-payment processors in the United States and India.
The hackers, or possibly bank employees who were paid off, raised the account balances on between 10 and 20 prepaid debit cards so that the cards, and any copies of them, could be used to make unlimited ATM cash withdrawals.
"The attack is really quite specific in what it targeted," said Roel Schouwenberg, a senior anti-virus researcher with digital-security firm Kaspersky Lab. "I wouldn't be surprised if there was an insider component to this story. The global nature also meant the withdrawal part of the operation had to be very coordinated."
The eight men named in the indictments, all residents of Yonkers, N.Y., just north of New York City, made maximum withdrawals using "cloned" debit cards from hundreds of Manhattan ATMs in two separate sprees in December 2012 and February 2013 that lasted only a few hours each.
Their withdrawals were timed with other sprees using the same card numbers in several other countries.
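The cash-out pattern described above (the same card number drained at many ATMs in several countries within a few hours) is exactly what a velocity check on the issuer or processor side is meant to catch. The following is an added example, not code from the article or from any of the firms quoted; the withdrawal records, thresholds and card tokens are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (card_token, timestamp, atm_id, country, amount_usd).
# card-A mimics a coordinated spree; card-B is ordinary use two days apart.
WITHDRAWALS = [
    ("card-A", "2013-02-19T22:05", "atm-001", "US", 800),
    ("card-A", "2013-02-19T22:11", "atm-002", "US", 800),
    ("card-A", "2013-02-19T22:14", "atm-101", "JP", 780),
    ("card-A", "2013-02-19T22:30", "atm-003", "US", 800),
    ("card-A", "2013-02-19T22:41", "atm-201", "DE", 790),
    ("card-A", "2013-02-19T23:02", "atm-004", "US", 800),
    ("card-B", "2013-02-19T09:00", "atm-050", "US", 200),
    ("card-B", "2013-02-21T18:30", "atm-051", "US", 100),
]


def parse(rec):
    card, ts, atm, country, amt = rec
    return card, datetime.strptime(ts, "%Y-%m-%dT%H:%M"), atm, country, amt


def flag_cashout_sprees(records, window=timedelta(hours=3),
                        max_atms=3, max_countries=1, daily_cap=1000):
    """Return {card: reason} for cards whose withdrawals inside any sliding
    time window exceed the distinct-ATM, distinct-country or total-cash limits.
    The thresholds are illustrative assumptions, not real issuer policy."""
    by_card = defaultdict(list)
    for card, ts, atm, country, amt in map(parse, records):
        by_card[card].append((ts, atm, country, amt))
    flagged = {}
    for card, events in by_card.items():
        events.sort()  # chronological, so each window starts at one event
        for i, (start, _, _, _) in enumerate(events):
            win = [e for e in events[i:] if e[0] - start <= window]
            atms = {e[1] for e in win}
            countries = {e[2] for e in win}
            total = sum(e[3] for e in win)
            reasons = []
            if len(atms) > max_atms:
                reasons.append(f"{len(atms)} ATMs")
            if len(countries) > max_countries:
                reasons.append(f"{len(countries)} countries")
            if total > daily_cap:
                reasons.append(f"${total} withdrawn")
            if reasons:
                flagged[card] = ", ".join(reasons)
                break  # one alert per card is enough
    return flagged
```

A real deployment would run this on the authorization stream rather than after the fact, since the whole point of the spree is that every withdrawal is individually approved.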
"It took a well-coordinated and very busy industrious criminal gang — a directed mob," said George Smith, senior fellow with Washington, D.C.-based think tank GlobalSecurity.org.
"If you have such a similar mob you can put together, you can think about trying to duplicate this type of thing," Smith said. "But you'll have to have some startup capital, since it's not quite something you can just walk out the door and assemble off the cuff."
In the February cashing binge, two of the New York men made their way down Broadway for several hours, hitting every ATM from the Upper West Side to Union Square, netting approximately $2 million in cash. They then took photos of themselves posing next to a stack of bills.
"The picture of two of the New York errand boys flaunting their stack of bundled cash in the car won't strike anyone as being from the high end of innovation and thinking," Smith pointed out.
Hiring local petty criminals to do the dirty work also increases the risk of exposure, said Sean Sullivan, a security adviser with the F-Secure security firm in Helsinki, Finland.
"The need to have lots of money mules to withdraw all the cash seems to be the big complication in getting away with the crime. That leaves a trail for law enforcement," Sullivan said. "I'm sure there are similar hacks by smarter players that don't overdo it — and so don't make it a federal case."
"The good news is that it's not individuals who are having money stolen from their accounts, but rather the financial institutions," said Graham Cluley, a senior technology consultant with the Sophos security firm in Abingdon, England. "Mind you, ultimately, they pass the costs of such things on to the general public."
Can anyone do this?
One might imagine there are thousands of small-time crooks around the world reading about the heist and wondering, "How can I pull this off?"
"You can't, unless you have an insider at the financial institution who will help cover it up, and raise the credit lines without tripping any fraud detection," Eisen said.
"The scale and nature of this operation can't be executed by low to mid-level gangs," he said. "This is the high end of organized cybercrime — the loot is usually commensurate with the sophistication of the criminal."
Robert Graham, CEO of Errata Security in Atlanta, disagreed that this sort of scheme had to be an inside job.
"In my pentests [penetration tests] of financial institutions, I know that such things can easily be done by outsiders," Graham said. "A certain amount of familiarity with the banking industry is needed, but it's the sort of thing that outsiders can easily pick up."
The alleged leader of the New York crew, Alberto Yusi Lajud-Peña, wasn't around to be indicted with the other accused cashers. He was murdered in late April in the Dominican Republic, where he had fled after arrests of his alleged accomplices began in late March.
According to Dominican press reports cited by Wired magazine, two masked men burst into a room where Lajud-Peña was playing dominoes, shot his companions in the legs and then killed him. The gunmen didn't touch a manila envelope containing $100,000 in cash.
"There are likely to be gangs of other people outside the United States who were involved in this, and it will be interesting to see if there are further arrests overseas," Cluley said.
Financial safeguards aren't perfect
Despite the layers of security around modern financial computer systems, enterprising criminals can often find a way in, Smith said.
"The worldwide network of global money card transactions is so omnipresent and complicated there are always openings, banks and repositories which cannot secure things," he said.
Graham noted that the banks that had issued the prepaid cards were in the United Arab Emirates and neighboring Oman.
"Banks in Third World countries have horrible cybersecurity, so it's pretty easy to break in and steal information," Graham said. "All it takes is the very simplest hacks, like SQL injection or phishing."
"We don't know how they managed to break into the card processors' network to remove the spending limits on the prepaid cards," Cluley said. "For obvious reasons, the organizations concerned aren't offering details — but hopefully, they are investigating and tightening their systems for their own sakes."
The one part you can pull off
There was, however, one simple aspect of the operation. Cloning credit or debit cards, especially the old-fashioned magnetic-stripe version still used in the U.S., is commonplace.
"A magnetic-stripe writer costs $200," Graham said. "With such a device, you can easily program any credit card in your wallet to one of the stolen accounts."
In fact, almost any magnetic-stripe card can become a "clone" of a credit card or debit card — a library card, a hotel-room key, a store membership card. Blanks can also be obtained easily.
The card cloning in such schemes is usually left to the local cashing crews, who have been electronically provided with the card account details and ATM PINs, security researcher Paul Ducklin explained on Sophos' Naked Security blog.
In Europe, magnetic-stripe cards have been replaced with EMV, or chip-and-PIN, cards that contain a computer chip and electronically interact with the card reader. It's still possible to clone those, but it takes more sophistication and pricier equipment.
"Having EMV chip cards could really help here, and that's something where the U.S. is very seriously lagging behind," Schouwenberg said. "They've been the standard in Canada and Europe for some years now, but [are] virtually non-existent over here."
Penalties and punishments
Authorities in several countries are trying to work their way up the chain of command to nail the masterminds of this scheme, but if history is any indication, the top conspirators may get off scot-free.
Sullivan and Ducklin pointed out that in a similar scheme in 2009, cybercriminals netted $9 million through hacked payroll debit cards, yet the head of a Chicago-based cashing crew that acted as part of the scheme was sentenced to only 30 months in prison.
The St. Petersburg-based mastermind of the 2009 scheme was given no prison time — only probation — by Russian authorities in exchange for his cooperation.
In the case announced yesterday, the seven surviving members of the New York crew face maximum sentences of 10 years for each count of money laundering and 7.5 years for each count of conspiracy. It's not clear how many counts each individual has been slapped with.
Compare those penalties with the 35-month federal sentence handed down in March to hacker Andrew "Weev" Auernheimer for accessing account information posted on a public website, or with the 50 years in prison digital-rights activist Aaron Swartz faced for downloading archived academic journals.
Or, as a commenter on Slashdot wryly observed, "This is not how bank fraud should be done. The right and proper way is to become too big to fail, too big to jail, rig the LIBOR rates, create systematic rigging, award oneself huge salaries and bonuses, threaten worldwide economic collapse, hold governments to ransom and get huge bailout money."