It only took a few hours for thieves to rob $45 million from ATM machines -- and it seems like it wasn't all that hard to pull off. Law enforcement agencies from more than a dozen nations organized to catch the thieves. That effort led to the arrest of seven people in the U.S., accused of operating the New York group of what prosecutors say was a criminal network
spanning 27 countries.
According to the Associated Press, hackers got into bank databases, eliminating withdrawal limits on prepaid debit cards and creating access codes. Others, the AP reported, loaded that data onto any plastic card with a magnetic stripe -- an old hotel key card or an expired credit card worked fine as long as it carried the account data and correct access codes.
Time to Switch Readers?
Ken Pickering, development manager for security intelligence at CORE Security, told us the actual methodology is not yet known. He said the cyber theft was straightforward, but sophisticated.
"This is not some waiter who cloned your card at a restaurant and bought beer with it. This group was organized enough to steal $45 million in $20 dollar bills from ATMs in a coordinated way, in a very short amount of time. It's not opportunistic theft, but a sophisticated and coordinated theft that was planned over a long period of time," Pickering said.
"The attack reveals some significant flaws in ATMs. The fact that ATMs have a single point of failure -- the authorization system -- that allowed these guys to seize so much cash is evident. It's also clear that card technology is behind, because magnetic stripe cards can be easily cloned without any precaution."
Who is going to be caught? There were people who withdrew cash from the ATMs, and the ATMs took photos of them, but they're just money mules, Pickering said -- the real brains behind the attack is protected by layers, and is free to repeat this attack again.
"As much as it pains me to admit this, we're woefully behind in card security," he said. "Unfortunately, I think most people treat fraud as a 'necessary evil' in issuing magnetic-stripe credit cards, but the real problem is: How do we replace all the credit scanners in the U.S.?
"No company wants to issue a mandatory requirement to switch all readers and potentially lose out on transactions. So, we end up with this situation." (continued...)
Posted: 2013-05-20 @ 6:33am PT
"How do we replace all the credit scanners in the U.S.?"
I dunno, will it cost more than $45 million?