It only took a few hours for thieves to rob $45 million from ATM machines -- and it seems like it wasn't all that hard to pull off. Law enforcement agencies from more than a dozen nations organized to catch the thieves. That effort led to the arrest of seven people in the U.S., accused of operating the New York group of what prosecutors say was a criminal
spanning 27 countries.
According to the Associated Press, hackers got into bank databases, eliminating withdrawal limits on prepaid debit cards and creating access codes. Others, the AP reported, loaded that data onto any plastic card with a magnetic stripe -- an old hotel key card or an expired credit card worked fine as long as it carried the account data and correct access codes.
Time to Switch Readers?
Ken Pickering, development manager for security intelligence at CORE Security, told us the actual methodology is not yet known. He said the theft was straightforward, but sophisticated.
"This is not some waiter who cloned your card at a restaurant and bought beer with it. This group was organized enough to steal $45 million in $20 dollar bills from ATMs in a coordinated way, in a very short amount of time. It's not opportunistic theft, but a sophisticated and coordinated theft that was planned over a long period of time," Pickering said.
"The attack reveals some significant flaws in ATMs. The fact that ATMs have a single point of failure -- the authorization system -- that allowed these guys to seize so much cash is evident. It's also clear that card technology is behind, because magnetic stripe cards can be easily cloned without any precaution."
Who is going to be caught? There were people who withdrew cash from the ATMs, and the ATMs took photos of them, but they're just money mules, Pickering said -- the real brains behind the attack is protected by layers, and is free to repeat this attack again.
"As much as it pains me to admit this, we're woefully behind in card security," he said. "Unfortunately, I think most people treat fraud as a 'necessary evil' in issuing magnetic-stripe credit cards, but the real problem is: How do we replace all the credit scanners in the U.S.?
"No company wants to issue a mandatory requirement to switch all readers and potentially lose out on transactions. So, we end up with this situation."
Pickering said that often, in analyzing the security of a system, it comes down to the weakest link.
"The real weakest link in this scenario was how easily these cards were modified and duped on a massive scale," he said.
Real-Time Monitoring Needed
Tom Cross, director of security research at Lancope, told us several attacks of this nature have occurred in the past few years. What makes this type of attack unique is not just the technical skill required to pull it off, he said, but the level of logistical coordination needed to perform nearly simultaneous withdrawals from large numbers of ATM machines.
"The fact that debit card processing was compromised is a significant problem," Cross said. "There are a variety of different attacks that may have been possible given the access that these criminals had to the back-end infrastructure. The vulnerabilities that led to that compromise need to be identified and closed."
Unfortunately, Cross said, while breaches like this are often reported to the public, we rarely hear the specific technical vulnerabilities that the attackers were able to exploit in order to pull off the attack. It would be helpful, he added, if more organizations publicly disclosed the technical vulnerabilities associated with network security breaches, because this information helps their peers prioritize the steps they should take to lock down their own networks.
"This type of attack might be preventable if ATM networks were able to monitor transactions in real time for unusually large numbers of transactions involving individual cards or cards from the same issuing institution," Cross said. "Unfortunately, that type of infrastructure doesn't exist today, but perhaps it's time to consider creating and implementing it now -- especially after this latest attack."
Posted: 2013-05-20 @ 6:33am PT
"How do we replace all the credit scanners in the U.S.?"
I dunno, will it cost more than $45 million?