How To Steal $9+ Million in 30 Minutes From ATMs

How did the hackers steal $9 million in one 30-minute period using only 100 ATM cards, you ask? That shouldn’t be possible given the daily limits (usually about $500/day) placed on all ATM cards. Well, it turns out that the hackers applied military-like precision to old ATM scam techniques and added a touch of devious ingenuity to pull this one off. Here is a look at how the theft was perpetrated.

via Largest Coordinated ATM Rip-off Ever Nets $9+ Million in 30 Minutes | NetworkWorld.com Community.

First, the bad guys had to obtain the ATM cards. To accomplish this they hacked into RBS WorldPay [1] and stole at least 100 payroll cards. According to RBS WorldPay, “Payroll cards are used by a growing number of U.S. firms to pay wages to employees. A payroll card is a reloadable stored value card that can be used at any point of sale that accepts credit and debit cards.”

Second, the bad guys had to figure out how to reload the cards. To accomplish this they hacked into RBS WorldPay’s systems once again. Once this was done they had the power to reload the payroll cards with new fake deposits that they could turn into cold hard cash via an ATM withdrawal.

Third, the bad guys had to clone the card info they stole onto thousands of real ATM payroll cards. This is easily and cheaply done using various over-the-counter card printing devices. Given that this market is completely unregulated, anyone can buy all of the gear necessary to make their very own credit, ATM, bank, etc. cards.

Fourth, the bad guys needed to recruit an army of “cashers” to physically go to an ATM with the newly minted counterfeit (but valid) payroll cards and withdraw cash. “Cashers” is the name given to the street-level thugs who do the actual cash withdrawals at ATMs. It is hypothesized that there were dozens of them recruited for this scam.

Fifth, the bad guys developed an incredibly precise global attack plan. It is alleged that they mapped out exactly which ATMs they would hit, the order they would hit them in, and on what global time schedule. This attack plan covered at least 49 different cities around the world for a total of approximately 130 ATMs. The cities targeted include Atlanta, Chicago, Montreal, New York, Moscow and Hong Kong. The whole attack was choreographed to happen within a 30-minute timeframe. It is the first time anyone has seen this type of precision and coordination achieved in an ATM rip-off.

Finally, the perpetrators briefed all of their “cashers” on the plan of attack. Then, on November 8th, 2008, they launched their attack. All 130 of the targeted ATMs around the world were hit during a 30-minute time period. During the attack, the bad guys reloaded (via their hack) the payroll cards as needed. When all was said and done, it is thought that the thieves walked away with over $9 million in cold cash.
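Seen from the issuer's side, the pattern described above (one card number showing up at ATMs in different cities inside the same 30 minutes, with withdrawals beyond the usual daily limit) can be spotted in authorisation logs. The following is an added example, not part of the original article: the record layout, card ids and thresholds are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ATM authorisation records (assumed layout):
# (UTC timestamp, card id, city, amount in USD). Card ids and amounts are made up.
SAMPLE = [
    ("2008-11-08T12:00:05", "card-A", "Atlanta", 500),
    ("2008-11-08T12:04:10", "card-A", "Moscow", 500),
    ("2008-11-08T12:11:30", "card-A", "Hong Kong", 500),
    ("2008-11-08T09:15:00", "card-B", "Chicago", 200),
    ("2008-11-08T18:40:00", "card-B", "Chicago", 200),
    ("2008-11-08T12:02:00", "card-C", "Montreal", 300),
    ("2008-11-08T12:20:00", "card-C", "Montreal", 300),
    ("2008-11-08T08:00:00", "card-D", "New York", 100),
    ("2008-11-08T20:00:00", "card-D", "Chicago", 100),
]

DAILY_LIMIT = 500               # the article's "usually about $500/day"
WINDOW = timedelta(minutes=30)  # the 30-minute period the article describes

def flag_cards(records, window=WINDOW, limit=DAILY_LIMIT):
    """Return {card: [reasons]} for cards whose activity in any sliding window looks cloned."""
    by_card = defaultdict(list)
    for ts, card, city, amount in records:
        by_card[card].append((datetime.fromisoformat(ts), city, amount))
    alerts = {}
    for card, events in by_card.items():
        events.sort()
        start, reasons = 0, set()
        for end in range(len(events)):
            # Shrink the window until it spans at most `window` of wall-clock time.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            if len({city for _, city, _ in span}) > 1:
                reasons.add("multi_city")   # same card, different cities, same window
            if sum(amount for _, _, amount in span) > limit:
                reasons.add("over_limit")   # cash out exceeds the daily cap
        if reasons:
            alerts[card] = sorted(reasons)
    return alerts

if __name__ == "__main__":
    print(flag_cards(SAMPLE))
```

Card D, used in two cities twelve hours apart, is not flagged, because the check only compares withdrawals that fall inside the same 30-minute window.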

As far as I can tell, the FBI still does not have any suspects in custody from this theft. They do have wanted posters [1] out with pictures of some of the “cashers” caught on the ATM cameras. If you know any of these nice folks, please report them to the FBI.
RBS WorldPay has issued a press release [1] stating they are working to resolve the security issues associated with this fraud so it doesn’t happen again.

In addition to the 100 cards used to commit the cash haul, a statement by RBS WorldPay says, “Certain personal information of approximately 1.5 million cardholders and other individuals may have been affected and, of this group, Social Security numbers of 1.1 million people may have been accessed.” This exposure is due to the successful hacks performed during the payroll card attack.
