World grapples with rise in cyber crime

May 11, 2013 by Paisley Dodds
In this undated photo provided by the United States Attorney's Office for the Southern District of New York, Elvis Rafael Rodriguez, left, and Emir Yasser Yeje pose with bundles of cash allegedly stolen using bogus magnetic swipe cards at cash machines throughout New York. Prosecutors in New York on Thursday, May 9, 2013 said that they are members of a worldwide gang of criminals who stole $45 million in hours by hacking into a database of prepaid debit cards and draining cash machines around the globe. An indictment unsealed Thursday accused U.S. cell ringleader Alberto Yusi Lajud-Pena and seven other New York suspects of withdrawing $2.8 million in cash from hacked accounts in less than a day. (AP Photos/U.S. Attorney's Office for the Southern District of New York)

International law enforcement agencies say the recent $45 million ATM heist is just one of many scams they're fighting in an unprecedented wave of sophisticated cyberattacks.

Old-school robberies by masked criminals are being eclipsed by stealthy multimillion-dollar cybercrime operations that are catching companies and investigators by surprise.

"We are seeing an unprecedented number of cyberscams that include phishing for financial data, viruses, and others," Marcin Skowronek, an investigator at Europol's European Cybercrime Center in The Hague, said on Saturday.

"In Europe, we are generally quite well protected against some types of fraud because of the chip and pin technology we use, but there are still shops and machines around the world who still take cards without chips. And the most popular destinations for this type of fraud are the United States and the Dominican Republic."

U.S. investigators said Thursday a gang hit cash machines in 27 countries in two attacks—the first netting $5 million in December and then $40 million in February in a 10-hour spree that involved about 36,000 transactions.

Hackers got into bank databases, eliminated withdrawal limits on prepaid debit cards and created . Others loaded that data onto any plastic card—even a hotel keycard—with a magnetic stripe.

A similar scam yielded some 50 arrests this year in Europe during a joint police operation between Romanian police and Europol, Skowronek said.

The operation took more than a year, involved some 400 police officers across Europe and required work comparing bank losses to illegal transactions and then cross-referencing suspects, said Skowronek, who said many national police forces were beefing up their undercover work in the cyberworld to catch criminals.

Investigators found illegal workshops for producing devices and software to manipulate point-of-sale terminals. Illegal electronic equipment, financial data, cloned cards and cash were seized in raids in Britain and Romania.

The group stole credit and debit card numbers and PIN codes by implanting card reading devices and malicious software on point-of-sale terminals. The criminals then used counterfeit payment cards with stolen data for further illegal transactions in countries that included Argentina, Colombia, the Dominican Republic, Japan, Mexico, South Korea, Sri Lanka, Thailand and the United States.

Some 36,000 debit card and credit card holders in some 16 countries were affected, Skowronek said. The amount stolen was unclear.

Bank fraud, ATM scams and phishing are common in Romania, one of the most corrupt countries in the European Union, according to Transparency International, which monitors and measures graft.

Under the late communist dictator Nicolae Ceausescu, who was ousted and executed in 1989, Romanians specialized in mathematics and computer coding and criminal gangs have tapped into those skills. The tradition has continued and Romanian school students are more advanced in mathematics than many of their European counterparts.

Nadine Spanu, a spokeswoman for Romania's anti-crime prosecutors, said Saturday she had no statement to offer on the $45 million heist or a possible Romania connection.

Skimming works when criminals place devices on ATMs that copy consumers' card details and leave them vulnerable to fraud. There have been similar cases in the United States and Britain.

The EU is the world's largest market for payment card transactions and it is estimated that organized crime groups derive more than 1.5 billion euros ($1.9 billion) a year from payment card fraud in the EU.

Mike Urban, director of financial crime solutions at Fiserv, a Brookfield, Wisconsin-based company that provides financial technology to banks, credit unions and corporations across the world, says banks have not caught up with the threat of electronic crime.

"Compare this to a physical bank security. If someone walks in today, they're probably not going to get very much money, the dye pack is going to explode, they will be caught on video, they're probably not going to get away with it, and they're probably going to spend a long time in jail," said Urban. "Online, in the cyberworld, we're not there yet."

One security loophole thieves have learned to exploit is the lack of real-time transactions in ATM-speak.

Known as the "Gone in 60 Seconds" scam, thieves deposit money and then make coordinated cash-advance withdrawals in various places—but all in less than 60 seconds so the machines essentially regard all of the withdrawals as one transaction.

In October, some 14 people were charged following an FBI-led investigation into the theft of more than $1 million from Citibank using the 60-second scam. The simultaneous transactions at casinos in California and Nevada tricked the system into thinking that they were one transaction. Even on some joint accounts where both partners have cards for the same account, users can often bypass withdrawal limits if the transactions are done at the same time.

"This type of attack might be preventable if ATM networks were able to monitor transactions in real time for unusually large numbers of transactions involving individual cards or cards from the same issuing institution. Unfortunately, that type of infrastructure doesn't exist today, but perhaps it's time to consider creating and implementing it now, especially after this latest attack," said Tom Cross, director of security research at Lancope, a company specializing in flow analysis for security and network performance based in Alpharetta, Georgia.
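
The kind of real-time monitoring Cross describes, as an added example that is not part of the original article: a sliding-window check that flags bursts of withdrawals on one card or on cards sharing an issuer prefix. The 60-second window, the thresholds, the record layout and the sample transactions are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Assumed thresholds for illustration; real limits would be tuned per network.
WINDOW_S = 60       # look-back window in seconds
CARD_LIMIT = 3      # max withdrawals per card inside the window
ISSUER_LIMIT = 5    # max withdrawals per issuer prefix inside the window

def detect_velocity(transactions, window=WINDOW_S,
                    card_limit=CARD_LIMIT, issuer_limit=ISSUER_LIMIT):
    """Scan (ts_seconds, card_number, atm_id, amount) withdrawals in time order.

    Returns alerts as (ts, kind, key, count, distinct_atms), one for every
    withdrawal that pushes a card or an issuer prefix over its limit.
    """
    recent = defaultdict(deque)  # (kind, key) -> (ts, atm_id) inside the window
    alerts = []
    for ts, card, atm, _amount in sorted(transactions):
        issuer = card[:6]  # leading digits identify the issuing institution
        for kind, key, limit in (("card", card, card_limit),
                                 ("issuer", issuer, issuer_limit)):
            q = recent[(kind, key)]
            q.append((ts, atm))
            while q[0][0] <= ts - window:  # drop events older than the window
                q.popleft()
            if len(q) > limit:
                atms = {a for _, a in q}
                alerts.append((ts, kind, key, len(q), len(atms)))
    return alerts

# Constructed sample data: one card used at five machines in 35 seconds, a
# second card from the same issuer, and an unrelated card used normally.
SAMPLE = [
    (0, "4000000000000001", "ATM-NYC-01", 800),
    (10, "4000000000000001", "ATM-NYC-02", 800),
    (20, "4000000000000001", "ATM-TYO-07", 800),
    (30, "4000000000000001", "ATM-BKK-03", 800),
    (35, "4000000000000001", "ATM-BKK-04", 800),
    (40, "4000000000000009", "ATM-SDQ-01", 800),
    (500, "5100000000000002", "ATM-LON-01", 100),
    (4000, "5100000000000002", "ATM-LON-01", 60),
]

if __name__ == "__main__":
    for alert in detect_velocity(SAMPLE):
        print(alert)
```

The distinct-ATM count in each alert separates a burst spread across many machines from repeated attempts at a single terminal.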

Police Maj. Gen. Pisit Paoin, chief of Thailand's Technology Crime Suppression Division, said in a telephone interview Saturday that Thai police have arrested more than 20 suspects involved in the $45 million cyber heist including those from Bulgaria, Bangladesh and eastern Europe.

He said that in the latest arrest in early April, a group of Bangladeshi and Malaysian suspects were using about 50 cards to withdraw cash from machines in Bangkok for a month and took out about 10 million baht ($336,000).

User comments : 1

alfie_null
May 12, 2013
Any prospect for banks and merchants in the United States replacing their magnetic strip reading technology? Who would bear the cost?

Aside from the $45 million, how much is the investigation and prosecution of this crime going to cost, across the world? Who bears that cost?

I would be unsurprised if this didn't turn out to be one of those "acceptable loss" things, from the bank's perspective.