Dog Bites Man — Internet Bank Heist Version

Least suprising story of the year here:

…in two precision operations that involved people in more than two dozen countries acting in close coordination and with surgical precision, the organization was able to steal $45 million from thousands of A.T.M.’s in a matter of hours.

In New York City alone, the thieves responsible for A.T.M. withdrawals struck 2,904 machines over 10 hours on Feb. 19, withdrawing $2.4 million.

The scam was simple and very smart:  hack credit card processing companies in India and the US; then raise the credit limits on pre-paid debit cards issued by a couple of banks in the Persian Gulf.  Clone the data on said cards so that teams IRL could hit machines in multiple countries, stuffing wads of cash in backpacks that surveillance video shows getting heavier and heavier. Rince, repeat, profit.

Constant_Wauters_Der_ertappte_Hausdiener

All this comes out of an unsealed indictment for a New York City crew of eight involved in the impressively effortful spree noted in the quote above.

Don’t try this at home, kids — not only is it a pretty hefty felony, and not your money and all that — but then there’s this:

The authorities said the leader of the New York cashing crew was Alberto Lajud-Peña, 23, who also went by the name Prime. His body was found in the Dominican Republic on April 27 and prosecutors said they believe he was killed.

I have no doubt that there are folks involved in this that you really, really don’t want to irritate.  None of the putative kingpins have been identified, but in an even less surprising footnote to the tale, the authorities are tracking down some of the loot in predictable forms:

The authorities have already seized hundreds of thousands of dollars from bank accounts, two Rolex watches and a Mercedes S.U.V., and are in the process of seizing a Porsche Panamera.

Part of me says that this is something to note because so much of the financial life of individuals and the economy writ large depends on the secure functioning of — and user trust in — global banking systems at every level from the corner ATM to the massive inter-bank clearing mechanisms.

The cyber security people I talk to have to hold their hands over the mouths to stop themselves from blurting “WAKE UP SHEEPLE!!!!!” — as that trust rests on a rickety tangle of hardware and software.  So while there’s a kind of Great Train Robbery thrill to the idea of capers like these, this could get ugly indeed.

The real question, though, is what role George Clooney will play.

Image: Constant Wauters, The servant as a thief1845.

Share On Facebook
Share On Twitter
Share On Google Plus
Share On Pinterest
Share On Reddit

35 replies
  1. 1
    Trollhattan says:

    Wow, that’s pretty darn brazen for an organization not called Enron. Speaking of caper movies that Must be Made, I demand the Belgian diamond heist be given the Guy Ritchie treatment.

    http://www.bbc.co.uk/news/world-europe-22460557

  2. 2
    EthylEster says:

    This really slays me.

    The experts have been warning about security breaches for YEARS. And they will only get worse.

    And today I logged into my XXX financial services account for the first time and was prompted to enter a new password. It has to be all numeric. Is that dumb or what? And the security questions are LAME as well.

  3. 3
    efgoldman says:

    @Trollhattan:

    I demand the Belgian diamond heist be given the Guy Ritchie treatment.

    Any conspiracy involving that many people before, during, and after, was bound to break down. Which is why birthers, truthers, moon no-landers, vaxxers and other dead enders will never have any credibility. They expect thousands of people to contravene human nature.

  4. 4
    Brother Machine Gun of Desirable Mindfulness (fka AWS) says:

    @Trollhattan:

    Wow, that’s pretty darn brazen for an organization not called Enron a Wall Street Bank.

    FTFY

  5. 5
    joes527 says:

    3000 ATM withdraws in 10 hours?

    That’s a metric fuckton of people that need to be involved. Unless the folks in the center of this kept their identity from the foot soldiers, there is no way that this wouldn’t blow wide open.

    So smart, and so stupid.

  6. 6
    MikeJ says:

    @EthylEster:

    And today I logged into my XXX financial services account for the first time and was prompted to enter a new password

    If they aren’t using two factor auth, don’t connect over the internet.

  7. 7
    lumpkin says:

    >>>The cyber security people I talk to have to hold their hands over the mouths to stop themselves from blurting “WAKE UP SHEEPLE!!!!!” — as that trust rests on a rickety tangle of hardware and software. So while there’s a kind of Great Train Robbery thrill to the idea of capers like these, this could get ugly indeed<<<

    I dunno – $45M from multiple banks that have $billions? Sure it's a crime and they should do the time, but seriously – is this something to freak about? I'm sure that way more than $45M gets stolen every day via conventional means.

  8. 8
    Gordon, the Big Express Engine says:

    @EthylEster: my password is baloney1. It used to just be baloney, but now they make you add *number*

  9. 9
    Another Halocene Human says:

    CapitalOne inherited INGDirect’s online banking business and they seemed to have pretty good security although I’ve noticed they slacked up (trying to close out my accounts because CapitalOne are a bunch of thieves). Dunno what it’s like behind the scenes. I think Ing required pin and password and the pin would rotate the secured alphanumerics (essentially, you memorized where the buttons were on the screen) sent to authorize you, AND Ing would send you an image confirming it was them and NOT a phishing site.

    Fuckin’ sucks that the pimped OptionARMs like nobody’s business and completely blew up their US division. Also went down hard in Netherlands but their gov’t bailed them out. IngDirect was sold to a US bank.

    Local coop banking for me from now on.

  10. 10
    Another Halocene Human says:

    @Gordon, the Big Express Engine: Ha ha, I did that for years, not because it was required, but to hopefully fuck up dictionary attacks on my password.

    Old license plate codes are good too, but only if someone close to you isn’t likely to steal your identity and, sadly, maybe 25-30% of identity theft is family members? Ugh.

    Some of these clowns that ruin their kid’s credit don’t even think it’s wrong. Nor do I understand why banks don’t kind of catch on that, hey, the DOB here is a little off, hey, isn’t this actually the guy who charged off two loans here three years ago? Oh wait, that would mean not having low pay, high turnover, commission paid assholes as your main floor staff. Oops.

  11. 11
    Schlemizel says:

    I am cyber security professional. There are people out there very capable of pulling this off but the smart ones are doing it more slowly.

    BTW – this is all small potatoes to what the Chinese are doing. They have deeply implanted backdoors into millions of computers including a lot that you wouldn’t think had any real value. But they are playing a long game & all info they gather has value. And they use it in credibly smart ways. For instance they were able to pull all the cost data out of one company’s systems and managed to know exactly how much to bid to take business away from that company. The joint government/industry partnership will own us all

  12. 12
    Baud says:

    @Schlemizel:

    What do you think of CISPA?

  13. 13

    The cipherpunks were almost right. It turns that that without good security which, yes, includes strong encryption, it becomes impossible to rely on computer networks in a free civil society.

    And now, over to the future, where we all are arriving, one day at a time.

  14. 14

    A general rule of thumb is that passwords are weak to sort-of-OK security. If we intend to keep using computer networks for our day-to-day business, we had best change.

  15. 15
    Another Halocene Human says:

    @lumpkin: The scandal is that the banks will gather all these infos on you, keep them on unsecured dbs within their walls, and don’t give a shit–probably won’t even tell you–when organized crime (usually their own employees) steals tens of thousands of account holders info.

    Banks have always been about the bullshit. I mean look at their early 20th century facades. Look at their names. They’ve always been a game but one with I guess a purpose, though it’s not like government couldn’t give out loans to businesses and shit. But that’s not how the West was won, gov’t gave out tax breaks and used eminent domain powers, while fly-by-night banks provided the cheap credit the boom towns and homesteaders needed. Savings institutions? Ha ha ha. Keep it under the FDIC limit, kiddies.

    What sucks among so many things that sucks about stupid Americans is that we flip out about government and privacy, which is fair enough, but don’t seem to care that private institutions have almost no restrictions on getting our information, keeping them in unsafe ways, not restricting who has access to it, selling it, etc. HIPAA put some limits on some sorts of data but nothing like what people imagine it does. Then add in the absolutely incorrect info being perpetuated in peoples’ credit records with no recourse that counts for anything and now drop in identity theft into that mix. This shit is extremely destructive (financially and emotionally) to the little guy. Private profits, personal risk, while the “good cop” of the gov’t sits back… Wall Street paid Uncle Sam off.

  16. 16
    Gordon, the Big Express Engine says:

    @Another Halocene Human: I was quoting Mr. Chow from The Hangover 2… I don’t really do that!

  17. 17
    David Koch says:

    inb4 “I blame Obama”

  18. 18
    Bill Arnold says:

    @Schlemizel:
    Out of curiousity, how many such back doors have been found, e.g. through reverse engineering?

  19. 19
    The prophet Nostradumbass says:

    In the last week or so, my mom has received two phone calls from some guy in India pretending that her computer was infected with and spreading viruses, trying to get her to do something. The first time, she hung up on him herself, and the second, she handed the phone to me.

  20. 20
    Roger Moore says:

    One of the big ways they deal with this is to hang the losses from fraud on the banks rather than account holders. This has two beneficial effects:

    1) It keeps the little people sheeple from panicking and abandoning the system, since they are protected from losses better than if they tried to keep their money as cash, and

    2) It gives the banks a huge incentive to keep security tight. Yeah, they got taken for $45 million in this caper, but when was the last time you heard of anyone pulling anything close to that big against a major bank? It’s very rare, and is a good sign that the banks’ security is pretty tight.

  21. 21
    mapaghimagsik says:

    Things are getting interesting, cyber-security wise, even a cyber security budgets seem to be getting smaller.

    I do code security. It’s pretty amazing how much training needs to be done.

  22. 22
    Uncle Cosmo says:

    I keep getting these phone messages that “this is your final notice to lower your credit card interest rate–press 1” blah blah blah.

    This morning I pressed 1 & a guy came on the line & said “Hi, do you want to lower your credit card interest rate?”

    I replied, “I want to know who you people are & why you keep calling me.”

    “Have a good day.” (click)

    Next time I have half a mind to say yes just to see what kind of personal information they want from me. I have half of that half a mind to make up a bunch of shit in advance to use to fuck with them.

  23. 23
    Bruce S says:

    Too bad some bodies of ringleaders of the REAL Great Bank Heist of ’08 didn’t turn up full of lead in the DR…

    It’s always the little guys who get caught or shot. This was ridiculously labor intensive and $45 million is peanuts. As they say, the best way to rob a bank is to own one.

  24. 24
    Gex says:

    Until financial institutions that fail to secure financial data (or ascertain that the person applying for credit is the person they say they are) these things will never stop.

    If the institutions that don’t bother to make sure that everything is on the up and up had to pay the costs associated with their in ability to protect consumer data, this shit would stop pretty quick. So long as the poor person who simply exists in this modern world has to pay the costs of his data being stolen, this will continue apace.

    The fact of the matter is that these big businesses are VERY good at making sure they don’t lose money. Watch how the RIAA manages to track nearly every bit on the Internet that is part of a song. It can be done. It just won’t be done because the costs are externalized.

  25. 25
    Jacques Anquetil says:

    I work for a large multinational bank in the merchant risk field and all I can say is this is only going to get worse. Note I did not say it worse before getting better, because it will simply get worse and worse.
    One example of banks and credit card companies trying to combat fraud is EMV enabled cards. These have a chip in them which theoretically makes it harder to hack than a simple magstripe. Most of the world has migrated to EMV, but the US is the laggard and we only expect full implementation in 2015. Know what that means? Data thieves will be out in full force stealing based on current card usage and will be learning how to beat EMV. This has already happened in GB where EMV has been around for a bit, and criminals are mastering man in the middle attacks to defeat the technology.
    The only way to fight this is to educate consumers who will fall for some of the stupidest shit imaginable. Merchants as well have their fair share of people you wonder how they managed to live thus far.
    Stupid people + payment method = THEFT 100% of the time.

  26. 26
    MattR says:

    @Uncle Cosmo: I had the same reaction when I politely asked them what financial institution they were associated with.

  27. 27
    BruceJ says:

    Well part if the problem is because the US is too damned backwards to move to smart cards like the rest of the goddamn civilized world.

    From the Washington Post story:

    “Some of the fault lies with the ubiquitous magnetic strips on the back of the cards. The rest of the world has largely abandoned cards with magnetic strips in favor of ones with built-in chips that are nearly impossible to copy. But because U.S. banks and merchants have stuck to cards with magnetic strips, they are still accepted around the world.”

    They were loading this data onto old hotel keys, expired credit cards, anuythign with a strip on it.

  28. 28
    RepubAnon says:

    I expect the Bank’s next move will be have their pets in Congress pass legislation making the account holder liable if a hacker steals their money. The legislation will have ‘Homeland”, “For the Children” and “9/11” in the the title…

  29. 29
    Dr. Squid says:

    Wonder how much the banks collected in fees from all those transactions.

  30. 30
    catclub says:

    @The prophet Nostradumbass: My wife got that call, too. Or maybe we are married to the same person.

  31. 31
    catclub says:

    @Roger Moore: But the banks push debit cards over credit cards, because the debit card is directly linked to your bank account, and the protections for the consumer are much worse. So I am not in agreement with your faith in the banks.

    Somebody else noted that the US has not gone to chip and pin credit cards. Actually there are two banks (One is a maryland Credit Union) in the US that do issue chip and pin cards.

  32. 32
    El Cid says:

    They should have just pooled money, lobbied a few Congressmen to deregulate what they wanted to do, and then steal all this legally.

  33. 33
    Reuben says:

    I was recommended this blog through my cousin. I’m not sure whether this put up is written by means of him as nobody else understand such specific approximately my trouble. You are incredible! Thanks!

  34. 34

    […] says Tom Levenson at Balloon Juice. “I have no doubt that there are folks involved in this that you really, really don’t […]

  35. 35

    […] says Tom Levenson at Balloon Juice. “I have no doubt that there are folks involved in this that you really, really don’t […]

Trackbacks & Pingbacks

  1. […] says Tom Levenson at Balloon Juice. “I have no doubt that there are folks involved in this that you really, really don’t […]

  2. […] says Tom Levenson at Balloon Juice. “I have no doubt that there are folks involved in this that you really, really don’t […]

Comments are closed.