Thieves make withdrawals after hacking into a database of prepaid debit cards. Seven arrests have been made in the U.S.
Officials say outmoded U.S.
card technology may be partly to blame for the theft of $45 million from
ATMs.
(Gene J. Puskar / Associated Press / January 5, 2013)
|
A worldwide gang of criminals
stole a total of $45 million in a matter of hours by hacking their way
into a database of prepaid debit cards and then draining cash machines
around the globe, federal prosecutors said.
How were they able to do it? Outmoded U.S. card technology may be partly to blame, the officials said.
Seven people have been arrested in the U.S. in connection with the case, which prosecutors said involved thousands of thefts from ATMs using bogus magnetic swipe cards carrying information from Middle Eastern banks. The fraudsters moved with astounding speed to loot financial institutions around the world, U.S. Atty. Loretta Lynch, who works in New York, said Thursday.
She called it "a massive 21st century bank heist" carried out by brazen thieves in two separate strikes, one in December and the other in February.
One of the suspects was caught on surveillance cameras, his backpack increasingly loaded down with cash, authorities said. Others took photos of themselves with giant wads of bills as they made their way up and down Manhattan.
Here's how it worked:
Hackers got into bank databases, eliminated withdrawal limits on prepaid debit cards and created access codes. Others loaded those data onto any plastic card with a magnetic stripe — an old hotel key card or an expired credit card worked fine as long as they carried the account data and correct access codes.
A network of operatives then fanned out to rapidly withdraw money in multiple cities, authorities said. The cells would take a cut of the money, then launder it through expensive purchases or ship it to the global ringleaders. Lynch didn't say where they were located.
The targets were reserves held by the banks to fund prepaid credit cards, not individual account holders, Lynch said.
She called it a "virtual criminal flash mob," and a security analyst said it was the biggest ATM fraud case she had heard of.
The attack in December reaped $5 million worldwide and the one in February snared about $40 million. The scheme involved attacks on two banks, Rakbank in the United Arab Emirates and the Bank Muscat in Oman, prosecutors said.
The plundered ATMs were in Japan, Russia, Romania, Egypt, Colombia, Britain, Sri Lanka, Canada and several other countries, and law enforcement agencies from more than a dozen nations were involved in the investigation, U.S. prosecutors said.
The accused ringleader in the U.S. cell, Alberto Yusi Lajud-Pena, was reportedly killed in the Dominican Republic late last month, prosecutors said. More investigations continue and other arrests have been made in other countries, but prosecutors did not have details.
An indictment unsealed Thursday accused Lajud-Pena and the other seven New York suspects of withdrawing $2.8 million in cash from hacked accounts in less than a day.
Such ATM fraud schemes are not uncommon, but the $45 million stolen in this one was at least double the amount involved in previously known cases, said Avivah Litan, an analyst who covers security issues for Gartner Inc.
Middle Eastern banks and payment processors are "a bit behind" on security and screening technologies that are supposed to prevent this kind of fraud, but it happens around the world, she said.
"It's a really easy way to turn digits into cash," Litan said.
Some of the fault lies with the ubiquitous magnetic strips on the back of the cards. The rest of the world has largely abandoned cards with magnetic strips in favor of ones with built-in chips that are nearly impossible to copy. But because U.S. banks and merchants have stuck to cards with magnetic strips, they are still accepted around the world.
Lynch would not say who masterminded the attacks globally, who the hackers are or where they were located, citing an ongoing investigation.
The New York suspects were U.S. citizens originally from the Dominican Republic, who lived in the New York suburb of Yonkers and were mostly in their 20s. Lynch said they all knew one another and were recruited together, as were cells in other countries. They were charged with conspiracy and money laundering. If convicted, they face 10 years in prison.
Arrests began in March. Lajud-Pena was found dead with a suitcase full of about $100,000 in cash. The investigation into his death is continuing separately. Dominican officials said they arrested a man in the killing who said it was a botched robbery, and two other suspects were on the lam.
Lynch compared the ring with the $5.8 million in cash stolen from a Lufthansa Airlines vault at Kennedy Airport in 1978, a heist masterminded by Jimmy Burke, the inspiration for Robert De Niro's character in "Goodfellas."
Seven people have been arrested in the U.S. in connection with the case, which prosecutors said involved thousands of thefts from ATMs using bogus magnetic swipe cards carrying information from Middle Eastern banks. The fraudsters moved with astounding speed to loot financial institutions around the world, U.S. Atty. Loretta Lynch, who works in New York, said Thursday.
She called it "a massive 21st century bank heist" carried out by brazen thieves in two separate strikes, one in December and the other in February.
One of the suspects was caught on surveillance cameras, his backpack increasingly loaded down with cash, authorities said. Others took photos of themselves with giant wads of bills as they made their way up and down Manhattan.
Here's how it worked:
Hackers got into bank databases, eliminated withdrawal limits on prepaid debit cards and created access codes. Others loaded those data onto any plastic card with a magnetic stripe — an old hotel key card or an expired credit card worked fine as long as they carried the account data and correct access codes.
A network of operatives then fanned out to rapidly withdraw money in multiple cities, authorities said. The cells would take a cut of the money, then launder it through expensive purchases or ship it to the global ringleaders. Lynch didn't say where they were located.
The targets were reserves held by the banks to fund prepaid credit cards, not individual account holders, Lynch said.
She called it a "virtual criminal flash mob," and a security analyst said it was the biggest ATM fraud case she had heard of.
The attack in December reaped $5 million worldwide and the one in February snared about $40 million. The scheme involved attacks on two banks, Rakbank in the United Arab Emirates and the Bank Muscat in Oman, prosecutors said.
The plundered ATMs were in Japan, Russia, Romania, Egypt, Colombia, Britain, Sri Lanka, Canada and several other countries, and law enforcement agencies from more than a dozen nations were involved in the investigation, U.S. prosecutors said.
The accused ringleader in the U.S. cell, Alberto Yusi Lajud-Pena, was reportedly killed in the Dominican Republic late last month, prosecutors said. More investigations continue and other arrests have been made in other countries, but prosecutors did not have details.
An indictment unsealed Thursday accused Lajud-Pena and the other seven New York suspects of withdrawing $2.8 million in cash from hacked accounts in less than a day.
Such ATM fraud schemes are not uncommon, but the $45 million stolen in this one was at least double the amount involved in previously known cases, said Avivah Litan, an analyst who covers security issues for Gartner Inc.
Middle Eastern banks and payment processors are "a bit behind" on security and screening technologies that are supposed to prevent this kind of fraud, but it happens around the world, she said.
"It's a really easy way to turn digits into cash," Litan said.
Some of the fault lies with the ubiquitous magnetic strips on the back of the cards. The rest of the world has largely abandoned cards with magnetic strips in favor of ones with built-in chips that are nearly impossible to copy. But because U.S. banks and merchants have stuck to cards with magnetic strips, they are still accepted around the world.
Lynch would not say who masterminded the attacks globally, who the hackers are or where they were located, citing an ongoing investigation.
The New York suspects were U.S. citizens originally from the Dominican Republic, who lived in the New York suburb of Yonkers and were mostly in their 20s. Lynch said they all knew one another and were recruited together, as were cells in other countries. They were charged with conspiracy and money laundering. If convicted, they face 10 years in prison.
Arrests began in March. Lajud-Pena was found dead with a suitcase full of about $100,000 in cash. The investigation into his death is continuing separately. Dominican officials said they arrested a man in the killing who said it was a botched robbery, and two other suspects were on the lam.
Lynch compared the ring with the $5.8 million in cash stolen from a Lufthansa Airlines vault at Kennedy Airport in 1978, a heist masterminded by Jimmy Burke, the inspiration for Robert De Niro's character in "Goodfellas."
No comments:
Post a Comment