back to article Bank Muscat hit by $39m ATM cash-out heist

Cybercrooks have pulled off a $39m ATM heist against a bank in Oman using pre-paid travel cards. Bank Muscat put out a statement through the Muscat Securities Market admitting the loss: 12 Bank Muscat prepaid Travel Cards were compromised on February 20, 2013. The gross value of transactions on these cards, which were …


This topic is closed for new posts.
  1. Anonymous Coward

    Probably the tip of the icberg

    How many banking security failures do we not hear about on the same scale and they insist the systems are infallible.

    Bollox !

    ps RBS just for a laugh uses java for their RBSMarketPlace applications.. How ironic is that ?

    1. Anonymous Coward
      Anonymous Coward

      One thing is certain

      If they get caught they will have theirs hands cut off.

      1. Fatman

        Re: If they get caught they will have theirs hands cut off.

        Then I have a whole bunch of worthless US bankers wankers who should suffer the same fate.

  2. I Am Spartacus

    What? No Velocity check?

    Way back in the early 90's I was involved in a card system. One of the first things we did then was implement a check to stop multiple repeated transactions, and to check the card velocity.

    Velocity is simple. Note where the card is first used as a lat/long (this assumes that all banks know where their card machines are), when the card is next used compute the distance, and the time it took to travel and hence compute the velocity. If the velocity is too great, block the card and get the customer to call in. To be honest, we did have another way of finding the location, but surely this is just so fundamental that the banks must have this.

    20 years later, it seems Bank of Muscat have not learnt this lesson.

    1. Xamol

      Re: What? No Velocity check?

      That's not what a velocity check is. A velocity check would simply be something like a daily withdrawal amount limit or a limit on the number of transactions a card can perform in a set time etc.

      Analysing the location of transactions on a per card basis and then applying fraud checking rules would be the job of a dedicated fraud prevention system, not done by the transaction processing system - it has enough to do without running complex algorithms to identify fraud.

      Also, in the article it says that their systems may have been compromised so these velocity checks may have been disabled.

      1. Alan Esworthy

        Re: What? No Velocity check?

        "Analysing the location of transactions on a per card basis and then applying fraud checking rules would be the job of a dedicated fraud prevention system, not done by the transaction processing system - it has enough to do without running complex algorithms to identify fraud."

        You'd be surprised. I can't comment further, unfortunately.

        1. Xamol

          Re: What? No Velocity check?

          OK, not all transaction processors have a dedicated fraud detection/prevention system so I'll accept that I should have written "should" rather than "would".

          Beer, because this is too much like the day job so I'm off for the weekend!

    2. Lee D Silver badge

      Re: What? No Velocity check?

      For someone in the industry, I don't think you understand how the scam works.

      The banks in question authorise the transactions before they are actually verified as having funds. There are plenty of terminals that are "offline" or just delay before actually collecting the payment. If you time it right, you can perform the same £10 hundreds of times across the globe and by the time actual authorisation is given by the originating bank, there's already a million pounds in cash gone from various places.

      Ever bought anything on a plane? Same system.

      They don't have live connections to ensure funds are available. Yes, it's incredibly stupid, but that's why the scam (and many others with similar tactics) works. By the way, this is pretty much all how the "pay-by-wave" systems work and rely on the card to remember that it has spent £15. Clone the card beforehand and you can have as many £15 as you like before the bank has to give a yes/no.

      Why is another reason why pay-by-wave is an incredibly stupid, even if "convenient", idea.

      1. Xamol

        Re: What? No Velocity check?

        Lee, almost all ATM transactions are online at least to the acquirer system (which may be permitted to carry out stand in processing if the card issuers systems are unavailable). Normal operation is that every transaction will be routed to the card issuer for authorisation before any money is dispensed apart from said stand in scenarios.

        I don't rule out the possibility of some deployments of ATMs allowing offline transactions but they should be limited to processing 'on us' transactions (for cards issued by the ATM deployer). They certainly shouldn't be authorising international cards offline. Having said that, these were pre-paid travel cards so the rules set for them can be different from normal credit/debit cards.

        AC is right that complex fraud checks aren't done before the transaction completes so there is a window there, but basic velocity checks can and should be done before authorisation.

        1. Yet Another Anonymous coward Silver badge

          Re: What? No Velocity check?

          It's a business decision:

          Option 1 - bank refuses withdrawal because it can't get a secure realtime direct link from the foreign ATM to its HQ, or because a businessman buying a coffee in New York 12 hours after buying a heathrow express ticket is somehow "suspicous". Business man returns home furious, cancels all his accounts, moves his mortgage, pension and life insurance - bank loses $1000s in fees.

          Option 2 - bank allows some extra risks on a pre-paid credit card that accounts for 0.1% of its business.

          You can always add more security - the question is whether requiring a 15digit pin and a DNA sample everytime a customer uses their card is a win for you in the long term

    3. Anonymous Coward
      Anonymous Coward

      Re: What? No Velocity check?

      Someone raises this every time a card-cloning scam comes up, and it's an example of the classic security research vs security in the real world clash.

      Yes, you could check every transaction against a central database of past transactions and check if they're sane, but the problem is this would be really, really slow. Really slow. Remember most ATMs are lucky to have anything faster than dial up on board. Checking the validity of a card and its transaction limit are relatively simple, asking a server to do a lat/lon sanity calculation every time someone connects isn't. It takes time.

      As a result, while dozens of these "Do these transactions make sense?" calculations take place, they usually take place after the fact, as anyone who's had their card cloned knows. The trick, and it's probably the trick used here, is to use the cloned cards in a synchronised manner, to not give the system time to respond. Pick ATMs you know to be particularly slow, get your gang of ill-intentioned ruffians to spread out amongst them and hit them for everything they've got all at the same time. The transaction system will do what it was designed to do - complete the transaction, and they'll be off with the cash long, long before any security system catches up.

      Putting the security up-front would slow down the process immensely, almost certainly costing banks a hell of a lot more than they lose from once-in-a-blue-moon card cloning scams.

  3. Gord

    not news any more

    If 3 masked robbers with guns stole $xxx million euros/dollars/etc in a daylight heist from any bank in the world the news feeds would go crazy with useless facts about every heist in history and so-called journalists going on about other journalist's opinions about why it happened and how awful it all is. Organized crime doing it thru a stupidly overlooked crack in computer security news.

    Conspiracy angle, the bank needed to unload some cash quickly to a local prince and hired the bad boys to create a crime so no suspicion is raised when the money moves. No taxes due either.

    1. Anonymous Coward
      Anonymous Coward

      Re: not news any more

      Theft inolving risk to life is different. It's also why white collar crime is generally treated more leniently.

      1. Bronek Kozicki

        Re: not news any more

        Right, the risk to life makes a difference, yet such heist would be all over the news even if there was no risk to life. E.g. guards crooked or cooperating by fear of actually bogus weapons.

  4. minky

    12 Bank Muscat prepaid Travel Cards were compromised... RO 15 million.

    Fucking hell, last time I bought a Travel Card it cost about 40 quid.

  5. Tank boy
    Black Helicopters

    The terrorists need new cash flow.

    Now that Bin Laden is sleeping with the fishes, I suspect that they are in dire need of a new revenue stream.

    1. tonysmith

      Re: The terrorists need new cash flow.

      This would require too much smarts for those guys.

      Simpler approach would be (is being used) is to either use drug money or smuggling (or if your in somalia why not try piracy - like the "on a boat in the sea" type)...or if your in Afghanistan set up a "transport mafia" and have the Americans pay you millions to protect their trucks from...well, yourself!

      1. JaitcH

        Re: The terrorists need new cash flow.

        In Afghanistan they ship billions into the state bank and then officials do some creative printing and loan out all sorts of money to friends of the government.

        Time that Switzerland really opened up the accounts for near failed states and their citizens.

  6. Anonymous Coward
    Anonymous Coward


    Meh, the cost of an extended lunch for these Sultana guys.

  7. Velv

    I understand the concept of duplicated cards used multiple times, but the numbers don't stack up.

    £39,000,000 stolen. Assuming an ATM allows £1,000 per transaction, that's 39,000 transactions!!!

    Assuming you got 1,000 mules at 39 transactions each in one day, you're chances of a snitch being in there are quite high.

This topic is closed for new posts.