back to article The great $45m bank cyber-heist: Seven New Yorkers cuffed

Crooks allegedly stole $45m in hours from ATMs after hacking into a database of prepaid debit cards. The gang created counterfeit cards using the data swiped from two Middle Eastern banks, investigators claim, and emptied the compromised accounts of greenbacks as quickly as possible – thus minimising the possibility that the …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    Why is the US lagging so far behind on card security?

    "A lot of these attacks would go away by getting rid of the stripe and updating the US payment systems to use the chips. Even then, it's true that the attacks won't go away, but they will for sure decrease or become a lot harder."

    Visited US last year and had my card compromised. Possibly skimmed at a computer store, or one of Amazon's payment processors got hit. Why aren't stores forced to use chip & pin everywhere? I'm no fan of Verified by Visa, but at least its an attempt to halt card-not-present fraud IMHO....

    1. Anonymous Coward
      Anonymous Coward

      Why aren't stores forced to use chip & pin everywhere?

      "Why aren't stores forced to use chip & pin everywhere?"

      I think you have the question backwards: what would force stores to use chip and pin?

      Look who gets hurt in a credit fraud:

      Usually, not the account holder - if they can prove the fraud is not their fault they usually are not held responsible for most, if not all, of the cost.

      Not the credit card company - almost always, they just reverse the fraudulent charges back to the merchants.

      So it's only the merchants who have any motivation to deploy anything more secure. However, the "invisible hand" only works when there are real alternatives, and since the credit card companies don't really offer a meaningful alternative to mag-stripe, the merchants have no choice - they take what they can get (mag-stripe) or they don't handle credit transactions (read: they don't get any business, because who can be bothered to carry cash or checks in this spend-spend-spend era?)

      I knew of a guy involved with a very large company's web site, who detected a massive credit fraud-in-progress. He held the transactions, contacted the credit card company, said "I can give you the address they are wanting the goods shipped to: call the police, nab them in the act, done!" The credit card company's response? "Don't care, not our problem, don't let the transactions go through or we'll just charge it back to you, bye now<click>".

  2. Gene Cash Silver badge
    Headmaster

    "shot dead at his house while playing dominoes"

    Damn, these dudes play like my grandfather!

    Seriously though, a question for the Brits: When you go to a restaurant, sit down, have your meal, In the US the waitress brings the bill, you stick the card in there, she goes back and swipes it for the amount (and possibly writes the number & for fraud later), brings it back, you take the card, note down the tip and leave. The amount goes on your card and is later updated with the tip amount.

    How does that work in the UK? How would chip/pin affect it? I'd think chip/pin would kill the "go back and swipe" step. Or do I misunderstand?

    1. Zimmer

      Re: "shot dead at his house while playing dominoes"

      The chip holds the PIN and using the terminal it verifies/authenticates the PIN used. Most terminals are now wireless in Restaurants etc. and are brought to the table so the card does not leave your sight.

      1. Gene Cash Silver badge
        Unhappy

        Re: "shot dead at his house while playing dominoes"

        Ah ok. A couple daring restaurants tried the swipe-it-yourself wireless terminal and found Americans were too dumb/lazy to figure it out. It was quickly canned.

    2. frank ly

      Re: "shot dead at his house while playing dominoes"

      Many retail outlets now have small portable card readers that have a wireless link to the shop's server, especially if the staff have to walk around to customers. ( My dentist's reception desk also has one of these, maybe because it's more convenient that a cabled reader or a fixed one.)

      In a restaurant, the staff would present you with the bill and the reader, put your card in the reader for you and ask you to enter the amount on the reader keyboard, press Enter, then your PIN and press Enter; hinting that a tip added to the amount would be most welcome. The card never leaves your sight.

      If they have a payment desk, it's the same process but the card reader is fixed to an adjustable stand of some kind. Many people, especially in large groups dining out, prefer to leave cash on the table as a tip, knowing that that staff are more likely to get it if it lands in their hands directly.

    3. Phil O'Sophical Silver badge

      Re: "shot dead at his house while playing dominoes"

      Its absolutely forbidden for the card to leave the customer's sight, I've seen waitresses at Heathrow having to insist (to American customers) that they must bring the machine to the table, and cannot take the card away.

  3. Anonymous Coward
    Anonymous Coward

    card readers

    Card readers in the US are usually the property of the retailer who is then on the hook for new equipment when the system is changed, in Europe the equipment is typically supplied by the bank and charged for in the fees so it''s easier to upgrade everyone.

    I was amazed when I went to the a US branch office six years ago to see they were stilling going around on payday and handing people cheques (or checks if you prefer) the system is so far behind on electronic payment it's crazy. In Canada I found out that to even initiate the equivalent of of a direct debit you usually have to supply a blank void cheque, though at least Canada has largely moved to chip and pin.

    1. MachDiamond Silver badge

      Re: card readers

      I prefer getting a check vs. direct deposit at the moment. If all of your finances are electronic, The Man can intercept your money at any time. With a paper check, you have the opportunity to take it to the bank and receive cash. Another problem I have with purely electronic transactions are the banks hold on to the money for an extra day or three. I never noticed this with direct deposit of a pay check, but it happened all of the time with wire transfers and BillPay services.

      1. Richard 12 Silver badge

        Re: card readers

        Intercepting a cheque is beyond trivial, and if you pay it into an account in your name, the money takes a week or more to "clear", and even then can still be taken away from you if the cheque is later declared fraudulent.

        That's why those "cheques cashed" services charge a hefty percentage, to cover that risk.

        If "the man" wants to screw you over, a cheque's the best way to do it! That's why so few EU shops accept them!

        Incidentally, in the EU we now have "faster payments", which transfer cleared money between bank accounts in under 2 hours, usually in seconds. It did take a Government action to force that though, as the three-day clearing is a nice little earner for the banks!

    2. Tom 13

      Re: stilling going around on payday and handing people cheques

      The last time this 'Merkin received an actual check for payday was about 12 years ago and the circumstances were rather unique. It was a small shop with no more than 9 employees including the boss. At the end of the pay period he sat down in his office, wrote out the check, and handed it to each of his employees. Everywhere else I've worked I've either been required to take direct deposit, or the banks have required it for their "free checking" services.

      So I'd say your experience was most unusual.

  4. Anonymous Coward
    Anonymous Coward

    "Another problem I have with purely electronic transactions are the banks hold on to the money for an extra day or three."

    If I pay a cheque into my UK bank account then it needs three working days before any of the cash can be withdrawn. Some banks will allow you to withdraw a small amount before then. Only a cash deposit over the counter is credited to the account the same day.

    My electronic monthly salary goes into the bank on a specific date each month. If it is a weekend or public holiday then it arrives on the previous working day. It's there ready to use immediately.

    My online banking works in a similar way. My credit card bills are paid the same day. Even a transfer to my PayPal account shows up in seconds. If a friend wants a temporary loan until payday - it is usually because they want to buy something time-limited on eBay. An onward transfer between PayPal accounts is instant - and with no handling charges within the UK.

    The online banking system does warn that some transfers may take longer if the recipient financial organisation isn't able to process FAST payments. At the moment it is limited to payments within the UK - but that may change. The payments have to be less than £10k by banking authority "laundering" rules..

    My bank's security system for home online banking uses my chip card and its pin to generate a real-time authentication code from a home offline device.

    1. Tom 13

      @AC 7:32 GMT

      My experience in the US is similar, sans chip and pin.

      In fact, I generally don't even have a hold on check deposits. The only exception to that is if for some reason I transfer money directly to the savings account. But that's never been a problem since I don't intend to spend what is transferred to savings.

  5. Yet Another Anonymous coward Silver badge

    $ Million

    These days that hardly counts as a bank robbery.

    The bankers were probably laughing and throwing money at them saying - Million? call that a bank robbery!

  6. All names Taken

    What gets me ...

    ... is that a tardy, lairy, few individuals get grubby hands on a paltry few meelleeonz and end up on the wrong side of the law.

    Another set of tardy, lairy individuals get grubby hands on many beelleeonz and end up lots of additional state sponsorship to ensure that their lifestyles are not compromised

  7. zanto
    FAIL

    Another result of sending work to India

    http://timesofindia.indiatimes.com/india/Cyber-cheats-hacked-Pune-Bangalore-companies/articleshow/20008913.cms

    quoting verbatim:

    "Since the time the incident occurred, EnStage has retained independent security experts to analyze the intrusion and to recommend enhancements to its information security infrastructure. EnStage has implemented both these enhancements as well as additional monitoring capabilities"

    which in other words means "I don't know what the fuck happened, but I do know how to dish out comforting sound bites to those gullible pale skinned westerners."

    never ever ever trust an indian company with financial details, that's just asking to be robbed.

  8. Anonymous Coward
    Anonymous Coward

    Layers

    I'll keep banging on about this until everyone implements it. Security needs to be done in LAYERS, the more the better.

    Blaming the magnetic strip and American reliance on it is only part of the story. How was the card data stolen in the first place? An insecure Bank.

    Too many businesses don't invest in layered security, believing all you need is "some".

    "we force a 14 digit complex password, that's our strong security".

    "It's SSL with long keys, that's our security".

    "The database is encrypted on disk, that's our security".

    Each on their own is only one layer. They need to ALL be applied, and more.

    And it's getting worse. Some of the major retail businesses in the world are diversifying and new operators are running the IT for Banks. Hackers stealing your supermarket stock database won't help them steal tins of beans off your shelf. But if hackers steal your card database, bye bye money, bye bye banking license, bye bye shareholders.

    1. Tom 13

      Re: Layers

      And in this instance, one of the most important layers wasn't even an IT security layer!

      It was a standard financial practices layer: No unlimited accounts and certainly no unlimited accounts with a single signature.

This topic is closed for new posts.

Other stories you might like