An international cybercrime operation responsible for a $45 million ATM heist carried out over a matter of hours is being called one of the most sophisticated digital attacks ever uncovered, the New York Times reported. Incorporating stolen payment processing information obtained through a financial transaction system software exploit and an extensive ground operation, the attack involved thousands of ATM withdrawals in more than two dozen countries.
The eight-person street crew responsible for the withdrawals in New York City was recently caught and indicted, offering a glimpse into a criminal undertaking that is still being investigated and in which the hackers at its root remain at large. In New York, the thieves made $2.4 million worth of withdrawals at 2,904 machines in 10 hours on February 19 – making it one of the largest heists in the city’s history. However, the operation extended worldwide, accounting for 36,000 withdrawals worth $40 million that day. A previous operation in December by the same ring netted $5 million.
“In the place of guns and masks, this cybercrime organization used laptops and the Internet,” said Loretta E. Lynch, the United States attorney in Brooklyn, according to the New York Times.
Inside the heist
The ground crew responsible for the ATM withdrawals carried out their theft using information provided by a ring of hackers, who stole prepaid debit card account numbers from at least two credit card processing companies. The hackers programmed these accounts to have massive withdrawal limits, thus making the cards essentially unlimited. Then they transferred the account numbers to the magnetic strips on dummy cards distributed to the ground crews who would make the withdrawals.
Payment processing companies make a more attractive target than banks because they are typically less secure, and prepaid debit cards were preferable to individual accounts because they do not have the same automated controls, the New York Times noted. Additionally, the speed at which the withdrawals were made was such that the financial firms involved did not have time to react or stop the thieves, Doug Johnson, vice president of risk management and policy at the American Bankers Association, told The Verge.
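The kind of automated control the paragraphs above say prepaid accounts lacked can be sketched as a correlation rule. This is an added example, not code from the article or from any processor's system; the event schema, thresholds and sample records are constructed assumptions. It flags an account when withdrawals follow a limit increase, arrive too quickly, or come from several countries inside one window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real data; every field name is an assumption.
def _ev(ts, kind, account, **extra):
    return {"ts": f"2020-01-01T{ts}:00", "type": kind, "account": account, **extra}

EVENTS = [
    _ev("09:00", "withdrawal", "PREPAID-B", amount=60, country="US"),
    _ev("14:55", "limit_change", "PREPAID-A", old_limit=500, new_limit=1_000_000),
    _ev("15:00", "withdrawal", "PREPAID-A", amount=800, country="US"),
    _ev("15:05", "withdrawal", "PREPAID-A", amount=800, country="US"),
    _ev("15:10", "withdrawal", "PREPAID-A", amount=800, country="JP"),
    _ev("15:12", "withdrawal", "PREPAID-A", amount=800, country="DE"),
    _ev("15:20", "withdrawal", "PREPAID-A", amount=800, country="US"),
    _ev("18:30", "withdrawal", "PREPAID-B", amount=40, country="US"),
]

WINDOW = timedelta(hours=1)   # assumed sliding window
MAX_WITHDRAWALS = 3           # assumed per-account ceiling inside WINDOW
MAX_COUNTRIES = 1             # assumed: one country per window for a physical card

def detect(events, window=WINDOW):
    """Return {account: sorted reasons} for accounts that breach a control."""
    alerts = defaultdict(set)
    limit_raised = {}             # account -> time of the latest limit increase
    recent = defaultdict(list)    # account -> [(time, country)] inside the window
    # ISO 8601 strings in one format sort chronologically.
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, acct = datetime.fromisoformat(ev["ts"]), ev["account"]
        if ev["type"] == "limit_change":
            if ev["new_limit"] > ev["old_limit"]:
                limit_raised[acct] = ts
            continue
        if ev["type"] != "withdrawal":
            continue
        recent[acct] = [(t, c) for t, c in recent[acct] if ts - t <= window]
        recent[acct].append((ts, ev["country"]))
        if len(recent[acct]) > MAX_WITHDRAWALS:
            alerts[acct].add("velocity")
        if len({c for _, c in recent[acct]}) > MAX_COUNTRIES:
            alerts[acct].add("geo_spread")
        if acct in limit_raised and ts - limit_raised[acct] <= window:
            alerts[acct].add("withdrawal_after_limit_raise")
    return {a: sorted(r) for a, r in alerts.items()}

if __name__ == "__main__":
    for account, reasons in detect(EVENTS).items():
        print(account, reasons)
```
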
Exploiting a vulnerability
Although full details of the hack leading to the theft have not emerged, the indictment suggests the hackers took advantage of a software vulnerability to extract data from the payment processing companies, The Verge reported. In particular, the vulnerability appears to be tied to the fragmented system used to connect providers and ensure cash is dispensed to customers.
Part of the problem may be that such payment processing and financial exchange systems are increasing in complexity to the point that maintaining oversight is difficult. Additionally, criminals are employing more advanced tactics.
“There’s an increasing sophistication,” Johnson told The Verge. “As our systems get more sophisticated, so do the criminals. We as financial institutions are very well aware of the fact that we’re part of a new environment. The convenience that you enjoy as a consumer is something that a criminal tries to use to their advantage.”
Cyberattacks targeting ATMs appear to be on the rise in general, The Verge noted. A Symantec report earlier this year highlighted an attack in which hackers took $9 million from one European bank’s ATMs in 46 cities and noted that tens of millions of dollars have been stolen from European banks this way in the past year.
To diminish the likelihood of such carefully coordinated attacks, increasing the software security of financial systems at every level is essential. Through the use of tools such as static analysis software, financial firms can catch vulnerabilities that may enable attackers to gain access to information such as payment card data and prevent such errors from reaching production.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.