National News

May 10, 2013

Feds in NYC: Hackers stole $45M in ATM card breach

NEW YORK — A worldwide gang of criminals stole $45 million in a matter of hours by hacking their way into a database of prepaid debit cards and then draining cash machines around the globe, federal prosecutors said Thursday — and outmoded U.S. card technology may be partly to blame.

Seven people are under arrest in the U.S. in connection with the case, which prosecutors said involved thousands of thefts from ATMs using bogus magnetic swipe cards carrying information from Middle Eastern banks. The fraudsters moved with astounding speed to loot financial institutions around the world, working in cells including one in New York, Brooklyn U.S. Attorney Loretta Lynch said.

She called it “a massive 21st-century bank heist” carried out by brazen thieves.

One of the suspects was caught on surveillance cameras, his backpack increasingly loaded down with cash, authorities said. Others took photos of themselves with giant wads of bills as they made their way up and down Manhattan.

Here’s how it worked:

Hackers got into bank databases, eliminated withdrawal limits on pre-paid debit cards and created access codes. Others loaded that data onto any plastic card with a magnetic stripe — an old hotel key card or an expired credit card worked fine as long as it carried the account data and correct access codes.

A network of operatives then fanned out to rapidly withdraw money in multiple cities, authorities said. The cells would take a cut of the money, then launder it through expensive purchases or ship it wholesale to the global ringleaders. Lynch didn’t say where they were located.

It appears no individuals lost money. The thieves plundered funds held by the banks that back up prepaid credit cards, not individual or business accounts, Lynch said.

She called it a “virtual criminal flash mob,” and a security analyst said it was the biggest ATM fraud case she had heard of.

There were two separate attacks, one in December that reaped $5 million worldwide and one in February that snared about $40 million in 10 hours with about 36,000 transactions. The scheme involved attacks on two banks, Rakbank in the United Arab Emirates and the Bank of Muscat in Oman, prosecutors said.

The plundered ATMs were in Japan, Russia, Romania, Egypt, Colombia, Britain, Sri Lanka, Canada and several other countries, and law enforcement agencies from more than a dozen nations were involved in the investigation, U.S. prosecutors said.

The accused ringleader in the U.S. cell, Alberto Yusi Lajud-Pena, was reportedly killed in the Dominican Republic late last month, prosecutors said. More investigations continue and other arrests have been made in other countries, but prosecutors did not have details.

An indictment unsealed Thursday accused Lajud-Pena and the other seven New York suspects of withdrawing $2.8 million in cash from hacked accounts in less than a day.

Such ATM fraud schemes are not uncommon, but the $45 million stolen in this one was at least double the amount involved in previously known cases, said Avivah Litan, an analyst who covers security issues for Gartner Inc.

Middle Eastern banks and payment processors are “a bit behind” on security and screening technologies that are supposed to prevent this kind of fraud, but it happens around the world, she said.

“It’s a really easy way to turn digits into cash,” Litan said.

Some of the fault lies with the ubiquitous magnetic strips on the back of the cards. The rest of the world has largely abandoned cards with magnetic strips in favor of ones with built-in chips that are nearly impossible to copy. But because U.S. banks and merchants have stuck to cards with magnetic strips, they are still accepted around the world.

Lynch would not say who masterminded the attacks globally, who the hackers are or where they were located, citing an ongoing investigation.

The New York suspects were U.S. citizens originally from the Dominican Republic, lived in the New York City suburb orf Yonkers and were mostly in their 20s. Lynch said they all knew one another and were recruited together, as were cells in other countries. They were charged with conspiracy and money laundering. If convicted, they face 10 years in prison.

Arrests began in March.

Lajud-Pena was found dead with a suitcase full of about $100,000 in cash, and the investigation into his death is continuing separately. Dominican officials said they arrested a man in the killing who said it was a botched robbery, and two other suspects were on the lam.

The first federal study of ATM fraud was 30 years ago, when the use of computers in the financial community was growing rapidly. At the time, the Bureau of Justice Statistics found nationwide ATM bank loss from fraud ranged from $70 and $100 million a year.

By 2008, that had risen to about $1 billion a year, said Ken Pickering, who works in security intelligence at CORE Security, a white-hat hacking firm that offers security to businesses.

He said he expects news of the latest ring to inspire other criminals.

“Once you see a large attack like this, that they made off with $45 million, that’s going to wake up the cybercrime community,” he said.

“Ripping off cash, you don’t get that back,” he said. “There are suitcases full of cash floating around now, and that’s just gone.”

1
Text Only
National News
  • Remembering an officer slain after bombs went off

    Like many other youngsters, Sean Collier wanted to be a police officer. Unlike most, he brought that dream to life — and then died doing it, becoming a central character in one of the most gripping manhunts the nation has ever seen.

    April 18, 2014

  • Gabriel Garcia Marquez, Nobel laureate, dies at 87

    Nobel laureate Gabriel Garcia Marquez crafted intoxicating fiction from the fatalism, fantasy, cruelty and heroics of the world that set his mind churning as a child growing up on Colombia’s Caribbean coast.

    April 18, 2014

  • 10 Things to Know for Friday

    Your daily look at late-breaking news, upcoming events and the stories that will be talked about Friday.

    April 17, 2014

  • Why high oil prices are actually good for airlines

    Airline executives frequently complain about fuel costs. But the truth is higher prices actually have been good for business.

    April 17, 2014

  • Armed robber was never told to report to prison

    After he was convicted of armed robbery in 2000, Cornealious Anderson was sentenced to 13 years behind bars and told to await instructions on when and where to report to prison. But those instructions never came.

    April 17, 2014

  • Hot models at this year’s New York Auto Show

    With more than 1 million visitors annually, the New York International Auto Show is one of the most important shows for the U.S. auto industry. Here are some of the vehicles debuting this year. The show opens to the public Friday.

    April 17, 2014

  • Study: Diabetic heart attacks and strokes falling

    In the midst of the diabetes epidemic, a glimmer of good news: Heart attacks, strokes and other complications from the disease are plummeting.

    April 17, 2014

  • 10 Things to Know for Thursday

    Your daily look at late-breaking news, upcoming events and the stories that will be talked about Thursday:

    April 17, 2014

  • Players protest rehiring of fired Minnesota coach

    The University of Minnesota-Mankato football team Wednesday boycotted the fired head coach who won his job back in an arbitrator's ruling last week, nearly two years after fighting accusations of child pornography and other misconduct.

    April 16, 2014

  • A year after background check defeat, modest goals

    Democratic worries about this November’s elections, a lack of Senate votes and House opposition are forcing congressional gun-control supporters to significantly winnow their 2014 agenda, a year after lawmakers scuttled President Barack Obama’s effort to pass new curbs on firearms.

    April 16, 2014