May 10, 4:41 PM (ET)
By COLLEEN LONG and MARTHA MENDOZA
|
(AP) In this undated photo provided by the United States Attorney’s Office for the Southern District of... Full Image |
|
|
|
NEW YORK (AP) - A bloodless bank heist that netted more than $45 million
has left even cybercrime experts impressed by the technical
sophistication, if not the virtue, of the con artists who pulled off a
remarkable internationally organized attack.
"It was pretty ingenious," Pace University computer science professor Darren Hayes said Friday.
On the creative side of the heist, a small team of highly skilled
hackers penetrated bank systems, erased withdrawal limits on prepaid
debit cards and stole account numbers. On the crude end, criminals used
handheld devices to change the information on the magnetic strips of old
hotel key cards, used credit cards and depleted debit cards.
Seven people were arrested in the U.S., accused of operating the New
York cell of what prosecutors said was a network that carried out thefts
at ATMs in 27 countries from Canada to Russia. Law enforcement agencies
from more than a dozen nations were involved in the investigation,
which was being led by the Secret Service.
|
(AP) This Feb. 19, 2013 surveillance image taken from a graphic released by the U.S. Attorney’s Office... Full Image |
|
|
Here's how it worked:
First, the hackers, quite possibly insiders, broke into computer records
at a few credit card processing companies, first in India and then the
U.S. This has happened before but here's what was new: They didn't just
take information. They actually raised the limit on prepaid debit cards
kept in reserves at two large banks.
"It's pretty scary if you think about it. They changed the account
balances. That's like the holy grail for a thief," said Chris Wysopal,
co-founder of security company Veracode.
The next step was technically simpler, almost an arts-and-crafts activity.
Crime ring members in 27 countries ran used plastic cards, just about
anything with a standard magnetic strip, through handheld magnetic
stripe encoders, widely available online for less than $300. Those
devices allow users to change information on magnetic stripes or to
write new cards with a simple swipe.
|
(AP) This Feb. 19, 2013 surveillance image released by the U.S. Attorney’s Office in New York City shows... Full Image |
|
|
In
this case, the stripes were rewritten with information from the
hackers. That allowed the thieves to turn the cards into gold, instantly
transforming them into prepaid debit cards with unlimited amounts of
money stored on them.
Finally it was time for action.
On two pre-arranged days - once in December and again in February -
criminals loaded with the lucrative debit cards and PIN numbers, headed
into city streets around the world, racing from one ATM to the next,
often taking out the maximum the cash machine would allow in a single
transaction: $800.
In December, they worked for about 2 1/2 hours, reaping $5 million
worldwide in about 4,500 transactions. Two months later, apparently
buoyed by their success, they hit the ATMs for 10 hours straight,
collecting $40 million in 36,000 transactions.
The New York money runners made off with $2.8 million, according to the
indictment, a fraction of the total amount yielded by the heist.
|
(AP) In this Saturday, Jan. 5, 2013 file photo, a person inserts a debit card into an ATM machine... Full Image |
|
|
Players
kept a cut but sent the bulk of the money back to the masterminds
through wire transfers and sometimes in person, prosecutors said.
One New York suspect, Elvis Rodriguez, 24, planned to travel to Romania
in January to pay about $300,000 to organizers of the operation, but
American Airlines canceled the reservation because the airline was
concerned it had been booked with a stolen credit card, according to the
criminal complaint. The reservation was canceled, but the suspect paid
for the trip in cash, it said.
Authorities said they seized his iPhone and found a photo of him and
another suspect posing with a stack of cash between them in a car.
"There were obviously a lot of great minds behind this exploit, and then
there were the pawns, the mules. They are entirely exploitable," said
Phyllis Scheck, vice president at the security firm McAfee who has
testified to Congress about how banks and small businesses need to
prepare for cyber thieves.
Scheck couldn't help be impressed by the choreography.
|
(AP) This undated graphic released by the U.S. Attorney’s Office in New York City shows ten photos of a... Full Image |
|
|
"They executed while the iron was hot. They got in and got out," she said.
In the end, the victims weren't individuals. They were two banks,
Rakbank in the United Arab Emirates and the Bank of Muscat in Oman,
which had their card processors breached, prosecutors said.
More investigations continue and other arrests have been made in other
countries, but New York prosecutors did not have details. More arrests
in the U.S. were possible, they said.
Police in Duesseldorf, Germany, said a 56-year-old woman and her
34-year-old son were linked to the case earlier this year and are still
in investigative detention after having been arrested in February. They
have refused to speak to police.
In New York, the cell was led by Alberto Lajud Pena, 23, who was found
dead in the Dominican Republic with $100,000 in cash on him, prosecutors
said. A man arrested in his death told authorities it was a botched
robbery, and two other suspects were on the lam.
According to court documents, Lajud Pena communicated via email with a
Russian criminal organization that specializes in laundering money and
wrote to his shadowy bosses in charge of the operation. He wired money
and deposited cash into several accounts.
"I sent scanned deposit slips," Lajud Pena writes in one.
"Deposit has cleared. Order paid. Good job," the sender replies.
Prosecutors said Lajud Pena recruited men he knew from Yonkers, some of
whom worked as bus drivers for a company that provided services to
special-needs students.
All but one of the surviving suspects were in jail, and it wasn't clear
who was representing them. In Yonkers Friday, neighbors at the basement
apartment where authorities said they seized $3,740 of the stolen money
said police had visited two days in a row last month.
About $2 million is still missing, officials said.
---
Associated Press writers Peter Svensson and James Fitzgerald in New
York, Frank Jordans in Berlin and writer Ezequiel Abiú López in Santo
Domingo, Dominican Republic, contributed to this report.
From the New York Times=
It was a brazen bank heist, but a 21st-century version in which the
criminals never wore ski masks, threatened a teller or set foot in a
vault.
In two precision operations that involved people in more than two dozen
countries acting in close coordination and with surgical precision,
thieves stole $45 million from thousands of A.T.M.'s in a matter of
hours.
In New York City alone, the thieves responsible for A.T.M. withdrawals
struck 2,904 machines over 10 hours starting on Feb. 19, withdrawing
$2.4 million.
The operation included sophisticated computer experts operating in the
shadowy world of Internet hacking, manipulating financial information
with the stroke of a few keys, as well as common street criminals, who
used that information to loot the automated teller machines.
The first to be caught was a street crew operating in New York, their
pictures captured as, prosecutors said, they traveled the city
withdrawing money and stuffing backpacks with cash.
On Thursday, federal prosecutors in Brooklyn unsealed an indictment
charging eight men — including their suspected ringleader, who was found
dead in the Dominican Republic last month. The indictment and criminal
complaints in the case offer a glimpse into what the authorities said
was one of the most sophisticated and effective cybercrime attacks ever
uncovered.
It was, prosecutors said, one of the largest heists in New York City
history, rivaling the 1978 Lufthansa robbery, which inspired a scene in
the movie “Goodfellas.”
Beyond the sheer amount of money involved, law enforcement officials
said, the thefts underscored the vulnerability of financial institutions
around the world to clever criminals working to stay a step ahead of
the latest technologies designed to thwart them.
“In the place of guns and masks, this cybercrime organization used
laptops and the Internet,” said Loretta E. Lynch, the United States
attorney in Brooklyn. “Moving as swiftly as data over the Internet, the
organization worked its way from the computer systems of international
corporations to the streets of New York City, with the defendants
fanning out across Manhattan to steal millions of dollars from hundreds
of A.T.M.'s in a matter of hours.”
The indictment outlined how the criminals were able to steal data from
banks, relay that information to a far-flung network of so-called
cashing crews, and then have the stolen money laundered in purchases of
luxury items like Rolex watches and expensive cars.
In the first operation, hackers infiltrated the system of an unnamed
Indian credit-card processing company that handles Visa and MasterCard
prepaid debit cards. Such companies are attractive to cybercriminals
because they are considered less secure than financial institutions,
computer security experts say.
The hackers, who are not named in the indictment, then raised the
withdrawal limits on prepaid MasterCard debit accounts issued by the
National Bank of Ras Al-Khaimah, also known as RakBank, which is in
United Arab Emirates.
Once the withdrawal limits have been eliminated, “even a few compromised
bank account numbers can result in tremendous financial loss to the
victim financial institution,” the indictment states. And by using
prepaid cards, the thieves were able to take money without draining the
bank accounts of individuals, which might have set off alarms more
quickly.
With five account numbers in hand, the hackers distributed the
information to individuals in 20 countries who then encoded the
information on magnetic-stripe cards. On Dec. 21, the cashing crews made
4,500 A.T.M. transactions worldwide, stealing $5 million, according to
the indictment.
While the street crews were taking money out of bank machines, the
computer experts were watching the financial transactions from afar,
ensuring that they would not be shortchanged on their cut, according to
court documents.
MasterCard alerted the Secret Service to the activity soon after the
transactions were completed, said a law enforcement official, who
declined to be identified discussing a continuing investigation.
Robert D. Rodriguez, a special agent with the Secret Service for 22 years and now the chairman of
Security Innovation Network,
said that in some ways the crime was as old as money itself: bad guys
trying to find weaknesses in a system and exploiting that weakness.
“The difference today is that the dynamics of the Internet and
cyberspace are so fast that we have a hard time staying ahead of the
adversary,” he said. And because these crimes are global, he said, even
when the authorities figure out who is behind them they might not be
able to arrest them or persuade another law enforcement agency to take
action.
After pulling off the December theft, the organization grew more bold,
and two months later it struck again — this time nabbing $40 million.
On Feb. 19, cashing crews were in place at A.T.M.'s across Manhattan and
in two dozen other countries waiting for word to spring into action.
This time, the hackers had infiltrated a credit-card processing company
based in the United States that also handles Visa and MasterCard prepaid
debit cards. Prosecutors did not disclose the company’s name.
After securing 12 account numbers for cards issued by the Bank of Muscat
in Oman and raising the withdrawal limits, the cashing crews were set
in motion. Starting at 3 p.m., the crews made 36,000 transactions and
withdrew about $40 million from machines in the various countries in
about 10 hours. In New York City, a team of eight people made 2,904
withdrawals, stealing $2.4 million.
Surveillance photos of one suspect at various A.T.M.'s showed the man’s
backpack getting heavier and heavier, Ms. Lynch said, comparing the
series of thefts to the caper at the center of the movie
“Ocean’s Eleven.”
While the New York crew had a productive spree, the crews in Japan seem
to have been the most successful, stealing around $10 million, probably
because some banks in Japan allow withdrawals of as much as $10,000 from
a single bank machine.
“The significance here is they are manipulating the financial system to
be able to change these balance limits and withdrawal limits,” said Kim
Peretti, a former prosecutor in the computer crime division of the
Justice Department who is now a partner in the law firm Alston &
Bird. “When you have a scheme like this, where the system can be
manipulated to quickly get access to millions of dollars that in some
sense did not exist before, it could be a systemic risk to our financial
system.”
It was unclear to whom the hacked accounts belonged, and who might ultimately be responsible for the losses.
The indictment suggests a far-reaching operation, but there were few
details about the people responsible for conducting the hacking or who
might be leading the global operation. Law enforcement agencies in more
than a dozen countries are still investigating, according to federal
prosecutors. The authorities said the leader of the New York cashing
crew was Alberto Lajud-Peña, 23, whose body was found in the Dominican
Republic late last month. Seven other people were charged with
conspiracy to commit “access device fraud” and money laundering.
The prosecutors said they were all American citizens and were based in
Yonkers. The age of one defendant was given as 35; the others were all
said to be 22 to 24. Mr. Lajud-Peña fled the United States just as the
authorities were starting to make arrests of members of his crew, the
law enforcement official said.
On April 27, according to news reports from the Dominican Republic, two
hooded gunmen stormed a house where he was playing dominoes and began
shooting. A manila envelope containing about $100,000 in cash remained
untouched.
Nicole Perlroth, Frances Robles and Mosi Secret contributed reporting.
This article has been revised to reflect the following correction:
Correction: May 11, 2013
An
article on Friday about a sophisticated hacking crime in which $45
million was stolen from bank A.T.M.’s within hours misspelled, in some
editions, the surname of a former prosecutor in the computer crime
division of the Justice Department who commented on the case. She is Kim
Peretti, not Paretti. The article also overstated the connection
between the movie “Goodfellas” and the Lufthansa robbery in 1978, to
which the A.T.M. case was compared. The Lufthansa robbery was only a
plotline in the film; the movie itself was based on the book “Wise Guy,”
written by Nicholas Pileggi, about the mobster Henry Hill.
Source:
http://www.nytimes.com/2013/05/10/nyregion/eight-charged-in-45-million-global-cyber-bank-thefts.html?src=me&ref=general