Comments on: Crooks Net Millions in Coordinated ATM Heists

By: TDJ UK

TDJ UK — Thu, 28 Feb 2013 17:08:14 +0000

Muscat Bank didn’t heed Visa’s warning and has been relieved of $39 million through its MasterCard pre-paid travel card and ATMs around the world, including the UK.

(http://gulfbusiness.com/2013/02/omans-bank-muscat-hit-by-39m-prepaid-card-fraud/)

Whilst only 12 card numbers were reported used, multiple clones were used.

By: DeborahS

DeborahS — Wed, 20 Feb 2013 01:39:59 +0000

Ha ha – go Brian! Shake dat tree!

By: DeborahS

DeborahS — Wed, 20 Feb 2013 01:38:12 +0000

But George asked another very interesting question, and that is how long the system of “plastic” money can survive this level of attack.

To some extent we’ll all just have to wait and see how this pans out. But I’m thinking that when there was only cash (or gold or kewpie beads or whatever the physical means of exchange was), banks never did and still haven’t made themselves invulnerable to bank robbers. They learned how to better protect themselves, which minimizes their losses, but to a certain extent they just have to accept it as a cost of doing business. And then either do it or give up, and let somebody else take their lumps at it.

Interestingly, not many bankers have chosen the latter option, in the olden days or the present day.

By: DeborahS

DeborahS — Wed, 20 Feb 2013 01:27:05 +0000

Sorry to be so late to the party, but I really must protest.

There may not be (and is not) a customer account associated with each card, but each card does have a unique number, I’m assuming. And there is nothing preventing the processors from creating a separate database that tracks the history of each numbered card. Well, nothing but their not having thought of it and done it.

And it would be a simple matter to set up triggers to issue alerts to the appropriate person for review when the activity on that cardnumber goes outside the parameters considered normal. Granted, the hackers could endeavor to find out what the trigger parameters are and attempt to stay inside of them, but this would significantly cramp their style and speed. They might also attempt to disable or rewrite the triggers if they have full access to the database, but it is possible to have triggers (as well as the cardnumber database itself) reside and execute from outside the database, preferably on a machine that either can’t be reached from the machine the compromised database is being hacked from, or it’s name/location can be made to appear unknown to the compromised machine. Probably you’d want to make it completely unknown, so that only the trigger machine could initiate and validate the connection. If done correctly, the hackers would have no way to dodge the triggers short of full access to the entire network and the means to find and hack the triggers themselves. Sure, eventually they might do that, but some ingenuity in hiding the triggers and cardnumber database would stall them for a good long while. And through the wonders of mirrored and replicated databases that don’t have to even be on the same local network, it should be possible to detect when the triggers are hacked. By detecting mismatching data if nothing else, and many more clever tricks are pretty easily possible with no changes to standard database languages needed.

So the technology does exist to monitor these cards (I could do it), it’s just that no one has chosen to and done it.

By: voksalna

voksalna — Fri, 15 Feb 2013 06:36:49 +0000

I’m confused, are you saying that anonymous money should not be allowed? That ‘anonymous Visas’ should be non-permitted? This is very pro-Big-Brother and I am not sure how you are not seeing this. Money should not be able to be tracked. It’s not the ‘greed’ of Visa in having ‘anonymous cards’ (and actually anybody who has tried to get an American card would know the headache of doing so *legitimately*. It actually is easier to get an *illegitimate* card for many people. Why should peoples’ spending be tracked at all? Whose business is this? Surely not Visas or the governments’.

Hacks like this have nothing to do with ‘anonymity’, anyway. Manipulating SQL on a server to raise an arbitrary field repeatedly only sounds complicated but the truth is a lot of these cards probably never existed to begin with — they were probably inserted as a line into the SQL database themselves.

Your ‘argument’ is severely flawed, lacks logic, and speaks of listening too much to propaganda spewed by governments about what will keep you safe.

Let’s look at 11 million dollars another way, if you want: This is maybe not even the ATM plus POS fees for a single day for many banks. While it is surely a sizeable sum of money, it is not something that happens every day. I would say a payment processor gets ‘hacked’ on this level every 2 or 3 years. In other words it happens less often than a major plane crash.

People, stop buying into FUD just because you do not understand how such things are ‘committed’. You are only going to become more and more slaves to a world that insists on tracking your every movements. Actually, we almost all are, already — why rush it?

By: fsgdfgdfg

fsgdfgdfg — Tue, 12 Feb 2013 11:38:57 +0000

I 100% agree with you . Banksters rule the world . And this one sound like an inside job .

By: janis

janis — Tue, 12 Feb 2013 08:38:37 +0000

Plastic industry will collapse if some “poor” countries like USA continue to use ancient technologies as magnetic stripe and do not andvance in transaction security – at least VbV for issuers and acquirers and PCI DSS and so on.

By: wrdlbrmpfts

wrdlbrmpfts — Tue, 12 Feb 2013 07:38:19 +0000

The issuers are most likely and often “crooks” themselves. Money transfer and e-cash companies who built their fortune on dialers, added value packets on cell phones, etc…which rip off their customers with small amounts. Its Visas greediness that allows anonymous credit cards in the first place. The money robbed in these heists is going to be moved in the same e-money infrastructure, collected and laundered by banksters it will be used to create new banks. new payment service companies, new mekash-playsafe-blingbling-companies, which again will be robbed and so on. Its a nice vicious circle and one can simply step out of it as much as possible. I pay with cash most of the time. I have ZERO empathy for these ripped off companies. The gangsters are being cradled by the banksters, who in turn lament that their clients turned sour once they became banksters themselves, learned all tricks of the trade only to go on such cyberheists and rip off their former teachers? I can only watch from a distance and laugh.

By: Richard Steven Hack

Richard Steven Hack — Mon, 11 Feb 2013 23:25:16 +0000

Ah, I see now. The card is continually refreshed or its balance is continually renewed due to the hackers controlling the database record amount, and then the card is cloned and money is withdrawn multiple times from multiple locations by multiple people.

So the card is just an access mechanism and there is no $500K on one card per se at any one time. That would be the total over a given set of refreshes.

Most likely while the card limit is frequently increased they stay below a limit that would be detected even if that limit is higher than normal withdrawal limits. By continually refreshing the card balance to that higher limit they can keep withdrawing until someone spots it presumably by the excessive number of withdrawal transactions.

By: Marty K

Marty K — Mon, 11 Feb 2013 15:58:00 +0000

As others mentioned:
There is no account tied to these prepaid cards – the issuer loses the money.

In regards to transfer: there is no transfer – it is cashed out at the ATM. the card is simply cloned and sent to different countries. There each card withdraws cash at various ATM’s until the limit is reached.
And yes – amazing that no transaction monitoring system caught this!