Free Newsletter
Register for our Free Newsletters
Newsletter
Zones
Access Control
LeftNav
Alarms
LeftNav
Biometrics
LeftNav
Detection
LeftNav
Deutsche Zone (German Zone)
LeftNav
Education, Training and Professional Services
LeftNav
Government Programmes
LeftNav
Guarding, Equipment and Enforcement
LeftNav
Industrial Computing Security
LeftNav
IT Security
LeftNav
Physical Security
LeftNav
Surveillance
LeftNav
View All
Other Carouselweb publications
Carousel Web
Defense File
New Materials
Pro Health Zone
Pro Manufacturing Zone
Pro Security Zone
Web Lec
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
 
News

Cash Withdrawal Scam Based On Tampering With Pre-Paid Limits

Lieberman Software : 01 September, 2011  (Technical Article)
A Florida bank has lost millions through hack which altered debit card limits which were used over extended periods with clones to drain ATM equipment
Cash Withdrawal Scam Based On Tampering With Pre-Paid Limits
News that a Florida-based bank has been left holding the baby in a $13 million ATM fraud highlights the increasingly complex world of cybercrime and the multi-faceted layers of security needed to defend against it, says Lieberman Software.

According to Philip Lieberman, President and CEO of Lieberman Software, the privileged identity management and security management specialist, the case is an interesting one as it appears to involve the hacking of the affected financial institution's computer system that controlled the bank's pre-paid debit card security parameters.

“The cybercriminals appear to have tampered with the daily cash withdrawal limits on 22 pre-paid cards, effectively allowing the cards – and their clones – to drain all the cash from a machine, and then some. Conspirators in Greece, Russia, Spain, Sweden, Ukraine and the United Kingdom used the cloned cards to withdraw cash from dozens of ATMs,” he said.

“You don't need to be a maths genius to realise that each of the pre-paid cards – and their clones – were used to withdraw an average of around $590,000 per card. Assuming an average ATM transaction limit of $400, that's around 1,500 individual ATM sessions per card account,” he added.

Lieberman - whose company supplies multi-faceted security technologies to large companies seeking to simplify their complex IT security, reporting and auditing systems - went on to say that, given that the fraud must have taken place over a few days – possibly a holiday weekend – the scale of the ATM withdrawal project must have been immense.

Had the fraudsters staged their cash withdrawal scam over a longer period, he explained, then the bank's fraud analysis systems would have kicked in and the card cash withdrawal facility been locked down pending a full-scale investigation.

The Lieberman Software president says that the simple act of the hackers gaining access to the card database system and manipulating the cash withdrawal limits for the 22 cards has had immense consequences for the bank concerned, although the fact that in-bank ATMs typically hold around $80,000 - and smaller machines hold around $30,000 – probably saved the bank from losing more than $13 million.

In fact, when you crunch the numbers, says Lieberman, you come up with the interesting analysis that, assuming an average ATM cash capacity of $50,000, the fraudsters must have drained the cash from around 260 ATMs in total, suggesting that they probably targeted the machines in a limited area with several hundred mules on the ground drawing the cash.

“This raises the interesting question as to how much more the fraudsters could have withdrawn if they had more mules on the ground, and more cloned cards in their possession. It also begs the question why the bank's own anti-fraud pattern analysis systems didn't spot what was going on before they did,” he said.

“According to security researcher Brian Krebs' report on this fascinating saga, the FBI, banks and other agencies are not saying a lot about the fraud, which I think speaks volumes. It also suggests that defending against multi-faceted fraud of this nature, even if you are a bank, is easier said than done,” he added.
Bookmark and Share
 
Home I Editor's Blog I News by Zone I News by Date I News by Category I Special Reports I Directory I Events I Advertise I Submit Your News I About Us I Guides
 
   © 2012 ProSecurityZone.com
Netgains Logo