Marketplace is a public service newsroom powered by you. Give Now

ATM heist reveals vulnerabilities in global security

Sabri Ben-Achour May 10, 2013

ATM heist reveals vulnerabilities in global security

Sabri Ben-Achour May 10, 2013

In just a few hours, POOF. $40 million. Gone. 

In what may be the largest heist of its kind, thieves across two dozen countries made off with $40 million dollars from thousands of atms around the world on February 19. 

In a similar scheme in December, they made off with $5 million.

Here’s how it worked: 

  1. Hackers stole prepaid card numbers.
  2. They hacked into card processing centers and raised the withdrawal limits on those cards.
  3. They made fake cards.
  4. They sent legions of thieves out to withdraw money from thousands of ATMS. 


“We’ve seen a pattern in these kinds of attacks in the past few years,” says Tom Cross, director of computer security research at Lancope. “There’ve been a few heists like this one.”

He says what’s surprising about this instance isn’t any technical novelty, but rather “the coordination of the cash out network where large amounts of cash was withdrawn by ATMs by multiple people almost simultaneously.”


That card processing centers continue to be subject to – in this case – spectacularly successful hacking is itself a major issue. “It shows a significant weakness in how people get access to cash,” says Ken Pickering, development manager of security intelligence at Boston-based CORE Security. There’s something wrong with “the infrastructure of how transactions are authorized,” he says.

Cross, with Lancope, says there’s another weak link in the chain mail around the world’s cash.

 Many ATMs, he says, don’t talk to each other. “A large financial institution may operate large numbers of ATMs, and can analyze transactions across their network” to detect signs of fraud. But many ATMs are run by small businesses and individuals who are not connected up to a financial institution, so one machine may not know that a card was just used five times at five other machines. “That coordination doesn’t exist today.” 

Pickering adds another weak point to the list: those magnetic strips on credit and debit cards. “Anyone who has access to the swipe or digital readout of the swipe can replicate the card,” says Pickering. In much of the rest of the world, cards use harder to fake embedded chips. 

Replacing those strips would involve changing not only all the cards in the U.S., but also all the readers. 

“I don’t think until fraud hits a certain level would people be willing to incur the cost of that,” he says. He notes that in 2008, credit and debit card fraud was over a billion dollars. “I think we’re getting pretty close.”

Several alleged footmen, responsible for withdrawing cash from ATMs in New York City, have been apprehended. But so far, the masterminds of the scheme remain at large.

There’s a lot happening in the world.  Through it all, Marketplace is here for you. 

You rely on Marketplace to break down the world’s events and tell you how it affects you in a fact-based, approachable way. We rely on your financial support to keep making that possible. 

Your donation today powers the independent journalism that you rely on. For just $5/month, you can help sustain Marketplace so we can keep reporting on the things that matter to you.