Run into more customer service bots lately? Let Marketplace Tech know. More info

ATM heist reveals vulnerabilities in global security

May 10, 2013

ATM heist reveals vulnerabilities in global security

May 10, 2013

In just a few hours, POOF. $40 million. Gone. 

In what may be the largest heist of its kind, thieves across two dozen countries made off with $40 million dollars from thousands of atms around the world on February 19. 

In a similar scheme in December, they made off with $5 million.

Here’s how it worked: 

  1. Hackers stole prepaid card numbers.
  2. They hacked into card processing centers and raised the withdrawal limits on those cards.
  3. They made fake cards.
  4. They sent legions of thieves out to withdraw money from thousands of ATMS. 


“We’ve seen a pattern in these kinds of attacks in the past few years,” says Tom Cross, director of computer security research at Lancope. “There’ve been a few heists like this one.”

He says what’s surprising about this instance isn’t any technical novelty, but rather “the coordination of the cash out network where large amounts of cash was withdrawn by ATMs by multiple people almost simultaneously.”


That card processing centers continue to be subject to – in this case – spectacularly successful hacking is itself a major issue. “It shows a significant weakness in how people get access to cash,” says Ken Pickering, development manager of security intelligence at Boston-based CORE Security. There’s something wrong with “the infrastructure of how transactions are authorized,” he says.

Cross, with Lancope, says there’s another weak link in the chain mail around the world’s cash.

 Many ATMs, he says, don’t talk to each other. “A large financial institution may operate large numbers of ATMs, and can analyze transactions across their network” to detect signs of fraud. But many ATMs are run by small businesses and individuals who are not connected up to a financial institution, so one machine may not know that a card was just used five times at five other machines. “That coordination doesn’t exist today.” 

Pickering adds another weak point to the list: those magnetic strips on credit and debit cards. “Anyone who has access to the swipe or digital readout of the swipe can replicate the card,” says Pickering. In much of the rest of the world, cards use harder to fake embedded chips. 

Replacing those strips would involve changing not only all the cards in the U.S., but also all the readers. 

“I don’t think until fraud hits a certain level would people be willing to incur the cost of that,” he says. He notes that in 2008, credit and debit card fraud was over a billion dollars. “I think we’re getting pretty close.”

Several alleged footmen, responsible for withdrawing cash from ATMs in New York City, have been apprehended. But so far, the masterminds of the scheme remain at large.

We’re here to help you navigate this changed world and economy.

Our mission at Marketplace is to raise the economic intelligence of the country. It’s a tough task, but it’s never been more important.

In the past year, we’ve seen record unemployment, stimulus bills, and reddit users influencing the stock market. Marketplace helps you understand it all, will fact-based, approachable, and unbiased reporting.

Generous support from listeners and readers is what powers our nonprofit news—and your donation today will help provide this essential service. For just $5/month, you can sustain independent journalism that keeps you and thousands of others informed.