Monday, May 23, 2016

Coordinated heist steals $12.7 million from 1,400 ATMs in Japan

"Automatic teller machine trailer" by Thilo Parg, used under license CC BY-SA 3.0

This is a bit more sophisticated than the run-of-the-mill heist. On May 15, an as-yet unidentified crime ring pulled off the theft of the equivalent of $12.7 million USD, using 1,600 stolen payment cards at 1,400 Japanese ATMs, all in the span of 2 hours.

This is not the first coordinated attack against ATMs. A similar heist in 2011 used prepaid cards from a Florida bank to withdraw some $13 million USD from ATMs across Europe. Then, in February 2013, yet another crime organization pulled off the theft of over $40 million USD from ATMs around the world in a coordinated attack lasting 10 hours.

The details of the most recent attack are a little bit unclear to me - I suspect something may be lost in translation. The original story says the attack used cloned credit cards stolen from South Africa, but ATM withdrawals require PIN transactions, which typically means debit or ATM cards. Regardless, there are a few things you can do to protect yourself.

  • Avoid the use of debit / ATM cards as much as possible. A debit or ATM card is directly connected to your bank account, while a credit card is using the bank's money until you pay the bill at the end of the month.
     
  • When withdrawing cash from an ATM, if you have a choice, favor an ATM indoors at a brick-and-mortar bank. Brian Krebs has done some enlightening research into ATM skimmers, including a fascinating series on a particular ATM fraud method in Mexico. ATMs in public places (shopping centers, hotels, convenience stores, event venues) are prime targets for crooks to steal card data.

    It takes only a few seconds to insert a skimmer - a physical device that copies the card information when you insert a card into the machine. More sophisticated attacks will place the skimmer inside the machine, or install malware on the machine so the machine itself will copy the card data and send it to the attacker. ATMs inside legitimate banks are less likely to be compromised, simply because there is greater risk to the criminal.
     
  • Set up transaction alerts with your bank. Your bank will send you an email or SMS/text message, generally for transactions over a set dollar amount. While this does not prevent the fraud from happening, the sooner you know about it and report it to your bank, the sooner the fraudulent transactions can be reversed.




Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen
