With only 100 compromised ATM cards thieves were able to grab $9 million bucks from the banking system in a new style of attack. Law enforcement sources told Fox 5 it's one of the most frightening well-coordinated heists they've ever seen. "We've seen similar attempts to defraud a bank through ATM machines but not, not anywhere near the scale we have here," FBI Agent Ross Rice told Fox 5. "We've never seen one this well coordinated," the FBI said.
How did the hackers steal $9 million in one 30-minute time period using only 100 ATM cards you ask? That shouldn’t be possible given the daily limits (usually about $500/day) placed on all ATM cards. Well it turns out that the hackers applied military like precision to old ATM Scam techniques and added a touch of devious ingenuity to pull this one off. Here is a look at how the theft was perpetrated.
First, the bad guys had to obtain the ATM cards. To accomplish this they hacked into RBS WorldPay and stole at least 100 payroll cards. According to RBS WorldPay, “Payroll cards are used by a growing number of U.S. firms to pay wages to employees. A payroll card is a reloadable stored value card that can be used at any point of sale that accepts credit and debit cards.”
Second, the bad guys had to figure out how to reload the cards. To accomplish this they hacked into RBS WorldPay’s systems once again. Once this was done they had the power to reload the payroll cards with new fake deposits that they could turn into cold hard cash via an ATM withdrawal.
Third, the bad guys had to clone the card info they stole into thousands of real ATM payroll cards. This is easily and cheaply done using various over the counter card printing devices. Given that this market is completely non-regulated, anyone can buy all of the gear necessary to make your very own credit, ATM, Bank, etc. Cards.
Fourth, the bad guys needed to recruit an Army of “cashers” to physically go to an ATM machine with the newly minted counterfeit (but valid) payroll cards and withdrawal cash. Cashers is the name given to the street-level thugs that do the actual cash withdrawals at ATMs. It is hypothesized that there were dozens of them recruited for this scam.