ATM hack: Organized crime or market forces?


In November of 2008, a single scam netted more than $9m in a global automated teller machine heist. According to the FBI, the attackers compromised pre-paid payroll cards from RBS WorldPay and gift cards, launching a coordinated attack against more than 130 ATMs in 49 cities around the world. The cards were exploited by "cashers" who withdrew money during a single 30-minute window. If the preliminary findings of the FBI turn out to be true, this could represent one of the most organized attacks in cybercrime history.

Many security researchers have been looking at the rise of professional cybercrime as a uniquely worrying phenomenon. Gone are the days of the juvenile hacker working alone for fame and glory. Increasingly, the motive for cybercrime is financial, and the perpetrators appear to be professionals or loose groups of professionals. Looming in the background is the more frightening possibility of organized cybercrime, where multiple cyber-criminals work in vast conspiracies to pull off mega-heists. According to the FBI, these are often connected to other criminal activities, either as the sources or recipients of laundered funds for drugs, gambling, prostitution and even terrorism.

But crime doesn't have to be organized or conspiratorial to be large and worldwide. Where central control is not present, market forces can achieve the same or greater effect. My concern is not a vast conspiracy of criminal organizations but an even bigger result achieved purely through the loose coupling of market forces. Let's take the ATM heist as an example: is it easier to pull off a command-and-control exploit across 49 countries with more than 130 subcontractors? Or were the cashers simply the participants in a multi-level, loosely coupled market?

A criminal organization that can harness 130 or more individuals and coordinate their actions in 49 countries is scary. But a marketplace that can lead to the emergent collaboration of 130 or more actors is far scarier.

Firstly, a conspiracy doesn't scale. Eventually it gets too big for its own good. Someone blows the whistle, or someone already under legal surveillance gets involved and reveals the whole plan. It's hard to run any organization of that size without middle management, and eventually even a criminal organization will have to deal with diminishing returns. But a market is altogether far more efficient. If, once the cards were compromised, they were sold to smaller organizations or individual cashers, the entire scheme can scale to a much greater size. Of course, you would need to tell all the buyers that the cards will only work during a 30-minute window and let their own profit motive keep them on time. Worse, though, are the implications for law enforcement. A market can operate through opaque and anonymous cash transactions. The "cashers" may have no idea who sold them the cards. The sellers in turn have no idea who cloned the cards, and the cloners don't know who hacked the bank. The FBI has the photos of two of the cashers in a wanted poster.

Unfortunately, if this is not organized crime but loosely coupled markets at work, these cashers may have had as much contact with the hacking organization as a drug mule has with the opium farmer.


Copyright © 2009 IDG Communications, Inc.
