Breathtaking ATM hack nets $45M in hours

The US District Attorney for the Eastern District of New York has indicted eight residents of Yonkers for allegedly participating in a global ATM heist that involved removing the withdrawal limits on prepaid debit cards, cloning them, and then getting confederates all over the world to hit ATMs at the same time and clean them out. The DA says that the scam netted $45M worldwide; $400K in NYC alone. One of the indicted defendants was murdered in the Dominican Republic last month.

The first heist, which occurred on December 22 and targeted debit cards issued by the UAE bank, dispatched carders in about 20 countries that rapidly withdrew funds in more than 4,500 ATM transactions. In New York City alone, prosecutors said, the defendants and their co-conspirators withdrew almost $400,000 in some 750 fraudulent transactions from more than 140 different ATM locations. It took just two hours and 25 minutes for the New York cell to complete, prosecutors said. A second operation commenced on February 19 withdrew about $40 million in 36,000 transactions worldwide. In just 10 hours, the New York group allegedly withdrew about $2.4 million in almost 3,000 ATM transactions.

The operation exploited weaknesses in the way banks and payment processors handle prepaid debit cards, which usually are loaded with a finite amount of funds. These cards are often used by employers in place of paychecks and by charitable organizations to distribute disaster assistance. Once the accounts were hacked and the limits removed from accounts, cards were cloned and sent to cell groups throughout the world to make fraudulent withdrawals. Additional details of the operation are available in a press release outlining the charges.

A similar heist in 2011 got $13M in one night.

How hackers allegedly stole “unlimited” amounts of cash from banks in just hours [Ars Technica/Dan Goodin]