The story of the $45 million ATM heist is a good example of just how sophisticated cybercrime has become. It also shows that there are many facets to cybercrime, and no business can afford to become focused on stopping one thing (like a data breach). The criminals will simply find another way to steal.
The scammers targeted banks that processed pre-paid debit cards, used a hack to erase the limit on those cards, and called on a network of criminals across the globe to withdraw millions from ATMs in a matter of hours.
It certainly isn’t the first time ATMs have been hacked, but it was definitely a large-scale attack. How big was the $45 million? As Ori Eisen, CEO and founder, 41st Parameter, told me in an email, in the world of cybercrime, any attack over $1 million is considered “professional.” I would say, then, that this was a heist in the superstar category.
But it wasn’t just the amount of money that made this heist so noteworthy. It was how it was done. Tom Cross, director of security research at Lancope, explained to me:
What makes this type of attack unique is not just the technical skill required to pull it off, but the level of logistical coordination needed to perform nearly simultaneous withdrawals from large numbers of ATM machines. Unfortunately, while breaches like this are often reported to the public, we rarely hear the specific technical vulnerabilities that the attackers were able to exploit in order to pull off the attack. It would be helpful if more organizations publicly disclosed the technical vulnerabilities associated with network security breaches. This information helps their peers prioritize the steps that they are taking to lock down their own networks.
Cross makes an interesting point. If cybercriminals can work together as these did to commit a crime – allegedly, it was a coordinated group of criminals in two dozen countries working together – shouldn’t enterprises pull together to prevent potential crime?
In this particular crime, Dodi Glenn, director of AV Labs, ThreatTrack Security, speculated:
The hackers most likely received vital bank information by compromising a customer service web portal with a SQL injection – and then most likely a keylogger and remote access tool (RAT) was used – which gave them access to the CVC or CVV data stored on the magnetic strips of prepaid credit cards. They would have also accessed a bank identification number (BIN) database and duplicated the necessary data to access funds via a closed ATM network. They then used magnetic strip writers to put the proper account information on the backs of gift cards or hotel room keys, creating a new card that they could then use to withdraw funds from multiple ATM sites.
Okay, that’s a start to a discussion on how it happened and what the potential vulnerabilities might be. Now it is time to go deeper and understand why these breaches are happening and how to prevent them in the future.
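Glenn’s speculated chain ends with cloned cards being cashed out at many ATMs at once, and the opening paragraphs note that the withdrawal limit on the cards had been erased. The following is an added example, not code from this article or from any of the companies quoted, showing the two issuer-side checks that pattern should trip: a card paying out past the limit the issuer has on record, and a single card turning up at too many ATMs or in more than one country within minutes. The record layout, card and ATM identifiers, thresholds, window size and the withdrawal log are all constructed for illustration.

```python
"""Issuer-side detection of the 'limit erased, cash out everywhere at once'
pattern, run over a constructed ATM withdrawal log.
Added example; the thresholds, record layout and data are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: the per-card withdrawal limit the issuer believes is in force.
CARD_LIMITS = {
    "CARD-A": 500.00,   # ordinary prepaid card, used normally below
    "CARD-B": 500.00,   # card whose limit the attackers are assumed to have erased
}

# Constructed withdrawal log: (card_id, atm_id, country, timestamp, amount).
WITHDRAWALS = [
    ("CARD-A", "ATM-001", "US", "2020-01-01T10:00:00", 200.00),
    ("CARD-A", "ATM-001", "US", "2020-01-01T10:05:00", 200.00),
    ("CARD-B", "ATM-017", "US", "2020-01-01T10:00:00", 800.00),
    ("CARD-B", "ATM-042", "JP", "2020-01-01T10:02:00", 800.00),
    ("CARD-B", "ATM-093", "DE", "2020-01-01T10:04:00", 800.00),
    ("CARD-B", "ATM-120", "GB", "2020-01-01T10:06:00", 800.00),
]

WINDOW = timedelta(minutes=10)   # assumed velocity window
MAX_DISTINCT_ATMS = 3            # assumed ceiling on distinct ATMs per window
MAX_DISTINCT_COUNTRIES = 1       # one physical card cannot be in two countries in ten minutes


def parse(records):
    """Group raw tuples per card with real datetimes, sorted by time."""
    by_card = defaultdict(list)
    for card, atm, country, ts, amount in records:
        by_card[card].append({"atm": atm, "country": country,
                              "ts": datetime.fromisoformat(ts), "amount": amount})
    for rows in by_card.values():
        rows.sort(key=lambda r: r["ts"])
    return by_card


def limit_violations(records, limits):
    """Flag cards whose cumulative withdrawals exceed the limit the issuer
    has on record. A card that keeps paying out past its limit is the
    signature of a limit that was tampered with or is no longer enforced.
    Returns (card, timestamp_of_breach, cumulative_amount) tuples."""
    alerts = []
    for card, rows in parse(records).items():
        total = 0.0
        for r in rows:
            total += r["amount"]
            # An unknown card has no limit on record, so any payout is flagged.
            if total > limits.get(card, 0.0):
                alerts.append((card, r["ts"].isoformat(), total))
                break   # one alert per card is enough to trigger a block
    return alerts


def velocity_alerts(records, window=WINDOW, max_atms=MAX_DISTINCT_ATMS,
                    max_countries=MAX_DISTINCT_COUNTRIES):
    """Flag a card seen at too many distinct ATMs, or in more than one
    country, inside a single sliding window.
    Returns (card, timestamp, distinct_atms, distinct_countries) tuples."""
    alerts = []
    for card, rows in parse(records).items():
        for i, r in enumerate(rows):
            recent = [x for x in rows[:i + 1] if r["ts"] - x["ts"] <= window]
            atms = {x["atm"] for x in recent}
            countries = {x["country"] for x in recent}
            if len(atms) > max_atms or len(countries) > max_countries:
                alerts.append((card, r["ts"].isoformat(), len(atms), len(countries)))
                break
    return alerts


if __name__ == "__main__":
    for a in limit_violations(WITHDRAWALS, CARD_LIMITS):
        print("limit breached:", a)
    for a in velocity_alerts(WITHDRAWALS):
        print("velocity anomaly:", a)
```

The two checks are deliberately independent: the limit check catches a back-end limit that has been erased even if the cash-out happens at one machine, and the velocity check catches a coordinated multi-ATM cash-out even if the attackers stayed under the nominal limit per withdrawal. Either firing on a prepaid card should be enough to block the card and page a fraud analyst.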