NEW YORK – The sophistication of a global network of thieves who drained cash machines around the globe of an astonishing $45 million in mere hours sent ripples through the security world, not merely for the size of the operation and ease with which it was carried out, but also for the threat that more such thefts might be in store.
Seven people were arrested in the U.S., accused of operating the New York cell of what prosecutors said was a network that carried out thefts at ATMs in 27 countries from Canada to Russia. Law enforcement agencies from more than a dozen nations were involved in the investigation, U.S. prosecutors in New York said Thursday.
“Unfortunately these types of cybercrimes involving ATMs, where you’ve got a flash mob going out across the globe, are becoming more and more common,” said Rose Romero, a former federal prosecutor and regional director for the U.S. Securities and Exchange Commission.
“I expect there will be many more” of these types of crimes, she said.
Some of the fault lies with the magnetic strips on the back of the cards. The rest of the world has largely abandoned cards with magnetic strips in favor of ones with built-in chips that are nearly impossible to copy. But because U.S. banks and merchants have stuck to cards with magnetic strips, they are still accepted around the world.
Brooklyn U.S. Attorney Loretta Lynch, who called the theft “a massive 21st-century bank heist,” announced the case Thursday in New York.
Hackers got into bank databases, eliminated withdrawal limits on pre-paid debit cards and created access codes. Others loaded that data onto any plastic card with a magnetic stripe — an old hotel key card or an expired credit card worked fine.
Operatives then fanned out to withdraw money in multiple cities, authorities said. The cells would take a cut of the money, then launder it through purchases or ship it wholesale to the global ringleaders.
Lynch didn’t say where they were located.
It appears no individuals lost money. The thieves plundered funds held by the banks that back up prepaid credit cards, not individual or business accounts, Lynch said.
Ori Eisen, a cybercrime expert and founder of 41st Parameter, a fraud detection and prevention firm, said the $45 million heist was on the “high-end” of what can be done by cybercriminals who exploit banking systems connected to the Internet.
“Given the scale of the global credit card networks, it is almost impossible to detect every kind of attack,” he said. “This attack is not the last one, and if the modus operandi proves to be successful crooks will exploit it time and again.”