$45 Million Dollar Bank Heist Fades Into Obscurity


I decided to wait a little to see how the reporting of the $45 million dollar bank heist progressed. It was big news for about a week and it has quickly faded into obscurity as other news has pushed it out of the public’s consciousness.

Just in case you blinked while this was going on, Alberto Yusi Lajud Pena was allegedly the leader of a gang of cyber criminals that stole $45 million from ATM machines around the world. He was found dead in the Dominican Republic a while ago and many of the people involved in the caper have been caught or are being tracked down by law enforcement. Federal prosecutors in New York state have handed down indictments for over half a dozen people.

The effort involved prepaid debit cards and it appears that only 17 cards may have been involved in this mess. The trick was to generate the cards and then bypass the limits normal mortals face when using these cards at ATMs. The culprits had to hack a number of systems but not a lot.

To start with, they attacked a card processing company and changed the account balances for a batch of MasterCard debit cards from the National Bank of Ras Al-Khaimah, which is located in the United Arab Emirates. They also essentially eliminated the withdrawal limits on the cards. This is something that should have been limited at the ATM, but it meant that the hackers did not have to modify the ATMs, which would have been a much harder task.

This was not the first attack by the group. The subsequent attack, which resulted in the larger loss, was similar in execution but involved a dozen debit cards from another bank. There was also a larger group of co-conspirators involved in a larger geographic area.

A number of discussions have arisen about how to prevent these attacks in the future and what areas were really under attack, since details were initially few and banks were not interested in providing a lot of additional detail. Questions arose about security, from that of the ATMs to that of the third parties involved in the creation and distribution of the debit cards.

This actually meshes well with an article I recently wrote on security (see Embedded Devices Gird Up Against Cyber Threats). I do not address financial attacks but I do take a look at legacy and consumer devices. One of the ideas floated in various discussions was the vulnerability of the ATMs and how that should be changed. The same idea arises for many legacy systems. Adding a firewall is one approach that works well, although one needs to consider the number of systems that might be involved in any kind of upgrade. That could be millions in the case of ATMs.

As it turns out, the ATMs were really not the problem although they were involved in delivering the cash to the crooks. Still, there are methods of attack that would compromise the ATMs so their protection should not be overlooked.

In general, features like secure boot and the use of more secure programming languages like Ada or static analysis tools for C or C++ applications need to be utilized on a much more regular basis by developers. A fixed limit on withdrawals from an ATM would have limited the problems of the debit card attack but only if it was difficult or impossible to change the limit.

Likewise, building monitoring tools into a system is part of the initial design. They may not catch an attack immediately but they can help identify a set of attacks as part of a trend. Unfortunately, these tools can often deliver too much information so that it is ignored instead of utilized. This is often what happens with diagnostic tools from trace facilities to static analysis results. If the tools do not provide a way of refining or filtering the results there is simply too much information left to process.
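As an added illustration (not code from the original post) of monitoring that surfaces a trend without flooding the reviewer, the following sketch collapses per-withdrawal records into at most one finding per card. The card ids, records, and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample withdrawals: (time, card id, ATM country, amount).
SAMPLE = [
    ("2024-01-01T15:00:00", "card-A", "US", 800),
    ("2024-01-01T15:04:00", "card-A", "JP", 800),
    ("2024-01-01T15:07:00", "card-A", "DE", 800),
    ("2024-01-01T15:09:00", "card-A", "US", 800),
    ("2024-01-01T15:30:00", "card-B", "US", 200),
    ("2024-01-02T09:00:00", "card-B", "US", 100),
    ("2024-01-01T16:00:00", "card-C", "CA", 500),
    ("2024-01-01T16:20:00", "card-C", "CA", 500),
    ("2024-01-01T16:40:00", "card-C", "CA", 500),
]

def summarize(records, window=timedelta(hours=1), max_total=1000, max_countries=1):
    """Return one finding per card: its worst window that breaks a threshold.

    Thresholds are illustrative assumptions, not values from any card scheme.
    """
    by_card = defaultdict(list)
    for ts, card, country, amount in records:
        by_card[card].append((datetime.fromisoformat(ts), country, amount))

    findings = []
    for card, events in by_card.items():
        events.sort()
        worst, start = None, 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            total = sum(amount for _, _, amount in span)
            countries = sorted({country for _, country, _ in span})
            reasons = [name for name, hit in (
                ("total", total > max_total),
                ("countries", len(countries) > max_countries)) if hit]
            if reasons and (worst is None or total > worst["total"]):
                worst = {"card": card, "total": total, "count": len(span),
                         "countries": countries, "reasons": reasons}
        if worst:
            findings.append(worst)
    # Largest loss first, so the reviewer reads the most damaging card first.
    return sorted(findings, key=lambda f: f["total"], reverse=True)

if __name__ == "__main__":
    for finding in summarize(SAMPLE):
        print(finding)
```

Nine records reduce to two findings here; the card used in three countries within minutes ranks first, and the card with ordinary activity produces no output at all.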

Proper design and security tools may not eliminate the possibility of this type of attack in the future but they could make it much more difficult and less damaging in the long run. Hopefully security does not fade into obscurity.

 


William Wong

Bill Wong covers Digital, Embedded, Systems and Software topics at Electronic Design. He writes a number of columns, including Lab Bench and alt.embedded, plus Bill's Workbench hands-on column....