Yesterday, federal prosecutors in Brooklyn revealed that an international team of thieves had stolen close to $45 million in the biggest ATM fraud case in history. The heist required some hacking and a lot of orchestration, so news organizations and police forces have been calling it high-tech and "sophisticated." Which it isn't, really! It's possible because the US--yes, specifically the US--is wildly behind the times in terms of transactional security, relying on a 50-year-old technology.
How did they do it? Hackers first broke into the system of a company in India that handles pre-paid debit cards, kind of like gift cards. They raised or eliminated the withdrawal limit on those cards--usually just a few hundred dollars--and jotted down the identifying data for these new, illicit cards-to-be. The heist until this point was all digital, a theft of modifying and stealing information rather than actual money. The money part came thanks to the decades-old magnetic strip technology.
The thieves evidently had a magnetic card reader/writer, the same kind hotels use to imprint code on magnetic room keys. Using any card with a magnetic strip--old credit cards, hotel keys--hell, you could use a driver's license, though you wouldn't want to use your own--they imprinted this new data. Now that old credit card is activated, carrying an invented code that will tell an ATM that it can withdraw a basically unlimited amount of money.
The thieves shipped these new cards out all over the world. Dozens, probably hundreds, of associates, on cue, hit ATMs. All over Manhattan, and in two dozen other countries, old cards masquerading as high-level gift cards withdrew money. The cash was used to buy expensive items--Rolexes, cars--for laundering purposes. The best part? Those original hackers could see exactly how much each of their invented codes was withdrawing. None of the associates could skim.
The prosecutor compared it to the movie Ocean's 11, but really, it was closer to Ocean's 13, a movie in which the thieves took down a casino's security system and rigged every game on the floor, leading to a manic blitz.
How is this possible? Well, the magnetic stripe card was invented by IBM in 1960, and went into mass production in 1970.
Magnetic stripe cards work by changing the magnetism of tiny iron-based particles, kind of like a Woolly Willy. They can be wiped and reset by cheap reader/writers, which you can buy for about 200 bucks. Typically, magnetic stripe pre-paid cards come with PIN numbers, but that doesn't provide any security at all when the thief is the one creating the card and the PIN, which is what happened with this heist.
Pretty much every other developed country got rid of magnetic stripe cards years ago, and many countries are multiple generations beyond that tech. In the UK and much of Europe, the "chip and PIN" card, properly called the EMV (for "Europay, MasterCard and Visa"), is dominant; it's a regular plastic card, but it's embedded with a tiny computer chip that serves as authentication in conjunction with a regular four-digit PIN. The EMV system is much more secure than the magnetic stripe card; when it was introduced to France, the country saw an 80% reduction in card fraud. (It was introduced in 1992, by the way. The France of 20 years ago was more advanced than the US is now.) The benefits: authentication is far more sophisticated than reading a simple magnetized strip; it incorporates actual encryption protocols like DES, the Data Encryption Standard.
The chief vulnerability of the EMV system? IT STILL HAS MAGNETIC STRIPES. EMV cards have a magnetic stripe so they can be used in dumber, slower countries, like the US, which can't read the chips. The only real hack of the EMV system relies on transferring information from the magnetic stripe, rather than the chip.
Japan's current standard is FeliCa, made by Sony--it's an RFID chip, so it's contactless, and benefits from some even more advanced security (Sony announced that the next-generation FeliCa standard would use AES, or the Advanced Encryption Standard).
What about the future? Hell, not even the future: right now, digital wallets are taking off in other countries. Osaifu-Keitai, in Japan, embeds FeliCa into phones from Japanese wireless carrier NTT DoCoMo. (It'd be like your Verizon phone had all your Visa info.) That system uses near-field communication, or NFC, to trigger transactions. Tap your phone on a point-of-sale device, enter a PIN, and your money's transferred. NFC isn't even new; modern Android phones and many Windows Phones have it right now!
So why is the US so far behind? Infrastructure is a major factor; countries like Japan and the UK are much smaller, so replacing all the old point-of-sale machines and ATMs is easier. Another problem is that American banks don't really care enough to invest in new infrastructure, and the US government has an awful lot of trouble making the banks do anything they'd rather not do.
Lots of modern heists rely on old-school methods. The amazing computer hacker-thief isn't really the norm; the world's most successful jewel heist ring, the Pink Panthers, are smash-and-grab artists. And this card fraud does require hacking, but it couldn't happen if the US transaction system didn't rely on a decades-old authentication system that can be negated with something you buy from Amazon.
Smart thieves, and also the U.S. should obviously change their system. This is the 2010s, not the 1960s.
1960 was 53 years ago. This is 50 year old technology.
bringing size as an excuse? half the country is empty forests and deserts.
Why isnt china lagging behind then... or even russia?
But if banks dont care... so what? its their money they are losing.
This article is unnecessarily aggressive. Why not look at the negatives of the Chip and PIN aside from the stripe still being on the card. How about chip harvesting or 'man-in-the-middle' card attacks or PIN cloning? What about all the serious issues with contactless payment methods that "benefits from some even more advanced security" that is not in place yet.
Why not bother to look at both sides of the issue before writing an article. Why not provide some other innovative methods of payment that are not at least a decade old, as is the Chip and PIN. Why not mention that most major credit card companies are planning on switching to Chip and PIN in the next few years?
As for the issue of size, it is a valid argument. Even if most of it is forests and deserts there are 3.794 million sq miles to cover to replace card machines in comparison to the UK's 94,058 sq miles. Not to mention the population difference.
Russia and China are not much better off, the credit card isn't a widely used tool in Russia and in China only 2% of merchants are equipped to handle credit or debit card transactions. A study by VISA showed the average transaction in China was $253 because most purchases were for items like houses, cars, boats and other expensive things. It would have been nice to read that in the 'article' above rather than have to research it myself. I honestly don't like any form of credit or debit card whether it be Chip and PIN, Chip and Signature (not even included in the 'article')magnetic stripe, or contactless. None of them are fool proof and can all be hacked or stolen.
I forgot about this
It's interesting that you bring up China; in that context, if you're using Visa as a reference of COURSE they've got less than 2% and skew high. It's UnionPay, the local card network, that has a far higher number of merchants linked to it alone (Discover has a cross-acceptance agreement with it). Speaking of which, my bank in China has notified me that they're already making chip-only cards available on request due to high levels of magstripe fraud. And the attack you link to wouldn't work on said cards because it works by assuming the card itself verifies the PIN, thus they can send a false "PIN OK" signal; Chinese cards don't work that way, because the PIN has to be sent to the issuing bank for verification. The option is available for me to set aside an amount of money with every deposit for no-PIN transactions, but I have to opt in and I can set limits on how large a transaction has to be before a PIN is prompted.
And that's why when I use my debit card to pay for things in China, the cashier always asks "No PIN? What if someone steals your debit card?"
A typical Nosowitz rant. Thanks Mike for providing a little balance.
I also wondered why there was no mention of the lax security that allowed hackers to have the account information to start with.
I have know for years how easy it is to copy those ATM strips cards or create them. Tolerance of this deserves a rant for the amount of time it has lingered. You may want to check you dress length ford, your ignorance is showing, lol.
Prior to the internet and since the internet the USA has been aware and news media does report of China hacking the USA daily. Now there is another tune to rant about as well. Considering the amount of R&D knowledge and economics, government information that is stolen by China, we the USA have lost billions yearly. What was need is a single giant diplomatic department to issue to China and other rogue countries persistent in hacking the USA encryption devices for the purpose of government communications and business. If we the USA must communicate with China for the sake of government and business, then a very precise encryption needs to be establish and ALL OTHER communications CLOSED.
We need more jobs in the USA. If we bought less cheap, broken, poisons products from China, yes we would pay higher for them in the USA to receive higher quality too and create more jobs in the USA.
F. China, we do not need you or any other country persistent in hacking the USA!
I don't see what's so great about the new technology. Especially wireless. Couldn't someone build a device to charge bogus purchases, and just walk around a crowd of people, charging their wireless credit cards for a purchase they did not even know about? Good security comes from the methods of implementation, not from the technology itself.
The problem here is that hackers we able to create money in debit cards in India. Not that magnetic pin technology failed. It might have been slightly harder to counterfeit more up to date technology, but the results would have been exactly the same. After all the whole idea behind the technology is that an individual can get his/her money by successfully supplying security information. If the hackers were unable to make the cards appear loaded with money the theft never would have occurred.
No, the weak point was the offshore computer and lack of security on it!
So, unless I completely misunderstand how bank cards work, I don't think the magnetic strip would make a difference.
Doesn't the mag strip only refer to an account to draft the "money" from? If that's the case, how hard would it be to spoof accounts using any other technology?
I like the idea of NFC, but only to remove all the cards except my Id from my wallet. It seems that NFC would have the same security flaws as the magnetic strip.
@lifestream: Europe of 20 years ago was much smaller than the U.S., economically. Since you brought up the geographic size, in some truly boondock areas of the country the old carbon imprint machines can still be found. It takes a long time to get people to change their habits - I'm sure a pre-paid smart phone and a square reader would be cheeper for those 'ma&'pa stores, but...
@ford2go: I respectfully disagree. This is not a typical Nosowitz rant, as it was mostly grammatically correct and made an *attempt at being balanced.
Lifestream: It's the banks money, what do we care?
ALL losses get passed down to the consumer one way or another.
Banks never lose "their own" money, because they never use it. They take my money, loan it to you, amd charge use BOTH enough to offset the cost of operating the bank, any insurance they have to pay against possible "losses" (of OUR money) and tack on a fat profit. American banks don't want to upgrade because they see no need. As long as we continue to pay their exorbitant fees and interest rates they turn a healthy profit, regardless of how antiquated and leaky the transactional system is. If it was really costing them any profit, then they might sit up and take notice.
Also their technology in cars, TV format (NTSC), 120 volts in their homes and many more, are all inferior and outdated.
45 million.... Somebody is smoking something. Try 45 BILLION. Its epidemic. AND still they are using the magnetic strip... What a farce.
There is a way to stop this.
1. Stop making the cards ubiquitous, in other words, the card can be used by the card holder only...
2. Fingerprint comparison card holder, to card. No match no money or no purchase.
3. Capture the fingerprint of the person using the cloned, or stolen card.
Put these three into operation, end of problem.
If I were the banks I would do the same thing.
Why throw away money fixing the problem when the customers will accept things as they are, and even defend my failures?
People defend delinquent companies all the time. Banks would be idiots to waste money on customers like that.
ATMS and debit cards can make you fat cause cancer and is the cause for global warming.
Don't use them!
FYI, buying a new or used card encoder is easy.
Second, coping cards is further easy.
Last, programing cards is easy as well.
The USA government goes to great length to make it hard to copy money, but is rather simple to create or copy the strip on the back of a card, HELLO?!
Dan Nosowitz, you are hardly convincing when you write such a one sided article. I would suggest you research your subject more thoroughly first. One reason they don't like to use mag strips overseas is due to the fact that many establishments are not wired up for instant communications with the banks as we are here in the USA.
Every transaction in the USA is processed real-time and can be rejected when a problem is found. Countries that don't have the infrastructure in place have to rely on embedded chips in the credit card. These have issues as well.
The real problem is the original hack into the banking system.
I doubt that the size of the USA is the issue. Canada has had chip cards for 10 years now and we are twice as big as the USA. I think it is greedy banks not wanting to spend money. Our Canadian chip cards still have to carry the mag strip so we can use them in the US, comprimising the security. Most Candadian card also have NFC so you can wave the card at the terminal to pay. This is not very secore as there are programs that allow a thief to walk through a mall carrying a laptop and skim the card data. Banks will have to up the ante once again.
Having built a company in this industry, financed by founders in the mag stripe industry, I can tell you it is all about the economics. $45M is well less than 1% of what it would cost to upgrade the card acceptance network, terminals, processors and all cards in the US to a modern system versus mag stripes. The other big obstacle is that mag stripe cards actually have a very high convenience factor, with a very cost effective risk per transaction. It will be interesting to see if all of us having smartphones and related digital wallets can help overcome this. It would be nice!
quatra1001 - try not to be such an a$$. Neither PAL nor NTSC are inherently superior - they are simply different and incompatible. Same goes for 120VAC @ 60 hz vs 240VAC @ 50 hz. In point of fact, 240VAC being twice the voltage, administers twice the amperage when shocked by it. That greatly increases the chance of electrocution.
In the future, try to not act like such an arrogant jerk with a superiority complex - you'll make more friends.
As for the article, yeah, a little balance would have been nice. As many pointed out - the REAL weakness was the system that let them modify and create the accounts in the first place.
and then this "It'd be like your Verizon phone had all your Visa info."
Good GOD!! At the rate phones are being hacked? No thanks.
It used to be the depositors' money. But they get to keep it and spend it as they please.
more information here:
-I started out with nothing, and I still have most of it left.
Unfortunately the REAL problem IS the magnetic strip. My ATM card is by default not valid in the USA. When I go over there I have to validate it for magnetic strip use for a few weeks up front, then use it overthere and after that it gets invalidated for magnetic use automaticaly.
After all our cards got chips and the magnetic stip was no longer in use overhere the theft went down for a while and then came back up. It turns out the thieves had found out that they could still use "old school" trics to copy the magnetic strip and get the 4 digit PIN code. Then send the data to someone in the US, have him/her put the data on a blank strip and get the money from the ATM overthere.
So it IS the fact that the US is using old techniques that makes it vulnerable.
@LongTimeReader: The fact that we use chips on the ATM cards has nothing to do with what you point out, cards that can store a balance on the chip. The money is NOT stored on the debet card chip, it is merely used for validation.
The author is in idiot. There are problems with magnetic strips, but this attack has exactly <em>nothing</em> to do with them.
The magnetic strips worked exactly as designed in figuring out which account should be debited for the withdrawal.
The security vulnerability that was exploited was that the bank's computers could be forced into a fallback mode where they didn't check that the account actually had funds available!
The essence of the attack was to put some money into an account and withdraw it thousands of times, then disappear when the bank tried to demand repayment for the overdraft.
Quite simply, trying to make something that has to be mass-produced cheaply and handed out to millions of customers uncopyable is very difficult, and it takes many years and numerous revisions to produce something that <em>mostly</em> works. Just ask the U.S. Mint.
Eliminating "skimming" by making it difficult to copy <em>without the active cooperation of the posessor</em> is a useful goal, but that's irrelevant in this case. For the amout they made, they could hire someone with an e-beam prober to crack the security of any "smart card" ever designed or proposed.
This is a very poorly written article one of the worst I've ever read.
The failure is not in the magnetic card technology but in the poorly secured offshore computer.
With smart chips or NFC the results would have been identical.
RFID and NFC have been cracked in fact an RFID card is actually much less secure then a magstrip card.
A hacker can clone an RFID in less then 5 minutes without you ever knowing it's happening.
Magstrip and contact smart cards require gaining physical access to the card and reading it both are easily cloned.
NFC cards are probably the least secure kind of card there is.
To steal your account a thief only needs an NFC enabled smart phone and some software installed on it.
The most secure kind of card might be the contact smart card similar to the cards used in DBS and cable TV boxes.
But still the chain is only as strong as it's weakest link and in this case the weak link was the computer system being unsecured.
Esp hilarious is he suggests FeliCa which has been cracked.
If you have one of these cards I suggest keeping it in a Faraday wallet when not in use.
If you have it in a phone deactivate it ASAP.