Yesterday, federal prosecutors in Brooklyn revealed that an international team of thieves had stolen close to $45 million in the biggest ATM fraud case in history. The heist required some hacking and a lot of orchestration, so news organizations and police forces have been calling it high-tech and “sophisticated.” Which it isn’t, really! It’s possible because the US–yes, specifically the US–is wildly behind the times in terms of transactional security, relying on a 50-year-old technology.
How did they do it? Hackers first broke into the system of a company in India that handles pre-paid debit cards, kind of like gift cards. They raised or eliminated the withdrawal limit on those cards–usually just a few hundred dollars–and jotted down the identifying data for these new, illicit cards-to-be. The heist until this point was all digital, a theft of modifying and stealing information rather than actual money. The money part came thanks to the decades-old magnetic strip technology.
The thieves evidently had a magnetic card reader/writer, the same kind hotels use to imprint code on magnetic room keys. Using any card with a magnetic strip–old credit cards, hotel keys–hell, you could use a driver’s license, though you wouldn’t want to use your own–they imprinted this new data. Now that old credit card is activated, carrying an invented code that will tell an ATM that it can withdraw a basically unlimited amount of money.
The thieves shipped these new cards out all over the world. Dozens, probably hundreds, of associates, on cue, hit ATMs. All over Manhattan, and in two dozen other countries, old cards masquerading as high-level gift cards withdrew money. The cash was used to buy expensive items–Rolexes, cars–for laundering purposes. The best part? Those original hackers could see exactly how much each of their invented codes was withdrawing. None of the associates could skim.
The prosecutor compared it to the movie Ocean’s 11, but really, it was closer to Ocean’s 13, a movie in which the thieves took down a casino’s security system and rigged every game on the floor, leading to a manic blitz.
How is this possible? Well, the magnetic stripe card was invented by IBM in 1960, and went into mass production in 1970.
Magnetic stripe cards work by changing the magnetism of tiny iron-based particles, kind of like a Woolly Willy. They can be wiped and reset by cheap reader/writers, which you can buy for about 200 bucks. Typically, magnetic stripe pre-paid cards come with PIN numbers, but that doesn’t provide any security at all when the thief is the one creating the card and the PIN, which is what happened with this heist.
Pretty much every other developed country got rid of magnetic stripe cards years ago, and many countries are multiple generations beyond that tech. In the UK and much of Europe, the “chip and PIN” card, properly called the EMV (for “Europay, MasterCard and Visa”), is dominant; it’s a regular plastic card, but it’s embedded with a tiny computer chip that serves as authentication in conjunction with a regular four-digit PIN. The EMV system is much more secure than the magnetic stripe card; when it was introduced to France, the country saw an 80% reduction in card fraud. (It was introduced in 1992, by the way. The France of 20 years ago was more advanced than the US is now.) The benefits: authentication is far more sophisticated than reading a simple magnetized strip; it incorporates actual encryption protocols like DES, the Data Encryption Standard.
The chief vulnerability of the EMV system? IT STILL HAS MAGNETIC STRIPES. EMV cards have a magnetic stripe so they can be used in dumber, slower countries, like the US, which can’t read the chips. The only real hack of the EMV system relies on transferring information from the magnetic stripe, rather than the chip.
Japan’s current standard is FeliCa, made by Sony–it’s an RFID chip, so it’s contactless, and benefits from some even more advanced security (Sony announced that the next-generation FeliCa standard would use AES, or the Advanced Encryption Standard).
What about the future? Hell, not even the future: right now, digital wallets are taking off in other countries. Osaifu-Keitai, in Japan, embeds FeliCa into phones from Japanese wireless carrier NTT DoCoMo. (It’d be like your Verizon phone had all your Visa info.) That system uses near-field communication, or NFC, to trigger transactions. Tap your phone on a point-of-sale device, enter a PIN, and your money’s transferred. NFC isn’t even new; modern Android phones and many Windows Phones have it right now!
So why is the US so far behind? Infrastructure is a major factor; countries like Japan and the UK are much smaller, so replacing all the old point-of-sale machines and ATMs is easier. Another problem is that American banks don’t really care enough to invest in new infrastructure, and the US government has an awful lot of trouble making the banks do anything they’d rather not do.
Lots of modern heists rely on old-school methods. The amazing computer hacker-thief isn’t really the norm; the world’s most successful jewel heist ring, the Pink Panthers, are smash-and-grab artists. And this card fraud does require hacking, but it couldn’t happen if the US transaction system didn’t rely on a decades-old authentication system that can be negated with something you buy from Amazon.