Bank Muscat hit by $39m ATM cash-out heist Cybercrooks have pulled off a $39m ATM heist against a bank in Oman using pre-paid travel cards. Bank Muscat put out a statement through the Muscat Securities Market admitting the loss: 12 Bank Muscat prepaid Travel Cards were compromised on February 20, 2013. The gross value of transactions on these cards, which were …
Way back in the early 90's I was involved in a card system. One of the first things we did then was implement a check to stop multiple repeated transactions, and to check the card velocity.
Velocity is simple. Note where the card is first used as a lat/long (this assumes that all banks know where their card machines are), when the card is next used compute the distance, and the time it took to travel and hence compute the velocity. If the velocity is too great, block the card and get the customer to call in. To be honest, we did have another way of finding the location, but surely this is just so fundamental that the banks must have this.
20 years later, it seems Bank of Muscat have not learnt this lesson.
That's not what a velocity check is. A velocity check would simply be something like a daily withdrawal amount limit or a limit on the number of transactions a card can perform in a set time etc.
Analysing the location of transactions on a per card basis and then applying fraud checking rules would be the job of a dedicated fraud prevention system, not done by the transaction processing system - it has enough to do without running complex algorithms to identify fraud.
Also, in the article it says that their systems may have been compromised so these velocity checks may have been disabled.
"Analysing the location of transactions on a per card basis and then applying fraud checking rules would be the job of a dedicated fraud prevention system, not done by the transaction processing system - it has enough to do without running complex algorithms to identify fraud."
You'd be surprised. I can't comment further, unfortunately.
For someone in the industry, I don't think you understand how the scam works.
The banks in question authorise the transactions before they are actually verified as having funds. There are plenty of terminals that are "offline" or just delay before actually collecting the payment. If you time it right, you can perform the same £10 hundreds of times across the globe and by the time actual authorisation is given by the originating bank, there's already a million pounds in cash gone from various places.
Ever bought anything on a plane? Same system.
They don't have live connections to ensure funds are available. Yes, it's incredibly stupid, but that's why the scam (and many others with similar tactics) works. By the way, this is pretty much all how the "pay-by-wave" systems work and rely on the card to remember that it has spent £15. Clone the card beforehand and you can have as many £15 as you like before the bank has to give a yes/no.
Why is another reason why pay-by-wave is an incredibly stupid, even if "convenient", idea.
Lee, almost all ATM transactions are online at least to the acquirer system (which may be permitted to carry out stand in processing if the card issuers systems are unavailable). Normal operation is that every transaction will be routed to the card issuer for authorisation before any money is dispensed apart from said stand in scenarios.
I don't rule out the possibility of some deployments of ATMs allowing offline transactions but they should be limited to processing 'on us' transactions (for cards issued by the ATM deployer). They certainly shouldn't be authorising international cards offline. Having said that, these were pre-paid travel cards so the rules set for them can be different from normal credit/debit cards.
AC is right that complex fraud checks aren't done before the transaction completes so there is a window there, but basic velocity checks can and should be done before authorisation.
It's a business decision:
Option 1 - bank refuses withdrawal because it can't get a secure realtime direct link from the foreign ATM to its HQ, or because a businessman buying a coffee in New York 12 hours after buying a heathrow express ticket is somehow "suspicous". Business man returns home furious, cancels all his accounts, moves his mortgage, pension and life insurance - bank loses $1000s in fees.
Option 2 - bank allows some extra risks on a pre-paid credit card that accounts for 0.1% of its business.
You can always add more security - the question is whether requiring a 15digit pin and a DNA sample everytime a customer uses their card is a win for you in the long term
Someone raises this every time a card-cloning scam comes up, and it's an example of the classic security research vs security in the real world clash.
Yes, you could check every transaction against a central database of past transactions and check if they're sane, but the problem is this would be really, really slow. Really slow. Remember most ATMs are lucky to have anything faster than dial up on board. Checking the validity of a card and its transaction limit are relatively simple, asking a server to do a lat/lon sanity calculation every time someone connects isn't. It takes time.
As a result, while dozens of these "Do these transactions make sense?" calculations take place, they usually take place after the fact, as anyone who's had their card cloned knows. The trick, and it's probably the trick used here, is to use the cloned cards in a synchronised manner, to not give the system time to respond. Pick ATMs you know to be particularly slow, get your gang of ill-intentioned ruffians to spread out amongst them and hit them for everything they've got all at the same time. The transaction system will do what it was designed to do - complete the transaction, and they'll be off with the cash long, long before any security system catches up.
Putting the security up-front would slow down the process immensely, almost certainly costing banks a hell of a lot more than they lose from once-in-a-blue-moon card cloning scams.
If 3 masked robbers with guns stole $xxx million euros/dollars/etc in a daylight heist from any bank in the world the news feeds would go crazy with useless facts about every heist in history and so-called journalists going on about other journalist's opinions about why it happened and how awful it all is. Organized crime doing it thru a stupidly overlooked crack in computer security procedures......no news.
Conspiracy angle, the bank needed to unload some cash quickly to a local prince and hired the bad boys to create a crime so no suspicion is raised when the money moves. No taxes due either.
This would require too much smarts for those guys.
Simpler approach would be (is being used) is to either use drug money or smuggling (or if your in somalia why not try piracy - like the "on a boat in the sea" type)...or if your in Afghanistan set up a "transport mafia" and have the Americans pay you millions to protect their trucks from...well, yourself!
I understand the concept of duplicated cards used multiple times, but the numbers don't stack up.
£39,000,000 stolen. Assuming an ATM allows £1,000 per transaction, that's 39,000 transactions!!!
Assuming you got 1,000 mules at 39 transactions each in one day, you're chances of a snitch being in there are quite high.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
