What do you think? Leave a respectful comment.

International ATM Cyber Hackers Hid ‘in Plain Sight’ to Overcome Computer System

The global network of thieves who targeted ATMs struck 2,904 machines over 10 hours in New York alone, withdrawing $2.4 million. For more on the attack and the aftermath, Jeffrey Brown talks with Loretta Lynch, the U.S. attorney for the eastern district of New York and the federal prosecutor in the heist case.

Read the Full Transcript


    And we're joined live now by the federal prosecutor in the case. Loretta Lynch is the U.S. attorney for the Eastern District of New York.

    Well, thanks for joining us. When you call this a 21st century bank heist, before we go through some of the details, explain what you mean by that.


    Well, Jeffrey, this was a situation where numerous banks were hit several times; in fact two banks in these two attacks, but using thousands and thousands of ATMs. So the banks were literally robbed in broad daylight without anyone entering their specific branches, the Bank of Muscat and the RAKBANK that were involved.

    It was one of the largest attacks of this type that we've seen, using this type of cyber attack.


    It's a global operation but one thing you have not said yet is who is behind it. What can you tell us? What do we know so far?


    Well, it is a global operation. The investigation is ongoing. We, obviously, are hoping to make inroads there, so we're not going to be able to give a lot of detail about who we think is behind it at this point in time.

    What we do know, however, is that it was a very sophisticated operation, that it had to have financial backing, that it had to have people with a great deal of computer expertise and a great deal of patience.

    It takes a long time to hack your way into the processors that were used here and essentially lie in wait, gathering data, increasing your access bit by bit, until you can literally take over the processor's functions.


    So just explain a little bit more the mechanics here. They were hacking into the processing companies, not the banks themselves, right? And they were — they were getting —


    That's correct.


    … and they were getting into these debit cards and upping the limit that was — the people could take out.


    Yes, absolutely. In fact, in the New York crew, during the second attack in February, those eight guys only had one account among them. And that account limit had been raised to $40 million dollars. They look at prepaid debit cards because they're not tied to an individual, they're not tied to an individual's checking or savings account. People tend to check those.

    You would notice if your own personal debit card limit shot up to $40 million dollars. And you'd probably call somebody.

    But the most sophisticated part of this attack is the hack itself. These are patient cyber criminals. It takes anywhere from two to 18 months to execute the kind of control needed to really get inside these credit card processors.

    As you mentioned, it's not the actual banks, it's the middlemen, the people who process the cards. And the money flows through them as someone uses a prepaid debit card. It's a very standard practice in the financial industry.

    The hackers, using malware, work their way into the processor's own systems. They essentially gain more and more security access, sort of like becoming a secret system administrator. They are hiding almost in plain sight in these computer systems.


    And the people — and the people that you — that you did arrest, that you announced yesterday, especially the eight in New York, say they're low level, right?

    I mean they're not doing the high tech stuff, they're essentially street criminals?


    Well, they're not doing the high tech stuff and — but we wouldn't call them low level, because without them, you could not plunder the bank accounts the way in which they were plundered. They were actually a vital part of the organization.

    Everyone seems to have equal importance, just a very, very different role in this.

    But these guys were the feet on the street, so to speak. They were the ones who were commanded and directed to go to the ATMs, to wait for that code, to spring into action and cash out as much money as they could before the credit card processor or the bank or someone else discovered what they were doing.


    Now, I know your investigation is still ongoing. We've talked about two Mideast — Middle East banks, but one — today, the head of one of those banks suggested that the fraud may have gone beyond those banks to many others around the world, including in the US.

    What — what can you say at this point?


    You know, what I can say is that certainly this is one of the largest of the unlimited operations that we've seen. And we're seeing more and more of them.

    It is a change in the way cyber criminals operate, and so we're watching them very carefully and we're shutting them down where they can.

    I think the message, you know, whether from that bank or certainly from us, is that every financial institution needs to remain vigilant.

    They need to work with law enforcement. There's been a great deal of cooperation so far, but everyone has to remain vigilant, because cyber criminals are changing their method of attack as we adapt to follow them.


    Who is responsible for money that was lost in these cases?

    I mean is it actual money that was lost, somebody's money?

    So who's responsible?

    Is it the — is it the banks, the credit card companies, the individuals?


    Right now, it's the banks. And certainly, they'll be looking to their insurance carriers and they'll be working out those details as the time goes on.

    No individual accounts were compromised in this. And that's actually very important to say. So no individuals lost this sum total of $45 million dollars.

    We have, of course, in the past, seen other hacking operations where individual accounts have been compromised.

    So people should not feel that because the cyber criminals have morphed into this direction that they're going to ignore those individual accounts.


    Well, let me just ask — that's what I want to ask you just briefly here, at the end, is is there any message for individuals as consumers as to their vulnerability and for you, in law enforcement, as — as a — as you said, the criminals find new ways to do this in cyberspace?


    Well, I think there are several messages here. In terms of law enforcement, we work very closely with the financial industry to watch the types of attacks that are being launched and to help them protect themselves.

    But we need their help, as well. We urge all financial industry companies, as, frankly, all of — of private industry, to remain vigilant. When they spot a problem, notify us.

    Often, companies think that because a lot of the hacking occurs overseas, it may be too late to do something. But we've actually had a great deal of success working with our overseas counterparts.

    For individuals, they, too, have to remain vigilant.

    It's a great thing to live in a digital age. It's convenient, it's fast. You know, we haven't quite hit that cashless society yet, as the pictures illustrate. But people are very used to the convenience of being able to electronically live their lives.

    But they have to recognize that a lot of that comes at a cost. And there may be times when we ask them to step back a bit and to bear with us as we work out trying to make them as safe as possible.


    U.S. Attorney Loretta Lynch.

    Thanks so much.


    Thank you, Jeffrey.