The 21st century bank heist
Bank robbery is still a fact of life, but the days of tunnelling into banks, or the armed raids involving sawn-off shotguns are largely in decline. There are still too many armed robberies, but nowadays the modern blagger does his bank robbery online.
Bank robbery in the UK fell by 30% in London over the past ten years, and by up to 90% across the UK. There are lots of reasons for that trend. More banks now have security grills, panic buttons, and barriers which can trap the gang in the building. Explosive dye packs can render money useless and DNA sprays which are very hard to wash off can uniquely identify people as being at the scene of the robbery. Many more surveillance cameras both inside the banks and on the streets provides much more evidence for police. And most of all, banks now carry much less cash as more and more transactions occur electronically.
In the US, a hacker has recently been found guilty of millions of dollars worth of online theft and now faces over fifty years in prison. Ercan Findikoglu, 34, a citizen of Turkey, had masterminded several online heists before being arrested by police in Frankfurt in 2013 during a visit to Germany. After a long legal battle, he was finally extradited to the US last summer where he was put on trial.
Starting with stolen customer data files and hacked or stolen credentials for central systems, Findikoglu's robberies targetted the ATM system and involved removing the withdrawal limits against certain customer accounts. Each of the gang members were given cloned cards for the compromised accounts. Once the hack was in place, the gang members withdrew as much cash as possible from ATM machines and kept doing so until the system intrusion was detected. The hacker meanwhile was busily cancelling transactions so that to the central computer systems it looked like the money was still in the ATMs, and because the attack was distributed across many cities, countries and ATM machines, the anomalies were harder to spot.
There are at least three well documented robberies committed by Findikoglu and his partners in crime. In 2011, the gang used this method to target American Red Cross and withdrew $10 million from ATM machines spread across two dozen countries (including ATMs located in New York), money which was intended to go to disaster relief victims. 2012 saw the gang steal $5 million from an India-based payment processor servicing a bank in the UAE, and its biggest heist, in February 2013, saw the gang target a California-based payment processor and a bank in Oman when it performed 36,000 ATM withdrawals in a matter of a few hours, across 24 countries, resulting in a haul of $40 million.
This gang's robberies pale into insignificance though compared to an attempted robbery about a month ago. Fraudsters used stolen credentials for the Bangladeshi Government's Reserves account at the Federal Reserves Bank of New York. Using spyware which they'd managed to get into the Bangladesh Bank systems, the would-be thieves studied the transfer procedures and authorisation codes and then made a series of electronic transfers to other bank accounts. Thirty transactions were entered into the system, and the first four were processed successfully, resulting in the transfer of $81 million, but the fifth was blocked when Deutsche Bank's systems detected a spelling mistake in the name of the recipient. The word "Foundation" had been typed as "Fandation". If all thirty transactions had been processed, the Bangladeshi Government could have lost up to $1 billion.
The banks have worked together to freeze accounts and recover funds where possible, but some had already been laundered through online casinos, and $30 million was wired to a bank in Manila, Philippines, where a "man of chinese ethnicity" withdrew it in cash, on a day when the security cameras were not working.
29th March 2016
This article comes from the SKILLZONE email newsletter, published monthly since January 2008, and covering topics related to technology and the internet. All articles and artwork in the SKILLZONE newsletter are orignal content. If you would like to receive the newsletter direct to your inbox each month, please SUBSCRIBE here. It is free, and you don't get added to any other mailing lists. It uses best-practice confirmed opt-in only, and you may unsubscribe at any time.