Wed Oct 31, 2012, 12:57 PM

60-Second Cash Kiosk Hackers Steal $1 Million: FBI

Source: Information Week

By Mathew J. Schwartz InformationWeek
October 31, 2012 12:02 PM

The FBI has arrested more than a dozen people on charges that they participated in a gang that stole over $1 million via cash-advance kiosks at 11 casinos and resorts.

According to the FBI, the related indictment, unsealed Friday, said the gang "stole the money by exploiting a gap--which required multiple withdrawals all within 60 seconds--in Citibank's electronic transaction security protocols." The gang predominantly targeted casinos and resorts in Las Vegas and southern California.
....

According to court documents, accused ringleader Ara Keshishyan, 29, recruited other members of the gang to open multiple Citibank checking accounts, which he filled with seed money. "When inside the casino, the conspirators, including Keshishyan, used cash advance kiosks at casinos in California and Nevada to withdraw -- all within 60 seconds -- several times the amount of money deposited into the accounts, by exploiting the Citibank security gap they discovered."
....

Attackers are increasingly using a simple method for finding flaws in websites and applications: They Google them. Using Google code search, hackers can identify crucial vulnerabilities in application code strings, providing the entry point they need to break through application security.

Read more: http://www.informationweek.com/security/attacks/60-second-cash-kiosk-hackers-steal-1-mil/240012604

14 replies, 2065 views

Thread info Bookmark this thread Trash this thread

Reply to this thread

Always highlight: 10 newest replies | Replies posted after I mark a forum

Replies to this discussion thread

14 replies	Author	Time	Post
60-Second Cash Kiosk Hackers Steal $1 Million: FBI (Original post)	mahatmakanejeeves	Oct 2012	OP
No honor among thieves	corkhead	Oct 2012	#1
You said it!	SoapBox	Oct 2012	#3
But Republicans that steal BILLIONS can't ever be found.	Ikonoklast	Oct 2012	#2
It is pretty lousy programming.	cosmicone	Oct 2012	#4
Exactly. Whatever happened to record locking?	mikeytherat	Oct 2012	#5
Can citibank make money in 60 seconds?	DoBotherMe	Oct 2012	#7
Or security costs money they'd rather funnel to themselves than the 99%. nt	Doremus	Oct 2012	#10
i'm guessing	Kelvin Mace	Oct 2012	#9
Comp Sci 101	htuttle	Oct 2012	#12
they stole the money that Citibank stole from the taxpayers during the bailout.	olddad56	Oct 2012	#6
I want to know more about this "security gap"	dixiegrrrrl	Oct 2012	#8
I bet we see...	PopeOxycontinI	Oct 2012	#11
I know it's tantamount to supporting vigilante justice,	Volaris	Oct 2012	#13
Time to send in...	KansDem	Oct 2012	#14

Response to mahatmakanejeeves (Original post)

Wed Oct 31, 2012, 01:01 PM

corkhead (3,989 posts)

1. No honor among thieves

Poor Shitibank

Reply to this post

Response to corkhead (Reply #1)

Wed Oct 31, 2012, 01:04 PM

SoapBox (5,909 posts)

3. You said it!

Reply to this post

Response to mahatmakanejeeves (Original post)

Wed Oct 31, 2012, 01:04 PM

Ikonoklast (21,699 posts)

2. But Republicans that steal BILLIONS can't ever be found.

Reply to this post

Response to mahatmakanejeeves (Original post)

Wed Oct 31, 2012, 01:04 PM

cosmicone (3,428 posts)

4. It is pretty lousy programming.

When one transaction opens, it should lock the account until it is complete before another transaction can be started whether in 60 seconds or not.

Reply to this post

Response to cosmicone (Reply #4)

Wed Oct 31, 2012, 01:17 PM

mikeytherat (6,827 posts)

5. Exactly. Whatever happened to record locking?

That's old school.

mikey_the_rat

Reply to this post

Response to cosmicone (Reply #4)

Wed Oct 31, 2012, 02:03 PM

DoBotherMe (1,778 posts)

7. Can citibank make money in 60 seconds?

That would be a reason to overlook security. Dana ; )

Reply to this post

Response to DoBotherMe (Reply #7)

Wed Oct 31, 2012, 02:27 PM

Doremus (5,161 posts)

10. Or security costs money they'd rather funnel to themselves than the 99%. nt

Reply to this post

Response to cosmicone (Reply #4)

Wed Oct 31, 2012, 02:25 PM

Kelvin Mace (9,904 posts)

9. i'm guessing

based on when I worked installing PCs in banks and got to ask lots of questions of the ATM guys that they are sacrificing security for speed. But, this all begs the question: Why is the source code for ATMs on the net? Didn't Diebold learn anything with the voting machine fiasco?

Reply to this post

Response to cosmicone (Reply #4)

Wed Oct 31, 2012, 05:55 PM

htuttle (21,196 posts)

12. Comp Sci 101

Writing a simple transaction engine that locks the account and avoids issues like this is often one of the class assignments.

Guess the ATM programmers didn't take that class?

Reply to this post

Response to mahatmakanejeeves (Original post)

Wed Oct 31, 2012, 01:44 PM

olddad56 (2,867 posts)