60-Second Cash Kiosk Hackers Steal $1 Million: FBI
Source: Information Week
By Mathew J. Schwartz InformationWeek
October 31, 2012 12:02 PM
The FBI has arrested more than a dozen people on charges that they participated in a gang that stole over $1 million via cash-advance kiosks at 11 casinos and resorts.
According to the FBI, the related indictment, unsealed Friday, said the gang "stole the money by exploiting a gap--which required multiple withdrawals all within 60 seconds--in Citibank's electronic transaction security protocols." The gang predominantly targeted casinos and resorts in Las Vegas and southern California.
....
According to court documents, accused ringleader Ara Keshishyan, 29, recruited other members of the gang to open multiple Citibank checking accounts, which he filled with seed money. "When inside the casino, the conspirators, including Keshishyan, used cash advance kiosks at casinos in California and Nevada to withdraw -- all within 60 seconds -- several times the amount of money deposited into the accounts, by exploiting the Citibank security gap they discovered."
....
Attackers are increasingly using a simple method for finding flaws in websites and applications: They Google them. Using Google code search, hackers can identify crucial vulnerabilities in application code strings, providing the entry point they need to break through application security.
Read more: http://www.informationweek.com/security/attacks/60-second-cash-kiosk-hackers-steal-1-mil/240012604
corkhead
(6,119 posts)
Poor Shitibank
SoapBox
(18,791 posts)
Ikonoklast
(23,973 posts)
cosmicone
(11,014 posts)
When one transaction opens, it should lock the account until it is complete before another transaction can be started, whether in 60 seconds or not.
mikeytherat
(6,829 posts)
That's old school.
mikey_the_rat
DoBotherMe
(2,340 posts)
That would be a reason to overlook security. Dana ; )
Doremus
(7,261 posts)
Kelvin Mace
(17,469 posts)
based on when I worked installing PCs in banks and got to ask lots of questions of the ATM guys that they are sacrificing security for speed. But, this all begs the question: Why is the source code for ATMs on the net? Didn't Diebold learn anything with the voting machine fiasco?
htuttle
(23,738 posts)
Writing a simple transaction engine that locks the account and avoids issues like this is often one of the class assignments.
Guess the ATM programmers didn't take that class?
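The account locking that cosmicone and htuttle describe above, as an added example that is not part of the thread or the article and does not represent Citibank's actual system, whose details the article does not give. The `Account` class, the function names, the amounts, and the delay between balance check and posting are all constructed assumptions.

```python
import threading

class Account:
    """Constructed toy ledger; not modeled on any real bank's system."""
    def __init__(self, balance):
        self.balance = balance
        self.txn_lock = threading.Lock()   # held for a whole transaction
        self.post_lock = threading.Lock()  # makes one debit atomic, nothing more

def withdraw_unlocked(acct, amount, window):
    """Check, wait, post: other requests can pass the check during the wait."""
    if acct.balance < amount:
        return False
    window()  # latency between authorization and posting
    with acct.post_lock:
        acct.balance -= amount
    return True

def withdraw_locked(acct, amount, window):
    """Hold the account lock from the balance check through posting."""
    with acct.txn_lock:
        return withdraw_unlocked(acct, amount, window)

def simulate(withdraw, deposit=1000, amount=1000, requests=5):
    """Fire simultaneous withdrawals; return (approved count, final balance)."""
    acct = Account(deposit)
    barrier = threading.Barrier(requests)
    approved = []

    def window():
        # Worst case: hold each approved request in flight until all are
        # approved, or until the timeout when the others are locked out.
        try:
            barrier.wait(timeout=0.5)
        except threading.BrokenBarrierError:
            pass

    def worker():
        approved.append(withdraw(acct, amount, window))

    threads = [threading.Thread(target=worker) for _ in range(requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(approved), acct.balance

if __name__ == "__main__":
    print("unlocked:", simulate(withdraw_unlocked))  # (5, -4000)
    print("locked:  ", simulate(withdraw_locked))    # (1, 0)
```

Without the transaction lock, every request sees the original balance and is approved; with it, the first request posts before the second is checked, so only one succeeds.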
olddad56
(5,732 posts)
dixiegrrrrl
(60,010 posts)
( pen and paper at the ready....)
PopeOxycontinI
(176 posts)
a lot of this shit after Sandy. Lots of people camping out at unsecured wi-fi spots. Easy for a hacker to get your shit that way.
Volaris
(10,274 posts)
but honestly, I almost can't feel bad for Citibank. Fuck em.
KansDem
(28,498 posts)
Robert De Niro!
Anyone got a hammer?