Tuesday, May 24, 2016

"Unlimited" ATM attack in Japan against South Africa's Standard Bank

We've written about Unlimited ATM attacks in this blog many times in the past, from 2008 until just a few months ago, but this newest attack is the first to feature Japanese ATM machines, to my knowledge.  In the early morning hours of 15MAY2016, at least 100 criminals visited at least 1,400 ATM machines and used a set of counterfeit ATM cards, cloned to correspond with accounts at Standard Bank in South Africa, to do the maximum 100,000 Yen withdraw ($913USD or £629) . . . about 14,000 times!

Standard Bank has confirmed the robbery to South African media that the event occurred, and has estimated the damage to the bank at around R200m (200 million South African Rand, or about $12.7M USD or about 1.4 billion Japanese Yen).  But is it truly an "Unlimited" attack?

The story was first reported in the 22MAY2016 Mainichi Daily News as "1.4 billion yen stolen from 1,400 convenience store ATMs across Japan".  The ATM machines are located in 7-Eleven convenience stores throughout Tokyo and 16 prefectures around the country.  The ATM machines in 7-Eleven stores in Japan are part of the bank network associated with Seven Bank.  Seven Bank's website invites international visitors to Japan to use their ATMs at 7-Eleven stores "Day or Night" which may be part of the appeal to these criminals.

www.sevenbank.co.jp/intlcard/index2.html


Several unique things happened in this account.  In previous "Unlimited" attacks, a very small number of accounts have had a related debit card "cloned" by making an exact copy of the magnetic stripe of the card.  In the past, an intruder onto the bank's network has been able to adjust the daily withdrawal limits of the cards, and reverse transactions, so that the same account could be used to perform hundreds or thousands of withdrawals.  The attacks are referred to as "Unlimited" attacks because a single account with a very small balance could be used to front millions of dollars worth of transactions, because each transaction is immediately reversed by the intruders who monitor the carefully orchestrated attack.  In the case of the most famous Unlimited attack, "The $9 Million World-Wide Bank Robbery", forty-four accounts were used to withdraw funds from 2,100 ATM machines in at least 280 cities around the world in a single evening.

In this case, it is not clear if this is what happened, primarily because the published reports say that at least 1,600 Standard Bank customers' accounts were used to perform the transactions. If this is true, with an estimate of 100 criminals involved in the "cash-out" portion of this robbery, that means on the average each criminal had access to 16 accounts that were unique to that criminal.  Also, with 1600 accounts in play, that means the average account holder's account would only have faced $7900 USD in charges.  This, however, contradicts the description of events that the BBC quotes, when it says that Standard Bank reported that "a small number" of fake cards were used in the event.  (The BBC article also places Standard Banks' estimated lossed at $19.25m, which, if you do the math, shows they chose the higher of the two contradictory values being reported in South Africa of either R200m or R300m.  R200m matches all of other figures being thrown about, while R300m is 50% higher.)

In my humble opinion, I believe that a journalist not versed in this type of cybercrime heard that 1600 counterfeit cards were used and assumed that they must belong to 1600 customers.  The key difference, and the most important with regards to Standard Bank, is that in a true "Unlimited" attack, the criminals would need to be controlling ATM accounts and logs INSIDE the Standard Bank network with administrator-level privileges. 

The Japan Times say "Japanese police have put suspects belonging to a Malaysian group on an international wanted list" relating to this event.  In reports from 2014, Japanese officials say that Chinese students are often used as money mules in Japan for withdrawing cash on behalf of organized cyber criminals, in much the same way that Russian money mules are used to withdraw cash from American banks.

No comments:

Post a Comment

Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.