Same Shirt, Different Heist (Ukrainians stole $800,000 from ATMs)
Posted on 08/16/2008 10:54:33 AM PDT by dennisw
Not exactly criminal masterminds, but the three Ukrainian nationals busted for stealing PINs and debits, creating false cards, and pocketing the cash did have a pretty good run. And reading the legal documents on the case in the U.S. Eastern District Court offers a handful of lessons about ATM fraud and pre-paid card fraud, including the value of rotating your wardrobe.
First, some of the facts in the case: three Ukrainians are charged with using fraudulent debit cards to withdraw hundreds of thousands of dollars from Citibank, WaMu and other bank ATMs in New York City. The thefts appear to have begun in the fall of 2007 and ended in early 2008, when law enforcement pulled the plug on the ring.
Sometimes, your lucky shirt is not so lucky. On October 1, 2007, a man later identified as Yuri Ryabinin is caught on surveillance video making 12 ATM withdrawals totalling just under $10k at a WaMu branch in Brooklyn, NY, wearing a tan sweatshirt with a dark blue or black front panel and dark trim at the zipper and collar. Same individual, same clothes, is also seen on other neighborhood bank videos making large withdrawals that night. About five months later, same guy is spotted making more suspect withdrawals at a Citibank branch, wearing the same sweatshirt. Ryabinin was also traced via his ICQ ID number to a Website for ham radio enthusiasts, where there's a picture of him, taken five years earlier, wearing the same sweatshirt. The thought of Ryabinin wearing the same aged sweatshirt for all his exploits, and being identified thanks in part to its familiarity, is only more amusing when you learn that the FBI seized more than $800k in cash and his paid-for Mercedes when they arrested him and his wife at their Brooklyn home this spring.
ATM servers remain a serious vulnerability. Ryabinin's enterprise has been traced to a hack that stole card and PIN data as it traveled the connection between ATMs and third party processors. This weakness is widespread, says Jim Stickley of TraceSecurity, noting that his company has uncovered thousands of unpatched ATM processing servers during routine compliance inspections. Says analyst Avivah Litan of Gartner, "I don't think we can point fingers to any one party here but we can say the security system in place for ATMs is essentially broken. There have been too many large breaches of PIN ATM/debit cards in the last two to three years to claim the existing security protocols are adequate."
Finally, $5 million can disappear, overnight. On Oct. 3, 2007, First Bank of St. Louis notified the Secret Service that four iWire prepaid debit MasterCard accounts were compromised and fraudsters around the world, including Ryabinin in his lucky sweatshirt, made some 9,000 withdrawals or attempts netting approximately $5 million in ATM cash, all within a 24-hour period from Sept. 30 to Oct. 1, 2007. (c) 2008 Bank Technology News and SourceMedia, Inc. All Rights Reserved. http://www.banktechnews.com http://www.sourcemedia.com
He had his good luck sweatshirt and wore it for every ATM rip off...made him easy to identify
“ATM servers remain a serious vulnerability. Ryabinin's enterprise has been traced to a hack that stole card and PIN data as it traveled the connection between ATMs and third party processors.”
In other words the banks didn’t have the data encrypted when it left the ATM. Pretty stupid of them.
That is about $833 per withdrawal. Most banks will let you set a lower limit. I set a limit for $300 per 24 hour period. The weakest link is a store terminal, not the bank's servers.
Yep, screams “lucky shirt” syndrome ‘cept all the luck had been washed out, it would appear.
His lucky sweatshirt.
In April, Miami Beach police busted a ring of Bulgarian nationals who’d allegedly been planting skimmers on area ATMs for two years. The gang installed pin-hole cameras in the ceiling of the ATM to record the PIN numbers. They allegedly used the stolen data to pull more than $160,000 from bank customer accounts in the span of just two weeks last February.
The Secret Service took over the Miami Beach case, and the four defendants were each released on a $100,000 cash and signature bond. Three, including alleged ringleader Nikolai Hristov Arabov, jumped bail and went on the lam last month.
Yeah but just happens to have $800,000 lying around in his apartment
He and a co-defendant "received over the internet information related to Citibank customers, which information had previously been stolen from Citibank," according to an indictment (.pdf) in the case.
Plenty prison time for that too
“Encryption can still be broken”
In other stories it was stated the connections had NO encryption.
“In fact with more powerful computers today, it is even easier.”
A standard encryption (AES 256) is beyond the brute force capabilities of most individuals and would take a significant amount of time.
You can bet they were warned but heeding the warning would have cost more... or so they thought.
“You can bet they were warned but heeding the warning would have cost more... or so they thought.”
Most of the bigger banks are pretty secure nowadays. The problem usually lies with one of their vendors who cut costs to keep prices down. Banks are supposed to make sure their vendors comply with security regulations but enforcement is weak and is highly dependent on the vendor's honesty.
Encrypted, but probably ancient DES. Just enough encryption to prevent just anybody from tapping the phone line and copying verbatim, basically. Stops “normal” people but woefully inadequate today with the crooks these days.