Crews in two dozen countries set out over 10 hours, withdrawing $40 million in cash in 36,000 transactions. About $2.4 million was taken from ATMs in New York.
The thieves, according to the indictment, took a variety of steps to dispose of the money.
One defendant allegedly deposited nearly $150,000 worth of $20 bills in a bank branch in Miami. Others allegedly bought expensive items such as Rolex watches and a Mercedes SUV.
Authorities from around the world, from Canada to Thailand, were involved in the investigation. The defendants in New York could each face 17 1
2 years in prison and up to $250,000 fines if convicted.
Henry Schwarz, a security expert who provides consulting to ATM companies, said the main vulnerability lay with the networks that were penetrated by hackers. He said it is extremely difficult to break into a network and obtain a regular customer’s four-digit personal identification number.
“The vulnerability was the ability to hack into the card processors’ servers,” he said. With a PIN, he said, “it’s very difficult because a PIN is stored by the card issuer in a heavily fortified” server.
Brian Riley, senior research director at CEB TowerGroup, said that although most people would suffer a terrible inconvenience, they would be protected if their ATMs were hacked.
“There’s no doubt it will be a major inconvenience to get your way through this,” he said. “Consumers are generally protected by the terms and agreements they signed up for with the card.”
He added that there will always be growing threats as companies seek to broaden access to financial transactions through new technologies.
“The first thing the card business is trying to do is to make it easier for people to transact,” Riley said. “As you do that, you’re opening up new areas to get attacked in. You’re opening up new vulnerabilities that never existed.”