Cyber-heists: Organised crime's credit card theft rampage
It takes a surprising amount of planning and co-ordination to pull off a major hi-tech heist.
In the old days, someone stealing a credit card - a pickpocket, say - would have just enough time before the card was cancelled to be able to buy a few high-value things, stuff easily resold and turned to cash. A huge pain for everyone concerned, certainly, but it was a small crime: a couple of grand at most.
But in recent years, we've heard of websites, and store-based retailers, falling victim to hackers and losing lists of millions of credit card numbers.
Not the physical cards: simply the numbers. And here was the thing. How did the hackers turn their successful data breach into cold hard cash?
This is an important question, because as organised crime expert Misha Glenny points out, the liberation of millions of credit card numbers has far outstripped the day-to-day robbery of one card at a time.
So how do they do it? How do hackers turn their success in the virtual world into money in the physical one?
The answer, it turns out, involves a remarkable level of international organisation, the coming together for a single project of gangs of criminals, mutually untrusting and anonymous, and the smuggling of huge amounts of cash across borders.
Here's how one heist worked. In late 2012, a group of hackers, so far uncaught, but probably in the Ukraine, broke into a credit card processing system used by Bank Muscat, a large bank in the Middle East.
There they were able to discover the numbers of some prepaid credit cards issued by Bank Muscat, remove the credit limit from the cards, and change their Pin numbers.
Then it gets complicated.
Armed with the numbers usually found on the magnetic stripe on the back of these cards, the hackers were able to go online to various websites dedicated to criminal activity.
As with any online job board, they could use these services to recruit teams of low-level street criminals, smugglers, and money launderers, to come together for this one project.
These sites are like any legitimate website offering freelancers' services: people are reviewed and rated, and their reputations made or ruined by the way they execute their criminal plans.
And so, with teams organised around the world, the hackers were able to send them the mag stripe information.
Credit card making hardware is easy to buy online, as are blank credit cards, so the gangs could make their own cards from the data provided.
And then, on the day of the operation, with the hackers still logged into the computer system and able to watch everything that was going on - making sure they weren't being ripped off themselves - they distributed the Pin numbers and the gangs went to work, walking the streets of their cities and withdrawing money from every ATM they could find.
Keeping their agreed percentage, they passed the money on to other teams, who, in turn, laundered and smuggled it back to the masterminds.
In all, gangs in 26 countries had simultaneously withdrawn $40m (£25m) in more than 36,000 ATM withdrawals.
A magnificent crime - but also one that suggests the way that businesses, legitimate this time, might evolve in the future.
As businesses in the developed, post-industrial world move from physical manufacturing to the creation of digital goods, or to providing services worldwide, there is less and less need to gather people together in one place, or to keep them together once the job has been done.
The future of work seems to be increasingly one of ad hoc groups of freelancers coalescing around a single project, doing the job, rating each other, and then dispersing for the next opportunity.
And it's this sort of organisation that this new generation of cybercriminals have perfected.
So, while we must study these groups in order to catch them, we could also study them to find out how they work.
And while we hope that they don't profit from their crimes, we, in the end, just might.
Cybercrimes with Ben Hammersley is being broadcast on the BBC News Channel, BBC World News and iPlayer.