Skip to main content

    How to steal $40 million in two days

    On February 20th, 2013, a group of criminals stole $40 million from ATMs across the world. The heist came in two parts: first, a quiet hack of a payment processor to raise withdrawal limits on specific cards, then a mad dash to withdraw as much cash as possible before the processor caught on. By the time the processor fixed the hack, criminals had made 26,000 withdrawals across 24 different countries.

    Not all of the cashers knew each other, but they were brought together by the economics of the criminal marketplace. Stealing ATM card information is a major business, and thieves are eager to get as much money as possible for each card. Automated fraud systems mean that thieves will typically only get a single withdrawal before the fraud is spotted — so when a crew of hackers offered to raise that limit in exchange for a share of the loot, there were plenty of people willing to take them up on it.

    The biggest problem is a weakness in the credit card itself. The magnetic stripe on your ATM card is easy to read and easy to clone, making it simple for thieves to steal and stockpile the data. The industry is moving toward smart chips, which are much harder to clone, but every card still comes with the same magnetic stripe. As long as that stripe stays on your debit card, it will be a target for criminals.