Information Security News mailing list archives

Previous By Date Next
Previous By Thread Next

ATM heist clears $1 million exploiting Citigroup e-payment flaw

From: InfoSec News <alerts () infosecnews org>
Date: Wed, 31 Oct 2012 01:50:44 -0500 (CDT)
http://arstechnica.com/security/2012/10/atm-heist-clears-1-million-exploiting-citigroup-e-payment-flaw/

By Dan Goodin
Ars Technica
Oct 30 2012
Federal authorities said they uncovered an advanced bank heist that defrauded Citigroup of more than $1 million by exploiting a security loophole in the way it handles electronic payments.
The scam worked by simultaneously withdrawing funds from cash advance kiosks maintained in at least 11 casinos located in California and Nevada, according to an indictment unsealed late last week in federal court in San Diego. Alleged ringleader Ara Keshishyan recruited at least 13 people to make transactions from different kiosks in each location. To exploit the weakness, the multiple advance requests had to be near identical and had to be made in the same 60-second window, FBI officials said in a press release.
"In order to obtain the case, the conspirators exploited a loophole in Citi's account security protocols, which caused Citi's account reconciliation systems to treat identical, near-simultaneous withdrawals as duplicates of a single withdrawal from an individual Citi Checking account," prosecutors alleged in the indictment. "In exploiting this loophole, the conspirators withdrew identical sums of money in succession from a single Citi checking account all within a specific time window. This allowed the conspirators to fraudulently withdraw several times the amount of money deposited into each account."
The defendants obtained more than $1 million from Citigroup, prosecutors said. To conceal the scam, they kept withdrawal below $10,000 to avoid federal transaction reporting requirements. The kiosks were operated by Global Cash Access, a Las Vegas-based financial transaction services company. They allow casino patrons to get cash that's held in personal banking accounts. The Citigroup loophole has been closed, The Press-Enterprise reported. 

[...]


______________________________________________
Visit the InfoSec News Security Bookstore
Best Selling Security Books and More!
http://www.shopinfosecnews.org
Previous By Date Next
Previous By Thread Next

Current thread: