With a haul of $45 million, it's being billed as possibly the biggest cyber-heist in history. But in reality, experts and authorities say, it was thousands of small but highly coordinated thefts.
As we reported on Thursday, federal prosecutors charged eight people with being the just New York cell of an operation that allegedly encompassed criminal cohorts in 26 countries.
The scheme, according to prosecutors, involved basically two parts:
First, hackers gained access to bank computers and downloaded prepaid debit card data while erasing their withdrawal limits.
Second, they passed the data to numerous "cashers" who cloned the cards and got to work withdrawing millions of dollars from ATMs.
Neither of those things by themselves is terribly unusual, but put them together and it's not quite so common, says Chuck Somers, vice president of core systems and ATM security at Diebold.
For instance, little more than a year ago, Visa and Mastercard were hacked, compromising up to 3 million accounts, Somers points out.
"It's quite possible that these hacks may have been inside jobs," says John Trobough, president of Narus, which handles cybersecurity for governments and commercial enterprises. It could be current or former employees, he says.
As for reproducing debit cards? It's just one component of so-called "skimming," devices are illegally attached to ATM card readers to record the information stored on the magnetic stripe. The cards are then duplicated.
"On a smaller scale, that's so common nowadays that it's barely newsworthy," Somers says.
"Most magnetic stripe cards can be converted to function as ATM cards because the format is an industry standard," says Trobough. "For example, you can use a hotel key as an ATM card if it is properly re-coded."
What's arguably more astounding than accomplishing both the hack and the cloning, is the coordination and the apparent clockwork precision with which the operation was carried out once thieves had cloned the cards.
According to the federal indictment, on one occasion the eight individuals in the New York cell siphoned "at least $2.8 million from more than 750 ATMs in 2.5 hours."
Let's do the math: If all eight were working together, they would have had to hit "at least" one ATM every 96 seconds, averaging $2,333 per withdrawal.
Somers agrees it was well-coordinated. "Does it sound doable? I have no reason to doubt it could be done," he says.
Tom Cross, director of computer security research at Lancope, tells American Public Media's Marketplace that he was surprised by "the coordination of the cash-out network" — in other words, the people running from ATM to ATM.
In an even larger tranche of the master theft, cashers elsewhere (we don't know how many) used 12 card accounts with the withdrawal limits deactivated and got $40 million in 36,000 transactions over a 10-hour period.
More math: That's one withdrawal averaging $1,111 every 10 seconds.
In this second case, it seems fair to assume that many duplicate cards might have been used to speed up the process.
"Surveillance photos of one suspect at various ATMs showed the man's backpack getting heavier and heavier, [U.S. attorney in Brooklyn Loretta] Lynch said, comparing the series of thefts to the caper at the center of the movie Ocean's Eleven."
So, the keys to the crime were inadequate cybersecurity that allowed hackers to penetrate the back-end systems at banks. Better security protocols and more secure networks could solve that problem, experts agree.
"With increased employee oversight and stringent electronic monitoring within the bank, it would be more difficult for this type of theft to occur," says Narus' Trobough.
The second issue is the venerable magnetic stripe, a technology that Jim Pettitt, director of ATM security strategy and planning at Diebold, says has been around since the 1960s.
"Criminal organizations have exploited that pretty extensively and we've seen an upsurge of skimming since 2005," he says.
Encrypted chip technology is more secure. Europe has largely adopted it and the U.S. is "on the on-ramp," he says.
But don't expect that transition to come quickly; Pettitt says it could take a decade.