Not exactly criminal masterminds, but the three Ukrainian nationals busted for stealing PINs and debits, creating false cards, and pocketing the cash did have a pretty good run. And reading the legal documents on the case in the U.S. Eastern District Court offers a handful of lessons about ATM fraud and pre-paid card fraud—including the value of rotating your wardrobe.
First, some of the facts in the case: three Ukrainians are charged with using fraudulent debit cards they used to withdraw hundreds of thousands of dollars from Citibank, WaMu and other bank ATMs in New York City. The thefts appear to begin in the fall of 2007, and ended in early 2008 when law enforcement pulled the plug on the ring.
Sometimes, your lucky shirt is not so lucky. On October, 1, 2007, a man later identified as Yuri Ryabinin is caught on surveillance video making 12 ATM withdrawals totalling just under $10k at a WaMu branch in Brooklyn, NY, wearing a tan sweatshirt with a dark blue or black front panel and dark trim at the zipper and collar. Same individual, same clothes, is also seen on other neighborhood bank videos making large withdrawals that night. About five months later, same guy is spotted making more suspect withdrawals at a Citibank branch, wearing the same sweatshirt. Ryabinin was also traced via his ICQ ID number to a Website for ham radio enthusiasts, where there’s a picture of him—taken five years earlier—wearing the same sweatshirt. The thought of Ryabinin wearing the same aged sweatshirt for all his exploits, and being identified thanks in part to its familiarity, is only more amusing when you learn that the FBI seized more than $800k in cash and his paid-for Mercedes when they arrested him and his wife at their Brooklyn home this spring.
ATM servers remain a serious vulnerability. Ryabinin’s enterprise has been traced to a hack that stole card and PIN data as it traveled the connection between ATMs and third party processors. This weakness is widespread, says Jim Stickley of TraceSecurity, noting that his company has uncovered thousands of unpatched ATM processing servers during routine compliance inspections. Says analyst Avivah Litan of Gartner, “I don’t think we can point fingers to any one party here — but we can say the security system in place for ATMs is essentially broken. There have been too many large breaches of PIN ATM/debit cards in the last two to three years to claim the existing security protocols are adequate.”
Finally, $5 million can disappear, overnight. On Oct. 3, 2007, First Bank of St. Louis notified the Secret Service that four iWire prepaid debit MasterCard accounts were compromised and fraudsters around the world—including Ryabinin in his lucky sweatshirt — made some 9,000 withdrawals or attempts netting approximately $5 million in ATM cash, all within a 24-hour period from Sept. 30 to Oct. 1, 2007. (c) 2008 Bank Technology News and SourceMedia, Inc. All Rights Reserved. http://www.banktechnews.com http://www.sourcemedia.com