In The News The Nitty Gritty

Money For Nothing


A few weeks ago, a story broke about arrests made related to a series of incredible ATM heists. A group of criminals struck twice, in over 25 countries and took in over $45 million. The thefts were incredible, not only because they took in so much money, but also because of how well-executed they were, with the thieves striking quickly and efficiently, in so many cities across the globe. How were they able to do this?

They began with prepaid debit cards. Computer hackers hacked into the systems of two prepaid debit card processors and stole debit card numbers. The first time they stole five prepaid debit card numbers from a processor in India and the second time they stole twelve account numbers from a United States based processor. After stealing the numbers, they raised the limits on the debit cards, or removed them completely. This was possible, in part, because prepaid debit cards start out as a blank slate, unconnected to an individual’s account. The limits are set by the amount of cash paid into the account. This information is what was manipulated by the hackers. The hackers then sent the card information to their team members who were scattered around in over 25 countries around the world.

In the same way that a hotel programs a key card for a guest’s room, these criminals programmed the magnetic strips on blank cards, using a machine known as a skimmer, and cloned the prepaid debit cards. In fact, even hotel key cards can be used to clone debit or credit cards, as the technology used to create bank cards is the same technology used to make hotel room cards – not very comforting, is it? Finally, armed with cloned prepaid seemingly limitless debit cards, teams went out onto the streets and withdrew cash. A  lot of cash. During the first heist, using five prepaid numbers, the thieves withdrew $5 million from ATMs in 20 countries. During the second heist, using twelve prepaid accounts, the thieves withdrew $40 million from ATMs in 26 countries in under 10 hours. This is not the first time that this has occurred – theft using prepaid debit card information has happened several times – but this is the grandest scale to date. In a highly coordinated and organized action, the teams of people went from ATM to ATM, swiftly withdrawing funds. They knew which ATMs had the highest maximum withdrawal limits and they knew the most efficient routes to take in order to maximize their intake in the least amount of time. The New York Times reported that from the ATM cameras, one can see a crew member’s backpack getting heavier and heavier, as he went from one machine to the next. There is something to be said for the criminal network; reporting on the shutdown of Liberty Reserve stated that the ATM thieves laundered some of their ill-gotten gains through the shady currency exchange business. When MasterCard, noticed that something was amiss with their prepaid debit cards, they contacted the Secret Service who, among other things, investigates various financial crimes.

The thieves likely targeted prepaid debit cards because of several weaknesses that they were able to exploit. Regular debit cards are connected to a person’s checking account meaning, generally, that a thief is limited to stealing the victim’s checking account balance and not much more than that. A credit card, though a thief can try to go to town with it, is connected to individuals who will notice pretty quickly if a lot of money is taken out of their account. Also, because credit cards come with the history of the user, credit card companies tend to flag them if they notice behavior that is out of the ordinary. The prepaid debit card is a different animal. Prepaid debit cards are a very convenient way for people, who do not wish or are unable to use bank accounts, to go cashless. For a small fee, cash is simply loaded onto a card that will then work as a regular debit card, until the money pre-loaded onto the card is used up. Because it is not connected to a person’s account or spending history, if this card is manipulated, it will take a while before anyone notices that something is amiss.

Because of the nature of the prepaid debit card – that it is not connected to an individual’s account – the thieves needed to steal only a few numbers and raise the limits on a few cards to very high levels. Because only a few were taken, again, it decreased the risk of the theft being immediately noticed. When credit or regular debit cards are stolen, thieves tend to have to steal great numbers of them if they want to make a lot of money out of them. Once a lot of cards are stolen, the chances that someone will notice go up a lot.

As I mentioned before, debit and credit card technology itself is not secure. The magnetic strip technology used on credit and debit cards in the US, is the same technology used to program hotel room keys. The technology has not changed in decades and the machines used to clone credit and debit cards can be bought for $25. The US is the only nation in the G-20 that still uses this magnetic strip technology. The other members use newer chip technology that is more secure.

There are several benefits to the prepaid debit card, some of which are:

  • They can be cheaper for some than having to pay all the fees involved in having a bank account;
  • Despite the skimming and cloning risk, they tend to be safer than holding large amounts of cash;
  • They are good for travel, especially since traveler’s checks are no longer as widely accepted as they used to be and debit cards can be used wherever credit cards are accepted;
  • They are great gift cards as they are not limited to a particular vendor.

One challenge for the issuers and processors of these prepaid debit cards is to make them more secure so that they do not end up losing more and more money to heists such as these ones. Though US banks may believe that newer card technology is too expensive, as thieves steal more and more, they may decide that the benefits of the technology outweigh its costs.  There is also the challenge of protecting the banks and processors against hackers. There have been arrests of the team members who made the ATM withdrawals, and one has even been found shot dead, however the hackers are still at large. They are probably the most dangerous, for without them the prepaid debit account information could not have been stolen and manipulated. That is an ongoing battle that financial institutions and law enforcement fight; as our systems become more sophisticated, so too do cyber criminals.

Where We Are

The Big Secret


Just about any time people talk about the United States Secret Service, they speak about it in connection with its protection of Presidents and other prominent political figures. Almost never do people speak about the Secret Service’s other mandate, which actually turns out to have been its original mandate. Let me tell you a little about it.

Back in the 1800s, the US financial system looked nothing like it does now. Each state issued its own currency through its local banks. Therefore, New York currency was different from Minnesota currency, and so on. Because there were so many different types of legal currency, opportunities for counterfeiting were rife and taken. By the time Abraham Lincoln was president, more than a third of the currency in circulation was counterfeit. So, upon the advice of Hugh McColloch, the Secretary of Treasury at the time, Lincoln established a commission to put a stop to the rampant counterfeiting. On 14 April 1865, Lincoln created the United States Secret Service to carry out the recommendations of the commission. If 14 April 1865 seems like a familiar date to you, it is because on the evening of 14 April 1865, the same day that the Secret Service was established, Abraham Lincoln was assassinated. The Secret Service officially started work on 5 July 1865 and its mission was to suppress the counterfeiting of currency. By 1867, this mission had been expanded to include “detecting persons perpetrating frauds against the government”.

Although the assassination of Abraham Lincoln got congress thinking about adding presidential protection to the list of duties performed by the Secret Service, it was not until 1901, 36 years later, that this happened. In that time, two more presidents, James Garfield and William McKinley, were assassinated.

Since 1901, therefore, the Secret Service has had two areas of responsibility – its original area of preventing and investigation financial crimes and its second area of the protection of national leaders. It is in the area of financial crimes where you are likely to find forensic accounting experts active in the Secret Service. These forensic accountants may serve as Secret Service special agents or as unarmed professionals. In either case, the forensic accountant will provide valuable expertise in the investigation of financial crimes. After September 11, 2001, the Patriot Act expanded the Secret Service’s role in investigating cyber-crime. Also, in 2003, the Secret Service was transferred from the Treasury Department to the then newly established Department of Homeland Security, where it remains still.

Financial crime cases investigated by the Secret Service run the gamut from credit and debit card fraud, Federal Deposit Insurance Corporation (FDIC) investigations (that’s the body that insures your bank deposits), some organized crimes and, of course, counterfeiting currency, Treasury bills and other government financial documents. Between 2003 and 2008, among its many successes, the Secret Service seized almost $300 million in counterfeit currency.  The Secret Service has even set up shop to bring Nigerian confidence scammers to justice.

So, when you see those agents in their suits with their ear pieces and sunglasses, providing physical protection, remember that there is so much more going on with them. Their secret service extends to protecting our financial systems, in roles where you are very likely to find qualified financial forensics professionals at work.