Tens of Suspects Arrested For Cashing-out Santander ATMs Using Software Glitch (zdnet.com)
An anonymous reader writes: The FBI and local police have made tens of arrests across the tri-state area this week as part of a crackdown against multiple criminal gangs who exploited a glitch in the software of Santander ATMs to cash-out more money than was stored on cards. According to reports in local media, the bulk of the arrests took place in Hamilton (20 suspects), across towns in Morris County (19), and Sayreville (11). Smaller groups of suspects were also detained in Bloomfield, Robbinsville, and Holmdel, while reports of suspicious cash-outs were also recorded in Woodbridge, towns across the Middlesex County, Booton, Randolph, Montville, South Windsor, Hoboken, Newark, and even in New York City itself, in Brooklyn. Based on information ZDNet received from a Santander spokesperson, sources in the threat intelligence community, and details released by police departments in the affected towns, criminal gangs appear to have found a bug in the software of Santander ATMs.
the bug works like this (Score:5, Informative)
If you withdraw money, then cancel the transaction but not the ATM session, and withdraw again, you could pull out 2x the amount of money while only doing a balance check once. You could repeat the process until you hit the daily card limit or $1000 for non-Santander bank cards. Obviously carding gangs were running through a deck of cards and some people were caught with over $12000 (!!) on them.
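A defender's view of the sequence described in the comment above, as an added example that is not part of the original post: it replays an ATM journal and flags any session in which cash was dispensed without a live authorization. The journal format and the event names (AUTH, DISPENSE, CANCEL, END) are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict

# Constructed sample journal. The "<session> <event> <amount>" format and the
# event names are assumptions for illustration, not a real ATM log format.
SAMPLE_JOURNAL = """\
S1 AUTH 200
S1 DISPENSE 200
S1 END 0
S2 AUTH 200
S2 DISPENSE 200
S2 CANCEL 0
S2 DISPENSE 200
S2 END 0
S3 AUTH 100
S3 CANCEL 0
S3 AUTH 60
S3 DISPENSE 60
S3 END 0
"""


def parse(journal):
    """Yield (session, event, amount) tuples, skipping blank lines."""
    for line in journal.splitlines():
        if line.strip():
            session, event, amount = line.split()
            yield session, event, int(amount)


def find_unauthorized_dispenses(journal):
    """Map session id -> findings where a dispense exceeded the live authorization."""
    live_auth = defaultdict(int)  # authorized amount not yet consumed, per session
    findings = defaultdict(list)
    for session, event, amount in parse(journal):
        if event == "AUTH":
            live_auth[session] = amount      # one balance check covers one withdrawal
        elif event == "CANCEL":
            live_auth[session] = 0           # a cancel voids whatever was authorized
        elif event == "DISPENSE":
            if amount > live_auth[session]:
                findings[session].append(
                    f"dispensed {amount} with only {live_auth[session]} authorized")
            live_auth[session] = max(0, live_auth[session] - amount)
        elif event == "END":
            live_auth.pop(session, None)
    return dict(findings)


if __name__ == "__main__":
    for session, reasons in find_unauthorized_dispenses(SAMPLE_JOURNAL).items():
        print(session, reasons)
```

Session S3 shows the benign case: a cancel followed by a fresh authorization before the dispense is not flagged.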
Don't take all the bills (Score:3, Interesting)
Re:Don't take all the bills (Score:4, Insightful)
Obviously the answer is both.
If a criminal breaches security, the criminal is arrested for trespassing, and the security provider is, at best, dumped by the client, or at worst, sued by the client or their insurance company.
Re: (Score:2)
Presumably this error would be corrected when the bank balances its books and inspects the transactions.
The only bummer is meantime you have a higher positive balance reported than you actually have and are likely to overdraft.
Re: (Score:2)
But this doesn't seem to involve bank balances. It involves 'stored value' cards
Re: (Score:2)
It is computer fraud. You are hacking the system to expressly attack the computer and make it spit out more money than it should. So a computer crime. Clearly an insider job, that fault might even have been built in on purpose. So many people involved, clearly all planned out and the more people, the easier it is for the authorities, specifically the NSA to listen in and the FBI to arrange for the largest groups to be specifically targeted. Those others, they will get later.
The wire tap information
Re: (Score:3)
"If a criminal breaches security, the criminal is arrested for trespassing, "
Forgetting a 5er in the ATM is trespassing? How do you figure?
Re: (Score:3)
You're right. Taking money by fraud is theft, not trespassing. Typical state law:
CHAPTER 31. THEFT
Sec. 31.01. DEFINITIONS. In this chapter:
(1) "Deception" means:
(A) creating or confirming by words or conduct a false impression of law or fact that is likely to affect the judgment of another in the transaction, and that the actor does not believe to be true; [ tricking the ATM operator regarding the fact of whether the money was received ] ...
Consent is not effective if:
(A) induced by deception ...
THEF
Re: (Score:2)
That's a tricky one. If you knowingly and deliberately pull that trick, it's theft. If you just aren't paying attention and do that, it's not. That is, if you take out $100 and take only 4 of the 5 $20 the machine spits out without noticing, it's just a mis-understanding. Especially if you don't even know that the machine can take the money back and cancel the transaction.
Of course if you do that multiple times and especially at multiple ATMs, you'll look fairly guilty.
Re:Don't take all the bills (Score:5, Insightful)
I came here expecting this comment. "It's not theft if you exploit a technical glitch"
Allow me to offer a counterexample - you leave a window open at your house, and someone sneaks in and steals all your stuff. Should they not be arrested since it was your failure to secure the premises that let them do it?
Heck - let's say your house is locked tight, but they pick the door lock (which is trivially easy unless the lock is outlandishly expensive). Should the lock manufacturer be held responsible rather than the thief?
Taking something that doesn't belong to you is theft - it doesn't matter if you snatch someone's purse off their shoulder, circumvent security, or exploit a software flaw.
Now I would fully expect the bank to hold the ATM manufacturer's feet to the fire - but that's something completely separate from the fact that the people taking the money are thieves.
Scam by deception is theft. Here's the law (Score:4, Insightful)
> It's a scam, not a theft. The difference is that you're convincing someone to make a deal grossly not in their favor under false pretenses
Taking property under false pretenses is theft. Typical state law:
CHAPTER 31. THEFT
Sec. 31.01. DEFINITIONS. In this chapter:
(1) "Deception" means:
(A) creating or confirming by words or conduct a false impression of law or fact that is likely to affect the judgment of another in the transaction, and that the actor does not believe to be true; [ tricking the ATM operator regarding the fact of whether the money was received or whatever ] ...
Consent is not effective if:
(A) induced by deception ...
THEFT. (a) A person commits an offense if he unlawfully appropriates property with intent to deprive the owner of property.
(b) Appropriation of property is unlawful if:
(1) it is without the owner's effective consent;
Re: (Score:2)
Allow me to quote you:
> Robbery is theft in person
>Burglary is theft that required you to enter where you were not authorized
You are correct in both of those
And now the dictionary definition
>Theft. A criminal act in which property belonging to another is taken without that person's consent.
https://legal-dictionary.thefr... [thefreedictionary.com]
Theft is the general term for all such acts. Robbery, burglary, etc. are more precise terms for specific kinds of theft, but they are all still theft.
Re: (Score:2)
Why? These aren't people that accidentally triggered a glitch and took some money without realizing it wasn't theirs - I'd totally agree "just make it right" would be the proper solution in that case.
These are people that knowingly and with premeditation exploited a glitch in order to steal the money. Obviously they need to give the money back, but they *also* need to be punished to discourage them (and others) from doing that sort of thing.
I mean, if the worst case scenario is that you have to give the mo
Re: (Score:2)
Of course you should be arrested, the money isn't yours and you know it. You can be arrested if you FIND money and keep it without attempting to find the rightful owner.
Re: (Score:2)
> You can be arrested if you FIND money and keep it without attempting to find the rightful owner.
That seems unlikely, depending on the circumstances. If you find a wallet with some form of identification that includes a name or address, and you keep the money before returning it, sure, that would be theft. If you find just a $20 bill on the ground somewhere, though, you have no way of knowing who it belongs to, and if someone answers an announcement that you make, they have no way to prove that it's theirs.
Re:Don't take all the bills (Score:4, Funny)
It is still against the law to con a stupid person out of his money.
(If you don't believe me, please send me $5000 in unmarked bills as a test.)
don't change them with hacking as that is an bad p (Score:2)
don't change them with hacking as that is a bad precedent to set. As the last thing that we need is for any bug that lets you get stuff for free / discount can be seen as hacking even when it's done with just the open to any user UI.
Re: (Score:3)
The blame should go to both.
1. There are too many people who are trying to game the system. Normally they try to justify it as "It isn't illegal if..." (whatever safeguards are not there or are broken). If it isn't yours don't take it. It isn't yours unless both parties agree that you may have it. A computer is not qualified to make that agreement.
2. The maker of the systems to these transactions should take the property it holds very seriously and if it found out that it will give out wrong amounts. Th
Re: (Score:3)
> If you do this, should you be arrested or should the blame be on the company that makes the ATM?
If you do it knowingly/premeditatedly then it's a crime. Theft is theft, even if there's a machine in the middle.
Re: (Score:1)
I would expect the refund to take place once the machine has been serviced and the uncollected cash vault emptied and counted.
There would still be an issue if multiple people did this and the bank was unable to determine who took some of the money and who did not.
Shitty summary (Score:5, Interesting)
Is it too much to ask the editors to post a meaningful summary, instead of crap like "tri-state area", and maybe append state names to cities?
While I realize that New Yorkers might think that they're the center of the world, there are a whole lot of tri-state areas in the United States. Given that we're speaking English and most other English speaking countries don't consist of "states," I'll venture that we can assume this is the United States from existing context.
Re: (Score:2)
And they also mentioned the FBI. While they do assist international counterparts from time to time they are mostly a domestic law enforcement agency. But yeah which tri-state area? Lazy editors not editing and also lazy ZDNet, a site that caters to readers all over the world, for not giving more context as well.
Re: (Score:2)
OK, so the FBI reference makes it a US location.
I live on the West Coast, but I graduated in Cambridge, so I know that 'tri-state area' is used in Boston, New York, and Philadelphia, and in each city, they mean a different area.
So the article is still a dumb copy-paste.
Re: (Score:2)
> I live on the West Coast, but I graduated in Cambridge, so I know that 'tri-state area' is used in Boston, New York, and Philadelphia, and in each city, they mean a different area.
What "tri-state area" is there that includes Boston? The closest I've ever heard is Maine, New Hampshire, and Vermont, and that wasn't very commonly used.
Re: (Score:3)
Call me stupid, but I had to skim to halfway through the article to confirm that Santander is a bank. Never heard of them.
Re: (Score:2)
All I know about them is that they had a sponsorship with Ferrari. Never knew what they did, assumed they were foreign.
Re: (Score:2)
Agreed. Until they got to Hoboken, I was just going, "That's nice. Where the hell are these places?" New York City is fairly well-known, but it's a bit much to ask your readers to get to the end of the list before knowing what you're talking about.
Re: (Score:2)
> Is it too much to ask the editors to post a meaningful summary, instead of crap like "tri-state area", and maybe append state names to cities?
Around here, "Tri-state" is the desolate area where the spiky southern endpoint of Nevada comes down between California and Arizona. Central Siberia has a higher population. But since Santander is a Spanish bank whose only presence in the US is in Boston metro, because of the large Portuguese population there, that must be where the article refers to.
If you read European news sources, roughly every other horror story about bank accounts being hacked and money diverted involves Santander. They must get their software and security procedures from Bank of America.
Aren't ALL BUT ONE internal vertices tri-state? (Score:2)
> ... there are a whole lot of tri-state areas in the United States.
No kidding. EVERY intersection of more than two US states is an intersection of three, with the single exception of "four corners" (Colorado, Utah, Arizona, and New Mexico).
Re: (Score:2)
> No kidding. EVERY intersection of more than two US states is an intersection of three, with the single exception of "four corners" (Colorado, Utah, Arizona, and New Mexico).
Did you really post just to say that every intersection of more than 2 states but less than 4 is an intersection of 3 states?
Um.... thanks!
base 10 (Score:3, Funny)
Glad we're moving back to base 10. I hate it when people report numbers as dozens or scores. However, let's use the word for it: decades. It's not just for years.
Re: base 10 (Score:1)
It's really not a good idea using 10s when referring to people though. People hate being treated as metrics.
Re: (Score:2)
Especially in Canada. Have you ever heard a Canadian use the metric system to describe height and weight outside of a doctor's office?
Re: (Score:3)
"People hate being treated as metrics."
90% of people agree!
Object lesson (Score:5, Insightful)
If you want to steal from a bank and not end up in prison, sell them junk mortgage backed securities.
what language was this translated from? (Score:5, Insightful)
Surely it wasn't written in English, at least not by a human.
"Tens" just isn't used, even if it may well be grammatically correct.
Gosh, next we will have "threes of florida men do stupid things", and "sevens of internet bimbos set hair on fire with inane advice", and . . .
hawk, all ones of him
Re: (Score:2)
in which case, the *decent* measure would be "e's e's of . . . " :)
just SOP (Score:1)
How to make ATMs more secure? (Score:2)
Why not write ATM code starting with a blank slate in a modern, more security-prone and less bug-prone language like Rust, open-source it, offer large bounties for finding bugs, then after some period, deploy it?
The incentives seem right. Banks aren't making any profit from purchasing ATMs and they suffer the losses from exploits. Also, their products aren't differentiated enough for customers to really care. So why not cost-share the software development and funding bounties? Big bounties will find bug
What is the "tri-state area"? (Score:2)
Would be nice if the first explanation of where this occurred involved a location that is known outside of 'merica
I got it was in 'merica, as it was an FBI investigation.