Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Businesses Crime Technology

Tens of Suspects Arrested For Cashing-out Santander ATMs Using Software Glitch (zdnet.com) 59

An anonymous reader writes: The FBI and local police have made tens of arrests across the tri-state area this week as part of a crackdown against multiple criminal gangs who exploited a glitch in the software of Santander ATMs to cash-out more money than was stored on cards. According to reports in local media, the bulk of the arrests took place in Hamilton (20 suspects), across towns in Morris County (19), and Sayreville (11). Smaller groups of suspects were also detained in Bloomfield, Robbinsville, and Holmdel, while reports of suspicious cash-outs were also recorded in Woodbridge, towns across the Middlesex County, Booton, Randolph, Montville, South Windsor, Hoboken, Newark, and even in New York City itself, in Brooklyn. Based on information ZDNet received from a Santander spokesperson, sources in the threat intelligence community, and details released by police departments in the affected towns, criminal gangs appear to have found a bug in the software of Santander ATMs.
This discussion has been archived. No new comments can be posted.

Tens of Suspects Arrested For Cashing-out Santander ATMs Using Software Glitch

Comments Filter:
  • by Anonymous Coward on Friday August 21, 2020 @10:36AM (#60426713)

    if you withdraw money, then cancel the transaction but not the ATM session, and withdraw again, you could pull out 2x the amount of money while only doing a balance check once. you could repeat the process until you hit the daily card limit or $1000 for non santandar bank cards. obviously carding gangs were running through a deck of cards and some people were caught with over $12000 (!!) on them

  • by ngufra ( 3892071 ) on Friday August 21, 2020 @10:42AM (#60426739)
    This story reminds me of a security conference at microsoft i went to many years ago. The presenter was explaining that there was an ATM where after it spills the notes, if you don't take them, after a timeout, it brings them back and re credits your account but only counts them _before_ dispensing; so if you ask for $100, take all but one note, it will bring the last note back in an credit you back for the full $100 but you keep the $80. If you do this, should you be arrest or should the blame be on the company that makes the ATM?
    • by Anonymous Coward on Friday August 21, 2020 @10:49AM (#60426765)

      Obviously the answer is both.

      If a criminal breaches security, the criminal is arrested for trespassing, and the security provider is, at best, dumped by the client, or at worst, sued by the client or their insurance company.

      • presumably this error would be corrected when the bank balances it's books and inspects the transactions.
        The only bummer is meantime you have a higher postive balanced reported then you actually have and are likely to overdraft.

        • by bws111 ( 1216812 )

          But this doesn't seem to involve bank balances. It involves 'stored value' cards

          • by rtb61 ( 674572 )

            It is computer fraud. You are hacking the system to expressly attack the computer and make it spit out more money than it should. So a computer crime. Clearly an insider job, that fault might have even have been built in on purpose. So many people involved, clearly all planned out and the more people, the easier it is for the authorities, specifically the NSA to listen on in and the FBI to arrange for the largest groups to be specifically targeted. Those others, they will get latter.

            The wire tap information

      • "If a criminal breaches security, the criminal is arrested for trespassing, "

        Forgetting a 5er in the ATM is trespassing? How do you figure?

        • You're right. Taking money by fraud is theft, not trespassing. Typical state law:

          CHAPTER 31. THEFT

          Sec. 31.01. DEFINITIONS. In this chapter:
          (1) "Deception" means:

          (A) creating or confirming by words or conduct a false impression of law or fact that is likely to affect the judgment of another in the transaction, and that the actor does not believe to be true; [ tricking the ATM operator regarding the fact of whether the money was received ] ...
          Consent is not effective if:

          (A) induced by deception ...

          THEF

          • by sjames ( 1099 )

            That's a tricky one. If you knowingly and deliberately pull that trick, it's theft. If you just aren't paying attention and do that, it's not. That is, if you take out $100 and take only 4 of the 5 $20 the machine spits out without noticing, it's just a mis-understanding. Especially if you don't even know that the machine can take the money back and cancel the transaction.

            Of course if you do that multiple times and especially at multiple ATMs, you'll look fairly guilty.

    • by Immerman ( 2627577 ) on Friday August 21, 2020 @10:54AM (#60426791)

      I came here expecting for this comment. "It's not theft if you exploit a technical glitch"

      Allow me to offer a counterexample - you leave a window open at your house, and someone sneaks in and stealsall your stuff. Should they not be arrested since it was your failure to secure the premises that let them do it?

      Heck - lets say your house is locked tight, but they pick the door lock (which is trivially easy unless the lock is outlandishly expensive). Should the lock manufacturer be held responsible rather than the thief?

      Taking something that doesn't belong to you is theft - it doesn't matter if you snatch someone's purse off their shoulder, circumvent security, or exploit a software flaw.

      Now I would fully expect the bank to hold the ATM manufacturers feet to the fire - but that's something completely separate from the fact that the people taking the money are thieves.

      • by Anonymous Coward
        Snatching a purse off of someone's shoulder isn't theft. Theft is stealing when nobody is there. Burglary is theft that required you to enter where you were not authorized (like breaking in or sneaking in a window). Robbery is theft in person. Taking someone's purse off of their shoulder is robbery plain and simple. Not theft.
        • Allow me to quote you:
          > Robbery is theft in person
          >Burglary is theft that required you to enter where you were not authorized
          You are correct in both of those

          And now the dictionary definition
          >Theft. A criminal act in which property belonging to another is taken without that person's consent.
          https://legal-dictionary.thefr... [thefreedictionary.com]

          Theft is the general term for all such acts. Robbery, burglary, etc. are more precise terms for specifc kinds of theft, but they are all still theft.

    • by bws111 ( 1216812 )

      Of course you should be arrested, the money isn't yours and you know it. You can be arrested if you FIND money and keep it without attempting to find the rightful owner.

      • You can be arrested if you FIND money and keep it without attempting to find the rightful owner.

        That seems unlikely, depending on the circumstances. If you find a wallet with some form of identification that includes a name or address, and you keep the money before returning it, sure, that would be theft. If you find just a $20 bill on the ground somewhere, though, you have no way of knowing who it belongs to, and if someone answers an announcement that you make, they have no way to prove that it's theirs.

    • by Darinbob ( 1142669 ) on Friday August 21, 2020 @11:30AM (#60426941)

      It is still against the law to con a stupid person out of his money.

      (If you don't believe me, please send me $5000 in unmarked bills as a test.)

    • don't change them with hacking as that is an bad precedent to set. As the last thing that we need is for any bug that let's you get stuff for free / discount can be seen as hacking even when it's done with just the open to any user UI.

    • The blame should go to both.
      1. There are too many people who are trying to game the system. Normally they try to justify it as It isn't illegal if... (what ever safeguards are not there or are broken) If it isn't yours don't take it. It isn't yours unless both parties agree that you may have it. A computer is not qualified to make that agreement.

      2. The maker of the systems to these transactions should take the property it holds very seriously and if it found out that it will give out wrong amounts. Th

    • If you do this, should you be arrest or should the blame be on the company that makes the ATM?

      If you do it knowingly/premeditatedly then it's a crime. Theft is theft, even if there's a machine in the middle.

    • by markxz ( 669696 )

      I would expect the refund to take place once the machine has been serviced and the uncollected cash vault emptied and counted.

      There would still be an issue if multiple people did this and the bank was unable to determine who took some of the money and who did not.

  • Shitty summary (Score:5, Interesting)

    by Balthisar ( 649688 ) on Friday August 21, 2020 @10:44AM (#60426743) Homepage

    Is it too much to ask the editors to post a meaningful summary, instead of crap like "tri-state area", and maybe append state names to cities?

    While I realize that New Yorker's might think that they're the center of the world, there are a whole lot of tri-state areas in the United States. Given that we're speaking English and most other English speaking countries don't consist of "states," I'll venture that we can assume this is the United States from existing context.

    • And they also mentioned the FBI. While they do assist international counterparts from time to time they are mostly a domestic law enforcement agency. But yeah which tri-state area? Lazy editors not editing and also lazy Zdnet, a site that caters to readers all over the world, for not giving more context as well.

      • by Tuidjy ( 321055 )

        OK, so the FBI reference makes it an US location.

        I live on the West Coast, but I graduated in Cambridge, so I know that 'tri-state area' is used in Boston, New York, and Philadelphia, and in each city, they mean a different area.

        So the article is still a dumb copy-paste.

        • I live on the West Coast, but I graduated in Cambridge, so I know that 'tri-state area' is used in Boston, New York, and Philadelphia, and in each city, they mean a different area.

          What "tri-state area" is there that includes Boston? The closest I've ever heard is Maine, New Hampshire, and Vermont, and that wasn't very commonly used.

    • by PCM2 ( 4486 )

      Call me stupid, but I had to skim to halfway through the article to confirm that Santander is a bank. Never heard of them.

      • All I know about them is that they had a sponsorship with Ferrari. Never knew what they did, assumed they were foreign.

    • Agreed. Until they got to Hoboken, I was just going, "That's nice. Where the hell are these places?" New York City is fairly well-known, but it's a bit much to ask your readers to get to the end of the list before knowing what you're talking about.

    • Most Americans have a pizza view of the world. The USA is in the middle and you fall off the edge just barely beyond the borders.
    • Is it too much to ask the editors to post a meaningful summary, instead of crap like "tri-state area", and maybe append state names to cities?
      Around here, "Tri-state" is the desolate area where the spiky southern endpoint of Nevada comes down between California and Arizona. Central Siberia has a higher population. But since Santander is a Spanish bank whose only presence in the US is in Boston metro, because of the large Portuguese population there, that must be where the article refers to.

      If you read European news sources, roughly every other horror story about bank accounts being hacked and money diverted involves Santander. They must get their software and security procedures from Bank of America.

    • ... there are a whole lot of tri-state areas in the United States.

      No kidding. EVERY intersection of more than two US states is an intersection of three, with the single exception of "four corners" (Colorado, Utah, Arizona, and New Mexico).

      • by Corbets ( 169101 )

        ... there are a whole lot of tri-state areas in the United States.

        No kidding. EVERY intersection of more than two US states is an intersection of three, with the single exception of "four corners" (Colorado, Utah, Arizona, and New Mexico).

        Did you really post just to say that every intersection of more than 2 states but less than 4 is an intersection of 3 states?

        Um.... thanks!

  • base 10 (Score:3, Funny)

    by mschaffer ( 97223 ) on Friday August 21, 2020 @10:46AM (#60426753)

    Glad were moving back to base 10. I hate it when people report numbers as dozens or scores. However, let's use the word for it: decades. It's not just for years.

    • Its really not a good idea using 10s when referring to people though. People hate being treated as metrics.

      • Especially in Canada. Have you ever heard a Canadian use the metric system to describe height and weight outside of a doctor's office?

      • by Jhon ( 241832 )

        "People hate being treated as metrics."

        90% of people agree!

  • Object lesson (Score:5, Insightful)

    by PPH ( 736903 ) on Friday August 21, 2020 @11:24AM (#60426925)

    If you want to steal from a bank and not end up in prison, sell them junk mortgage backed securities.

  • by hawk ( 1151 ) <hawk@eyry.org> on Friday August 21, 2020 @12:10PM (#60427107) Journal

    Surely it wasn't written in English, at least not by a human.

    "Tens" just isn't used, even if it may well be grammatically correct.

    Gosh, next we will have "threes of florida men do stupid things", and "sevens of internet bimbos set hair on fire with inane advice", and . . .

    hawk, all ones of him

    • I thought that was pretty odd too. I wouldz have expected the author to use 'dozens' instead of 'tens'. Maybe he was raised on common core mathematics and feels the need to explicitly declare his base unit.
  • FBI does the same thing whenever my bank overcharges me. What's the big deal...?
  • Why not write ATM code starting with a blank slate in a modern, more security-prone and less bug-prone language like Rust, open-source it, offer large bounties for finding bugs, then after some period, deploy it?

    The incentives seem right. Banks aren't making any profit from purchasing ATMs and they suffer the losses from exploits. Also, their products aren't differentiated enough for customers to really care. So why not cost-share the software development and funding bounties? Big bounties will find bug

  • Would be nice if the first explanation of where this occured, involved a location that is known outside of 'merica

    I got it was in 'merica, as it was an FBI investigation.

Time is the most valuable thing a man can spend. -- Theophrastus

Working...