One security loophole thieves have learned to exploit is the lack of what is called, in ATM-speak, real-time transactions.
In what is known as the "Gone in 60 Seconds" scam, thieves deposit money and then make coordinated cash-advance withdrawals in various places, all in less than 60 seconds, so the machines essentially regard all of the withdrawals as one transaction.
In October, some 14 people were charged following an FBI-led investigation into the theft of more than $1 million from Citibank using the 60-second scam. The simultaneous transactions at casinos in California and Nevada tricked the system into thinking that they were one transaction. Even on some joint accounts where both partners have cards for the same account, users can often bypass withdrawal limits if the transactions are done at the same time.
"This type of attack might be preventable if ATM networks were able to monitor transactions in real time for unusually large numbers of transactions involving individual cards or cards from the same issuing institution. Unfortunately, that type of infrastructure doesn't exist today, but perhaps it's time to consider creating and implementing it now, especially after this latest attack," said Tom Cross, director of security research at Lancope, a company based in Alpharetta, Georgia, that specializes in flow analysis for security and network performance.
Police Maj. Gen. Pisit Paoin, chief of Thailand's Technology Crime Suppression Division, said in a telephone interview Saturday that Thai police have arrested more than 20 suspects involved in the $45 million cyber heist, including those from Bulgaria, Bangladesh and eastern Europe.
He said that in the latest arrest, in early April, a group of Bangladeshi and Malaysian suspects had been using about 50 cards to withdraw cash from machines in Bangkok for a month and took out about 10 million baht ($336,000).
Thanyarat Doksone from Bangkok, Alison Mutler from Bucharest and Martha Mendoza from San Francisco contributed to this report.