ATM hacking spree nets thieves $12.7 million in two hours

They used bank cards cloned from hacked customer data to withdraw money from around 1,400 machines across Japan.


Normally when your data is part of a haul from some security breach your most immediate worry is about how it can be used to steal your identity online. Well, sometimes that information is instrumental in physical heists. On May 15th, a team of hackers coordinated to withdraw $12.7 million from about 1,400 convenience store ATMs across Japan in under two hours.

Authorities think that around 100 people might have coordinated to pull off the theft in Tokyo and 16 prefectures. Based on transaction data from 14,000 convenience store ATMs, they believe hackers stole the data and turned it into 1,600 cloned credit cards. Then used each one to withdraw the daily maximum of 100,000 yen. Japanese authorities are working with their South African counterparts and INTERPOL to track down the culprits.

It's not yet clear how the original thieves got the card data from the South African bank customers, though it could have easily been from ATM skimmers, camouflaged external readers that scan data strips as cards are inserted. Then that data can be sold on the black market and reprinted on counterfeit cards. Researchers have been trying to make forge-proof cards, but using smartphone apps to talk directly with ATMs might be a better option, since it bypasses potential skimmers entirely.