The Biggest Digital Heist in History Isn’t Over Yet (bloomberg.com)
161 points by wp381640 on June 26, 2018 | hide | past | favorite | 89 comments


One interesting bit is the "laundering through a bitcoin warehouse he bought in China".

I suspect this is actually a Bitcoin mining farm:

In goes dirty money, to buy mining hardware in bulk.

Out comes fresh, never-transacted-with Bitcoin block rewards.

It is fairly hard for authorities to trace the wash: in Bitcoin land, block rewards are the least-tainted kind of coins.


> It is fairly hard for authorities to trace the wash: in Bitcoin land, block rewards are the least-tainted kind of coins.

Also, the most anonymous.


But I thought Bitcoin mining hardware was all online-only sales?


We're not talking about buying a couple of miner machines here, but financing a whole warehouse filled with them.


Which would make it harder to conceal the dubious origin of the money.


Not really.

From the p.o.v of the seller of mining hardware, he's just selling hardware in exchange for money, and he has no KYC/AML requirement, he's not a bank, he's just a regular business.

And any other company involved in building the mining operation is the same way.


Right but the point of laundering is that you have cash you want to legitimize, so it must "re-enter" as cash. But hardware mining sales are all online, not cash, hence my original comment!


Unless you're buying crates of stolen GPUs off the black market with heaps of cash.

I am betting these guys have some connections.


I've learned to be skeptical when I see law enforcement praising the l337 skillz of their targets.

    > “This guy is in another league, he’s like Rafa Nadal
    > playing tennis,” Yuste says. “There are few people in
    > the world capable of doing what he did.”
It sounds really cool (and budget-justifying) to be chasing some mastermind, and a journalist is likely to pump up that aspect of the story too. Because they know we're reading it to be entertained, for there to be suspense, to enjoy the frisson of a "victimless" crime requiring ingenuity, like Ocean's 11.

Then you find out later it's just a python script probing for default passwords, or someone who learned some of nmap's command-line switches.


Yeah; I also have the general impression (admittedly without much data to support it) that IT security at banks and other gargantuan, long-lived institutions is pretty crappy? I would think it's easy to get in, and hard to not get caught.

Anecdotally, I have a friend who briefly worked at a company which exclusively makes software for financial institutions. Their product was a web app that only worked in a version of Internet Explorer so old, it didn't support Ajax. Asynchronous requests were made by changing the src attribute of a 1px <iframe>.

This was in 2015.


It is and it is (sorta). I worked in the bank industry for many years and I could have stolen money a hundred different ways without getting caught.

The problem is that in the end the money has to go somewhere or be spent (why else steal it?). Also, to live a legal life (house, car, boat) you have to have a source of income/spending that does not set off red flags. If you are a highly paid bank employee, why even bother? Many (most?) financial-type crimes have no statute of limitations, so to get away you literally have to get away with it for the rest of your life. The other side is that even if you get away, you will spend the rest of your life wondering if today is the day you get caught. To be honest, I think that is why so many white-collar crimes look so brazen. I think they would rather go to jail for a few years, be done with it, and live the rest of their lives with the money they have "lost".

Unless you live in a country like Russia where stealing money from the US is basically legal. Then go for it.


> Many (most?) financial type crimes have no statute of limitations so to get away you literally have to get away with it for the rest of your life

At least in the US, this is inaccurate. Most financial/fraud crimes have a statute of limitations of 3-5 years, both at the state and federal level. Some federal crimes specifically against financial institutions have a SOL of 10 years. Generally the only crimes that have no statute of limitations are punishable by life/death (such as first degree murder). See https://www.justice.gov/usam/criminal-resource-manual-650-le...


SOL is a timer from time of crime to time of indictment, and indictment doesn't necessarily require knowing the precise identity of the defendant or capturing the defendant.

In GA, fleeing stops the clock, and in WA, "John Doe" can be indicted, subject to some restrictions.

https://tollefsenlaw.com/statute-limitations-tolled-against-...


IANAL

If the prosecutor can claim conspiracy, and they almost always can, they can reset the clock essentially forever on the limitation statute. As I stated in my post, you are essentially committed to variations on money laundering for the rest of your life unless you can make a "retirement level" lump sum of money usable for legal purposes.


> Unless you live in a country like Russia where stealing money from the US is basically legal. Then go for it.

I've also heard that about China. Just be sure not to target fellow nationals. I recall reading that Zeus botnet software did not include any Russian templates, for example.

But wasn't there a time when Russia cooperated more with the USA and EU? During the 00s, maybe?


> IT security at banks ... is pretty crappy? I would think it's easy to get in, and hard to not get caught.

Yes, it is not state of the art. They need a compliance regime in order to be secure, and they meet that and that only. But I think you're missing an aspect: things like passwords that change daily and require collusion, advanced social engineering, physical access, etc.

Further, being easy to get caught is the definition of good security. It's super easy to physically enter a bank and take all available cash at gunpoint. Nearly impossible to get away with it. That's good security. Extend that to the digital realm.


Better security is not letting them get the cash at all.


Cost of dealing with a dead teller is probably higher than the amount of cash that will satisfy most traditional robbers. If that robber-satisfying amount can be recovered with a certain degree of reliability, the security model is effective in deterring attacks, minimizing attack damage, and ensuring physical safety of team members.


There are only around 5,000 bank robberies in the US each year. If they each walked away with $100,000*, which is unlikely, that's only 0.5 billion, which is peanuts vs. the 44 billion retail loses to shoplifters and other issues.

PS: 100k in 20's is ~11 pounds. Some people might leave the bank with more than that, but not that much more, as most branches don't have much cash and simply moving it becomes difficult.


Yet Fort Knox gets on just fine having zero robberies. I'm not saying every bank should be FK, but I do think we're unwise not to at least admit that security is a spectrum and the most secure places do not get robbed or bugged.


I don't think that Fort Knox is open to the public. Which makes it a much harder problem than to stick up a bank (which is a hellishly stupid form of crime to begin with).


True but not particularly relevant. In reality, we almost never expect 100% perfection, we assign a cost/benefit ratio and multiply by failure rate.


In some banks in Europe, a customer needs to be buzzed in to enter the premises.


There are barriers and dye bags among other things. In this instance it's about security and safety, plus they are insured.


> Asynchronous requests were made by changing the src attribute of a 1px <iframe>.

And you're posting on a site that still does it that way - voting on HN works by creating an <img> and setting the src attribute to the vote url.


That's interesting, but Hackernews doesn't exactly handle top-security data.

I've always been surprised/charmed by how old-school this site is. In some ways it's nice - it's blazingly lightweight - but it seems ironic that a tech incubator wouldn't have updated their website in ~12 years.


That's really interesting. How does it however wait to vote until you press the up or down arrow?


Oh, Javascript creates the <img> tag when you click the arrow, it's not present beforehand.


> I would think it's easy to get in, and hard to not get caught.

Imagine you're a new employee at a big old company with a lot of legacy tech that's had mediocre maintenance and documentation over the years, as is typical. You are going to leave footprints everywhere just learning to do your job. Imagine how many footprints you leave when you're an outsider who has to learn it all from scratch without documentation or assistance from other employees with historical knowledge. Now try getting anything done in that system without leaving tracks or triggering alerts when you hit some API that even the employees don't know exists. The reason nobody ever gets caught is that insurance doesn't usually require a conviction before paying out, and the effort required to determine who broke in is much higher than figuring out the exact sequence of events, because you'd have to do the same investigation on every compromised system they used along the way.


At some point, if the attacks got too frequent or severe, insurance rates would climb to the point where attacks would be better defended or retaliated against.


> I have a friend who briefly worked at a company which exclusively makes software for financial institutions.

Sounds like Jack Henry. My bank uses them for their client web portal. Up until last year, they had an 8 character max limit on your password, and you couldn't use any special characters or spaces.

But at least they make you verify your "personal photo" every time you log in. Which is more than useless since I assume they are trying to protect you from phishing and any decent phishing attempt would just skip that step and no one would notice. Or, if they wanted, they could just port your username to the real site and pass the photo along to you through the phishing site UI.


Pffft, a major Canadian bank (they’re all big since we never had a crash) has only 6-numerical-digit passwords.

You can have a 6 (not less or more) alphanumeric password, but any letters get mapped to numerical digits.


The door code for one of the US's top banks' offices used to be 0000. I wonder if they finally changed it? EA QAs their games better than a lot of financial institutions as well.


EA is largely hosted and managed by rackspace, who, for years, had default passwords on their iLOs - with public IPs. ;)


FYI to those like me:

> Integrated Lights-Out, or iLO, is a proprietary embedded server management technology by Hewlett-Packard which provides out-of-band management facilities. The physical connection is an Ethernet port that can be found on most Proliant servers and microservers[1] of the 300 and above series.


Yeah - it's basically a PCIe KVM over ethernet.


Easy to get in, but hard not to get caught has always been the case. Anyone with a lack of morals can go execute tellers and pull money out of cash drawers. But they’ll be in jail by the end of the day.


It's a valid concern, but I'm not so sure in this case. Spear phishing is a skilled art, and requires relatively significant knowledge of the target and their domain. Sure, the rest is essentially a Stack Overflow post away, but it requires real determination to research this kind of attack and real skill to carry it out and see it through to millions in cash popping from ATMs in foreign countries. Just the people management alone is impressive.

And finally, I don't think Stack Overflow covers ATM maintenance procedures yet. These guys weren't kiddies.


I'm not saying they are script kiddies. I make no claim about their skills. I have no idea what it takes to pull off a conspiracy like this.

I'm just saying I don't believe sensationalizing journalists or law enforcement. Pretty much every time when I've known anything about the case, there have been wild exaggerations.


People management is a challenge, but spear-phishing? It's one of the easiest methods of penetrating a company.


That particular quote concerned Katana's ability to move money between banks, not his "hacking" prowess. In fact, the article even refers to their methods as "classic spear-phishing", implying there wasn't anything special behind their methods.


This is a problem with pretty much all media stories. There's money to be made making things seem dramatic and spectacular and out of the ordinary... when most things just aren't.


I wonder if anyone accused of these things has ever thought to bring in HN users as expert witnesses.

I'm sure even a random sample would cause a huge reduction in these inflated "master hacker" claims.

It seems that if you can have a few people rationally explain to a jury what the accused did, the crimes would seem much less diabolical.


Generally, defendants don't need to defend against bombastic statements in the media. In fact, such statements can help the defendant, as they can prejudice and disqualify jurors, leading to mistrial.


Sorry if I wasn't clear - my comment was directed at overly aggressive prosecutors.


The fact they supposedly recovered 15k Bitcoins tells me he wasn't sophisticated enough to secure his private key sufficiently. If he had memorized a BIP39 mnemonic for his private key we wouldn't be reading about $162 million dollars worth getting seized. Brain wallets are pretty tough to crack.


A wrench is all you need apparently. https://xkcd.com/538/


>> Someone had sent emails to the bank’s employees with Microsoft Word attachments, purporting to be from suppliers such as ATM manufacturers. It was a classic spear-phishing gambit.

Microsoft Windows + Outlook Email + Attached word document = the Drake equation for internet security. No matter how secure each of these things are individually, when added together infection becomes inevitable.

Why does Outlook have to pass such documents to Word? Why does Word have to open and run macros so willingly? Why does Windows allow Word to talk to the internet so easily? I just don't understand the use case these links are meant to address. Are there really so many people out there installing software via links inside Word documents? That this has to be a seamless user experience? There are so many opportunities to limit such infections. Why do we still tolerate this?
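One defender-side check a mail gateway could apply to exactly the attachment chain described above, as an added example (not code from the thread or from any product named in it): it opens the OOXML zip, flags an embedded VBA project and any relationship that points at an external web target, and refuses to pass judgement on a legacy binary .doc it cannot parse. The sample documents, the `example.invalid` host and the function names are constructed for illustration.

```python
import io
import re
import zipfile

# Constructed sample (not a real document): a minimal .docm-style container
# optionally carrying a VBA project stub and a relationship whose target is an
# external URL. The host is a reserved placeholder, not a real site.
def build_sample_docm(with_vba, external_target=None):
    rels = ['<?xml version="1.0"?><Relationships>',
            '<Relationship Id="rId1" Type="x/styles" Target="styles.xml"/>']
    if external_target:
        rels.append(f'<Relationship Id="rId9" Type="x/hyperlink" '
                    f'Target="{external_target}" TargetMode="External"/>')
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/_rels/document.xml.rels", "".join(rels))
        if with_vba:
            # A real vbaProject.bin is an OLE compound file; a stub suffices here.
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0stub")
    return buf.getvalue()

EXTERNAL_REL = re.compile(r'<Relationship\b[^>]*TargetMode="External"[^>]*>', re.I)
TARGET_ATTR = re.compile(r'\bTarget="([^"]*)"')

def scan_ooxml(data):
    """Inspect an OOXML attachment for a VBA project and external targets."""
    findings = {"ooxml": True, "has_vba": False, "external_targets": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Legacy binary .doc (OLE) is not a zip; it needs a different parser.
        findings["ooxml"] = False
        return findings
    with zf:
        for name in zf.namelist():
            lower = name.lower()
            if lower.endswith("vbaproject.bin"):
                findings["has_vba"] = True
            elif lower.endswith(".rels"):
                xml = zf.read(name).decode("utf-8", "replace")
                for rel in EXTERNAL_REL.findall(xml):
                    m = TARGET_ATTR.search(rel)
                    if m:
                        findings["external_targets"].append(m.group(1))
    return findings

def quarantine_verdict(findings):
    """Gateway policy: hold anything with macros or remote web targets for review."""
    if not findings["ooxml"]:
        return "hold: legacy binary format, inspect with an OLE parser"
    if findings["has_vba"]:
        return "hold: embedded VBA project"
    remote = [t for t in findings["external_targets"]
              if t.lower().startswith(("http://", "https://"))]
    if remote:
        return "hold: external web target " + ", ".join(remote)
    return "deliver"

if __name__ == "__main__":
    bad = build_sample_docm(True, "http://updates.example.invalid/setup.exe")
    print(quarantine_verdict(scan_ooxml(bad)))
    print(quarantine_verdict(scan_ooxml(build_sample_docm(False))))
```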


>> Why do we still tolerate this?

This is the real question. The thieves are just a symptom of the real infection: terrible, insecure client software. I'm not sure what the solution is but I am pretty sure it involves Microsoft having skin in the game somehow.


I'm sure it doesn't have anything to do with Microsoft's willingness to roll over to the US government (PRISM, NSAKEY).


Microsoft Office was years ahead of the Open Web / JavaScript in providing all the convenience and security of remote code execution at the request of arbitrary untrusted third-party systems.


Every piece is desired in some fashion.

We want Outlook to open our attachments without having to explicitly choose the program.

We want Word to have those advanced macro features.

We want Word to have hyperlinks to things on the internet.

We want to be able to install things downloaded from the internet.

In isolation, each of those things is desirable to some segment of the userbase. It just so happens that the chain basically allows you to install a program from an email attachment.


Not all of us do. I personally find Windows usage entirely unacceptable in security-sensitive environments.


The article doesn't really go into the thieves' backgrounds at all strangely enough. How did Katana end up in the bank heist business? How did he acquire the skills to turn making fake bank transactions into an "art"? I always wonder about the kind of person who ends up in these criminal dealings and where they come from.


He probably worked for a bank. Lots of smart people learn the "loopholes" of their trades.

My mom worked at a car dealership and realized that you could steal a car from them and it would be upwards of a year before they figured it out, since that's when they did inventory. Back then, the keys were all kept in marginally secured cases.


Johnny Cash figured out how to steal them from the factory.

https://www.youtube.com/watch?v=18cW_yHo3PY


Am I the only one that finds it suspicious that one of these guys would drop a debit card at a heist?


People are always shocked at the stupid mistakes that big criminal masterminds make.

Like the Silk Road guy, "how could he possibly ask on stack overflow using his real name".

And so on.

There are ten thousand different mistakes that you can make; you need to guard against all of them. And against whatever unknown tech exists.

In this story, that dropped bank card turns out to not be that significant. The real breakthrough was identifying another mule through the video surveillance videos, following him to the airport and putting surveillance on the lockers used to store the cash.

He was also emptying ATMs apparently with witnesses behind him. This is like a bad movie. One of those witnesses might as well be an off-duty cop who could just pull out his gun right there.


... or the Russian FSB officer forgetting all about VPN and logging on from his office. [1]

People make stupid mistakes.

[1] https://news.ycombinator.com/item?id=16653671


guccifer, lone hacker = russian authorities


The criminals have to be lucky continually - the detectives only need to be lucky once.


> Like the Silk Road guy, "how could he possibly ask on stack overflow using his real name".

I always had the impression that Ross suffered from the fatal flaw that he didn't think what he was doing was wrong. He was an evangelical libertarian, and I think he didn't see "not getting caught" as the #1 priority the way a profit oriented criminal would.


I think the biggest thing is you don't realize how big something will get. You talk about an idea you're working on in IRC or ask a question on stack overflow while you're toying with the idea, then clean up later when it (surprisingly) takes off.


Isn't not getting caught sort of part and parcel of silk road style evangelism?


If that was the flaw, then why did he try so hard to remain anonymous?


Does posting under your real name about drugs and bitcoins constitute "trying hard?" :)


Especially in the sentence prior to it where it says "the ATM started disgorging cash without either man touching it"

What's the bank card for if they just stood there and it spit money out in a timed fashion?


Yeah, maybe the author of that article was having a bit of leeway with the story or the facts being presented to us are questionable. Either way, it doesn't give me a lot of trust or confidence in the truth of that article.


Good catch.

Either it's a misstatement from the author, or law enforcement don't want to reveal how they actually caught them.


Which implies parallel construction.


I think it's parallel construction iff they submit a false line of evidence to a judge.

It's not illegal to tell tall tales to the press. Maybe they want to protect an informant. Or, maybe they just want to protect some technical dragnet they've set up, for the time being.


The ATM was a Taiwanese ATM, and they were Russian, so they could have had their own Russian debit card.


It sounded like it was one of the "mules" who dropped the card. Probably just some random guys hired cheaply so those in charge didn't have to go out in person; they probably weren't necessarily smart or careful.


Well, you know what they say:

- You have to be lucky every time to continue free... I only have to be lucky once to catch you.


Nowadays everything runs on SaaS, so why are banks and other institutions letting key people use MS Windows and Outlook in the first place? Don't you reduce your risk by like 90% by using Linux clients instead?


Reminds me of the book "Stealing the network - how to own a continent", it was a fun read back then...

https://books.google.fr/books/about/Stealing_the_Network.htm...


From the headline alone I assumed it was going to be about the tech industry's theft of the world's data


I'm sure you did, but could you please not post unsubstantive comments to HN? This kind of thing leads to low-quality discussion.


And I thought they were going to talk about cryptocurrencies... :)


They do say a lot of theft cash ended up converted to Bitcoin. So, at least a measurable chunk of the liquidity in the market is down to this...


The authorities often resell the bitcoins so they could reenter the market.


I've not heard any cases of bitcoins being "seized" by government authorities yet, although I see that happening in the future as probably inevitable.

Have any examples?


Silk road seizures were the first and biggest (by amount of coins) but they are much more commonplace now.


You mean exactly like this bitcoin that was seized and sold by the government: http://fortune.com/2017/10/02/bitcoin-sale-silk-road/


Tether, more specifically


Is it stealing if the person gives it to you?


Maybe not stealing but extortion. “Give us all your data or you can’t use the service all your friends use to keep in touch”.

It’s even worse when the service we’re talking about goes beyond social networking and becomes a must-have like a cell phone (referring to major US carriers secretly selling location data to a marketing company).


I thought it was an article about Bitcoin.
