60-Second Cash Kiosk Hackers Steal $1 Million: FBI
Feds announce they've busted 14 members of a gang that used rapid withdrawals at cash-advance kiosks at casinos in California and Nevada to trick Citibank.
According to the FBI, the related indictment, unsealed Friday, said the gang "stole the money by exploiting a gap--which required multiple withdrawals all within 60 seconds--in Citibank's electronic transaction security protocols." The gang predominantly targeted casinos and resorts in Las Vegas and southern California.
More Security Insights
- The 451 Group Impact Report: Skybox Enters Vulnerability Management Space
- Securing Big Data: Securosis Recommendations for Hadoop and NoSQL Environments
The FBI last week arrested 13 of the accused gang members in the Los Angeles area. But one of the alleged gang members, Levon Karamyan, 58, remains at large.
According to court documents, accused ringleader Ara Keshishyan, 29, recruited other members of the gang to open multiple Citibank checking accounts, which he filled with seed money. "When inside the casino, the conspirators, including Keshishyan, used cash advance kiosks at casinos in California and Nevada to withdraw -- all within 60 seconds -- several times the amount of money deposited into the accounts, by exploiting the Citibank security gap they discovered."
[ Read FBI Expands Cybercrime Division. ]
The gang reportedly also kept each individual withdrawal below $10,000, which is the threshold at which casinos must report the transaction to federal authorities. "After the cash was collected from the casino 'cages,' Keshishyan would typically give conspirators their 'cut' -- and keep the remainder of the stolen funds -- which were often used to gamble," according to the FBI. "The casinos frequently 'comped' the conspirators with free rooms due to their extensive gambling activity."
The facilities targeted were the Agua Caliente, Chukchansi, Morongo, Pechanga, San Manuel and Spa Resort casinos in California; Harrah's in Laughlin, Nev.; as well as Bicycle, Tropicana, Wynn, and Whiskey Pete's casinos in Las Vegas.
The cash-advance-kiosk attacks are notable for highlighting how motivated attackers might benefit from even the tiniest information security misstep. "While advancements in technology have created a world of accessibility to users and a convenience for consumers, they have also left room for criminals to exploit even the smallest of loopholes," said FBI special agent Daphne Hearn in a statement. The flaw exploited by attackers has reportedly now been fixed.
The fraud was spotted by Citibank. "Through our own security measures and the diligence of our people we identified the fraudulent account activity and immediately notified the authorities. No customer accounts were affected by the fraudulent activity," said Citibank spokeswoman Catherine Pulley, speaking by phone. "We will continue to work with the FBI on their investigation."
All accused members of the gang have been charged with conspiracy to commit bank fraud and conspiracy to illegally structure financial transactions to avoid reporting requirements, which carries a maximum jail sentence of five years, as well as a $250,000 fine. The alleged ringleader, Keshishyan, also has been charged with 14 counts of bank fraud, each of which carries a prison sentence of up to 30 years, as well as a $1 million fine. All of the accused could see any ill-gotten gains forfeited, if the charges against them are proven.
The defendants, who have been arraigned, are next due back in court Nov. 30.
Attackers are increasingly using a simple method for finding flaws in websites and applications: They Google them. Using Google code search, hackers can identify crucial vulnerabilities in application code strings, providing the entry point they need to break through application security. In our report, Using Google To Find Vulnerabilities In Your IT Environment, we outline methods for using search engines such as Google and Bing to identify vulnerabilities in your applications, systems and services--and to fix them before they can be exploited. (Free registration required.)