Banking Blog

Finance Blogs » Banking Blog » Thieves grab $1M in 60 seconds

Thieves grab $1M in 60 seconds

By Claes Bell ·
Tuesday, November 6, 2012
Posted: 4 pm ET

Electronic attacks on the nation's largest banks seem to be increasing lately. In the past few months, we've seen a rash of massive cyberattacks take down several megabank websites.

And late last month, a gang of criminals in California allegedly exploited a weakness in Citibank's electronic transaction security protocols to steal more than $1 million by withdrawing much more than the balance of 14 checking accounts set up for the purpose. The total time that elapsed between the beginning of the attack and the end? 60 seconds.

From the U.S. Attorney's Office:

According to court documents, the alleged scheme worked as follows: Defendant Ara Keshishyan recruited conspirators who were willing to open multiple Citibank checking accounts. He then supplied his co-defendants with "seed" money, which was deposited into the recently opened accounts. After the money was deposited into the checking accounts, Keshishyan and his conspirators would travel to nearly a dozen casinos … When inside the casino, the conspirators, including Keshishyan, used cash advance kiosks at casinos in California and Nevada to withdraw (all within 60 seconds) several times the amount of money deposited into the accounts, by exploiting the Citibank security gap they discovered.

The indictment alleges that, after the cash was collected from the casino "cages," Keshishyan would typically give conspirators their "cut" and keep the remainder of the stolen funds, which were often used to gamble. The casinos frequently "comped" the conspirators with free rooms due to their extensive gambling activity. As part of the alleged scheme, the defendants also were careful to keep both their deposits and withdrawals under $10,000 to avoid federal transaction reporting requirements and conceal their fraud.

Like the hacking attacks on the websites of big banks we've been seeing lately, this incident emphasizes one of the big disadvantages of being a megabank. They're a huge target for criminals around the world.

As a result, they have to spend millions of dollars hardening your networks against attacks mounted by some of the most talented and well-funded hackers in the world -- a threat their smaller competitors may not have to worry about quite as much.

If you're wondering what that has to do with you, Citigroup alone spent $5.133 billion on technology and communication expenses in 2011, according to financial statements, a good chunk of which I'd bet gets spent on information security. Those costs are then passed on, to the extent possible, to customers in the form of higher fees.

What do you think? Do big banks have a bigger target on their backs than their smaller counterparts?

Follow me on Twitter: @ClaesBell.

Bankrate wants to hear from you and encourages comments. We ask that you stay on topic, respect other people's opinions, and avoid profanity, offensive statements, and illegal content. Please keep in mind that we reserve the right to (but are not obligated to) edit or delete your comments. Please avoid posting private or confidential information, and also keep in mind that anything you post may be disclosed, published, transmitted or reused.

By submitting a post, you agree to be bound by Bankrate's terms of use. Please refer to Bankrate's privacy policy for more information regarding Bankrate's privacy practices.
November 14, 2012 at 9:46 am

If the senior management is reflective of the lower rungs, like customer service, collections, loss mitigation, etc. -- good luck. It's been a revolving door in the past few years at Citibank.

Their losses? Banks always pass it on to the consumer. Don't be so happy that somebody got away with the theft. It could be you next time....

November 14, 2012 at 9:43 am

For years I've been asking their division, CitMortgage, to PLEASE remove my ENTIRE SOCIAL SECURITY NUMBER from their system! They refuse and/or say "they can't." The law should be changed to where they CANNOT have a person's entire social security number in the system, especially if somebody asks for it to be removed. It's not real comforting knowing that ALL their employees, in ALL dept's -- especially when I call customer service and get India, Indonesia, the Phillipines, etc. -- knowing that they have all the info they need to COMMIT FRAUD!!!

I hope anyone reading this post who has an account with Citibank in the form of a checking account, credit card, mortgage, etc. will call and WRITE to their CEO demanding that the social security number be removed, all but the last four numbers for identitification. Better yet, call your US elected officials and ask them to draft legislation that would require financial institutions to only allow the last four numbers of a social security number for identitification purposes with "lower level dept's" like customer service. As an identity theft victim years ago, I do everything I can to protect my information. Citibank, Citimortgage is all talk on customer service. Please let your voice be heard!

Saint John
November 11, 2012 at 1:02 am

Why should we care?
They make that times 10 in 60 sec. with their 29% intrest.
Hope it's im the billions next time!
Good on them, and keep at it!
Do pass it on to the needy!

November 10, 2012 at 9:03 pm

Sorry i can't fall for this inside job,get real Citibank
your hacker scheme has more holes in it than swish cheese
you are just trying to get more free money from the Gov't
call bail out money.

November 10, 2012 at 2:50 pm

Life in the big city guys your security has holes in it. You should fix them these were locals and big banks play in global markets. Continued cyber attacks, well welcome to global hackers now.

I am glad I closed my credit card account years ago with Citibank. I got irritated during the first bailout when suddenly my borrowing percentage rate was raised for no reason of my own. I feel no sympathy and hope they make it right for the consumer affected by their inadequacies.

November 10, 2012 at 2:23 pm

To Sheridan...the banks did not keep the "bailout" money. They had to pay it back with interest tacked on. You should ask the federal government what they did with the interest they gained as well as the money that was paid back on those "bailout" funds.

November 10, 2012 at 11:44 am

This is an enormous irony. In reality the million dollars was not stolen. It is a tiny fraction of the bailout money that we, the American tax payers gave to the Wall Street bankers, the biggest crooks in recorded history. Where is the the billions we gave these super crook? Has it trickled back to us? Ha, ha! It is in places like the Cayman Islands, Switzerland and the Bahamas. And they are gearing up for another bailout. Here in Sonoma County, California the biggest super crook of all used his billions to buy a 326 farm, Get his name plastered on our university's new concert hall and invested in our local paper. All with the tax payers' money. And the citizens love him. He is a philanthropist. Good grief.