Banking Blog

Finance Blogs » Banking Blog » Thieves grab $1M in 60 seconds

Thieves grab $1M in 60 seconds

By Claes Bell ·
Tuesday, November 6, 2012
Posted: 4 pm ET

Electronic attacks on the nation's largest banks seem to be increasing lately. In the past few months, we've seen a rash of massive cyberattacks take down several megabank websites.

And late last month, a gang of criminals in California allegedly exploited a weakness in Citibank's electronic transaction security protocols to steal more than $1 million by withdrawing much more than the balance of 14 checking accounts set up for the purpose. The total time that elapsed between the beginning of the attack and the end? 60 seconds.

From the U.S. Attorney's Office:

According to court documents, the alleged scheme worked as follows: Defendant Ara Keshishyan recruited conspirators who were willing to open multiple Citibank checking accounts. He then supplied his co-defendants with "seed" money, which was deposited into the recently opened accounts. After the money was deposited into the checking accounts, Keshishyan and his conspirators would travel to nearly a dozen casinos … When inside the casino, the conspirators, including Keshishyan, used cash advance kiosks at casinos in California and Nevada to withdraw (all within 60 seconds) several times the amount of money deposited into the accounts, by exploiting the Citibank security gap they discovered.

The indictment alleges that, after the cash was collected from the casino "cages," Keshishyan would typically give conspirators their "cut" and keep the remainder of the stolen funds, which were often used to gamble. The casinos frequently "comped" the conspirators with free rooms due to their extensive gambling activity. As part of the alleged scheme, the defendants also were careful to keep both their deposits and withdrawals under $10,000 to avoid federal transaction reporting requirements and conceal their fraud.

Like the hacking attacks on the websites of big banks we've been seeing lately, this incident emphasizes one of the big disadvantages of being a megabank. They're a huge target for criminals around the world.

As a result, they have to spend millions of dollars hardening your networks against attacks mounted by some of the most talented and well-funded hackers in the world -- a threat their smaller competitors may not have to worry about quite as much.

If you're wondering what that has to do with you, Citigroup alone spent $5.133 billion on technology and communication expenses in 2011, according to financial statements, a good chunk of which I'd bet gets spent on information security. Those costs are then passed on, to the extent possible, to customers in the form of higher fees.

What do you think? Do big banks have a bigger target on their backs than their smaller counterparts?

Follow me on Twitter: @ClaesBell.

Bankrate wants to hear from you and encourages comments. We ask that you stay on topic, respect other people's opinions, and avoid profanity, offensive statements, and illegal content. Please keep in mind that we reserve the right to (but are not obligated to) edit or delete your comments. Please avoid posting private or confidential information, and also keep in mind that anything you post may be disclosed, published, transmitted or reused.

By submitting a post, you agree to be bound by Bankrate's terms of use. Please refer to Bankrate's privacy policy for more information regarding Bankrate's privacy practices.
November 10, 2012 at 10:51 am

Security is a bank problem, which is as it should be, keeping funds safe is their business, after all. Absent negligence and if there is prompt notification, unauthorized withdrawals will be reimbursed by the bank to an innocent account holder.
As far as increased fee costs due to security expenses, obviously some banks are able to provide more security at less expense because fees vary.

November 10, 2012 at 8:50 am

This unfortunate mishap is no surprise given the fact that no matter how many security protocols are put in place, there are many thieves plotting their attacks. The reality of this is, no ones money is safe when it comes to banks big or small. Personally, I would rather be my own bank, than to risk my money being taken.

Ercole Vitalone
November 10, 2012 at 8:34 am

Dear American people let not forget, that the same financial institution was one of them that create the problem in 2008 and their CEO with their cohorts are still taking home huge bonuses. Sold sub-prime loans etc... I do not feel sorry for those banks. Last year the Federal Reserve Bank (private entity) charge the USA 550 Billions dollars in interest alone. How come when it gets stolen is our money and when it is time to take bonuses for poor performance it's their money?

Harold Chanin
November 10, 2012 at 8:25 am

American consumers lose tens of billions of dollars each year to global, identity-enabled fraud, including credit and debit cards. Likewise, American taxpayers lose hundreds of billions of dollars from Social Security, Medicare, Medicaid and Tax Rebates. But nobody in government and industry actually wants these crimes stopped. Government needs theft to support the hundereds of thousands of careers involved in the chase. Industry needs theft as a common part of revenue and profit. So the solution to prevent these crimes remains passively ignored.

November 08, 2012 at 10:59 pm

Even if the bank is big or small, I think that there a potential for theives/hackers. This is why consumers should take extra precautions not to reveal or submit personal info such as there bank account, savings account or even some credit cards that have large credit limits. All are instruments that a thief will take advantage of.
I do not believe that national security can either protect entirely.

November 08, 2012 at 4:00 pm

How come the bad guys are always better at this than the good guys?

November 08, 2012 at 2:42 pm

Funny, with their unlimited resources, that the federal government does nothing about this type of crime.

Dorothy R
November 08, 2012 at 10:24 am

This is not surprised, because we do not know how to keep our mouths shut when we win a big law suit or the lottery. Any form in which monies come and we broadcast more than the mews media does. We must learn a lesson from these incidents, that we should be very careful where we use ATM & stores we shop. Especially restaurants and fast food establishments. Watch the clerk when she is swiping your card how quick the eyes begin to read the numbers on your card. We are outrage when we are the victim of identity theft. We shouldn't be if we knew where we last used our card or an ATM. These peoples are giving out information for someone else to try the same problem. It does not matter how much monies we spend on technology security or any other type of security. We have gas pump where we purchased gas and many times leave the receipts and ATM leave the receipt on top of the machine or toss in the waste basket. Wake up people any one can access your information if you are not watching what you are doing and where you purchased merchandise. Take heed and slow your role in doing business and financial transactions, please, please!!! This is not going to get better, it will get worse, because we think in our "small" minds we are protected. Think outside the box, "what happens when you lose your phone, laptops, tablets, or any small technology equipment we travel with on public transportation & other means of travel. Even in our personal cars being broken into with an alarm, not safe or being protected are we???? We protect our home from "honest people" not the robber.

November 08, 2012 at 9:22 am

You know it seems each time the banks publish hits with this kind of loss it gives fuel for the fire to those want-to-be hackers to try the same thing with other banks .. Why publish it at all ?? You know that's what they want you do so they can gloat on their latest heist !!
Banks should take better measures to protect their customers money .. Passwords need to changed every so often to prevent hits like this .. I'm glad I put my money in places where it counts the most ... And that secret I'm not telling ..

November 08, 2012 at 3:54 am

Bigger banks may be a larger target, but smaller banks typically have very shallow or laughable security. Just for example, many don't enforce decent passwords and don't even lock accounts after a reasonable number of misses. Enough simple things add up to one big problem after another.

Smaller banks are a target rich environment that is probably being mined as I write by enterprising groups. Groups that will never be acknowledged outside bank Directors meetings in Podunk Smallville.

The USA has to get a national security and privacy policy that makes sense.