The 45 M$ bank heist – how did they do it?

We live in an age where even crime is cyber and global. Last week’s news shows that in a matter of hours, a sophisticated worldwide operation secured the cash from ATMs in over 20 countries. There were several weak links left exposed in the complex financial transaction security network.

Firstly, the cards used were pre-paid magnetic stripe, thus very easy to create and clone. The magnetic stripe card data was retrieved from the back-end systems. The data then only needed to be transmitted over the Internet around the globe and copied to blank magnetic stripe cards locally (like hotel cards). The cloned cards were then distributed to individuals in each country, thus enabling money to be retrieved from ATMs all over the world with the same account data over and over again.

As the data was from prepaid debit cards, the transaction amount was subtracted from the preloaded balance, this circumvents most real-time network checks and network security mechanisms. Had EMV chip cards using Dynamic Data Authentication (DDA) chip cards been used, it would have been impossible to clone card on limited stored data and to tamper with the card limits. A DDA chip card is validated by the ATM or POS terminal, before any transaction takes place. This is achieved by exchanging signed certificates and random number challenges between card and backend via the terminal.

Had the cards contained a chip, even changing the card limits in the back-end would have had no effect. Without breaking the security features of the chip card, secret keys cannot be cloned onto a new empty smartcard. By asking the chip card to encode random challenges, and validating results and signatures in the back-end, originality can be proven. After validation, transactions are individually signed, using transaction counters and other mechanisms to prevent replaying transactions a second time. Any validation or transaction is preceded by entering the smartcard pin code, which proves the owner of the smartcard is authorized the use.

In DDA cards, the pin is still required and a unique signed electronic datagram is created, describing the details of the transaction. It is impossible to re-use such a datagram a second time, due to the amount, the transaction counter and many other items encoded into the signed datagram. This makes the DDA card much more secure against fraud than the magnetic stripe card.

Secondly, as hack was made into financial processor of pre-paid cards it can be presumed that sufficient security measure may not have been in place. Hackers were able to update card data as well as balance limits to ‘unlimited’ to ensure they could withdraw up to the maximal cash limit of at each ATM.  This means the data may not have been stored following best-practice as well as access not protected as well. One of the required standards is the PIC-DSS standard of the PCI Security Standards Council, which is recognized by international payment associations, such as Visa and MasterCard. Even when certified by a Qualified Security Assessor, the PCI-DSS demands to remediate vulnerabilities and to rescan and self assess the infrastructure on a regular basis. This is costly, but if omitted or postponed, breaches can occur.

A system is as strong as its weakest link. In this case there were two weak links exploited globally; the processor in the backend and the magnetic stripe card. Simple security mechanisms on the back-end, such as not storing pin/login codes, but only salted hashes in databases, no storing of card details in plain, but only encrypted would help support security in the system. At the card level, introduction of DDA cards which protect consumer and bank data are also a front-line step in securing financial transactions.

At NXP, innovation is always now, but our focus is always the future. Our dedicated team of experts is united by a passion to make everyday life more remarkable through technologies that continually redefine life as we know it.


  1. Avatar Richard says:

    “data may not have been stored following best-practice as well as access not protected as well” – that’s being too kind. The backend data was hacked, and worse yet updated by the hackers! The first line of defense should have been at the backend data store. DDA cards are a fine second line of defense that protects somewhat against backend hacks from outside. But if it’s an inside job the DDA card protection can be negated. And DDA cards add to the expense of the overall system, which is ultimately borne by the customer. Given what I’ve seen, both personally and in the news, banks are doing a unacceptably poor job of maintaining the security of important financial information.

  2. Avatar BK says:

    Completely agree that banks can do more. However, this is really a mis-conception that securing the back-end through stronger ‘walls’ is forward looking enough. Attacks are getting more sophisticated and so should the response. The backend is always a single point of failure. Highly secure smart cards remove this kind of vulnerability by delocalizing the point of attack – a distributed approach to security. This diminishes the value that could be gained from the attack. In fact, chip cards would have helped in this situation as the data would not have been able to be replicated onto the card.

Buy now