
Hackers Steal $1 Million from Citibank


Written By
Jeff Goldman
Oct 31, 2012

The FBI recently announced that 14 people have been charged with stealing more than $1 million from Citibank ATMs at casinos in California and Nevada.

“The alleged fraudsters were able to exploit a ‘loophole,’ or business logic flaw, in Citibank’s account security protocols — in essence, tricking the system to believe that multiple transactions were actually just one,” writes SC Magazine’s Danielle Walker. “The withdrawals were done in [a] short time frame at different ATMs, taking advantage of a Citibank processing system which treated ‘identical, near-simultaneous withdrawals as duplicates of a single withdrawal from an individual Citi checking account,’ according to court documents filed last Tuesday.”

“According to court documents, the alleged scheme worked as follows: defendant Ara Keshishyan recruited conspirators who were willing to open multiple Citibank checking accounts,” Help Net Security reports. “He then supplied his co-defendants with ‘seed’ money, which was deposited into the recently opened accounts. After the money was deposited into the checking accounts, Keshishyan and his conspirators would travel to nearly a dozen casinos in California, Las Vegas and Laughlin, where they used cash advance kiosks at casinos to withdraw (all within 60 seconds) several times the amount of money deposited into the accounts.”

“The scam worked because withdrawals were authorised at multiple machines before balances were updated, taking throwaway accounts well into the red,” writes The Register’s John Leyden. “The stolen funds were often used to gamble, leading many casinos to supply the alleged conspirators with free rooms due to their extensive gambling activity, the FBI said.”

“The defendants obtained more than $1 million from Citigroup, prosecutors said,” writes Ars Technica’s Dan Goodin. “To conceal the scam, they kept withdrawal below $10,000 to avoid federal transaction reporting requirements.”

“All of the defendants are charged with conspiracy to commit bank fraud and conspiracy to illegally structure financial transactions to avoid reporting requirements, punishable by up to five years in prison, and a $250,000 fine,” writes The Press-Enterprise’s Brian Rokos. “In addition, Keshishyan is charged with 14 counts of bank fraud, each of which is punishable by up to 30 years in prison and a $1 million fine.”

“The cash-advance-kiosk attacks are notable for highlighting how motivated attackers might benefit from even the tiniest information security misstep,” writes InformationWeek’s Mathew J. Schwartz. “‘While advancements in technology have created a world of accessibility to users and a convenience for consumers, they have also left room for criminals to exploit even the smallest of loopholes,’ said FBI special agent Daphne Hearn in a statement. The flaw exploited by attackers has reportedly now been fixed.”
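The duplicate-suppression flaw quoted above can be shown with a simplified model. This is an added example, not Citibank's code and not taken from any of the cited reports; the field names, the 60-second window constant, the amounts and the hardened rule (matching on terminal plus sequence number) are all assumptions made for illustration.

```python
from dataclasses import dataclass

DUP_WINDOW_S = 60  # assumption: the page only says "all within 60 seconds"

@dataclass(frozen=True)
class Withdrawal:
    account: str
    amount: int
    terminal: str  # kiosk identifier (hypothetical field)
    seq: int       # per-terminal transaction number (hypothetical field)
    ts: float      # request time in seconds

def authorize_flawed(balance, posted, w):
    # Flaw as described: same account + amount inside the window is assumed
    # to be a resend of one withdrawal, so it is approved without a new debit.
    for p in posted:
        same = (p.account, p.amount) == (w.account, w.amount)
        if same and abs(w.ts - p.ts) <= DUP_WINDOW_S:
            return True
    return _debit(balance, posted, w)

def authorize_hardened(balance, posted, w):
    # A duplicate is only a request with the same terminal and sequence number.
    if any((p.terminal, p.seq) == (w.terminal, w.seq) for p in posted):
        return True  # genuine retry: already debited once, stay idempotent
    return _debit(balance, posted, w)

def _debit(balance, posted, w):
    # In production this check-and-debit must be a single atomic operation.
    if balance[w.account] < w.amount:
        return False
    balance[w.account] -= w.amount
    posted.append(w)
    return True

def simulate(authorize, requests, opening=1000):
    """Return (cash dispensed, account balance after settlement)."""
    balance, posted, paid = {"acct-1": opening}, [], {}
    for w in requests:
        if authorize(balance, posted, w):
            paid[(w.terminal, w.seq)] = w.amount  # a kiosk pays once per txn
    dispensed = sum(paid.values())
    return dispensed, opening - dispensed

# Constructed sample: four kiosks, one account, plus one genuine retry from K1.
REQUESTS = [Withdrawal("acct-1", 1000, f"K{i}", 1, 10.0 * i) for i in range(1, 5)]
REQUESTS.insert(1, Withdrawal("acct-1", 1000, "K1", 1, 12.0))
```

With the constructed requests, the flawed rule approves all four kiosks against a 1,000 balance and the account settles 3,000 overdrawn, while the hardened rule still tolerates the genuine retry but declines the other three kiosks.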
