Opinion

Los bandidos and the great ATM robbery

It is amazing that in this day and age, with the latest in IT security measures employed by banks, a simple operation of planting a computer virus has helped some high-tech robbers – whom I shall appropriately call "bandidos" – to more than RM3 million in cash, and within a matter of days at that.

Just a little background: since last Saturday, for four consecutive days, 17 ATMs from three banks have been hit in a few states by men said to be South American.

These bandidos managed to open the top cover of the ATMs, insert a CD which contains a computer virus called Backdoor.Padpin (ulssm.exe) and, ole, they had control of the machine.

The bandidos had no access to the cash dispenser, as it sits in a secure compartment by itself within the ATM. There are added security measures to make sure it can be neither removed nor opened.

So, that means getting access was not enough. They still had a lot of work to do. Using the existing ATM keypad, with special codes, they then had to make multiple withdrawals.

I can only speculate, based on the fact that customer accounts were not compromised, that the withdrawals were likely made in a scenario where the ATM was switched to a testing mode, one usually used by the vendor and the bank's IT and operations teams during installation to make sure cash is dispensed properly.

So, the virus planted must have allowed them a diagnostic or "maintenance" control of the ATMs, and they duly "tested" it to their heart's content with no one alerted to the multiple withdrawals and no guard nearby to monitor such activity.

Not many more details have been provided by the police force's cybercrime division, so that's all we can go with for now.

The cops are saying that the ATMs hit were "older machines" and they were said to be susceptible to such a threat.

But no matter how old a machine is, there is just no reason why enough countermeasures could not have been taken, starting with something as simple as preventing its top cover from being opened.

The banks have a lot to answer for. Though customer accounts are not affected by this rather sophisticated bank robbery, it still does give cause for concern over how tight the bank's security is system-wise, be it at the ATM or in the back-end IT environment which supports millions of accounts.

Could it be an inside job too, with the help of bank staff or the IT vendors who supplied the machines? The police are looking into that possibility.

The background of the bandidos could be that of people working in the banking or IT sector previously, thus they would know what it takes to carry out such an operation.

How many more ATMs will be hit is left to be seen, but RM3 million for a few days' "work" should keep these bandidos living pretty comfortably for a few years to come, without even having to leave the country.

Moving on, but still on the topic of ATMs, remember when ATMs used to run out of cash by the first day over a 3-day weekend or longer holiday period, especially during festive seasons?

Back then, only selected bank staff were assigned to reload the ATMs with cash, and it was sometimes done outside working hours, with a guard or two standing by. But if the relevant staff were on leave or on holiday and an ATM was out of cash, it was likely that the ATM would remain empty until the next working day.

Then, the banks outsourced such operations to established security companies to reload their ATMs during the off-hours. My personal experience, since such a switch was made, has made me realise how easy it could be for some security personnel to pilfer small amounts, over many occasions.

A few years ago, I made an ATM withdrawal at a local bank on a Saturday morning. I wanted to take out RM360, but unfortunately, only three RM50 notes came out, and the last one was partially folded at the edge, and the remaining notes seemed to be making some noise but could not eject through the cash slot evidently.

The transaction went through, the slip stated the full amount and my account was debited accordingly. I held up the three RM50 notes to the CCTV above, and saw that the machine, too, shut down immediately after my transaction.

I made a full report to the bank on the Monday, and the reply came back a week later that all the records show that money was dispensed in full, so no further action can be taken.

That's when I realised that the security company staff handling the reloading of the ATM the day of my withdrawal need not have declared any excess cash in the machine, and just took it for themselves. Worse, there was absolutely no way for me to prove that.

Later, I learnt from a friend who used to work as an accountant for one of these security companies that a few thousand ringgit is unaccounted for every month in the cash reloading process, but the banks are powerless to act, as investigations always prove futile. So, these banks just write off such losses.

How big this problem is remains up for speculation, but I am pretty sure the banks and the security companies, to protect their reputation, might not want to share such embarrassing information.

Finally, here's a light-hearted story of an incident another friend shared on how a bank with an ATM machine in a university suffered some inadvertent losses.

The cash dispensers for RM50 and RM10 notes had been switched after the cash was reloaded into the machine. Thus, a student withdrawing RM20, expecting two RM10 notes, was surprised that he got two RM50 notes instead.

Soon word spread, and though there were two ATMs, there was a long queue for only one machine. Everyone played fair to enjoy this windfall, making one withdrawal of RM40 at a time, whereby four RM50 notes would be dispensed, for a "profit" of RM160.

One bright spark came along and felt confident he could make more money by requesting RM60, and got exactly that amount as the machine simply dispensed one note of each denomination. He lost his chance to make some cash due to his greed. It made for a good laugh among his friends, a great story and an even better lesson for all.

A lesson these bandidos would be smart to take heed of, as it is their greed which will eventually lead to them getting caught. – October 2, 2014.

* This is the personal opinion of the writer or publication and does not necessarily represent the views of The Malaysian Insider.
