Coming Soon, to an ATM Near You

“They got me this morning”, dateline Saturday March 26, 2011, as noted by the holder of one of the last untouched ATM cards in Antigua, Guatemala. Welcome to the club of recently robbed, we the passive victims of long-distance fraud by the ‘˜Boys from Bogota.’

Colombia is known for many superb exports: their coffee, emeralds and graduates of the Seven Bells School, otherwise known as a finishing school for pickpockets. The schools’ existence may be only legendary, but the superior training of Colombian pickpockets has long set a world standard. The ‘˜graduation ceremony’ is said to consist of removing valuables from a fully dressed manikin or live subject, where the principal areas such as pockets are sewn with a bell attached — ding ding..you fail. The latest generation of Colombian cybercrooks may have set a new standard also.

The world of international banking has been the focus of the 21st century’s version of electronic pickpockets for many years but not until the year 2008 had there been such a rich haul. In Estonia a 26 year old computer whiz named Sergei was able to remotely break into a bank in Atlanta, Georgia and extract 9.4 million dollars the same day. In August of 2010 the annual event known as Def-Con, otherwise known as the ‘˜Black Hat’ hackers convention, took place in Las Vegas, NV. The highlight of the show was the event showing how Barnaby Jack of New Zealand was able to remotely hack into virtually any ATM, using his software programs, named ‘˜Dillinger’ and ‘˜Jackpot’. He also discussed physical attacks using a master key purchasable on the Web for $10.78 and a USB stick to overwrite the machines’ commands. The heart of the problem appears to be that many, if not all ATM’s are now running Windows XP, which unfortunately has more than a few holes or weak points. With his programs he was able to demonstrate complete remote control over many brands of ATM’s, including the ability to capture data, spew cash and transfer funds to other end-users.

Gautemala is a long way from Las Vegas or Estonia but ever since September of 2010, the international tourist destination known as Antigua has been the focus if not the locus of remote unauthorized withdrawals via ATM’s of several hundred debit, credit and savings accounts. The sums have been significant to some and a nuisance to others: if the action was caught quickly, within 60 days, the bank would usually offer to reimburse the victim. The exact amounts of money withdrawn is estimated to be over a million dollars in Antigua alone, with many international tourists who passed through perhaps unaware of their situation unless much later.

First reported in September of 2010, December and January saw a spike of activity, in spite of guide book warnings (Moon Travel) and a US Embassy alert in January but the events have continued, even into March of 2011.

There is a coincidental link between a specific bank in Antigua which has been the source of the most complaints and Bogota, Colombia, which is where the majority of the withdrawn funds were sourced to. The Bank of Bogota, majority owned (75%) by one of the richest men in the country, if not the world, made an offer to purchase the bank known as BAC-Credomatic (Banco America Central) in June of 2010. The transaction, valued at over $1.9 billion USD, was completed in December 2010. Given the size of the acquisition and the financial strength of the Grupo Aval, it doesn’t make sense that the organization has any involvement in the purloined moneys. Is it a current or past employee with knowledge of the system? There have been other ATM attacks in and around Guatemala, sometimes with BAC branches and sometimes with the ubiquitous 5B ATM machines. Those are rented ATM’s and have been the source of many complaints, but none so plentiful as the BAC network.

To their credit, the bank’s security department has been producing seminars and demonstrations of their efforts in stemming the tide of transferred monies. The embassies, the Policia Nacional Civil and other government agencies have attended more than one Power Point show, where the technology of years past is proudly displayed, with all the crime-fighting efforts highlighted in blue and red captions. The newspaper Prensa Libre has in weeks past run several articles on the phenomenon, and ran photos of a few desperate and technology-challenged perpetrators. After attending one of BAC/INGUAT’s seminars, you’ll be presented with a certification of completion for attending the event: this is about as useful as an award for basket-weaving. The bank’s personnel don’t understand the concept: this is not about skimming, cameras and MP-3 players installed in the machines. Retrofitting metal shields over the keypads, as BAC did last month, is not the answer. The solution and problem is internal, with the Windows XP program that has security flaws and demonstrable holes, which are obviously being used by the next generation of pickpockets. It took a year after the overnight haul of 9.4 million dollars to track down and indict the Estonian hacker and another year to extradite him and a few cronies to the US, where the Justice Department is proudly announcing this event on their web site..and one of the only reasons that he and his gang of merry pranksters were caught is that the cyber-theft occurred in or on US territory, which brought in the FBI and their resources. These latest attacks and the many months of unauthorized cash transfers to Bogota, Venezuela and other countries will likely go unpunished, if not also unsolved. The access points, such as BAC-Credomatic and the 5B vendors acknowledge no responsibility and post no warnings. The issuing banks of the tampered debit and credit cards are taking the financial hammer on the head. How big is it? Who knows? The tourism industry in Guatemala is already at ebb, given the narco news, daily body counts and political shenanigans of the ruling political party. This wave of 21st century electronic thievery does not serve the country well: are we just another Estonia or Bogota? Apparently so, given the level of responses so far. Is BAC just another acronym for Bag All Cash? Does 5B mean ‘˜ Bogota, Banks, Breached, Broke, and Bingo? Are the bells ringing?