Friday, April 9, 2010

Bank of America Employee Charged With Planting Malware on ATMs

A Bank of America worker installed malicious software on his employer’s ATMs that allowed him to make thousands of dollars in fraudulent withdrawals, all without leaving a transaction record, according to federal prosecutors.

Rodney Reed Caverly, 37, was a member of the bank’s IT staff when he installed the malware. The Charlotte, North Carolina, man made fraudulent withdrawals over a seven-month period ending in October 2009, according to prosecutors, who’ve charged him with one count of computer fraud.
The Wired piece continues with more detail:
The charges were filed the same day that credit card company Visa warned the banking industry that Eastern European ATM malware recently showed up in America for the first time.

That code, initially spotted last year on some 20 ATMs in Russia and Ukraine, was designed primarily to capture PINs and bank card magstripe data, but also allowed thieves to instruct the machine to eject whatever cash was still in it. At the time, security firm Trustwave warned that the malware was likely headed for ATMs in the United States.

At least 16 versions of the East European malware have been found so far and were designed to attack ATMs made by Diebold and NCR, according to the April 1 Visa alert.

There is no information tying the malware found in Russia with the malware allegedly used by Caverly. Bank of America did not immediately respond to a call for comment about the case, but told the Associated Press that the bank discovered the thefts internally. Caverly’s attorney did not return a call.

Nick Percoco, vice president and head of Trustwave’s SpiderLabs Incident Response Team, said the malware does sound like it could be the malware found in East Europe or a version of it.

“[Caverly] could have obtained a copy of that and modified it for his own use,” he told Threat Level. “But the ability to dispense cash without recording activity — that was definitely a feature of the East European malware.”
On a related note, police in Alexandria, Virginia, a mere twenty minutes from campus, reported the discovery of an ATM skimming device. According to the Alexandria Police Department, on Sunday, February 28, 2010, an ATM skimming device was discovered at the Wachovia Bank at 3624 King Street. The police noted, "an ATM technician working on the machine found the skimming device. The engineer took photos of the device and went inside the bank to notify the bank’s security office. When he returned a few minutes later, the device had been removed. Several customers have come forward to report fraudulent charges on their bank cards with current losses estimated at over $60,000."

Brian Krebs has extensively covered how criminals have used hardware and software tools to steal ATM card information and PIN codes. Check out his reporting here and here.


Deven said...

Okay, so this really freaked me out. How often do I use an ATM? Not super frequently since I don't buy very much and often use my card, but I am usually more concerned that someone is watching me punch in my PIN or of general robbery than a thief stealing my card information in a discreet way. The physical robbery or observation of a PIN number seems less damaging than the secretive skimmer device recently found in Arlington.

Krebs' blog explains how criminals, in addition to recording data off of the magnetic strip on the card, will plant another device like a hidden camera or a PIN pad overlay to record the PIN. These two pieces of information allow thieves to clone that ATM card and use it to withdraw cash, unbeknownst to the user.

Besides not knowing my information could be compromised so easily and without my knowledge, it shocked me to read about how widely commercially available skimmers are online. The Diebold ATM skimmer identical to the one found attached to the Alexandria ATM is only $1,500! I couldn't believe that low fee and was even more shocked by Krebs' next piece of information: that the thief can have stolen data sent to him from a safe distance via cell phone for a skimmer just a smidge more expensive: $2,000 or $2,500. Considering one could easily quadruple that price tag's cost if he found the ATM card of someone keeping high savings in their accounts, I am a bit flabbergasted.

I really want to learn what these scanners look like so I can be more conscious of my withdrawals, but even Krebs had trouble telling the difference. What are we supposed to do?

Eric H said...

The malware on the ATM is particularly scary because there is absolutely no way for a user to identify the risk. I have heard of devices, especially in Europe, that prevent your card from being ejected from the ATM, but this would obviously alert you to a problem. In the case of a skimmer, I can at least pretend that I might notice the device. I really dislike the thought of not being able to do anything to protect myself.

I also wonder how easy it is to detect malware like this. This Bank of America employee was obviously confident that he would not be caught. In the case of the Russian malware, I seriously doubt that this code was only implemented twenty times if it allowed the user to steal all the cash from an ATM.

Also, is there any recourse for ATM fraud victims? I know that most credit cards have some sort of protection against liability, but I don’t think that this exists for debit cards. In this case, I certainly hope that Bank of America will cover the victims.

Dan said...

Just when I thought that ATM cards have become safer to use on a regular basis, we Americans have once again been proved wrong that our technological world is a safe place. Of course malware that has been used in Eastern Europe, where the economy has been struggling for the last few decades, would try to commit itself into our good ol’ USA. Every time we make steps to stay ahead of the game, there are always a few that are too far ahead of us and we cannot keep up.
What I don’t understand here was how this employee thought that he could possibly get away with this. Did he forget about the fact that more modern ATMs all have video cameras that show who used each machine at a given time? This creates a dilemma that any Bank of America customer needs to be aware of. If this one employee was capable of introducing malware into ATM machines, are there other employees with these capabilities also? As a BOA customer myself, I plan on being much more cautious whenever I take out money these days.

Samuel said...

This article is pretty ridiculous because of the fact that as a Bank of America account holder you have no ability to protect your account in this situation. In other cases we have studied, the individual has fallen prey to phishing attacks or has fallen victim to overconfidence in the Internet's security. But in this case, a staff member of the bank has threatened the security of all account holders, combating our ability to protect ourselves.
The reality is that with the advancement of technology and the sophistication of malware, people will continue to act in self-interest and greed. The charting Cyber Crime article illustrates the vast number of victims that have been affected and the staggering loss of funds. The Cyber Crime article also shows the account holders who had funds stolen, ranging from Western Beaver County School District to the Evergreen's Children's Association. The advancement of technology and the internet has given criminals the ability and the anonymity to rob communities and individuals from their computers at home. I may be wrong, but back in the day, when bank robbers robbed banks they were robbing the banks, not individuals. The bank robbers knew that because they were exposing themselves the robbery came with great risk and that they could not live normal lives after the attempt. However, now criminals can rob a school district or a small business and go about their normal day without breaking a sweat.