800 hunted in ATM scam - 12 charged with larceny

[ramesh]

800 hunted in ATM scam - 12 charged with larceny
published: Thursday | January 8, 2004

By Nagra Plunkett, Staff Reporter

WESTERN BUREAU:

THE POLICE are now hunting 800 bank customers islandwide, and the Fraud Squad has already levelled charges against 12 persons alleged to have fleeced the Trinidadian-owned RBTT Bank of an estimated $23 million.

Criminal charges were laid Wednesday against Bjorn McHardy, 20, Trevor Chin, 25, Andre Brown, 22, Anthony Chen, Gregory Scarlett, 23, Frank Chambers, 30, Maurice Ottey, 28, Christian Fray, 20, Nicholas Rasinski, 22, Anthonile Tenant, 19, all of St. James addresses, and Omar Messam and Omar Hennis, 21, both of Kingston addresses. The 12 have all been charged with simple larceny.

A 1995 Honda Civic and $1 million in cash were reportedly recovered from Messam, who was picked up by the police in Spanish Town, St. Catherine. Messam had reportedly bought the car with monies he got from the ATM.

Chin was also charged with conspiracy to defraud and receiving stolen property, as according to the police, most of the money stolen in Montego Bay was found in his possession.

The accused men were each offered station bail in the sum of $150,000 and are booked to appear in the Half-Way Tree Resident Magistrate's Court on Friday.

DEEPER INVESTIGATIONS

The Fraud Squad began its investigations in Montego Bay after it was reported to them that the RBTT's branch, in the western city, had been robbed of nearly $4 million by account holders in St. James.

Investigations later revealed that the theft, which occurred between December 25 and December 26 last year, amounted to more than $20 million and extended across the island.

The police believe persons used their RBTT debit cards to withdraw monies that were not in their personal accounts.

Investigating officer, Detective Inspector Fitz Bailey, told The Gleaner that $3 million of the money stolen in St. James has been recovered, which puts the total recovered to about $4 million.

[Nastrodamus]

I think NCB is the only commercial bank that was not affect....Scotia keeping quiet to maintain confidence with their customers.

From my sources... Scotia has been feeling the sting of these people for a while and wanted to catch them. However with the Scotia senario, the amount of cash that could be taken by each card was limited and Scotia was freeze that account each time (lets say a day later), pending further investigation.

With the RBTT senario, on Christmas day, all hell broke loose. Some how, a person could use any 4 digit number as a PIN to enter the account. Withdrawal glory for the Criminals.

I am thinking Active Directory (or some thing like it) went down... so there was no way to authenticate the user accounts network. My theory, unless ABM techonogy is totally different. It would be some thing like that.

Man I need to do my CISCO cert. (Man tech_guru muss bex wid mi....)

Man the Tech Support Group must be having a headache....

[Gillion]

No engineer can predict every conceivable flaw in her work.

The fact is it takes lots of debugging and testing to make something like an ATM Jamaican proof.

Early ATM's were easy pickings especially for people who knew anything about computers. Now its a lot more secure.

What most people fail to realise is that ATM's take your picture when you stick a card in it and when you withdraw. So thats why getting caught will be easy.

I beleive ATM security to be pretty effective. Unless the card is stolen and you know the pin and unless you hide from the camera... you can get away scott free.

The next step is to lock the door of the ATM cubicle and call the cops if the machines suspect your card of being fraudulent ;D
Shatter proof glass and doors... man... automated imprisonment.

.. endofmyparanoid2cents ..
--Gillion

[BlackCryptoKnight]

According to police reports, during the period December 23 to 26, 2003, certain RBTT debit cardholders were able to access unauthorised cash through the Multilink network via ATMs owned by other financial institutions. The unauthorised access resulted from a glitch in the RBTT's system.

"The system was changed on December 23, and this was done and co-ordinated by our people and the U.S.-based software provider. The change was not done 100 per cent as it should have been, and the problem affected mainly ATM machines owned by other banks where the messages sent via the communication system to the ATM machines used by other banks were not received," Mr. Sinanan explained.

"As soon as the problem was identified on December 26, it was addressed and corrected and the system has been fully operational since that time. We have implemented additional control measures to prevent any similar recurrence in the future."

According to Mr. Sinanan, an incident of this nature happened before with 'the market in Trinidad'.

http://www.jamaica-gleaner.com/glean...ews/news2.html

This is very interesting...

1. The "glitch" appeared to be due to a system upgrade which was not completed properly or on time.
2. A similar situation has apparently occured with RBTT in Trinidad.

With the RBTT senario, on Christmas day, all hell broke loose. Some how, a person could use any 4 digit number as a PIN to enter the account. Withdrawal glory for the Criminals.

Now if this scenario was so, there would have had to be breakdowns in different places:

1. The PIN authentication mechanism had to have failed.
2. Their internal banking system messed up and allowed unlimited cash withdrawals.

I would hate to be a member of the RBTT IT department who was involved in that upgrade. I suspect there are gonna be a few vacancies there soon. :-\

This scenario brings to the fore a few important issues:

- Risk assessment and management in IT projects
That upgrade would involve certain risks which should have been identified early and managed.
- Quality assurance in projects
The work should have been completed properly and on time. Measures should be in place to test and verify sucessful
completion.
- The financial impact of security incidents.
Dem lose a whole bag-a-cash :-X plus customer confidence has been seriously damaged. Their image isn't looking too good right now. :-\

Let this be a lesson to businesses in Jamaica - financial institutions especially... take IT security seriously.

[seanbee20]

From what I heard it wasn't the PIN authorization that failed, what I heard was that RBTT's system was sending back response codes indicating success for every transaction even if the customer did not have sufficient funds in their account - I am not saying that this is the reason, but I am just telling you guys what I heard.

[CKnight]

My fellow TechJamaicans, it is with deep sorrow in my heart that I say to you I may not be making any more posts for a long time.

I am reluctant to state why, I will only say that with my new found millions I will hire the best damn lawyers around.

[seanbee20]

You can hire me, I am not a lawyer, but I could put your millions to use ;D

[tech_guru]

[quote author=CKnight link=board=1;threadid=2746;start=0#msg26311 date=1073922328]
My fellow TechJamaicans, it is with deep sorrow in my heart that I say to you I may not be making any more posts for a long time.

I am reluctant to state why, I will only say that with my new found millions I will hire the best damn lawyers around.
[/quote]

Hope you were smart enough not to use your own debit card to give the money back..... ;D ;D

[Nastrodamus]

[quote author=The programmer formerly known as seanbee link=board=1;threadid=2746;start=0#msg26274 date=1073786257]
From what I heard it wasn't the PIN authorization that failed, what I heard was that RBTT's system was sending back response codes indicating success for every transaction even if the customer did not have sufficient funds in their account - I am not saying that this is the reason, but I am just telling you guys what I heard.
[/quote]

Sean...what authenticates this? Kinda trying to hypothesise the root of the issue.

If the program indicates a successful transaction even if funds was unavailable, then the program failed to properly access the database. The database should not allow negative sums in the fields after a transaction. hhhhmmm...

Even so shouldn't then RBTT be able to track every account that did this in the event that the database was working....since now all accounts would have a negative amount? This should be the case if all users were authenticated.

But then if the Database was down, how come it work working new years eve and boxing day but not on christmas?

I was told that the pin thing was the one not working...but then, it wouldn't really allow withdrawal of unlimited cash, as again the database would not allow it.... Unless again the database was down....hhhhmmm this is getting fishy


Apparently there was a communications fault between the multi-link software and RBTT database servers... could this be the case ....


Fellow programs help me out.....

[seanbee20]

No, the program would have accessed the databased correctly, it is just that the response code being sent back was in-correct.

How it works is like this, a man goes to an ATM, tries to draw say 10,000 from his account, a request is sent from the ATM to the multilink terminal (if it is a multilink transaction), the terminal then accesses the persons' balance, if enough funds is in the account a response code indicating success is sent back (I am leaving out the actual code sent back for security reasons) to the ATM, the ATM analyses the response code sees that it is a success code so it dispenses funds.

In the case of RBTT (this is purely speculation from what I heard - do not quote me on this) - the ATM sent the request, RBTT's terminal assumingly checks the database, sees that the person does not have enough funds in the account therefore it does not update the person's balance - therefore the account would never be negative), the problem lies in the response code sent back to the ATM is always the code indicating success, therefore the ATM sees the success code and decides to dispense the funds.

Hope this clarifies my SPECULATION