How to Rob Two Arabian Banks of $45 Million Dollars

You can’t pull this off with a ski mask and a gun.  A major bank heist that cleared a $45 million haul from two banks on the Arabian peninsula was pulled off by an international cyber-crime crew during two days, one in December 2012 and and the other in February 2013.  The story reads like a crime novel or Hollywood movie.

First, in December, cyber-criminals gained access to the databases of an Indian company that handles the debit card transactions of the RakBank in the United Arab Emirates.  They were able to raise the available balances to a very large number, and remove the daily limits on withdrawals on a handful of debit card accounts.

Then, using magstripe encoding equipment, they manufactured phony debit cards using anything with a magnetic stripe – expired credit cards, hotel rooms keys, blank gift cards.  Then on December 21, the five compromised account numbers were released to casher crews in 20 countries worldwide, who spent two hours withdrawing $5 million in over 4500 ATM transactions.

Having been successful in their first endeavor, they attacked another bank, The Bank of Muscat in Oman, through their American debit card processing company.  This time they compromised 12 accounts, and the casher crews went out on February 19 for ten hours, making over 36,000 ATM withdrawals, and netting $40 million on the second attempt.

This is a stunning example of how major crime organizations are using the Internet and other networks to break in and steal in a big way.  Significant factors in their success were that they did not attack the banks directly, as the security would be very strong at the banks.  Rather they went after third party vendors who were more easily compromised.  The large worldwide distribution of the crews who actually made the ATM transactions distributed the risk of discovery globally.  The crews on the ground do not appear to have known who hired them, they just simply transferred the money as instructed after keeping their split.  The worldwide nature of the crime made it difficult for the banks in question to call and dispatch police in 20 countries, and even to shut down the operation from their own end, not knowing which accounts had been hijacked.  Overall, a well organized operation.

The police have rounded up most of the New York crew due to their penchant for posting pictures of themselves and their take on Facebook (DUH – that always works).  But most of the players are still in the wind, and it is doubtful, at least at this time, as two whether the ringleaders will ever be identified or caught.

You can read more about this story on Sophos, NY Times, and TechDirt.

Undoubtedly, one of the early steps in this exploit would have had to have been the cracking of administrative passwords on the servers of the targeted companies.  This is why I have been urging my clients to go for longer passwords – 10-15 characters.  Even using sophisticated password cracking machines and software, it takes too long (centuries)to machine crack a 12 character password.  I am sure in both cases the passwords were shorter enough (7-8 characters) that they fell in a a few days or even hours.

The moral of the story – crime DOES pay (sometimes), and if your password is short enough, anyone can break it.


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at

Add a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.