back to article FBI cuffs 14 over $1m 'Gone in 60 Seconds' casino scam

US cops have arrested 14 people over an elaborate scam where $1m was stolen from casino kiosks in a scam the FBI has described as ‘Gone in 60 Seconds’ bank fraud. The suspects allegedly stole $1m by exploiting a gap in Citibank’s electronic transaction security protocols in casino "cash advance" kiosks - which required …

COMMENTS

This topic is closed for new posts.
  1. Matt Bryant Silver badge
    Facepalm

    So smart and yet so stupid.

    "....The stolen funds were often used to gamble, leading many casinos to supply the alleged conspirators with free rooms due to their extensive gambling activity, the FBI said......" So, someone in the gang was smart enough to figure out the loophole, but stupid enough to include a load of gamblaholics in the crew? They were just asking for jail-time. A smarter person would have chosen mules from outside the area, brought them in to do the deed and then got them out of the city before they went on a spending spree. A foolish man and his money are soon parted, but a foolish crim and his liberty are sooner.

    1. SamuelB

      Re: So smart and yet so stupid.

      Maybe.... maybe not. The gambling of the money may well have been an attempt to launder it, especially if they gambling it particularly smartly (covering 98% of outcomes on a roulette table for example). I used to work in the gambling industry and you'd be amazed how many people try to push a lot of banknotes through betting firms to clean it up.

      1. GettinSadda

        Re: So smart and yet so stupid.

        Why not just buy chips then sell them back?

        1. SamuelB

          Re: So smart and yet so stupid.

          It's been done - same with Fixed Odds Betting Terminals in betting shops. Feed the machine with £5k of banknotes then print a withdrawal receipt, take it to the counter and collect some nice new banknotes. Betting shop managers have actually got very good at spotting this, and the bookmakers themselves have a legal duty to look for it and report it under the Gambling Act 2006.

      2. TeeCee Gold badge

        Re: So smart and yet so stupid.

        Almost definately.

        ATMs are often loaded with new, sequentially numbered, bills. In such cases the number range of the bills dispensed would be known and any subsequent attempt to use large numbers of them would be spotted immediately.

        Withdrawing them in a casino and immediately chasing them for chips is quite a cunning method of ensuring that there's no chance of the ranges being alerted before the ill gotten gains are someone else's problem.

    2. JS808

      Re: So smart and yet so stupid.

      I'm pretty sure they did that to launder the money.

      But uh...ripping off casinos and then using casinos to launder the money strikes me as fucking dumb. Plenty of ways to launder money that don't involve casinos.

  2. Destroy All Monsters Silver badge
    WTF?

    " conspiracy to illegally structure financial transactions to avoid reporting requirements"

    What the hell is that? Would I be going to club fed if I withdrew USD 9000 twice in a row (even though I know nothing about any "reporting requirements" and haven't signed anything about any "reporting requirements" that I can remember)? Even though several three-letter agencies-cum-gestapo-outfits have the records anyway? What kind of downtrodden people accepts this sh*t without storming Venerable Places Of High Discourse with sharpened showels and lead pipes?

    1. Thesheep

      Re: " conspiracy to illegally structure financial transactions to avoid reporting requirements"

      It depends on if they think you did it deliberately. That would be the structuring part. The banks have a requirement to report transactions totalling over $10 000, even if you do them separately, but if you're smart enough to do it in a non-obvious way so that they don't notice then your dumb enough to go to jail.

    2. Eddy Ito

      Re: " conspiracy to illegally structure financial transactions to avoid reporting requirements"

      It gets worse because it's one of those fuzzy rules. You could deposit $5000.01 one day and withdraw $5000 on the next day and it could easily hinge on whether the bank felt the transactions were suspicious. I ran into this little problem when buying a car as I moved $6k from one bank to another, got a bank check from the second bank 3 days later for $7.5k and got a quick lesson in gubbermint reporting BS from the teller.

      On the upside, if you can call it that, I hear we're not alone as Italy seems to have banned cash transactions over €5000.

  3. Spacedman
    Thumb Up

    Race conditions?

    Is this just a race condition? The machine spits out the cash without getting an exclusive lock on the account? Oh exploitable.

    1. TeeCee Gold badge

      Re: Race conditions?

      No, it's just that the whole process is asynchronous.

      The machine itself can authorise up to X, so if it cannot get a connection to the bank, it'll still dispense up to that (I used to exploit that one in my student days, find one that cannot give a balance and hit it). Above X, it has to check the balance online. Once the cash is dispensed, a message goes back to update the balance, a process that takes a while (a long while in the case of an offline auth).

      Thus given a balance of 1000 quid and twenty people with cloned cards going "3.....2......1......GO" at seperate machines, you can get 20,000 quid. All the machines check the balance online and OK it, the problem only comes to light when the subsequent balance updates take the account 19,000 into the red.

      You have to remember that the mechanisms behind these things were designed for the days of dialup connections and packet switched networks, so realtime interaction and locking wasn't on the cards.

      1. Robert Carnegie Silver badge

        Re: Race conditions?

        With a credit card, aleast in the UK, a facility exists to reserve a sum of money without actually charging it. (I'm not sure what this is actually called.) For instance, a hotel might do this instead of actually charging a deposit against future room charges, or damage. It counts towards you card expenditure limit, though, so it can get in the way of using your card for other things. And sometimes you have a problem with it.

        Implementing a similar feature with these cash machines - you want to draw say $200, so the machine checks your balance, reserves $200, then proceeds to give you money, and finally advises the bank that the transaction has been completed.

        1. Daniel B.

          Re: Race conditions?

          The concept you're talking about exists everywhere (AFAIK), and it's called "pre-authorization". It's specifically used in CCs for the reason you've mentioned: open vouchers at hotels, and car rentals will do it as well.

      2. Anonymous Coward
        Anonymous Coward

        Re: Race conditions?

        The funny thing is that I have seen this before, in the Netherlands - and that was a good 20 years ago (actually, I think it may even have ben before the change to Euro, so it's not exactly a new idea).

        A TV program about banking security asked senior execs if their bank could be hacked. All but one said "impossible", the one exception was one guy who said "there's no such thing as perfect security, but I think we have done our best".

        They were then all shown (on camera) a briefacse full of cash taken from a single account, thus reducing each to a blubbering, protesting heap of lard, again with that one exception who cheerily said "hey, this is new. Let me know how you did this". It happened to be the bank I used (phew)

        Let me give you this timeless quote from alt.sysadmin.recovery:

        I work for an investment bank. I have dealt with code written by stock exchanges. I have seen how the computer systems that store your money are run. If I ever make a fortune, I will store it in gold bullion under my bed. - Matthew Crosby

  4. Anonymous Coward
    Anonymous Coward

    Anyone else thinking one one word? Transactionality? Or an acronym? ACID

    1. Anonymous Coward
      Anonymous Coward

      And typically by acronym I actually mean initialism -_- damn lack of edit function

    2. Phil Endecott

      Transactions

      Yes, this is undoubtedly the *textbook* example of a transaction:

      begin

      if balance < amount abort

      // No-one else changes balance in here!

      balance = balance - amount

      commit

      Presumably, their excuse will be that they're dealing with a legacy system from the 1950s that has to fall back to sending a piece of paper through the post.

      1. Antony Riley

        Re: Transactions

        I suspect the scalability of transactional databases is the problem here, presumably they're queing up 90 seconds of transactions into a bulk transaction and trying to sort the mess out later.

      2. Anonymous Coward
        Anonymous Coward

        Re: Transactions

        The problem is that the time it takes for the ATM to send the message to the back end, the back end to process the full transaction, and send a response to the ATM is longer than the targeted time to complete the transaction the ATM designers have been told to hit. It's not like there is one big server in the middle of the desert somewhere handling all the bank accounts of the world - your ATM may not be talking to the computer that actually tracks your account.

        So the simplistic "lock the account" approach won't work in today's "I HAD TO WAIT A WHOLE MINUTE FOR MY MONEY THIS BANK SUCKS" mindset.

        1. Marcelo Rodrigues
          Happy

          Re: Transactions

          I'm sorry, but it is simply untrue. Take my case, as an example:

          My bank was "Banco Real", at the time. But, basically, any bank in Brazil will do.

          Whenever a do a withdraw (above a given value) the bank sends me an SMS, telling the amount of the transaction. Usually I get the SMS BEFORE the ATM gives me the money.

          The SMS can't have been sent by the ATM - too much trouble to implement this one by one. I don't think there is just one SMS-sending server - but the system is fast enough to track this in real time.

          Trust me, the brazilian bank system is quite agile - something we got from the hyperinflation from the 80's. There was a time where we faced an inflation of over 30% each MONTH. It was madness, I tell you. The one good thing was the bank system we got: heavily automatized and quite fast.

  5. JaitcH
    WTF?

    Who is more guilty? Dumb Citibank or the Perps?

    It is simply mind boggling that, in these days or high speed communications, Citibank is so pig greedy that it waives a basic check?

    Guess it helps when you are running on government money.

  6. lglethal Silver badge
    WTF?

    Um how do you set up a throw away account???

    In all the countries I've ever had banks in (Aus, UK, Sweden and Germany) you have to provide a McTruckload of data to open a bank account! If you dont have at least 3 forms of ID with addresses, etc. then forget it tiger - no bank account for you!

    So how on Earth can you set up a "throwaway" account that you can rip off? Are US laws really that lax?

    1. dssf

      Re: Um how do you set up a throw away account??? Easily...

      The indictment letter will probably include conspiracy with gangs and card cloners, along with contacts inside the DMV. Fake DLs probably are still obtained from DMV employees gone rogue. If not them, then maybe someone has access to a passport employee. If not those, then the bank has lousy ID verification and probably has dirty employees in on such scams.

      Pretty soon, we may all have to submit biometrics to open, maintain, and transfer funds between our own accounts.

    2. Anonymous Coward
      Anonymous Coward

      Re: Um how do you set up a throw away account???

      ID in the US is to a far, far lower standard than it is in most of the rest of the world. Remember most americans don't even have passports, and driving licenses are doled out to 14 year olds at the state level, leaving very very few reliable methods of verifying someone's identity.

  7. Anonymous Coward
    Anonymous Coward

    Bank loses money in Vegas?

    Ok, somehow I don't see this being something I consider to be a bad thing. I've had no love for gambling organizations ever since I've had to stand behind 10 gamblers in line at a convenience store on Saturday with a crying baby to buy him milk. Damn near every one of those people bought 100 tickets or more.

    Citibank placed machines in those casinos knowing damn well their purpose was to support the gambling industry. Screw them.

    1. Anonymous Coward
      Anonymous Coward

      Re: Bank loses money in Vegas?

      Their money they can spend it how they want. if you were stood behind 10 people buying dorito's would you have tortilla hate?

    2. Tank boy
      Childcatcher

      Re: Bank loses money in Vegas?

      Your parenting failures have nothing to do with the criminals exploiting a weakness, then getting caught because of their own stupidity.

    3. Thorne

      Re: Bank loses money in Vegas?

      Reminds me of a quote

      "Give a man a gun and he will rob a bank. Give a man a bank and he will rob the world"

  8. Purlieu

    ATMs are often loaded with new, sequentially numbered, bills

    This is Earth, mate

  9. Chris 228

    They gotta ask...

    The crims when in prison have gotta ask themselves: "Was it worth it" ?

This topic is closed for new posts.

Other stories you might like