Over 100 people have been arrested in a bank fraud scheme at Santander Bank. The core of the arrests were made in New Jersey; however, there were also incidents in Staten Island and Connecticut.

The ATM Hack

A glitch specific to Santander Bank’s ATMs was “discovered”: by clicking through a series of steps, a customer could make repeated ATM withdrawals of $200 from prepaid debit cards, even though the funds did not exist.

According to the NY Post and another article from the Independent:

“This is the beginning, you put your pin in and everything,” the man can be heard stating in the video, before instructing viewers to then click the withdraw and checking buttons on the ATM.

“You click $200. After you click $200, you go back. Click other, customize withdrawal. You click choose your own mix,” the man continues to explain. “Press the $20 option one time. Once you see that 11 you know you lit.”

The Arrest of Dozens, perhaps over 100

Dozens of people are under arrest in relation to this fraud. Curiously, the arrests are of people that came out of New York City and hit ATMs in New Jersey, Staten Island, and Connecticut.

Why I think there is much more to this fraud story

In my years of security studies, I have become more suspicious of covert, sub-surface work of criminals and intelligence agencies.

The story seems easy enough: a “glitch” was discovered by some unnamed person in a video and lines began to form outside ATMs with people withdrawing hundreds of dollars at a time. An astute police officer sees the lines, acts quickly to break the case, and helps Santander Bank stop the thefts before they rise above $250,000. End of story.

Not really. To begin with, why would a criminal who discovered such a fantastic goldmine of a glitch be so quick to give that hack away? He could have withdrawn the money by himself for days, potentially even months, before the fraud was discovered. Adding people to the mix, most likely sloppy people who will line up conspicuously outside dozens of ATMs to withdraw money, is not a criminal’s move. Criminals are greedy. They won’t share their secrets that easily when their own money is on the line.

What I Think

There are many more areas to investigate in this crime:

  1. Where did this glitch come from? Was it a mistake in the code by a developer? Maybe. It is also possible a developer made this “mistake” intentionally so that it could be used later. Perhaps for him/herself, perhaps for a criminal organization. Find the software developer, and take a look at their finances and credit history.
  2. The video: was it a smokescreen for an organized effort or just some hacker who felt like sharing?
  3. Were the people involved independent, or mules for a larger, more coordinated effort? This has been the case in a number of credit card frauds, so why not this one?

The Implications

In conclusion, I think this fraud has a much deeper level to it which should be looked into. It raises a number of questions concerning the software development quality assurance (QA) process at Santander. If I were on their cyber team, I would already be conducting code audits to determine when that glitch was added. Even more so, it shows the depth of what an “insider threat” may look like in any organization. It is important to always operate your business as if this threat exists. It is also important not to alienate your staff with high amounts of suspicion and painful processes. Process automation and good QA all play a role. So does pattern analysis. The bank should have something that recognizes unusual behavior at ATMs. A line of people at a bank making the same transaction is definitely a pattern. I was surprised when I heard that the first person who noticed this was a local police officer.
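One way to sketch the pattern analysis suggested above, as an added example that is not from the original post or from Santander: a sliding-window check that flags an ATM when several prepaid cards make the same withdrawal repeatedly in a short period. The log format, thresholds, ATM IDs, card IDs and dates are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # assumed look-back window
MIN_TXNS = 6                    # assumed: identical withdrawals inside the window
MIN_CARDS = 3                   # assumed: distinct cards behind those withdrawals

# Constructed sample log: timestamp,atm_id,card_id,card_type,amount
SAMPLE_LOG = """\
2024-01-01T09:00:00,ATM-A,card-001,prepaid,200
2024-01-01T09:02:00,ATM-A,card-001,prepaid,200
2024-01-01T09:04:00,ATM-A,card-002,prepaid,200
2024-01-01T09:06:00,ATM-A,card-002,prepaid,200
2024-01-01T09:08:00,ATM-A,card-003,prepaid,200
2024-01-01T09:10:00,ATM-A,card-003,prepaid,200
2024-01-01T09:00:00,ATM-B,card-101,debit,200
2024-01-01T10:30:00,ATM-B,card-102,prepaid,200
2024-01-01T12:15:00,ATM-B,card-103,prepaid,60
2024-01-01T15:40:00,ATM-B,card-104,prepaid,200
"""

def parse(line):
    """Split one constructed log line into typed fields."""
    ts, atm, card, ctype, amount = line.strip().split(",")
    return datetime.fromisoformat(ts), atm, card, ctype, int(amount)

def detect_clusters(lines):
    """Return sorted (atm_id, amount, first_alert_time) tuples for ATMs where
    identical prepaid withdrawals from several cards cluster in one window."""
    windows = defaultdict(deque)  # (atm, amount) -> recent (timestamp, card)
    alerts = {}
    for ts, atm, card, ctype, amount in sorted(parse(ln) for ln in lines if ln.strip()):
        if ctype != "prepaid":
            continue  # the scheme described on this page used prepaid cards
        key = (atm, amount)
        win = windows[key]
        win.append((ts, card))
        while ts - win[0][0] > WINDOW:  # drop events older than the window
            win.popleft()
        distinct_cards = {c for _, c in win}
        if len(win) >= MIN_TXNS and len(distinct_cards) >= MIN_CARDS:
            alerts.setdefault(key, ts)  # keep only the first alert per ATM/amount
    return sorted((atm, amt, ts.isoformat()) for (atm, amt), ts in alerts.items())

if __name__ == "__main__":
    for alert in detect_clusters(SAMPLE_LOG.splitlines()):
        print("ALERT", alert)
```

ATM-A is flagged at the sixth identical withdrawal, while ATM-B's scattered traffic across the day is not.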


