In just a few hours, POOF. $40 million. Gone. 

In what may be the largest heist of its kind, thieves across two dozen countries made off with $40 million dollars from thousands of atms around the world on February 19. 

In a similar scheme in December, they made off with $5 million.

Here’s how it worked: 

1. Hackers stole prepaid card numbers.

2. They hacked into card processing centers and raised the withdrawal limits on those cards.

3. They made fake cards.

4. They sent legions of thieves out to withdraw money from thousands of ATMS. 

NOT A NEW CRIME

“We’ve seen a pattern in these kinds of attacks in the past few years,” says Tom Cross, director of computer security research at Lancope. “There’ve been a few heists like this one.”

He says what’s surprising about this instance isn’t any technical novelty, but rather “the coordination of the cash out network where large amounts of cash was withdrawn by ATMs by multiple people almost simultaneously.”

A WEAKNESS IN HOW PEOPLE GET ACCESS TO CASH

That card processing centers continue to be subject to – in this case – spectacularly successful hacking is itself a major issue. “It shows a significant weakness in how people get access to cash,” says Ken Pickering, development manager of security intelligence at Boston-based CORE Security. There’s something wrong with “the infrastructure of how transactions are authorized,” he says.

Cross, with Lancope, says there’s another weak link in the chain mail around the world’s cash.

 Many ATMs, he says, don’t talk to each other. “A large financial institution may operate large numbers of ATMs, and can analyze transactions across their network” to detect signs of fraud. But many ATMs are run by small businesses and individuals who are not connected up to a financial institution, so one machine may not know that a card was just used five times at five other machines. “That coordination doesn’t exist today.” 

Pickering adds another weak point to the list: those magnetic strips on credit and debit cards. “Anyone who has access to the swipe or digital readout of the swipe can replicate the card,” says Pickering. In much of the rest of the world, cards use harder to fake embedded chips. 

Replacing those strips would involve changing not only all the cards in the U.S., but also all the readers. 

“I don’t think until fraud hits a certain level would people be willing to incur the cost of that,” he says. He notes that in 2008, credit and debit card fraud was over a billion dollars. “I think we’re getting pretty close.”

Several alleged footmen, responsible for withdrawing cash from ATMs in New York City, have been apprehended. But so far, the masterminds of the scheme remain at large.