• United States




$45 million in cash stolen? That’s chump change

May 14, 20134 mins
CybercrimeData and Information SecurityHacking

Last week's ATM theft of $45 million in cash made the headlines -- but the real security problem is so much bigger

The world was abuzz last week because midlevel hackers stole $45 million in 10 hours. While that figure is nothing to laugh at, it pales in comparison to the bigger issue of how easy it is to commit online fraud — and how insanely large the numbers are.

For example, one of the latest scams is for criminals to file online tax returns claiming large tax refunds on behalf of innocent victims. Gangs of low-level cyber criminals collect victims’ Social Security numbers and other identity information. Then they file online tax claims requesting big refunds and receive payment in the form of hard-to-track debit cards (much like how the $45 million was delivered).

[ 5 hot security defenses that don’t deliver | Mobily seeks U.S. hacker’s help to build mobile spying system | Keep up with key security issues with InfoWorld’s Security Central newsletter. ]

The IRS admits it paid about $1.4 billion in fraudulent IRS returns in one year alone. Innocent taxpayers usually don’t notice they’ve been robbed until they file their legitimate return and get turned down for filing duplicates. After each side figures out that a fraudulent return is involved, it can take from six months to a year for legitimate taxpayers to get their refunds. As of 2012 (the latest stats I could find), the IRS had 650,000 outstanding fraud investigations. If you put these facts together, legitimate taxpayers are out another $1.4 billion of their refunds. That’s $2.8 billion in total fraud each year due to “hackers” who typically do nothing more than know how to type.

The problem is so rampant in south Florida, where I live, that cops are trained to look for IRS debit cards when they stop suspected gang members and drug dealers. It turns out that IRS debit cards represent a bigger business with lower risk then selling drugs.

But IRS fraud is a small part of the story. Five years ago when I was consulting for the nation’s banking regulators, I asked how big Internet banking fraud was. At first I couldn’t get an answer, but later on a senior auditor told me that fraud amounted to 6 percent of revenue at some banks, though only half of that was Internet-related versus traditional fraud.

That’s a mind-blowing statistic. Banking is measured in the trillions of dollars. Recently a single large bank made $24 billion in one quarter alone. If you take 3 percent (half of 6 percent from total banking fraud) that suggests hundreds of millions of dollars are being stolen each day.

I’ve talked to a few other notable industry experts to get a feel for how much money is being stolen across the Internet. I asked if it’s likely to be $100 million a day; both parties agreed that the real figures are in that range.

What is $45 million stolen in a day? Apparently only half a day’s work!

A single hacked password resulted in the U.S. stock market losing over 1 percent of its value in a few seconds. Again, we’re talking billions of dollars –$136 billion to be exact in seconds. Most of the dropped value was restored, but it doesn’t take an expert to realize the same thing can happen again, when it may not be as easy to recognize and untangle.

Industry experts estimate that nearly one-fourth of all adults in the United States have their digital identity stolen each year. APTs (advanced persistent threats) have compromised most large companies in the world. They’ve gotten away with patent information, corporate secrets, military plans, encryption keys, access to the nation’s critical infrastructure, and whatever you want to imagine. It’s only slightly hyperbolic to say they have the world’s intellectual property.

I still come across friends and acquaintances who were robbed of tens of thousands of dollars through fake Internet sales transactions. People I know have had their life savings wiped out forever. There is no entity that can untangle the transaction. It’s gone. Poof! In fading electronic bits and bytes.

When I tell people the real numbers and problems related to Internet crime, they are always shocked. Then I tell them it’s been this way for almost a decade — and the problem appears to be getting worse.

So when you hear about the latest big hack attack that snatches tens or even hundreds of millions of dollars, just remind people that the real figures of Internet crime are much worse. And nothing we are doing now is going to stop the next big one.

This story, “$45 million in cash stolen? That’s chump change,” was originally published at Keep up on the latest developments in network security and read more of Roger Grimes’ Security Adviser blog at For the latest business technology news, follow on Twitter.


Roger A. Grimes is a contributing editor. Roger holds more than 40 computer certifications and has authored ten books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. He specializes in protecting host computers from hackers and malware, and consults to companies from the Fortune 100 to small businesses. A frequent industry speaker and educator, Roger currently works for KnowBe4 as the Data-Driven Defense Evangelist and is the author of Cryptography Apocalypse.

More from this author