How Barclays ATM heist was executed

Police say cyber gangs used medical endoscopes in a theft technique known as ATM jackpotting

In Summary

• The high-tech crime tactic has been used to steal more than one million dollars in the US.

• Police are searching for a Toyota Probox that carried suspects.

The Barclays ATM at the Barclays Plaza. The bank has added a video component intended to interact with customers.
Image: JACK OWUOR

Flying Squad officers last evening were searching for a Toyota Probox caught on camera with three men believed to be the cybercriminals who stole more than Sh11 million from four ATMs in Nairobi.

The details emerged as police uncovered the sophisticated technology the criminals used to empty the ATMs.

This loss and the possibility of others could turn into a nightmare for the banking industry in Kenya.

Already, banks are grappling with online hacking that is estimated to have cost the Kenyan economy more than Sh20 billion in 2017 alone.

The high-tech crime, known in cybercrime lingo as ATM jackpotting, has been used to steal more than Sh100 million in the US over the last year.

The Barclays heist was the first major case of ATM jackpotting in Kenya since the crime hit the US last year, the police say.

The Star has established that officers have obtained CCTV footage from the city in which a young man carrying a rucksack was caught boarding a Probox, believed to be a taxi, in South B.

"The malware installers have been clever, using endoscopes (narrow, tube-like medical devices with cameras on the ends typically used to see inside the human body) to look inside each ATM. Once they find a place to attach a computer cable, they sync their laptops to the machine’s computer."
Brian Krebs, an American investigative journalist

Police suspect the man, estimated to be aged between 25 and 30, was part of a cyber gang that emptied three ATMs belonging to Barclays bank of millions of shillings during the Easter holidays.

In ATM jackpotting, thieves install malicious software and/or hardware at ATMs that force the machines to spit out huge volumes of cash on demand.

To carry out a jackpotting attack, thieves first must gain physical access to the cash machine.

From there they can use malware or specialised electronics — often a combination of both — to control the operations of the ATM.

Brian Krebs, an American investigative journalist, explains in an online article how criminals have been stealing millions of shillings from banks in the US through ATM jackpotting.

Yesterday, the Star established that police had obtained CCTV footage from areas adjacent to the ATMs from which three young men are said to have emptied the cash dispensing machines.

The footage has similarities with descriptions of ATM jackpotters in the US.

In one incident, a young man, estimated to be aged between 25 and 30, is seen dressed in a grey cap and a green T-shirt. He is seen carrying a rucksack that police believe was used to carry the money emptied from a cash machine at The Mater Hospital.

The footage was harvested from a building near the hospital, where the man is also seen boarding a Probox which police suspect is a taxi.

In the second footage, the same man is spotted together with two other men also dressed in caps to hide their faces around Kenyatta National Hospital where a second ATM was emptied.

The man in the same green T-shirt and grey cap is seen entering the same Probox.

Police suspect they were leaving the KNH ATM.

Police believe the theft of Sh11.2 million from four Barclays Bank ATMs was an inside job.

They said it probably involved bank employees and workers of a security firm associated with the bank.

The men, who seem to have information about the bank’s ATM security codes, struck two machines in the city and made off with the money.

An ATM at Kenyatta National Hospital was emptied of Sh4.3 million, while another at The Mater Hospital was drained of Sh1 million. 

The KNH theft happened at 11pm on Friday but was reported to the police on Saturday. 

A G4S official identified in police documents as Wilson Mzedi reported the theft to Capitol Hill police station in Kilimani.

He told police that the company got a report from the hospital that the ATM was not working.

A maintenance officer was sent to the site and established that the ATM had been tampered with and Sh4.3 million was missing.

Nickson Oluoch, also an employee of G4S, reported to Makadara police station the loss of Sh1 million from the ATM at The Mater Hospital.

A staffer in the maintenance department who reviewed the machine established that it had been tampered with and cash was stolen.

However, the cash spat out by the machine in ATM jackpotting is not tied to the balance of any one bank account, meaning customers will not have their accounts debited.

Thieves who are successful and remain undetected can walk away with all of the machine’s cash.

"Criminals have been able to find vulnerabilities in financial institutions that operate ATMs, primarily ATMs that are stand-alone," the Secret Service said in a release shared with CNN. "The targeted stand-alone ATMs are routinely located in pharmacies, big box retailers, and drive-thru ATMs."
CNN

Stand-alone ATMs in retail and service outlets are more likely targets, away from a bank’s tighter monitoring and security.

This was also the case in the Barclays theft where the gang targeted ATMs at Kenyatta National Hospital, The Mater Hospital, Mutindwa and Kenya Cinema.

Of the four ATMs, only the one at the Kenya Cinema is situated in the busy CBD, with the others being remotely located in the city.

Last January CNN reported in an online article that the Secret Service had warned banks in America about the new hacking scheme.

The news agency reported that to execute the cyber attack, a thief needs physical access to an ATM and will use malware, physical hacking tools, or both, to take control of the machine and force it to dispense cash quickly.

If it works, cash pours out of the ATM as if the hacker had won a jackpot.

The Secret Service said criminals associated with jackpotting can be individuals or organised crime groups.