During a recent trip to the United States, I was in a car with a friend when she received a phone call from her bank, which asked if she had used her debit card that day to make purchases at a certain store. She said she hadn’t, indicating someone had hacked into her account. By the time we reached our destination, she had managed to clear up most of the problem. It wasn’t the first time it had happened to her.

The speed of the bank’s response could be a reflection of the level of sophistication of cybercrime in America, but it’s surely a function of the primacy of card usage there. In Japan, credit cards are ubiquitous but not used as often by consumers, who still prefer cash, which indirectly explains why it was so easy for thieves to steal more than ¥2 billion from ATMs during a three-hour period last month.

According to the June 7 issue of Shukan Economist, the May 15 operation hit 1,400 ATMs in 17 prefectures for a total of 21,000 separate cash withdrawals. Hundreds of people known as dashiko (literally, “taking out children”), each using 16 counterfeit cash cards, made an average of 13 withdrawals with each card. The maximum ATM limit is ¥100,000 per withdrawal — the highest in the world, by the way — so each card collected ¥1.3 million for an estimated total of ¥20.8 million per dashiko.

The ATMs targeted were located in convenience stores — mainly 7-Eleven’s Seven Bank machines — and post offices because major commercial bank ATMs do not accept foreign credit cards. The ones employed on May 15 used stolen data from South Africa’s Standard Bank. Also, since each dashiko required a certain amount of time to make so many withdrawals, the theft took place in the wee hours of Sunday morning, when few people are up and about and in the way. ATMs in convenience stores and some post offices are open 24 hours a day.

A law enforcement professional told Shukan Gendai magazine that the police were baffled by the crime at first. Though they have credit card fraud teams, they weren’t prepared for such a large coordinated heist. It took time to put together the scenario outlined above, but there were still aspects of the job they didn’t understand. Gendai says that the police think — though they haven’t said so publicly — a Chinese criminal organization carried out the operation, since it followed similar methods carried out in other countries by Chinese groups in the past: Data from a bank in a foreign country is stolen and sent to China where it is input onto magnetic strips on fake cards.

A security expert pointed out to Gendai that Japan was a natural target since other countries already have in place countermeasures that would now make such a crime difficult. The idea was to withdraw as much money as possible in a short period of time to take advantage of lax security, but the criminals still needed a local in Japan who “understood the situation here.”

The tabloid Yukan Fuji reported that this sort of know-how was probably provided by local organized crime syndicates, who may have found dashiko from the ranks of former juvenile delinquents. The police told Fuji that they believe there is still “much more to the crime” than they initially thought.

What’s disconcerting about the coverage is that it shouldn’t have seemed so surprising, since it wasn’t the first time such a theft was carried out in Japan. Last December, Seven Bank ATMs in seven Kanto area prefectures were hit for a total of ¥100 million using data stolen from a financial institution in El Salvador. And one anonymous yakuza source told Fuji that another “large-scale” ATM operation took place earlier this year, though it doesn’t seem to have been reported in the news.

The media doesn’t want to damage the financial industry’s reputation, so stories stressed that Japanese consumers were not harmed by the thefts, since Standard Bank will cover the withdrawals. The dashiko, after withdrawing the cash, were supposed to deposit it back into the same ATMs, albeit sending it to bank accounts that, by the time the authorities traced them, were gone or empty. Shukan Bunshun magazine has reported that some dashiko actually carried all their withdrawn cash with them (and may have even pocketed some of it), thus adding a slightly comic element to the procedure. Also, because the dashiko had so many transactions to make, likely not all were able to carry out as many as planned, meaning the amount that could have been stolen was higher than what the criminals ended up with.

The message conveyed by Reuters but not by many Japanese media outlets is that Japan is way behind the rest of the world when it comes to cybersecurity, as shown last week by yet another huge data leak, this one at Japan Travel Bureau. Banks in the U.S., China and other countries now use ATMs that only recognize cards with integrated chips, because they are harder to counterfeit than cards with magnetic strips. Most bank ATMs in Japan don’t accept foreign cards — not due to security problems but because of the cost and paperwork, and there is pressure to make them accept foreign cards in order to accommodate the greater influx of tourists expected in the lead-up to the Olympics. Since the May 15 heist, Seven Bank has reduced the one-time withdrawal limit to ¥50,000, but holders of Chinese credit cards can still take out ¥200,000 a pop.

The kind of vigilance manifested in the call my friend received from her U.S. bank, even before she noticed anything amiss, has yet to be widely adopted by Japanese financial institutions, though, according to a recent feature on NHK’s morning information program, “Asaichi,” one credit card company has set up a dedicated security room with 130 employees tracking card usage 24 hours a day.

The problem is that the learning curves of financial institutions and Japanese consumers — who are increasingly turning to the internet for purchases — are behind that of cybercriminals, who are constantly thinking of ways to exploit that ignorance. The May 15 heist should be treated as a wake-up call rather than an exceptionally thrilling adventure in larceny.

In a time of both misinformation and too much information, quality journalism is more crucial than ever.
By subscribing, you can help us get the story right.