Hilary Swift/The New York Times/Redux

In the video, three grown men stand in the back of a mostly empty bodega around an ATM, a fat stack of dollar bills on a shelf beside them. The location is nondescript; the store appears stocked with everyday goods like pasta, cooking oil, and plastic cutlery. But the thousands and thousands of dollars in $20 bills, which one man picks up and fans out for the camera, is anything but normal for the setting. Debit cards do not usually allow account holders to withdraw more than about $1,000 in cash a day. Using a Visa DashPay card, which is briefly visible in the video, the men were pulling every dollar out of the machine.

It was the weekend of July 11, and similar scenes were taking place in bodegas and delis across New York City. In the span of about 48 hours, some $17 million was taken from ATMs in a heist that led to a frenzied black market and social-media pandemonium. The mechanism was the prepaid DashPay debit cards issued to teens enrolled in a city-sponsored job program. It turns out the cards featured a lucrative technological glitch: They could withdraw unlimited amounts of cash.

Dating back to the 1960s, the city-sponsored job program, called the Summer Youth Employment Program, has connected low-income youth ages 14 to 24 to paid work and early career opportunitiesfor six weeks in July and August. To pay the teens, the program issues prepaid debit cards, which allow younger kids who do not yet have a bank account to access their earnings. On July 11, the program’s first payday, kids took their debit cards, issued by a payments company called Dash Solutions, to ATMs around the city and withdrew cash, up to a limit of $200 or so. When they went back for more money, the teens noticed that the balance on the screen did not decrease, according to program directors. So they took out more cash — and then even more. Then they started spreading the word on Instagram and TikTok.

Card scams that take advantage of an overlooked glitch in a company’s payments system are not uncommon. Last year, in what became known as the Chase “infinite money glitch,” account holders stole hundreds of thousands of dollars over a few weeks in August after instructions for check-kiting went viral on TikTok. These customers deposited fake checks into their Chase accounts, then withdrew the money before Chase could confirm the checks were bogus. Pretty much everyone got caught.

Like the Chase infinite money glitch, the DashPay debacle expanded rapidly once it hit social media. Soon, adults were offering the SYEP teens up to $1,000 for their prepaid cards with seemingly unlimited balances. By Saturday, independent ATM operators in the city faced a flood of suspicious activity reports.

Youssef Mubarez is the chief operating officer of a company called ATM World, which owns more than 1,000 ATMs in the city, over 75 percent of which are located in bodegas. He got a call from his brother-in-law, who runs a separate ATM business, alerting him that a large amount of cash was coming out of his machines through just one card. “When you see one card taking out $7,000, you’re freaking out,” Mubarez said on the phone.

Mubarez and his brother-in-law reached out to the payment processor — the intermediary that facilitates ATM transactions between account holders and the banks — who said there was nothing they could do because the withdrawals were approved transactions. It was a Saturday, when banks are closed, so the brothers-in-law couldn’t stop the bleeding right away. “We had 50, 60, 70 machines hit overnight,” Mubarez said. With tens of thousands of dollars in the machines, it seemed like a potential extinction event. He said that ATM World alone was “jackpotted” — the industry term for ATM theft — for $700,000 that weekend.

Eventually, the brothers-in-law went on social media and found the video of men fanning out thousands of dollars withdrawn using a DashPay card, likely from one of their companies’ ATMs in the Bronx. With the banks offline, they teamed up with their competitors to get the processor to stop issuing money through the DashPay cards. Heidi Chan, the CFO of Access One ATM, said Mubarez is the one who informed her of the problem. “People had a lot of anxiety that weekend,” Chan said. Together, they realized the cards all had the same bank identification number, the first four to six digits, which identify the financial institution that issued the cards. “We were able to identify any transactions that were linked to this hack,” she says. By Sunday, the SYEP infinite money glitch was over.

The SYEP kids were able to see their account balances on their phones, like one can with a banking app. And when they returned to their programs on Monday, many were shocked to see huge negative balances on those accounts, the numbers displayed in the stressful red text that indicates debt. One video that went viral showed a 17-year-old on the verge of tears after learning that his account had a $15,000 negative balance because he sold his SYEP card to someone he met on social media for $500. “He took everything for himself,” the teen says in the video. With his $500, he had purchased a better mic for recording videos.

The kids who overdrew their accounts are now facing uncertain consequences. A staffer at one of the larger SYEP affiliates in Brooklyn said “their paychecks are basically frozen” because their accounts have been flagged for suspicious activity. “I’ve been telling them straight up, ‘I don’t know if you were involved — I don’t want to know — but if you’re not getting your money, that’s probably why,’” she said. Of the 3,000 kids in her program, about 50 have negative account balances related to the scam. “The ones who got scammed were the 16-year-olds because they don’t know any better,” she said. “They really just thought it was free money.” Two SYEP-affiliate staffers I spoke to said they have advised program participants not to wear their SYEP shirts in public so they don’t get robbed by anyone who may have heard about the scam and assumes they have money. It’s a real concern because even after the glitch was corrected, the DashPay legend ran wild on social media; influencers who weren’t in the program began posting about it to ride the wave of attention, recreating scenes of kids fiending for DashPay cards. A 15-year-old rapper from Brownsville, Baby Gee, recorded a song for the scammers after seeing the video of the 17-year-old with the $15,000 debt. (Lyrics include “Made a pack off a glitch, no joke” and “So much green, you could call me Luigi.”)

In a statement to New York, the city claimed that the NYPD’s financial crimes unit was investigating the theft. The city added that no taxpayer funds were lost in the scam. The financial crime unit did not respond to requests for comment, but its work appears straightforward: The ATM providers have the identifying card numbers for all the suspicious transactions, with accounts that are linked to the kids’ names and Social Security numbers. In past scams like the Chase infinite money glitch, the bank had to sue perpetrators to get its money back. Chan, of Access One ATM, thinks the issuer, Dash Solutions, will inevitably “go after the cardholders because the cardholders got the cash.” That means the teens could be left holding the bag, although it’s possible the city will have to eat the balance of the mistake rather than saddle teenagers with five-figure debts. How the glitch occurred is not yet clear; Dash Solutions did not respond to requests for comment.

“We are deeply disturbed by scammers preying on our participants just as they started their work assignments to support themselves and their families,” a spokesperson for the agency that oversees SYEP said in a statement. They added that the program is, in part, designed to teach “financial literacy” to its 100,000 or so participants. This summer, they got quite the crash course.

From Intelligencer - Daily News, Politics, Business, and Tech via this RSS feed