In
two separate cyber heists two Middle Eastern banks lost 45 million US dollars. The
first cyber-heist which netted 5 m$, took place on December 2012 where cybercriminals targeted pre-paid
MasterCard debit cards issued by the National Bank of Ras Al-Khaimah in the
United Arab Emirates. While the second intrusion, on Feb19-20 targeted the Bank
of Muscat in Oman and netted a jackpot $40 million in 36,000 transactions
within a span of 10 hours.
Prepaid
debit cards are those cards on which money is preloaded by individuals. In
India such cards are commonly used to carry foreign exchange or for corporate
rewards. They are
identical in appearance and function to credit and debit cards as they are
issued under the Visa or MasterCard platform. But unlike other cards, the
amount transacted under a pre-paid card is debited from the preloaded balance
and requires to be replenished once the amount has been spent
Anatomy of the Attack
Such heist works by altering the credit balances on cloned prepaid debit cards and
then withdrawing the amount from ATM’s in several countries. It relies upon
both highly sophisticated hackers and on organized criminal cells whose role was
to withdraw the cash as quickly as possible. Heists are set-up and controlled by
a small set of masterminds who use street criminals called “cashers” from around
the world to make the withdrawals from ATM’s, once provided with the cloned
prepaid cards. Cashers keep a portion of the fee (approx 20%) and remitted the
rest to the masterminds. The masterminds kept track of the amount withdrawn from
the hacked cards to ensure that they are not cheated of their share.
In
the recent attacks hackers broke into an Indian card processing firm and accessed
the prepaid card database to obtain prepaid card information and access codes
(PIN) which they used to clone prepaid cards. They were able to alter the
account balances and withdrawal limits within the database to load higher
amounts and replenish cards. This database was hosted by the card processing
company and not within the banks.
In
the next phase, they distributed the hacked prepaid card information to trusted
associates around the world who encoded magnetic stripe cards (such as hotel
swipe cards) with the data. Once, the cards were prepared, in a globally coordinated
action, the heist organizers distributed the access codes (PIN) of the hacked
accounts to casher cells who immediately began withdrawing cash from ATM’s
across the globe.
The
banks were blind to these transactions because these are not tracked in real-time
and the losses would only have been found when the accounts were reconciled.
Analysis
An analysis of the heist provides us with several valuable insights:
Firstly,
it demonstrates the global nature and complexity of cybercrime. The heist involved
several intermediaries such as the heist organizers, hackers, and casher rings
across the globe. It involved over a hundred people, was executed in a short
time window and involved a sophisticated money laundering operation to remit the
money back to the heist organizers. All this is ample testimony to the technological
sophistication, coordinated logistics, and financial planning used by
cybercriminals.
Secondly, it points out the inability of the financial industry to come
together and share information which can help prevent recurrences of similar
heists. In this case, the cyber heist on the first bank was repeated a second
time.
Thirdly, it is obvious that there were inadequate security controls to
protect the bank from this type of frauds. Failures would have been at
multiple levels from inadequate risk assessment to ineffective security
controls. In my experience, such failures are mostly due to a lack of
appreciation of the business risk and on transferring this context to
outsourcers. It may so happen that in this case the outsourcing firm strictly followed
all the security processes as laid out by the bank, but still got hacked
because there was no partnership in understanding the business context.
Fourthly, it is a rude awakening to the scale of cybercrime today. At 40
million dollars this heist is comparable to the largest bank robberies the
world has seen.
And
lastly, we still continue to use magnetic stripe cards which facilitated the
easy distribution of prepaid card data for the programming of blank cards used
in the heist, while safer options like chip and pin cards are available.