Sunday, May 12, 2013

$45M ATM Heist shows the true potential of Cybercrime

In two separate cyber heists, two Middle Eastern banks lost a combined 45 million US dollars. The first, which netted about $5 million, took place in December 2012, when cybercriminals targeted prepaid MasterCard debit cards issued by the National Bank of Ras Al-Khaimah in the United Arab Emirates. The second intrusion, on February 19-20, 2013, targeted prepaid cards issued by the Bank of Muscat in Oman and netted about $40 million through some 36,000 ATM withdrawals within a span of 10 hours.

Prepaid debit cards are cards onto which money is loaded in advance by the cardholder. In India such cards are commonly used to carry foreign exchange or for corporate rewards. They are identical in appearance and function to credit and debit cards, since they are issued on the Visa or MasterCard networks. Unlike other cards, however, each transaction on a prepaid card is debited from the preloaded balance, and the card must be reloaded once that balance has been spent.

Anatomy of the Attack

Such heists work by altering the balances and withdrawal limits recorded for prepaid accounts in the card processor's database, cloning the corresponding cards, and then withdrawing cash from ATMs in several countries. They rely on both skilled hackers and organized criminal cells whose role is to withdraw the cash as quickly as possible. The heist is set up and controlled by a small set of masterminds who use street criminals called "cashers" around the world to make the withdrawals from ATMs once they have been given the cloned prepaid cards. Cashers keep a cut (roughly 20%) of the cash withdrawn and remit the rest to the masterminds, who track the amount withdrawn from each hacked card to ensure they are not cheated of their share.

In these attacks the hackers broke into an Indian card-processing firm and accessed its prepaid card database, obtaining card numbers and PINs that they used to clone prepaid cards. They were also able to alter the account balances and withdrawal limits in that database, loading higher amounts onto the cards and replenishing them as cash was drawn. The database was hosted by the card-processing company, not by the banks themselves.

In the next phase, they distributed the hacked prepaid card data to trusted associates around the world, who encoded it onto blank magnetic stripe cards (such as hotel swipe cards). Once the cards were prepared, in a globally coordinated operation, the heist organizers distributed the PINs of the hacked accounts to casher cells, who immediately began withdrawing cash from ATMs across the globe.

The banks were blind to these transactions because the prepaid balances held at the processor were not tracked by the banks in real time; the losses would only have surfaced when the accounts were reconciled.
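The blind spot described above, as an added example that is not part of the original post and not any bank's or processor's code: an issuer-side replay of constructed ATM authorization records for one prepaid card, checking each withdrawal against the balance the issuer itself loaded, against a per-card daily limit, and against a simple multi-country velocity rule. The card data, log lines, field names, window and thresholds are all assumptions constructed for illustration; the point is that an independent copy of the balance on the bank's side, consulted per transaction, fires on the second withdrawal rather than at month-end reconciliation.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Issuer-side record of what was actually loaded onto each prepaid card.
# In the heist the processor's copy of balances and limits was altered;
# this independent copy is what lets the checks below fire. Values are
# constructed for illustration (the PAN is a standard test number).
ISSUER_CARDS = {
    "4111111111111111": {"loaded_balance": 500.00, "daily_limit": 1000.00},
}

# Constructed authorization log lines, not real data:
# timestamp,PAN,amount,ATM country (ISO 3166 alpha-2)
SAMPLE_AUTH_LOG = [
    "2013-02-19T22:00:10Z,4111111111111111,400.00,US",
    "2013-02-19T22:01:45Z,4111111111111111,400.00,US",
    "2013-02-19T22:03:02Z,4111111111111111,380.00,JP",
    "2013-02-19T22:04:30Z,4111111111111111,400.00,RU",
    "2013-02-19T22:05:55Z,4111111111111111,400.00,GB",
    "2013-02-19T22:07:20Z,4111111111111111,400.00,US",
]

VELOCITY_WINDOW = timedelta(minutes=10)   # assumed tuning values
MAX_COUNTRIES_PER_WINDOW = 2


def parse_auth(line):
    """Split one CSV log line into (timestamp, pan, amount, country)."""
    ts, pan, amount, country = line.strip().split(",")
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), pan, float(amount), country


def authorize_stream(lines, cards):
    """Replay authorizations in order and return one decision per line.

    Every line is assumed to have been approved by the processor (as in
    the heist), so spend keeps accumulating; each decision records which
    issuer-side rules would have fired at that moment.
    """
    spent = defaultdict(float)      # pan -> cumulative withdrawals today
    recent = defaultdict(list)      # pan -> [(ts, country)] inside the window
    decisions = []
    for line in lines:
        ts, pan, amount, country = parse_auth(line)
        rules = []
        card = cards.get(pan)
        if card is None:
            rules.append("unknown_card")
        else:
            spent[pan] += amount
            if spent[pan] > card["loaded_balance"]:
                rules.append("over_balance")
            if spent[pan] > card["daily_limit"]:
                rules.append("over_daily_limit")
        # Drop withdrawals that fell out of the sliding window, add this one,
        # then count distinct countries seen for this card inside the window.
        recent[pan] = [(t, c) for t, c in recent[pan] if ts - t <= VELOCITY_WINDOW]
        recent[pan].append((ts, country))
        if len({c for _, c in recent[pan]}) > MAX_COUNTRIES_PER_WINDOW:
            rules.append("multi_country_velocity")
        decisions.append({"ts": ts, "pan": pan, "amount": amount,
                          "country": country, "approved": not rules, "rules": rules})
    return decisions


def exposure_beyond_balance(decisions, cards):
    """Cash paid out over what the issuer actually loaded, per known card."""
    paid = defaultdict(float)
    for d in decisions:
        paid[d["pan"]] += d["amount"]
    return {pan: round(total - cards[pan]["loaded_balance"], 2)
            for pan, total in paid.items() if pan in cards}


if __name__ == "__main__":
    decisions = authorize_stream(SAMPLE_AUTH_LOG, ISSUER_CARDS)
    for d in decisions:
        verdict = "approve" if d["approved"] else "DECLINE " + ",".join(d["rules"])
        print(f'{d["ts"]:%H:%M:%S} {d["country"]} {d["amount"]:7.2f} {verdict}')
    print("paid out beyond loaded balance:", exposure_beyond_balance(decisions, ISSUER_CARDS))
```

Only the first withdrawal in the sample would be approved; the second already exceeds the loaded balance, the third the daily limit, and the fourth trips the country-velocity rule. A processor whose own balance table has been rewritten cannot make this call; the bank can, but only if it keeps its own copy of the loaded amounts and is consulted before the cash is dispensed.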


An analysis of the heist provides us with several valuable insights:

Firstly, it demonstrates the global nature and complexity of cybercrime. The heist involved several layers of intermediaries: the organizers, the hackers, and casher rings across the globe. It involved over a hundred people, was executed in a short time window, and required a sophisticated money-laundering operation to remit the cash back to the organizers. All of this is ample testimony to the technological sophistication, coordinated logistics, and financial planning of today's cybercriminals.

Secondly, it highlights the failure of the financial industry to come together and share information that could prevent recurrences of similar heists. In this case, the heist against the first bank was repeated two months later against a second.

Thirdly, it is obvious that the security controls in place were inadequate to protect the bank from this type of fraud. Failures would have occurred at multiple levels, from inadequate risk assessment to ineffective security controls. In my experience, such failures are mostly due to a lack of appreciation of the business risk and a failure to transfer that context to outsourcers. It may well be that in this case the outsourcing firm strictly followed all the security processes laid down by the bank and still got hacked, because there was no partnership in understanding the business context.

Fourthly, it is a rude awakening to the scale of cybercrime today. At $40 million, the second heist alone is comparable to the largest bank robberies the world has seen.

And lastly, we still continue to use magnetic stripe cards, which made it easy to distribute the stolen prepaid card data as a short string and write it onto blank cards for the heist, while safer options such as chip-and-PIN cards are available.
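To show why a stripe is so easy to distribute and re-encode, an added example that is not from the original post: a parser for the ISO/IEC 7813 Track 2 data a magnetic stripe carries, with a Luhn check on the PAN and a reading of the three-digit service code, which is what tells a terminal whether the card has a chip and whether cash withdrawal is allowed. The sample tracks use standard test PANs with constructed expiry, service code and discretionary data; they describe no real card.

```python
import re

# Track 2 layout (ISO/IEC 7813): start sentinel ';', PAN (up to 19 digits),
# field separator '=', expiry as YYMM, a 3-digit service code, discretionary
# data (where issuers usually place the stripe's CVV1), end sentinel '?'.
# A stripe writer takes exactly this string as input, which is why the
# stolen data could be passed around as plain text and written to blanks.
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?$")

# Constructed sample stripes using standard test PANs; not real cards.
SAMPLE_TRACKS = {
    "magstripe_only": ";4111111111111111=17121010000123456?",  # service code 101
    "chip_card":      ";5555555555554444=18062010000987654?",  # service code 201
    "no_cash":        ";4111111111111111=17121220000123456?",  # service code 122
    "bad_luhn":       ";4111111111111112=17121010000123456?",
}

# Service code digit 1: interchange rules and whether a chip is present.
INTERCHANGE = {
    "1": "international", "2": "international, chip preferred",
    "5": "national", "6": "national, chip preferred",
    "7": "private / closed loop", "9": "test",
}
# Service code digit 2: authorisation processing.
AUTH_PROCESSING = {
    "0": "normal", "2": "online authorisation required",
    "4": "online authorisation required unless bilateral agreement",
}
# Service code digit 3: (description, cash allowed, PIN required).
ALLOWED_SERVICES = {
    "0": ("no restrictions, PIN required", True, True),
    "1": ("no restrictions", True, False),
    "2": ("goods and services only", False, False),
    "3": ("ATM only, PIN required", True, True),
    "4": ("cash only", True, False),
    "5": ("goods and services only, PIN required", False, True),
    "6": ("no restrictions, PIN where feasible", True, False),
    "7": ("goods and services only, PIN where feasible", False, False),
}


def luhn_valid(pan):
    """Standard Luhn mod-10 check over the PAN digits."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_valid_track2(raw):
    return TRACK2_RE.match(raw) is not None


def parse_track2(raw):
    """Decode one Track 2 string into its fields and service-code meaning."""
    m = TRACK2_RE.match(raw)
    if m is None:
        raise ValueError("not a Track 2 string")
    svc = m["svc"]
    desc, cash_allowed, pin_required = ALLOWED_SERVICES.get(
        svc[2], ("reserved", False, False))
    return {
        "pan": m["pan"],
        "luhn_valid": luhn_valid(m["pan"]),
        "expiry": f"{m['exp'][2:]}/{m['exp'][:2]}",   # YYMM -> MM/YY
        "service_code": svc,
        "interchange": INTERCHANGE.get(svc[0], "reserved"),
        "chip_present": svc[0] in "26",
        "authorisation": AUTH_PROCESSING.get(svc[1], "reserved"),
        "allowed_services": desc,
        "cash_allowed": cash_allowed,
        "pin_required": pin_required,
        "discretionary": m["disc"],
    }


def clone_usability(track):
    """How far a copied stripe gets a casher at an ATM, judged from the
    stripe alone: a chip card's stripe only works where the terminal
    falls back to magstripe; a stripe-only card's copy is the real thing."""
    if not track["luhn_valid"]:
        return "invalid_pan"
    if not track["cash_allowed"]:
        return "no_cash"
    if track["chip_present"]:
        return "fallback_only"
    return "full"


if __name__ == "__main__":
    for name, raw in SAMPLE_TRACKS.items():
        t = parse_track2(raw)
        print(f"{name:15} {t['pan']} exp {t['expiry']} svc {t['service_code']} "
              f"({t['interchange']}; {t['allowed_services']}) -> {clone_usability(t)}")
```

Everything an ATM reads from a stripe-only card is in that one string, so a copy is indistinguishable from the original; with a chip card the service code tells the terminal to use the chip, and the copied stripe is only worth anything where magstripe fallback is still permitted.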
