How could global fraudsters steal $45 million from banking institutions without being detected or stopped? It was a process breakdown, not a technology failure, says fraud expert Avivah Litan of Gartner.
This story first broke in early May, when authorities announced charges against eight individuals in a massive cybercrime operation. Litan was one of the first analysts to discuss the case.
We've seen similar cash-outs in the past. The 2008 RBS WorldPay incident comes to mind, in which fraudsters stole $9 million in a matter of minutes.
How can such heists happen, given heightened awareness of cyberfraud?
"It doesn't look like there were very many controls put in place, both around the internal systems used to manage the cards and on the systems used to manage the disbursements against the cards," Litan says in an interview with Information Security Media Group [transcript below]. "Likely, it's not a technology issue. It's an organizational and a process issue."
In an interview conducted immediately after the cash-out hit the news, Litan discusses:
- The significance of this fraud incident;
- How it likely occurred;
- The security message to banking institutions everywhere.
Litan is an analyst at Gartner and a recognized authority on financial fraud. She has more than 30 years of experience in the IT industry and is a Gartner Research vice president. Her areas of expertise include financial fraud; authentication; access management; identity proofing; identity theft; fraud detection and prevention applications; and other areas of information security and risk. She also covers security issues related to payment systems and PCI compliance.
$45 Million Cash-Out
TOM FIELD: From what you've been able to gather so far, what's the significance of this event that's getting so much attention now?
LITAN: The significance is that this can still happen in 2013, despite the fact that the banks know about these types of heists. Secondly, the amount of money that was stolen in such a coordinated manner really is unprecedented from this type of heist.
FIELD: As someone pointed out to me, you couldn't print money that quickly.
LITAN: That's true. It's much easier to steal digits than it is cash.
Setting the Precedent
FIELD: I started thinking about what the precedent is, and what comes to mind to me is RBS WorldPay. How about to you? Do we have precedents in this type of a heist?
LITAN: Yes, that's exactly the one I thought about. In 2009, they stole about $9 million within a very short period by the same type of tactics against payroll cards, which are essentially prepaid cards, and they did it the same way.
How It Happened
FIELD: That's my next question. How can such a heist like this happen? From what you know, how did it happen?
LITAN: From what I've been told, and from what's been in the news, the criminals broke into two Middle Eastern banks; it may have been their processors. They got into their prepaid systems, lifted the limit on those cards, set the access codes for the plastic cards, just printed ATM cards and went to ATM machines around the world debiting those prepaid cards that had very high values on them.
The lesson learned here is that those systems were not well protected. Some simple controls such as monitoring privileged user access, getting a big alarm bell when someone lifts the limit on the account, could have stopped this, just monitoring the privileged users and looking for limits being lifted. They could have put dual controls around lifting the limits. They could have put controls about withdrawals against those cards. It doesn't look like there were very many controls put in place, both on the internal systems used to manage the cards and on the systems used to manage the disbursements against the cards. Likely, it's not a technology issue. It's an organizational and a process issue.
Message to Financial Institutions
FIELD: Banks are certainly going to be talking about this. Banking customers are going to be talking about this. What's the message to financial institutions from this event?
LITAN: Hopefully the financial institutions around the world are paying attention to this and looking again at their processes, their organization and the technology. Just by putting some basic controls in place and making sure there are people in their organizations that are monitoring the controls, most of this can be avoided with just basic controls, basic technology and good organization.
I think that most of the financial institutions that you and I deal with are up to speed and have learned their lessons. But there's tens of thousands of banks around the world and processors around the world that probably aren't as up to speed because they haven't been subject to as [many] security breaches as we have in the west. There's still a long way to go before the entire global financial system is up-to-date, but hopefully the banks and the processors that are listening to this and are looking at this will just spend a little time reviewing their own processes, making sure this doesn't happen closer to home.