$45 Million Heist: Lessons for Banks
Massive ATM Cash-Outs Pose Increasing Risks
The greatest lesson banking institutions can learn from the global cyberheist bust federal authorities announced this week: Old attacks always return.
This $45 million ATM cash-out scheme, which hit institutions around the world in two well-coordinated and short-lived strikes, closely resembles attacks the industry has battled in the past - namely the 2008 RBS WorldPay heist and ATM cash-out, which resulted in the theft of $9 million, says financial fraud expert Avivah Litan, an analyst with consultancy Gartner Inc.
"These attacks keep repeating themselves," Litan says. "There are tens of thousands or more financial institutions to attack in this manner across the globe, and there is plenty of fodder for the criminals."
Like the RBS WorldPay heist, this most recent international fraud incident hinged on the breach of payments processors for the theft of card numbers later used to create fake, or so-called "white," debit cards. Those fake cards were later used to withdraw funds from multiple ATMs within a brief period of time.
This cyberheist operation involved hacking into payment card processors' networks, increasing prepaid debit-card limits and speedily withdrawing $45 million from ATMs worldwide, federal authorities say. In the 2008 heist, cyberthieves hacked Atlanta-based processor RBS WorldPay's network to steal card details on debit accounts used for payroll. From there, the group used the stolen card numbers to create white cards that were used to withdraw $9 million from ATMs in 280 cities over the course of a 12-hour period.
Litan says banking institutions can take steps to mitigate their cash-out risks through transaction monitoring and more stringent restrictions on account-limit changes. But the risks posed by payments processors and other third parties are really the areas that need to be addressed first, she says.
"The issue is that many financial-services companies and their processors have not put in all the requisite controls," Litan says. "It's usually not a technology issue - it's more an organizational and process issue. Security is simply not at the top of the agenda until after there has been a breach."
The good news here, however, is that the alleged fraudsters involved in this latest attack were brought to justice quickly, she adds. "This is a very significant bust," Litan says. "I don't recall such a large bust from a scheme of this sort."
ATM cash-out attacks are not easy to pull off, says ATM delivery channel expert Nicole Sturgill, a research director within the Retail Banking & Cards practice at CEB TowerGroup. But when they are successful, they're highly lucrative and often difficult to stop.
ATM cash-out schemes involve a coordinated effort to make withdrawals from multiple ATMs within hours. Fraudsters collect card numbers and PINs over time - either through skimming attacks, network hacks or purchases in underground carding forums - and hold the information until they reach a relatively massive number, Sturgill says.
"The problem is that these types of schemes are happening so quickly that no one has time to respond to any sort of reporting of the issue before large sums of money are already gone," she explains.
Early this year, Visa issued a warning about global cash-out attacks. In a Jan. 10 advisory, the card brand noted that international law enforcement agencies had determined global ATM cash-out schemes could be on an upswing, based on a recent case involving a limited number of stolen payment cards used to conduct thousands of withdrawals at ATMs in numerous countries over the course of a single weekend.
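The transaction monitoring and limit-change scrutiny Litan describes can be expressed as a per-card sliding-window rule over the issuer's or processor's event stream. The Python below is an added example, not code from the article or from any institution named in it; the event field names, thresholds and sample records are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds; tune against the card program's real baseline.
WINDOW = timedelta(hours=2)         # look-back window for withdrawal bursts
MAX_WITHDRAWALS = 5                 # per-card withdrawals tolerated in WINDOW
MAX_COUNTRIES = 2                   # distinct countries tolerated in WINDOW
LIMIT_WATCH = timedelta(hours=24)   # how long a limit raise keeps a card under watch

def detect_cash_out(events):
    """events: dicts sorted by 'ts'. Returns the first alert per card as (ts, card, reasons)."""
    recent = defaultdict(deque)     # card -> (ts, country) withdrawals inside WINDOW
    limit_raised = {}               # card -> time of the last limit increase
    alerted, alerts = set(), []
    for ev in events:
        card, ts = ev["card"], ev["ts"]
        if ev["type"] == "limit_change":
            if ev["new_limit"] > ev["old_limit"]:
                limit_raised[card] = ts
            continue
        if ev["type"] != "atm_withdrawal":
            continue
        win = recent[card]
        win.append((ts, ev["country"]))
        while ts - win[0][0] > WINDOW:          # expire withdrawals older than WINDOW
            win.popleft()
        reasons = []
        if len(win) > MAX_WITHDRAWALS:
            reasons.append("velocity")
        if len({country for _, country in win}) > MAX_COUNTRIES:
            reasons.append("multi-country")
        raised = limit_raised.get(card)
        if raised is not None and ts - raised <= LIMIT_WATCH and len(win) >= 2:
            reasons.append("burst-after-limit-raise")
        if reasons and card not in alerted:     # one alert per card; block it downstream
            alerted.add(card)
            alerts.append((ts, card, reasons))
    return alerts

def sample_events():
    """Constructed sample: CARD-A has its limit raised, then is used in 3 countries in 10 minutes."""
    d = lambda day, h, m: datetime(2024, 1, day, h, m)
    wd = lambda ts, card, cc: {"ts": ts, "card": card, "type": "atm_withdrawal", "country": cc}
    return [
        wd(d(1, 9, 0), "CARD-B", "US"),
        {"ts": d(1, 10, 0), "card": "CARD-A", "type": "limit_change",
         "old_limit": 500, "new_limit": 100000},
        wd(d(1, 10, 30), "CARD-A", "US"),
        wd(d(1, 10, 35), "CARD-A", "JP"),
        wd(d(1, 10, 40), "CARD-A", "DE"),
        wd(d(2, 9, 0), "CARD-B", "US"),
    ]
```

The limit-raise rule fires on the second withdrawal, well before a count-only threshold would, which matters given how quickly Sturgill says these schemes drain funds.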
The Heist and Cash-Out
The U.S. Department of Justice, in its announcement about this latest bust, says eight defendants and their co-conspirators conducted two massive fraud operations to pull the scheme off.
In the first operation, which hit on Dec. 22, the defendants allegedly targeted an unnamed payments processor that processed transactions for prepaid MasterCard debit cards issued by the National Bank of Ras Al-Khaimah PSC, also known as RAKBANK, in the United Arab Emirates.
Once they penetrated the processor's network, the fraudsters compromised the RAKBANK prepaid card accounts, manipulated the balances and withdrawal limits, and then launched a coordinated, worldwide ATM withdrawal campaign using altered prepaid debit cards, authorities say.
In total, more than 4,500 ATM withdrawals were conducted in approximately 20 countries around the world using the compromised RAKBANK debit-card data, resulting in approximately $5 million in losses to the processor and RAKBANK. In Greater New York City, the defendants and co-conspirators conducted approximately 750 fraudulent transactions, totaling nearly $400,000 in just two hours and 25 minutes, prosecutors say.
In the second operation, which occurred Feb. 19-20, the attackers breached the network of a processor that services transactions conducted on MasterCard-branded prepaid debit cards issued by the Bank of Muscat in Oman.
Over the course of approximately 10 hours, so-called casher cells in 24 countries executed approximately 36,000 transactions worldwide and withdrew about $40 million from ATMs, according to the Justice Department. In the New York City area, the alleged fraudsters were able to conduct nearly 3,000 ATM withdrawals totaling nearly $2.4 million in about 10 hours, federal authorities say.
If convicted, each defendant faces a maximum sentence of 10 years in prison on each money laundering charge and 7 1/2 years on charges related to conspiracy to commit access-device fraud and up to $250,000 in fines and restitution.