ATM Cash-Out Strikes Red Cross Accounts
Why Prepaid Cards Are Prime Targets for Fraud
Federal authorities have announced the successful prosecution of yet another member of an international cybercrime ring that's been tied to a global ATM cash-out scheme. This time, the scheme was linked to the exploitation of prepaid cards provided by the American Red Cross to disaster relief victims after the network hack of a payments processor used by the charity, investigators say.
And while prosecutors say this latest prosecution is evidence that international law enforcement collaboration is having a positive impact on thwarting cybercrime and cash-out schemes, some observers say processors will continue to be targeted by attackers.
On July 11, Qendrim Dobruna pleaded guilty to bank fraud charges related to a scheme that resulted in the fraudulent withdrawal of $14 million over the course of two days back in 2011. Dobruna is scheduled to be sentenced Oct. 24. He faces a maximum sentence of 30 years in prison, a fine of up to $1 million and forfeiture of the proceeds of his crimes.
The Red Cross Scheme
In February 2011, Dobruna and his co-conspirators targeted an unnamed publicly traded credit and debit card processing company based in the United States, federal authorities say. This company processed transactions for prepaid debit cards issued by the American Red Cross for disaster relief victims.
After the hackers penetrated the payment processor's computer network and compromised the Red Cross prepaid card accounts, they allegedly manipulated the account balances and withdrawal limits. From there, cashers or runners located throughout the world conducted some 15,000 ATM transactions in approximately 18 countries.
The defendant, also known by the aliases "cl0sEd" and "cL0z," participated in the cyber-attack from overseas by obtaining account information from co-conspirators who hacked the payment card processor's database and sold the compromised account information to other co-conspirators over the Internet, authorities allege.
Prosecutors did not name the breached processor, and the Red Cross declined to comment.
In September 2013, federal banking regulators issued an advisory urging banking institutions to pay more attention to vendor management in light of recent breaches, such as one that compromised core banking and payments processor Fidelity National Information Services, better known as FIS, during the first quarter of 2011 (see FDIC: Improve Vendor Management). FIS acknowledged the network breach in its first quarter 2011 earnings statement issued on May 3, 2011.
Cash-Out Schemes on Rise
While the scheme is just one of many so-called "unlimited operation" ATM cash-out campaigns federal authorities have been focused on over the last year, prosecutors say the guilty plea entered last week by Dobruna proves international law enforcement cooperation is working to take down cybercriminals.
"The defendant and his associates hacked into the global financial system and helped themselves to funds using prepaid debit cards meant for the needy and vulnerable," says New York U.S. Attorney Loretta E. Lynch. "We will continue to work with our private-sector partners to solve these 21st century heists and bring the perpetrators, no matter where in the world they may hide, to justice."
Dobruna was arrested in March 2012 in Stuttgart, Germany, and was extradited by German federal criminal police to the United States.
In announcing the guilty plea, Lynch singled out the efforts of the U.S. Secret Service in investigating what the U.S. Attorney's Office refers to as a "complex network intrusion." The Department of Justice's Office of International Affairs and INTERPOL also were involved in the investigation, Lynch noted.
But despite the success of cross-border investigation and extradition efforts, Andrew Komarov, CEO of cyber-intelligence firm IntelCrawler, says these types of cyberheists and cash-out schemes will continue.
"What can be confirmed is that the bad actors are still hunting for processing networks to intercept communications, extract financial data and create specific malicious code, as was done in the now famous past cases against RBS WorldPay and Heartland Payments," Komarov says.
In 2008, a breach of Heartland Payment Systems resulted in the compromise of 130 million U.S. credit and debit cards. While the compromised cards were not used as part of a coordinated ATM cash-out scheme, the attack was the first card processor breach to attract international attention.
The RBS WorldPay heist of 2008 was the first international ATM cash-out scheme to be identified by authorities. In November 2008, RBS WorldPay, the U.S. payments processing arm of the Royal Bank of Scotland, was hacked and 1.5 million accounts, including prepaid accounts, were compromised. Runners scattered across 280 cities throughout the world withdrew $9 million from 2,100 ATMs over the course of a 12-hour period.
Since RBS WorldPay, attackers have perfected their cash-out schemes by focusing on the compromise of prepaid cards, which give them unlimited access to funds, federal authorities and card fraud experts, such as Ontrack Advisory's Tom Wills, have noted.
"We have seen new schemes emerge," Wills said during an earlier interview with Information Security Media Group. "The hackers break into the card management platform. They steal card numbers and then the balances are inflated. They remove spending limits on these cards ... and then they get ahold of the PINs on those cards."
Tom Wills on unlimited-operation attacks.
Banking institutions need to pay more attention to vendor management if they want to thwart unlimited cash-out schemes, Wills said.
"Banks may be operating their prepaid programs in-house - more common in the biggest institutions - or they may be outsourcing them to a processor," he said. "If outsourced, the security of the bank's prepaid card program is only as good as that of their processor. And if internationally branded ATM cards are used to cash out, then they are also depending on the security of the ATM network and the local ATM acquirer. This is typical of the ecosystem environment in which modern payment systems operate, where no one party is in control of the system. That lack of control definitely extends to security."
So-called "unlimited operations" begin with the hack of a network used to process prepaid card transactions. Once inside the processor's network, hackers eliminate the withdrawal limits set for the prepaid accounts - hence the criminals' ability to make "unlimited" cash withdrawals - and change the security protocols set to alert the bank, processor or prepaid cardholder of suspicious activity.
The compromised card data is then distributed to cells or money mules who use the data to encode fake magnetic-stripe cards that allow them to withdraw unlimited amounts of cash at ATMs until the operation is detected and shut down.
The sophistication of these attack techniques was highlighted in May 2013, when the $45 million ATM cash-out and prepaid fraud scheme involving the hack of an unnamed payments processor and breach of prepaid accounts managed by two Middle Eastern banks came to light (see Detangling the $45 Million Cyberheist).
"These attacks rely upon both highly sophisticated hackers and organized criminal cells whose role is to withdraw the cash as quickly as possible," the Justice Department says.
In January 2013, Visa issued a warning about international ATM cash-out schemes. In the advisory, Visa said card issuers had been asked to increase their monitoring of ATM traffic and report any suspicious activity, especially ATM withdrawals involving prepaid cards (see Visa Issues ATM Cash-Out Warning).
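The two passages above describe the shape of an unlimited operation (withdrawal limits removed at the processor, alerting disabled, then thousands of ATM withdrawals across many countries in a matter of hours) and the issuer-side monitoring Visa asked for. The following is an added example, not code from the article or from any processor, issuer or card network it names, of how an issuer could monitor ATM authorizations against its own copy of each prepaid card's daily limit rather than trusting the processor's copy. All card ids, limits and withdrawal records are constructed for illustration; the 24-hour window and the two-card threshold are assumed tuning values.

```python
"""Issuer-side detection of "unlimited operation" ATM cash-out patterns.

Added example; not the article's code. It assumes the issuer keeps an
independent record of each prepaid card's daily withdrawal limit and
checks incoming ATM authorizations against it, so that a limit removed
at the processor is still caught. All data here is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Issuer-held daily limits (constructed). In practice these come from the
# issuer's own system of record, not from the processor.
ISSUER_DAILY_LIMIT = {
    "prepaid-0001": 500,
    "prepaid-0002": 500,
    "prepaid-0003": 500,
    "prepaid-0004": 500,
}


@dataclass
class Withdrawal:
    card: str
    ts: datetime
    amount: int
    country: str
    atm_id: str


def _t(s):
    return datetime.fromisoformat(s)


# Constructed ATM authorization records. Cards 0001-0003 show the cash-out
# signature (many withdrawals in many countries within hours, far past the
# limit); card 0004 is ordinary domestic use on two separate days.
SAMPLE_WITHDRAWALS = [
    Withdrawal("prepaid-0001", _t("2011-02-20T01:05:00"), 400, "US", "atm-nyc-11"),
    Withdrawal("prepaid-0001", _t("2011-02-20T01:20:00"), 400, "US", "atm-nyc-12"),
    Withdrawal("prepaid-0001", _t("2011-02-20T02:10:00"), 600, "GB", "atm-lon-03"),
    Withdrawal("prepaid-0001", _t("2011-02-20T03:45:00"), 600, "JP", "atm-tok-09"),
    Withdrawal("prepaid-0002", _t("2011-02-20T01:30:00"), 500, "DE", "atm-ber-01"),
    Withdrawal("prepaid-0002", _t("2011-02-20T02:15:00"), 500, "IT", "atm-rom-07"),
    Withdrawal("prepaid-0002", _t("2011-02-20T03:00:00"), 500, "ES", "atm-mad-02"),
    Withdrawal("prepaid-0003", _t("2011-02-20T04:00:00"), 800, "CA", "atm-tor-05"),
    Withdrawal("prepaid-0003", _t("2011-02-20T04:30:00"), 800, "MX", "atm-mex-04"),
    Withdrawal("prepaid-0004", _t("2011-02-20T09:00:00"), 100, "US", "atm-chi-02"),
    Withdrawal("prepaid-0004", _t("2011-02-21T09:00:00"), 100, "US", "atm-chi-02"),
]

WINDOW = timedelta(hours=24)  # assumed monitoring window


def _by_card(withdrawals):
    groups = defaultdict(list)
    for w in withdrawals:
        groups[w.card].append(w)
    for ws in groups.values():
        ws.sort(key=lambda w: w.ts)
    return groups


def rolling_limit_breaches(withdrawals, limits, window=WINDOW):
    """Per card, the peak sum of withdrawals in any trailing `window`,
    compared with the issuer's own limit. Returns {card: (peak, limit)}
    for cards whose peak exceeds the limit."""
    breaches = {}
    for card, ws in _by_card(withdrawals).items():
        limit = limits.get(card)
        if limit is None:
            continue
        peak = running = start = 0
        for i, w in enumerate(ws):
            running += w.amount
            while ws[i].ts - ws[start].ts > window:  # slide window forward
                running -= ws[start].amount
                start += 1
            peak = max(peak, running)
        if peak > limit:
            breaches[card] = (peak, limit)
    return breaches


def multi_country_cards(withdrawals, window=WINDOW, min_countries=2):
    """Cards used at ATMs in at least `min_countries` countries within one
    `window`: the geographic spread of a casher network, not of a cardholder."""
    flagged = set()
    for card, ws in _by_card(withdrawals).items():
        start = 0
        for i in range(len(ws)):
            while ws[i].ts - ws[start].ts > window:
                start += 1
            if len({w.country for w in ws[start:i + 1]}) >= min_countries:
                flagged.add(card)
                break
    return flagged


def unlimited_operation_alert(withdrawals, limits, min_cards=2):
    """Program-level signal: several cards from the same prepaid program
    both breaching their issuer-held limits and hopping countries at once.
    A single card doing this is a dispute; many at once is an operation."""
    breaches = rolling_limit_breaches(withdrawals, limits)
    hopping = multi_country_cards(withdrawals)
    suspects = sorted(set(breaches) & hopping)
    return {"suspects": suspects, "alert": len(suspects) >= min_cards}


if __name__ == "__main__":
    print(unlimited_operation_alert(SAMPLE_WITHDRAWALS, ISSUER_DAILY_LIMIT))
```

The design point is that both checks use data the processor cannot alter: the limit is compared against the issuer's own copy, and the country spread comes from the authorization stream itself. That is what makes the rule useful when, as the article describes, the processor-side limits and alerting have already been tampered with.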
Later, in May 2013, the Justice Department issued a warning about international cyberheists and ATM cash-out schemes that involve unlimited operations (see DOJ Statement on Global Cyberheist).