Why Banks Pay for ATM Cash-Outs

Global international law enforcement collaboration has been credited for the swift indictment of individuals allegedly linked to the $45 million global ATM cash-out and money-laundering scheme that made headlines in May.

See Also: Insider Insights for the PCI DSS 4.0 Transition

But financial fraud experts say banking institutions are not doing enough to ensure payments processors and third-party vendors are adequately protecting cardholder data to thwart cash-out schemes and other fraud. So when schemes occur, the banks are ultimately to blame.

ATM cash-outs involve using stolen card data to make withdrawals that are conducted at multiple ATMs within a short window of time. Because the withdrawals are conducted simultaneously, they're nearly impossible for card-issuers to stop or prevent, experts say. By the time a cash-out is detected, the money is already gone.

With the cooperation of international investigators, federal authorities last month arrested seven individuals allegedly responsible for the most-recent global cash-out attack. The $45 million scheme involved two separate cash-outs, and the compromised cards used in the attacks were later traced back to two Indian payments processors - EnStage and ElectraCard Services, according to some media reports. The processors service transactions for prepaid debit cards issued by two Middle Eastern banks - Bank of Muscat in Oman and the National Bank of Ras Al Khaimah, d.b.a., RAKBANK.

Due Diligence

"[Banks] need to do the due diligence to check third parties," says Joe Rogalski, a security advisor and former fraud and compliance officer for First Niagara Bank, a $36 billion institution in New York state. "Vendor management is critical. At First Niagara, we had a vendor risk management program that included all of our vendors," especially processors, he says.

"Anyone who was getting a large chunk of my cardholders' data was getting reviewed on a consistent basis," Rogalski says. "My audits were more thorough than PCI because we wanted to ensure security. In the end, this is the bank's responsibility. Whether that means going onsite to review the vendors, as I did at First Niagara, is up to the bank, though."

The Federal Financial Institutions Examination Council has repeatedly reminded banks that they are responsible for regularly reviewing and managing the risk profiles of the vendors with which they do business, Rogalski notes.

Banks Responsible for Processors

Card brands, such as Visa, provide checklists for issuing banks to follow when assessing the data security compliance of the processors with which they work. But there are no steadfast rules, security experts and card issuers say.

Regardless of the type of card involved, the banking institution that issued compromised cards generally is responsible for the losses. Although the agreements these issuing banks have with their processors should dictate how losses that result from breaches are handled, banks typically absorb most of the losses, in spite of these contracts, when processors are breached, Rogalski says.

"If the processor is breached, they should be responsible," he says. "But depending on how the contracts are written, it could go either way. The issue is, if the losses are too high, it could put the processor out of business, so most of these contracts include caps for losses, and banks have to cover whatever goes over the cap. There also is insurance out there to cover some losses. But, in this case, insurance would not cover a lot of it."

Because of increases in these types of breaches, many U.S. card issuers have created account-data-compromise recovery programs, says a card-fraud expert at one U.S. issuer, who asked not to be named. But these recovery programs vary greatly from institution to institution, the executive adds, and usually only offer recovery awards if the breached entity was not in compliance with the Payment Card Industry Data Security Standard at the time of the attack.

However, relying on PCI compliance as a benchmark has damaged the process, the executive adds, because numerous PCI-compliant entities have been breached.

Rogalski says this is why the onus is on card issuers to go above and beyond PCI. "There's a big difference between being compliant and being safe," he says.

Recourse for Banks?

But Shirley Inscoe, a financial fraud expert and analyst for consultancy Aite, says banking institutions affected by breached processors may have some legal recourse for recovery.

"Initially, the banks that own the cards will have to write off the losses," she says. "However, in cases such as this [the $45 million cyberheist], the processor may offer to cover the losses or the banks may band together to take legal action against the processor. Since most of the monies were laundered overseas, it is questionable how much of the money will be recoverable."

And the circumstances unique to each breach incident likely will dictate what legal route, if any, an affected institution will pursue, she says.

"There are a lot of variables in every case," Inscoe says. "I'm sure the banks will look into the possibility of recovering any funds possible and weigh the potential recovery against the cost of legal action."

$45 Million Heist

In the wake of last month's $45 million cyberheist, one of the processors implicated, ElectraCard, claimed in a statement that a forensics investigation revealed "the PIN and magnetic-stripe data seem to have been compromised outside the ECS processing environment."

The other processor, Enstage, has not yet issued a statement about the cyberheist. As recently as June 12, Enstage responded to BankInfoSecurity's request for a statement, saying it had nothing to report at this time.

The PCI-compliance rating of ElectraCard and Enstage at the time of the alleged breaches has not been disclosed. ElectraCard, in its statement, notes that it is working to re-certify its compliance, "as part of the standard process."