Cash-Out Schemes: Lessons LearnedEx-DoJ Prosecutor on Steps Organizations Should Take
Cash-out schemes will continue to impact organizations. What lessons can be learned from recent incidents, and what questions must be answered? Former federal prosecutor Kim Peretti shares insight.
See Also: Taking Advantage of EMV 3DS
While cash-out scams are old news, there continue to be new variations with each incident, says Peretti, a Washington, D.C.-based attorney who helped prosecute convicted fraudster Albert Gonzalez in the TJX and Heartland fraud cases.
In May, fraudsters were able to withdraw $45 million from ATMs worldwide after hacking into payment card processors' networks, showing that criminals are growing more organized in their execution of these schemes, Peretti says.
"Another aspect is how quickly these organized criminal groups can mobilize people on every continent, in cities across the globe, and give them marching orders in a very coordinated, short time period to hit ATMs at the same time and withdraw money," she says in an interview with Information Security Media Group [transcript below].
As cash-out schemes continue, organizations need to work together, involving law enforcement and the financial services sector to ensure the ability to get advanced warning about these incidents, Peretti says.
Organizations should also be asking: "Are there any loopholes we've seen from these particular attacks that we can ensure to get information out to the sector so that this can't happen again?" she says.
"Often the criminals do use the same methods, tactics and techniques," Peretti says. "If there's anything we can learn from this to be able to prevent a similar attack in the future, [it's] that we've got to keep picking away at it."
In an interview about the fraud scheme and investigation, Peretti discusses:
- Her insights on this international investigation;
- Lessons learned from global cash-out schemes;
- Security tips for targeted organizations.
Peretti is a partner in the Alston & Bird, LLP law firm's white collar crime group and co-chair of its security incident management and response team. She is also a former director of PricewaterhouseCoopers' cyberforensic service practice and a former senior litigator for the Department of Justice's computer crime and intellectual property section. While at the Department of Justice, Peretti led several benchmark cybercrime investigations and prosecutions.
Insights on International Investigation
TOM FIELD: Here you are on the outside looking in as a former prosecutor. Based on what you see about this case, what are your immediate reactions to the investigation, the indictments that were announced just earlier this week?
KIM PERETTI: My immediate reaction is that it's not a new scheme. It could be a variation of an older scheme that we have seen happen approaching 15-20 times since 2008. In my experience with some of the more sophisticated cyber-hacking groups, specifically out of Eastern Europe, this is one of the more sophisticated schemes, one of the more dangerous schemes, because it involves the ability to get in the system, in the financial systems, and manipulate information, manipulate the transaction limits, the withdrawal limits, and essentially create money where money didn't exist before. That's one aspect that's very significant.
Another aspect is how quickly these organized criminal groups can mobilize people on every continent, in cities across the globe, and give them marching orders in a very coordinated, short time period to hit ATMs at the same time and withdraw money.
Lessons Learned from Cash-Out Schemes
FIELD: From your experience, what has to go wrong with payments processors and banks for these schemes to go right?
PERETTI: I don't have an answer for that. I've been in many discussions over time with these particular schemes of how it can happen. There are variations on it. I don't think anyone has figured out exactly how to prevent it. [Maybe it's] having certain flags and controls on particular cards to ensure that, in real-time, there's notification if a lot of transactions happen. I think financial institutions do have a lot of those fraud detection controls in place. But like I said, I don't think there's a silver bullet of how to prevent this, and it certainly has been a topic of discussion among law enforcement and others for some time.
FIELD: I want to ask you about law enforcement. You've got experience in international law enforcement, prosecuting cases similar to these. What can you tell us about the sophistication of these cashing crews and what investigators have to do to get to them?
PERETTI: First of all, I want to commend the U.S. Attorney's Office in Brooklyn, the Eastern District of New York, and the Secret Service for pulling this off. These are very, very complex and difficult international investigations. In this particular one, the U.S. Attorney's Office has said they worked with law enforcement authorities in 16 foreign countries on different continents, and I can't emphasize enough how time-consuming that is and how difficult it can be. There's translation; there are different laws; there are different processes in place. This is really remarkable law enforcement investigatory work on this scale. It requires coordination. It requires difficult understanding of information. It's really to be commended how they worked with so many different countries.
Increasing Speed of Schemes
FIELD: You prosecuted the Albert Gonzalez case, and a point you made to me before we started this discussion was that was a scheme that unfolded over time. What we're seeing now is something that has happened very quickly. What's the difference?
PERETTI: We saw sort of a difference in the Gonzalez group and related conspiracies and this particular group or group of individuals; [they're] very different MOs. Gonzalez ... and his crews were interested in staying in systems over time, getting large volumes of credit and debit card information and reselling that information. In some ways, I think they aspired to be more like this other group that we see that's able to get into systems and select a few number of prepaid cards, get the PINs to those cards, and distribute them to global cashing crews, because those are so much more profitable than having to go through the cycle of reselling all the numbers. If you can get the PINs, you go to ATMs and withdraw money very quickly. They were very different and had very different purposes to their conspiracies. In some ways, I consider the one that we're seeing now, this particular one, to be more advanced.
FIELD: Let me ask you as a former prosecutor: What are the questions that you want answered now?
PERETTI: With each one of these that happens, [we're] working together, bringing law enforcement and the financial services sector together, to see if there's any continuing ability to get advanced warning about this. Are there any loopholes we've seen from these particular attacks that we can ensure to get information out to the sector so that this can't happen again? Often the criminals do use the same methods, tactics and techniques. If there's anything we can learn from this to be able to prevent a similar attack in the future, [it's] that we've got to keep picking away at it.
FIELD: We've seen other cash-out schemes even as recently as this year. How does what we're seeing unfold right now match up with cybercrime trends that you're paying attention to in your role with Alston & Bird?
PERETTI: One is the ante is higher. They've been able to get more money out of systems. If I look back into 2008 and 2009, it was $2 million in 30 minutes; it was $9 million in 24 hours. To get to the tens of millions of dollars is certainly an upward trend and their capacity to bring on that many more people or hit that many more ATMs in a shorter time period is in line with the natural evolution we're seeing of increasing sophistication in this area.
Security Tips for Organizations
FIELD: A final question for you: Given the increasing sophistication you're seeing in cybercrimes, what advice do you offer to financial institutions now? What can they do to better protect themselves and make themselves aware of the schemes that potentially are targeting them?
PERETTI: Even though we're seeing these schemes, I would say that the financial services sector continues to be very advanced in this area of bringing in threat intelligence of how these attacks are occurring and incorporating that into their security models. In some ways, that's industry-leading practices. Continue with bringing in threat intelligence and threat modeling as a protective measure, understanding the threat, working together as an industry and sharing information, all of which we've seen happen so far to date. [That] just needs to increase, to continue and enhance that.
FIELD: Do cases like these make you miss your days at the Department of Justice?
PERETTI: ... My first reaction, when I had seen the CBS report, was of pure excitement, and [I] reached out to former colleagues and investigators. Any time they can arrest some of the individuals involved is a victory for us. I was very happy about these particular arrests.