Eight charged in $45m heist

The group was part of an organisation that hacked into a database of prepaid debit cards and drained ATMs around the world.

By Kirsten Doyle, ITWeb contributor.
Johannesburg, 10 May 2013
Uri Rivner, VP of business development and cyber strategy at BioCatch, says this is one of the largest cyber heist operations in history.

Eight people have been charged over a bank heist that netted $45 million by hacking into a database of prepaid debit cards and draining ATMs around the world.

According to a press release issued by the US Department of Justice, the criminals were allegedly part of a New York-based cell of an international cyber crime organisation that used "sophisticated intrusion techniques" to access several financial institutions' systems. Once inside, they were able to steal prepaid debit card data, and remove withdrawal limits.

The data was then used by the organisation's associates to make fraudulent ATM withdrawals on an enormous scale in several countries around the world.

Costin Raiu, senior security researcher at Kaspersky Lab, says: "This is no doubt one of the biggest and quickest thefts we have seen. So far, it seems no customers were affected, because the hackers targeted prepaid cards from certain banks, so the banks are the only victims."

Nevertheless, he says it's a serious incident and raises a lot of questions about the security of the current payment systems.

Uri Rivner, VP of business development and cyber strategy at BioCatch, adds that although this is one of the largest cyber heist operations in history, it is certainly not the first using the same method.

"In 2009, a very similar heist took place when three East European hackers went into a US-based processor network, took control of several prepaid debit cards used for paying salaries, raised the withdrawal limits, and teamed up with an international cash-out crew that sent runners to 2 100 ATMs in eight countries, including Japan, Italy, Canada and US, withdrawing a whopping $9 million in just 12 hours."

Speaking of this recent incident, the federal prosecutors said seven of the eight defendants have been arrested on the charges in the indictment, and the eighth, Alberto Yusi Lajud-Peña, was reported to have been murdered on 27 April, in the Dominican Republic.

"New technologies and the rapid growth of the Internet have eliminated the traditional borders of financial crimes and provided new opportunities for the criminal element to threaten the world's financial systems. However, as demonstrated by the charges and arrests announced today, the Secret Service and its law enforcement partners have adapted to these technological advancements and utilised cutting-edge investigative techniques to thwart this cyber criminal activity," commented Secret Service special agent in charge, Steven Hughes.

How it's done

The department says the method of attack used by the criminals is known to the cyber underground as "unlimited operations".

It describes these operations as being planned over the course of several months, and aimed at accessing computer networks of credit card processors that process prepaid debit card transactions.

This incident raises questions about the security of current payment systems, says Costin Raiu, senior security researcher at Kaspersky Lab.

The targeted prepaid debit cards are usually loaded with limited funds, and are used by many businesses as an alternative to salary cheques, and by charities to distribute disaster relief.

Once the criminals have breached these accounts' security protocols, they increase the balances substantially, effectively removing any withdrawal limits. In this way, the criminals can withdraw unlimited amounts, until the operation is discovered and shut down.

The criminal organisation then distributes these cards to its partners, which in this case were spread across 26 countries, the department adds. The partners operate teams of "cashers" who encode the compromised card data onto blank cards. As soon as the organisation distributes the PINs, the cashers go around withdrawing cash from ATMs.

At the same time, the organisation maintains access to the computer networks of the compromised credit card processors to keep an eye on the withdrawals. Once the operation has been shut down, the proceeds are laundered.

Prevention better than cure

"I'd like to draw the attention to the fact that in US, the insecure magnetic stripe is still used when performing payments with cards; this has been mostly abandoned everywhere in Europe and replaced by the more secure chips," adds Raiu.

The cyber criminals specialised in carding focus on replicating real cards on "blank" cards by reprogramming the magnetic stripe, he explains. "A lot of these attacks would go away by getting rid of the stripe and updating the US payment systems to use the chips. Even then, it's true that the attacks won't go away, but they will definitely decrease or become a lot harder. I believe it makes sense for the banks to invest in upgrading the cards in the US and worldwide."

He adds that such attacks prove once again that our current payment systems are weak and insecure. "We need a more secure solution, which is both easy to use and solid, one that can't be attacked by cyber criminals so easily."

Once it starts, it's difficult to stop such an operation, adds Rivner. The cash-out process is quick, spans many countries and individual ATMs belonging to multiple networks, and in just a few hours a huge amount of money can be cleaned.

He says two things can be done: "The first is to put more controls inside the networks of prepaid card processors. There are many companies processing prepaid cards and anyone with sufficient access can create fake accounts or take over existing ones, load them with money, and remove the withdrawal limits. A tighter monitoring at the processor's end can immediately alert against such actions and foil the scam."

Secondly, he advises employing state-of-the-art video processing in order to identify individual cash-out runners as soon as possible and start closing in on their operation. In this way, it's possible to recover some of the cash before it's sent back to the masterminds behind the attack; or at least make arrests that will allow impounding the money and returning it to the rightful owners. Other investigation methods include monitoring the forums where criminal groups such as this one communicate, and attempt to infiltrate the operation.
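As an added example (not code from the article, BioCatch or any processor), the following Python sketch shows what the processor-side monitoring Rivner describes could look like: flag any removal or increase of a prepaid card's withdrawal limit made outside the normal load channel, then alert when the subsequent ATM withdrawals on those cards breach the original limit or span several countries within a short window. The record layout, actor names, thresholds and sample data are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not from the article): processor-side limit changes
# and ATM authorisations for three prepaid cards. Field layout is an assumption.
LIMIT_CHANGES = [
    # (timestamp, card_id, old_daily_limit, new_daily_limit, actor)
    ("2013-02-19T09:00:00", "CARD-1", 500.0, 500.0, "batch-load"),
    ("2013-02-19T09:05:00", "CARD-2", 500.0, None, "admin-console"),  # limit removed
    ("2013-02-19T09:06:00", "CARD-3", 500.0, 250000.0, "admin-console"),  # limit raised
]
WITHDRAWALS = [
    # (timestamp, card_id, amount, atm_country)
    ("2013-02-19T10:00:00", "CARD-1", 200.0, "US"),
    ("2013-02-19T10:10:00", "CARD-2", 2000.0, "JP"),
    ("2013-02-19T10:15:00", "CARD-2", 2000.0, "IT"),
    ("2013-02-19T10:20:00", "CARD-2", 2000.0, "CA"),
    ("2013-02-19T11:00:00", "CARD-3", 400.0, "US"),
    ("2013-02-19T11:30:00", "CARD-3", 400.0, "US"),
]

def suspicious_limit_changes(changes, trusted_actors=("batch-load",)):
    """Rule 1 (processor side): a limit removed or raised outside the normal
    load process. Returns {card_id: (changed_at, original_limit)}."""
    flagged = {}
    for ts, card, old, new, actor in changes:
        if actor in trusted_actors:
            continue
        if new is None or (old is not None and new > old):
            flagged[card] = (datetime.fromisoformat(ts), old)
    return flagged

def cashout_alerts(withdrawals, flagged, window=timedelta(hours=12), min_countries=2):
    """Rule 2 (network side): sum ATM withdrawals on flagged cards inside the window
    after the change; alert if the original limit is exceeded or several countries hit."""
    totals, countries = defaultdict(float), defaultdict(set)
    for ts, card, amount, country in withdrawals:
        if card not in flagged:
            continue
        changed_at, _ = flagged[card]
        when = datetime.fromisoformat(ts)
        if changed_at <= when <= changed_at + window:
            totals[card] += amount
            countries[card].add(country)
    return sorted(card for card, (_, old) in flagged.items()
                  if (old is not None and totals[card] > old)
                  or len(countries[card]) >= min_countries)

if __name__ == "__main__":
    print(cashout_alerts(WITHDRAWALS, suspicious_limit_changes(LIMIT_CHANGES)))
```

In the constructed data CARD-1 is a routine batch load and is ignored, while CARD-2 (limit removed, withdrawals in three countries) and CARD-3 (limit raised, withdrawals past the original limit) both raise alerts.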

Rivner says law enforcement authorities investigating the case should be congratulated. "Such success stories, which used to be extremely rare five years ago and are now becoming much more prevalent, send a clear message to cyber criminals: you're not invisible, you're not anonymous, and if you make even the slightest mistake, you're in for a long time in jail."

Should prosecution be successful, the US Department of Justice says the defendants face a possible 10 years' imprisonment on each of the charges and seven-and-a-half years on the charge of conspiracy to commit access device fraud, restitution, and up to $250 000 in fines.

Any property associated with the offenses, and all proceeds of the conspiracy to commit access device fraud, are subject to forfeiture.