Department of Justice
Evidence photo showing defendants Elvis Rafael Rodriguez (left) and Emir Yasser Yeje with stacks of cash.

Security Could Have Prevented $45 Million Bank Heist

MAY 10, 2013 2:49pm ET

The international ATM heist that lifted $45 million from two Middle Eastern banks could have been prevented had better security controls been in place at the card processors, the ATMs and the banks involved, observers say. The security lapses could lead to legal liability for many of the companies duped in the process.

The banks involved, National Bank of Ras Al-Khaimah in the United Arab Emirates, known as RAKBANK, and Bank of Muscat in Oman, should have been monitoring accounts whose limits were lifted in the scam. Chip-and-pin technology could have prevented fake prepaid cards from being accepted at thousands of ATMs. And better security at the prepaid card processors could have caught the scam, experts say.

In the caper, eight people in New York allegedly used prepaid cards encoded with information stolen by hackers to drain $45 million from ATMs.

The suspects are said to be part of an enterprise that stretches across 26 countries. At its core is a group of cyber thieves who broke into the computer networks of companies that process MasterCard debit card transactions. The two processors are said to be EnStage, in Cupertino, Calif., and ElectraCard Services, which is based in Pune, India.

The crime is being called the biggest heist of its kind, ever. In New York City alone, the cell allegedly withdrew $2.4 million from ATMs over the course of 13 hours.

Despite the brazenness of the cyber thieves and the cashers charged with carrying out the looting at street level, the incursion might have been thwarted or at least have been more difficult to pull off if the overseas standard for chip and PIN cards — known as Europay, MasterCard and Visa, or EMV — were universal.

Chip-embedded cards are by their nature more secure than mag-stripe cards mostly because the information in the chips is encrypted.

That technology, coupled with a PIN that is used to authenticate a transaction between the ATM and the issuing bank's payment processing system, makes the entire transaction chain more difficult to crack.

Most banks in the U.S. have yet to incorporate the security feature, which has been adopted by a preponderance of card issuers throughout the world.

"What the fraudsters did was exploit the fact that magnetic stripe cards are still used," says Gil Luria, a Wedbush analyst.

He adds that even when banks issue EMV cards exclusively they will still need to accept magnetic stripe cards for a while until every single consumer is converted.

"Even when the U.S. shifts to EMV in [the coming years], magnetic stripe will still continue to work for a while until everyone has an EMV card," says Luria.

The cyber scheme underscores the need for a deadline for all ATM owners to upgrade their machines.

Last year, MasterCard made its case for EMV to companies that own or operate ATM networks.

The company said all American ATMs must accept EMV by 2016 or be liable for the fraud transacted on non-compliant cards.

And in April, the payment network issued an open letter that said it planned to set up a system that would screen foreign transactions. MasterCard's deadline to accept transactions initiated through internationally-issued Maestro chip and PIN cards passed in the same month.

Comments (1)
Few simple controls? EMV only at the ATM - outside the control of the card issuer and unlikely to happen in the US for quite some time; EMV for the card - yes, could have been done but normally card has mag stripe as back-up; every indication is that there were transaction limit parameters in place, but the criminals hacked into the card management files and during the attack kept resetting them - while the hacking effort should have been thwarted (possibly insider???), since changes were made during a short period of time, change control reporting is usually done post event not realtime. Highly sophisticated and coordinated attack
Posted by dlwinger | Friday, May 10 2013 at 4:45PM ET
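
The monitoring control raised in the article and in the comment above (watching accounts whose limits were changed, as the changes happen rather than in a post-event report) can be sketched as follows. This is an added example, not code from the banks, the processors or the article; the event format, field names, thresholds and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not data from the case:
# (timestamp, card, kind, amount, terminal)
SAMPLE_EVENTS = [
    ("2013-01-01T09:00", "card-A", "limit_set", 1000, None),
    ("2013-01-01T09:05", "card-B", "limit_set", 1000, None),
    ("2013-01-01T09:10", "card-B", "withdrawal", 300, "atm-1"),
    ("2013-01-01T12:00", "card-A", "limit_set", 500000, None),
    ("2013-01-01T12:05", "card-A", "withdrawal", 800, "atm-2"),
    ("2013-01-01T12:07", "card-A", "withdrawal", 800, "atm-3"),
    ("2013-01-01T12:20", "card-A", "limit_set", 500000, None),
    ("2013-01-01T12:25", "card-A", "withdrawal", 800, "atm-4"),
]

def new_state():
    return {"limit": None, "baseline": None, "raised_at": None,
            "changes": [], "spent": 0, "terminals": set()}

def detect(events, window=timedelta(hours=2), max_terminals=2):
    """Evaluate each event as it arrives; return sorted (card, reason) alerts."""
    state, alerts = defaultdict(new_state), set()
    for ts, card, kind, amount, terminal in sorted(events, key=lambda e: e[0]):
        now, s = datetime.fromisoformat(ts), state[card]
        if kind == "limit_set":
            # Rule 1: limit parameters rewritten repeatedly inside the window.
            s["changes"] = [t for t in s["changes"] if now - t <= window] + [now]
            if len(s["changes"]) >= 2:
                alerts.add((card, "limit changed repeatedly"))
            if s["limit"] is not None and amount > s["limit"]:
                # Start a watch; keep the earliest baseline while one is open so
                # a chain of increases cannot hide the original limit.
                if s["raised_at"] is None or now - s["raised_at"] > window:
                    s.update(baseline=s["limit"], raised_at=now,
                             spent=0, terminals=set())
            s["limit"] = amount
        elif kind == "withdrawal" and s["raised_at"] is not None:
            if now - s["raised_at"] > window:
                continue  # watch expired; ordinary activity
            s["spent"] += amount
            s["terminals"].add(terminal)
            # Rule 2: cash out since the increase exceeds the old limit.
            if s["spent"] > s["baseline"]:
                alerts.add((card, "withdrawals exceed pre-change limit"))
            # Rule 3: fan-out across ATMs after the increase.
            if len(s["terminals"]) > max_terminals:
                alerts.add((card, "many ATMs after limit increase"))
    return sorted(alerts)
```

Calling `detect(SAMPLE_EVENTS)` flags only the constructed card whose limit was raised and then drained; the window and ATM-count thresholds are placeholders to be tuned against real traffic.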