In the aftermath of the recent $45 million cyber/ATM heist affecting Middle Eastern banks RakBank and Bank of Muscat, several observers opined that chip and pin (EMV) technology would have prevented the fraud from occurring. But a fresh look at this notion, from people familiar with the details of the case, suggests this is not true.
In the incident, hackers broke into prepaid card databases at card processors ElectraCard Services and EnStage and altered the personal identification numbers and balances on card accounts. On-the-ground members of the crime syndicate then used fake magnetic stripe cards to withdraw millions of dollars from ATMs all over the world.
"If every single one of those cards had been chip, it would have done nothing," says Chris McLaughlin, executive vice president and director of retail banking at $6.8 billion-asset First Bank in Clayton, Mo.
For one thing, there are almost no chip-and-PIN ready ATMs in the U.S. that can accept such cards. (NCR just announced it has installed one of the first EMV-compliant ATMs at a People's United Bank branch in New York.) MasterCard and Visa have set timetables for ATM compliance, by shifting liability for transaction fraud to the operators of noncompliant machines MasterCard's liability shift takes place in October 2016, Visa's a year later.
But even if there were a multitude of chip-and-PIN-ready ATMs in this country today, that still wouldn't have made a difference because the hackers broke the basic authentication process, McLaughlin says. "We could have had chip-and-PIN everywhere and you would have ended up with the same results," he says.
ATMs authorize transactions by validating the balance amount and PIN number with the mainframe processing the transactions. By altering account data used by the mainframe, the hackers controlled the authorization parameters and basically instructed the ATMs to ignore both balances and PIN numbers. McLaughlin even suspects the hackers were in the card processors' mainframes while the transactions took place. "They were manipulating the transactions to get them authorized," he says. "Anything to do with a chip will be disabled."
A universal chip-and-PIN mandate could make this type of fraud more costly to carry out.
"It's more expensive to get a card with a chip on it, it almost doubles the cost of the card," McLaughlin acknowledges. However, if the mainframe running the card transactions has been compromised to ignore authentication procedures, it doesn't really matter what kind of card is used at the ATM.
"If you have bad guy in the house [at the prepaid card issuer] who's overriding authorizations, saying ignore all my security protocols, there's not much that will shut it down," McLaughlin says.
MasterCard and Visa have analytics programs that look for unusual traffic patterns, which would have appeared in this case -- a relatively small number of accounts was being hit hundreds of times — and trigger fraud alarms. But such alerts need to reach the card issuer in time to prevent the attack, which in this case took place within a few hours.
A better answer to preventing fraud incidents like this would be to head off the crime at the pass — preventing hackers from accessing that transaction database in the first place. This means preventing spearphishing, detecting and destroying malware and eliminating insider fraud - a multi-headed problem that requires a layered security approach.
Security that locks down a network, allowing only a whitelisted set of applications to run on it, can help block malware better than antivirus software, says Jarad Carleton, principal consultant at Frost & Sullivan. One example is Bit9's security platform. "If you're a victim of spearphishing and you download malware, in an environment where Bit9 is being used, that malware will not be run," Carleton says.
He also suspects an inside connection at one of the banks was involved. "It feels like somebody knows how certain processes work, and that that helped them facilitate the fraud," he says.
There's no surefire way to prevent that. "Security is a matter of raising the hurdle to a level that makes the target harder to attack so they go to software targets," Carleton says. "Nothing will be 100% foolproof against a determined adversary."
A key lesson learned from this type of breach, McLaughlin says, is to be careful with whom you partner. In prepaid card arrangements, "You're giving a third party control over an unlimited checkbook," he says. "If the liability rests with you the bank, you'd better be 200% positive the systems they have on their end are equal to or better than the systems you would have."