ABU DHABI, UAE The international ATM heist that lifted $45 million from two Middle Eastern banks could have been prevented had better security controls been in place at the card processors, the ATMs and the banks involved, according to analysts.
The security lapses could lead to legal liability for many of the companies duped in the process.
The banks involved, National Bank of Ras Al-Khaimah in the United Arab Emirates, known as RAKBANK, and Bank of Muscat in Oman, should have been monitoring accounts whose limits were lifted in the scam. Chip-and-pin technology could have prevented fake prepaid cards from being accepted at thousands of ATMs. And better security at the prepaid card processors could have caught the scam, experts said.
In the caper, eight people in New York allegedly used prepaid cards encoded with information stolen by hackers to drain $45 million from ATMs.
The suspects are said to be part of an enterprise that stretches across 26 countries. At its core is a group of cyber thieves who broke into the computer networks of companies that process MasterCard debit card transactions. The two processors are said to be EnStage, in Cupertino, Calif., and ElectraCard Services, which is based in Pune, India.
The crime is being called the biggest heist of its kind, ever. In New York City alone, the cell allegedly withdrew $2.4 million from ATMs over the course of 13 hours.
Despite the brazenness of the cyber thieves and the cashers charged with carrying out the looting at street level, the incursion might have been thwarted or at least have been more difficult to pull off if the overseas standard for chip and PIN cards known as Europay, MasterCard and Visa, or EMV were universal.
Chip-embedded cards are, by their nature, more secure than mag-stripe cards, mostly because the information in the chips is encrypted.
That technology, coupled with a PIN that is used to authenticate a transaction between the ATM and the issuing bank’s payment processing system, makes the entire transaction chain more difficult to crack.
Most banks in the U.S. have yet to incorporate the security feature, which has been adopted by a preponderance of card issuers throughout the world. The issue of EMV adoption was the subject of much discussion of recent conferences hosted by PSCU and CSCU [see Credit Union Journal’s archives for details].
