Security Could Have Prevented $45 Million Bank Heist

The international ATM heist that lifted $45 million two Middle Eastern banks could have been prevented had better security controls been in place at the card processors, the ATMs and the banks involved, observers say. The security lapses could lead to legal liability for many of the companies duped in the process.

The banks involved, National Bank of Ras Al-Khaimah in the United Arab Emirates, known as RAKBANK, and Bank of Muscat in Oman, should have been monitoring accounts whose limits were lifted in the scam. Chip-and-pin technology could have prevented fake prepaid cards from being accepted at thousands of ATMs. And better security at the prepaid card processors could have caught the scam, experts say.

In the caper, eight people in New York allegedly used prepaid cards encoded with information stolen by hackers to drain $45 million from ATMs.

The suspects are said to be part of an enterprise that stretches across 26 countries. At its core is a group of cyber thieves who broke into the computer networks of companies that process MasterCard debit card transactions. The two processors are said to be EnStage, in Cupertino, Calif., and ElectraCard Services, which is based in Pune, India.

The crime is being called the biggest heist of its kind, ever. In New York City alone, the cell allegedly withdrew $2.4 million from ATMs over the course of 13 hours.

Despite the brazenness of the cyber thieves and the cashers charged with carrying out the looting at street level, the incursion might have been thwarted or at least have been more difficult to pull off if the overseas standard for chip and PIN cards — known as Europay, MasterCard and Visa, or EMV — were universal.

Chip-embedded cards are by their nature more secure than mag-stripe cards mostly because the information in the chips is encrypted.

That technology coupled with a PIN number that is used to authenticate a transaction between the ATM and the issuing bank's payment processing system makes the entire transaction chain more difficult to crack.

Most banks in the U.S. have yet to incorporate the security feature, which has been adopted by a preponderance of card issuers throughout the world.

"What the fraudsters did was exploit the fact that magnetic stripe cards are still used," says Gil Luria, a Wedbush analyst.

He adds that even when banks issue EMV cards exclusively they will still need to accept magnetic stripe cards for a while until every single consumer is converted.

"Even when the U.S. shifts to EMV in [the coming years], magnetic stripe will still continue to work for a while until everyone has an EMV card," says Luria.

The cyber scheme underscores the need for a deadline for all ATM owners to upgrade their machines.

Last year, MasterCard made its case for EMV to companies that own or operate ATM networks.

The company said all American ATMs must accept EMV by 2016 or be liable for the fraud transacted on non-compliant cards.

And in April, the payment network issued an open letter that said it planned to set up a system that would screen foreign transactions. MasterCard's deadline to accept transactions initiated through internationally-issued Maestro chip and PIN cards passed in the same month.

Visa has previously told American Banker it would work actively to promote EMV adoption.

"If these were chip cards, [the criminals] would have had to manufacture and clone the chip to match the accounts," says Avivah Litan, an analyst with Gartner Research. "That would have been very, very difficult and they wouldn't have done it, it may have been close to impossible, especially on this scale."

There could have also been better security on the ATMs.

Some manufacturers are piloting biometric security schemes that would have made this crime exponentially more difficult to pull off. The technology captures a person's voice, face or fingerprint, in addition to a PIN number, to authenticate a transaction.

However, that would still require the participation of the issuing bank. "This was not an attack on ATMs, this was a compromise of the credit card processors and from that compromise, fraudulent cards," says Diebold spokesperson Kelly Piero. "The ATM was simply a vehicle for obtaining that cash."

"Most of the [security] technology we have is designed to prevent the theft of card data from the device," NCR spokesperson Jeff Dudash says. He adds that if someone has broken into servers at a bank and gathered account and PIN numbers, there isn't "anything as far as I know that could be on a device on the other end to stop that from happening."

Indeed, the hack that made the alleged theft possible suggests a series of failures in the hand-off between the processors and banks, experts say.

Hackers allegedly entered processors' networks and manipulated data, and possibly found their way into the banks. From there, the thieves erased limits from cards, then encoded numbers swiped from the banks onto magnetic-stripe cards, which the people arrested Thursday allegedly used at ATMs.

Legal liability for the breach may run in several directions. "It [implies] data security failures at not just the card processor but also the banks in the way their relationships were set up with the processors, and the banks themselves for not having some controls on the way limits were pulled off the cards," says Mercedes Tunstall, a lawyer with Ballard Spahr in Washington, D.C. who specializes in Internet fraud.

The banks, which may be out millions, could look to MasterCard, whose debit network was the target of the attacks, for reimbursement. "MasterCard could then turn around and say the ATM operators have not adopted EMV, this is why they should be updating their technology," Tunstall notes.

Though American ATMs may be more vulnerable to theft than machines that require EMV, U.S. banks may be less vulnerable to the cyber scams like the one that allegedly hit RAKBANK and Bank of Muscat.

The reason: U.S. laws that aim to deter money laundering tend to increase the likelihood of detecting suspicious activity, including removing authorized account limits and attempts to launder money. "It would have been very difficult to do this with a U.S. bank," Tunstall adds.

Litan notes that the processors involved could have set up transaction rules that would have guarded against the theft. In this case, the crooks created privileged accounts on prepaid cards with higher than usual ATM withdrawal limits.

"So, at a minimum, they should have been monitoring privileged accounts," Litan says. "They should have been monitoring any math lifts to limits like that."

But that's what's sort of unbelievable about this crime. "A few simple controls could have stopped this disaster and you wonder, where are the regulators?" says Litan.

She adds that she doesn't see any checks and balances in the system.

"Who is monitoring the prepaid card processors?" says Litan, incredulously. "From what I can tell people need some incentive to secure their systems, it shouldn't be that way but it's true usually. Compliance forces security spending."

For reprint and licensing requests for this article, click here.
Bank technology
MORE FROM AMERICAN BANKER