$45 Million Heist – Card Data Stolen – Banks to be Alert

45 million USD was withdrawn using cloned pre-paid cards in 2 separate but reportedly connected operations. The hackers first broke into the systems of the card processors and extracted magnetic stripe card data and PINs. Cards were then cloned using the stolen data and dispatched to “cashers” around the world. The hackers also raised or removed the balances and withdrawal limits associated with these cards, so the “cashers” essentially held ‘unlimited cards’ with which they could withdraw any amount of cash. At the designated time, “cashers” all over the world struck ATMs and relentlessly withdrew cash. The New York cell of “cashers” alone was responsible for 2.8 million USD. Incidentally, Mastercard pre-paid card data was stolen in both operations. Media reports say that, at some stage, Mastercard alerted the US Secret Service.

U.S. Department of Justice

Operation 1
When: December 21, 2012
How much: 5 million USD
Target Bank: RAKBANK, UAE
Card Processor Hacked: Electra Card Systems, Pune, India. Mastercard has a 12.5% stake in Electra Card Systems.
Accounts Compromised: 5
Attack Time Window: 3 hours
No. of ATM transactions: around 4500
Cashers in: 20 countries

Operation 2
When: February 19/20, 2013
How much: 40 million USD
Target Bank: Bank Muscat, Oman
Card Processor Hacked: Enstage, incorporated in California, US, with operations in Bangalore, India.
Accounts Compromised: 12
Attack Time Window: 10 hours
No. of ATM transactions: around 36000
Cashers in: 24 countries

CCTV footage is reported to show the backpack of one of the NY “cashers” getting bulkier as he goes about his work. Eventually, the “cashers” in the US splurged on portable luxury goods such as watches. The US Secret Service indicted 8 suspects belonging to the NY cell on April 25. Both incidents came to the attention of the media only after this indictment.

So, who will foot the bill?
Thankfully, not the customer. The card processing companies whose systems were hacked may be liable to a certain extent; that extent will probably depend on the contract between the card processor and the bank. Banks may approach their own insurers and/or the card processor’s insurers.

Are there any arrests in any other countries?
There have been no media reports of such arrests, though the US Secret Service and the Department of Homeland Security are said to be working with authorities from 11 countries.

Is any investigation happening in India?
CERT-In is said to be investigating both incidents.

Why is the US Secret Service involved?
They are responsible for criminal investigations affecting financial infrastructure in the US.

Were PINs stored in an insecure manner?
Probably. The fact that the hackers were able to extract the PINs and hand them to the “cashers” indicates that the PINs were stored insecurely. There are 2 aspects to this issue:
1. The hackers should not have been able to get to the card data, including the PINs, in the first place.
2. Even if they reached the card data, the PINs should not have been recoverable from it. PINs should be stored only in a one-way (irreversible) form, so that decrypting them is not possible; clearly that was not the case here.
PINs are supposed to be stored in HSMs (Hardware Security Modules), which are supposed to be secure. Were the PINs not stored in HSMs, or were the HSMs themselves compromised? These are big-ticket questions which currently have no answers.

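As an added illustration of the second aspect above (not part of the original post), the following Python contrasts a reversible PIN record with a one-way keyed verification value that the issuer can check but nobody can turn back into a PIN. The HMAC-SHA256 scheme, the demo key and the card number are constructed stand-ins for the HSM-resident PIN verification value (PVV) schemes real issuers use.

```python
"""Reversible vs one-way PIN records (constructed illustration).

The HMAC-based scheme is a stand-in for the HSM-resident PIN verification
value (PVV) schemes real issuers use; the key and card number are made up.
"""
import hashlib
import hmac
import secrets

# Constructed demo key. In production the PIN verification key lives only
# inside the HSM and never sits in the card processor's database.
VERIFICATION_KEY = secrets.token_bytes(32)


def _keystream(pan: str, key: bytes) -> bytes:
    """Per-card keystream for the reversible 'before' case."""
    return hashlib.sha256(key + pan.encode()).digest()


def reversible_record(pan: str, pin: str, key: bytes) -> bytes:
    """'Before' case: the PIN is encrypted, so whoever obtains the record
    together with the key can undo the transformation."""
    return bytes(p ^ s for p, s in zip(pin.encode(), _keystream(pan, key)))


def recover_pin(pan: str, record: bytes, key: bytes) -> str:
    """Demonstrates the weakness: the same key turns the record back into
    the clear PIN, which is exactly what the cashers were handed."""
    return bytes(r ^ s for r, s in zip(record, _keystream(pan, key))).decode()


def one_way_record(pan: str, pin: str, key: bytes) -> str:
    """'After' case: a keyed one-way value over PAN and PIN. Only this tag is
    stored; there is no operation that maps it back to the PIN."""
    return hmac.new(key, f"{pan}:{pin}".encode(), hashlib.sha256).hexdigest()


def verify_pin(pan: str, pin_entered: str, stored_tag: str, key: bytes) -> bool:
    """Issuer-side check at authorisation time: recompute and compare in
    constant time. A 4-digit PIN space is tiny, so this check and the key
    must stay inside the HSM so guesses cannot be run offline against a
    stolen database."""
    candidate = one_way_record(pan, pin_entered, key)
    return hmac.compare_digest(candidate, stored_tag)


if __name__ == "__main__":
    pan, pin = "4000123412341234", "1234"  # constructed test card
    leaked = recover_pin(pan, reversible_record(pan, pin, VERIFICATION_KEY), VERIFICATION_KEY)
    print("reversible record leaks PIN:", leaked)
    tag = one_way_record(pan, pin, VERIFICATION_KEY)
    print("one-way tag stored:", tag[:16] + "...", "correct PIN verifies:", verify_pin(pan, pin, tag, VERIFICATION_KEY))
```
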
What should Banks do to protect themselves?
Banks should commission security audits of the third-party card processors that handle processing of their cards. This is especially true of banks that use the services of either Electra Card Services or Enstage.

Such reviews should be information-centric and should aim to ensure that cardholder data is secure.

Unanswered Questions

Did the hacks compromise any other personally identifiable information?
Were balances of other accounts tampered with?
How did the PIN compromise happen?