A sophisticated network of thieves across the globe drained cash machines in 27 countries of $45 million this year.

The recently revealed crime has sent ripples through the security world due to the size of the operation and the ease with which it was carried out.

Seven people have been arrested in the U.S. They’ve been accused of operating the New York cell of what prosecutors say was a network of criminals.

Law enforcement agencies from more than a dozen nations are involved in the investigation, U.S. prosecutors in New York said yesterday.

“Unfortunately these types of cybercrimes involving ATMs, where you’ve got a flash mob going out across the globe, are becoming more and more common,” says Rose Romero, a former federal prosecutor and regional director for the U.S. Securities and Exchange Commission.

“I expect there will be many more” of these types of crimes, she says.

Brooklyn U.S. Attorney Loretta Lynch, who called the theft “a massive 21st-century bank heist,” announced the case Thursday in New York.

Here’s how it happened:

  • Hackers got into bank databases and eliminated withdrawal limits on pre-paid debit cards. They also created access codes, while others loaded that data onto any plastic card with a magnetic stripe.
  • Hackers can use old hotel key cards or expired credit cards as long as they carry the account data and correct access codes.
  • A network of operatives then fanned out to rapidly withdraw money in multiple cities, authorities say. These cells took a cut of the money. They then laundered it through expensive purchases or shipped it wholesale to global ringleaders.
  • Lynch didn’t say where these ringleaders are located.
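
The cash-out pattern in the list above (one pre-paid account hit rapidly from many places after its limit was removed) can be detected on the issuer side. The sketch below is an added example, not code from the article or the investigation. The record layout, account names, thresholds and the `flag_cashout` function are assumptions, and the limit is assumed to be held outside the card database, so tampering with that database does not disable the check.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ATM withdrawals: (timestamp, account, country, amount in USD).
SAMPLE = [
    ("2000-01-01T15:00:00", "PREPAID-0001", "US", 800),
    ("2000-01-01T15:20:00", "PREPAID-0001", "JP", 800),
    ("2000-01-01T16:05:00", "PREPAID-0001", "DE", 800),
    ("2000-01-01T17:30:00", "PREPAID-0001", "CA", 800),
    ("2000-01-01T17:45:00", "PREPAID-0001", "US", 800),
    ("2000-01-01T09:00:00", "PREPAID-0002", "US", 300),  # normal use, under limit
    ("2000-01-01T10:00:00", "PREPAID-0002", "US", 300),
    ("2000-01-01T11:00:00", "PREPAID-0002", "US", 300),
    ("2000-01-01T08:00:00", "PREPAID-0003", "AE", 600),  # 11 hours apart:
    ("2000-01-01T19:00:00", "PREPAID-0003", "AE", 600),  # never in one window
]

def flag_cashout(records, window=timedelta(hours=10), policy_limit=1000,
                 max_countries=2):
    """Return {account: [reasons]} for accounts whose withdrawals inside any
    sliding window exceed the independent policy limit or span too many
    countries. Thresholds are illustrative assumptions."""
    by_account = defaultdict(list)
    for ts, account, country, amount in records:
        by_account[account].append((datetime.fromisoformat(ts), country, amount))

    alerts = {}
    for account, rows in by_account.items():
        rows.sort()                      # chronological order per account
        start, total, reasons = 0, 0, set()
        for end, (ts, _country, amount) in enumerate(rows):
            total += amount
            # Drop withdrawals that have aged out of the window.
            while ts - rows[start][0] > window:
                total -= rows[start][2]
                start += 1
            if total > policy_limit:
                reasons.add("limit_exceeded")
            if len({c for _, c, _ in rows[start:end + 1]}) > max_countries:
                reasons.add("geo_spread")
        if reasons:
            alerts[account] = sorted(reasons)
    return alerts

if __name__ == "__main__":
    print(flag_cashout(SAMPLE))
```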

It appears no individuals lost money. The thieves instead plundered funds held by the banks that they use to back up pre-paid credit cards, Lynch says.

Ori Eisen, a cybercrime expert, says the $45 million heist was on the high end of what can be done by cybercriminals who exploit banking systems connected to the Internet.

A source told Advisor.ca, “It was a pretty elaborate scheme…and the first step was malware. More specifically, keylogging malware was used to gain the credentials to access the bank and credit card processor databases.”

He says keyloggers are often responsible for data theft. He warns it’s crucial that companies understand how keyloggers work, how they are being planted on systems and how to prevent them.

“Given the scale of the global credit card networks, it is almost impossible to detect every kind of attack,” Eisen concludes. “This attack is not the last one, and if the modus operandi proves to be successful, crooks will exploit it time and again.”

In this case, there were two separate attacks: one in December that reaped $5 million worldwide, and one in February that snared about $40 million in 10 hours with about 36,000 transactions.

The scheme involved attacks on two banks, Rakbank in the United Arab Emirates, and the Bank of Muscat in Oman, prosecutors say. It doesn’t help that Middle Eastern banks and payment processors are behind on security and screening technologies, though this could happen in any country.

Some of the fault lies with the ubiquitous magnetic stripes on the back of the cards. The rest of the world has largely abandoned cards with magnetic stripes in favour of ones with built-in chips that are nearly impossible to copy.

But because U.S. banks and merchants have stuck to cards with magnetic stripes, they are still accepted around the world.

Lynch wouldn’t say who masterminded the attacks globally, who the hackers are or where they were located, citing an ongoing investigation.

The New York suspects were U.S. citizens originally from the Dominican Republic who lived in the New York City suburb of Yonkers. They were mostly in their 20s.

Lynch says they all knew one another and were recruited together. They were charged with conspiracy and money laundering. If convicted, they each face 10 years in prison.

The accused ringleader in the U.S. cell, Alberto Yusi Lajud-Pena, was reportedly killed in the Dominican Republic late last month, prosecutors say. More investigations continue and other arrests have been made in other countries, but prosecutors don’t have details.

The first federal study of ATM fraud was 30 years ago, when the use of computers in the financial community was growing rapidly. At the time, the Bureau of Justice Statistics found nationwide ATM bank loss from fraud ranged from $70 million to $100 million a year.

By 2008, that had risen to about $1 billion a year, says Ken Pickering, who works in security intelligence at CORE Security, a white-hat hacking firm that offers security to businesses.

He expects news of the latest ring to inspire other criminals. “Once you see a large attack like this, that they made off with $45 million, that’s going to wake up the cybercrime community,” he says.
