A massive cyber offensive in which millions of dollars were stolen from two Middle Eastern banks through ATMs in dozens of countries could have been prevented had better security controls been in place at the card processors, the ATMs and the banks involved, observers say. The security lapses could lead to legal liability for many of the companies duped in the process.
The Department of Justice unsealed charges Thursday against eight people in New York who allegedly used prepaid cards encoded with information stolen by hackers to drain $45 million from ATMs.
The suspects are said to be part of an enterprise that stretches across 26 countries. At its core is a group of cyber thieves who broke into the computer networks of companies that process MasterCard debit card transactions for the National Bank of Ras Al-Khaimah in the United Arab Emirates, known as RAKBANK, and Bank of Muscat in Oman.
The crime is being called the biggest heist of its kind, ever. In New York City alone, the cell allegedly withdrew $2.4 million from ATMs over the course of 13 hours.
Authorities on Friday reiterated that their investigation was continuing and hinted at a much larger conspiracy. RAKBANK's processor is based in India and Bank of Muscat's processor is based in the U.S., but the names of the processors have not been disclosed publicly.
A spokesman for the U.S. Attorney's office in Brooklyn declined to identify the processors or to say whether other arrests are imminent, citing the ongoing nature of the investigation. The investigation suggests that the processors' networks remain vulnerable to the cyberattack scheme while authorities in 17 countries continue to pursue leads.
"The processors may be saying, 'If you put us out there we are going to be hacked and we haven't been able to fix the problem, we will be overwhelmed and dead in the water immediately,'" says Mercedes Tunstall, a lawyer with Ballard Spahr in Washington, D.C. who specializes in Internet fraud.
Despite the brazenness of the cyber thieves and the cashers charged with carrying out the looting at street level, the incursion might have been thwarted or at least have been more difficult to pull off if the overseas standard for chip and PIN cards -- known as Europay, MasterCard and Visa, or EMV -- were universal.
Chip cards are more secure than magnetic-stripe cards not because the data on the chip is hidden (the account number can still be read from it) but because the chip holds a secret key that never leaves the card and uses it to compute a unique cryptogram for every transaction. Stripe data, by contrast, is static: whoever has a copy of it can write it onto a blank card, and the ATM cannot tell the copy from the original.
That per-transaction cryptogram, combined with a PIN, is what the ATM and the issuing bank's payment processing system use to authenticate a withdrawal, and it makes the entire transaction chain far more difficult to attack.
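The following is an added illustration, not code from the original article or from any card network, of why stolen stripe data is enough to cash out at an ATM while stolen chip data is not. It is a deliberately simplified model: real EMV derives 3DES or AES session keys from a card master key and covers more transaction fields, and the PIN step is left out; here an HMAC over the amount, the card's transaction counter and an ATM-supplied random number stands in for the cryptogram. The PAN, track-2 string and thresholds are constructed for the example.

```python
import hashlib
import hmac
import os


def cryptogram_input(pan: str, amount: int, atc: int, unpredictable_number: bytes) -> bytes:
    """Bytes the card MACs and the issuer re-MACs: PAN, amount, ATC, ATM nonce."""
    return (pan.encode() + amount.to_bytes(4, "big")
            + atc.to_bytes(2, "big") + unpredictable_number)


def chip_cryptogram(card: dict, amount: int, unpredictable_number: bytes) -> tuple:
    """What the chip does at the ATM: bump its counter and MAC the transaction
    with a key that exists only on the card and at the issuer."""
    card["atc"] += 1  # application transaction counter, monotonic per card
    msg = cryptogram_input(card["pan"], amount, card["atc"], unpredictable_number)
    mac = hmac.new(card["chip_key"], msg, hashlib.sha256).digest()[:8]
    return card["atc"], mac


class Issuer:
    """Issuer-side view: per-card keys plus the last counter seen per card."""

    def __init__(self):
        self.card_keys = {}
        self.last_atc = {}

    def issue_card(self, pan: str) -> dict:
        key = os.urandom(16)
        self.card_keys[pan] = key
        # track2 is the static data a magnetic stripe carries (constructed format)
        return {"pan": pan, "track2": f"{pan}=2512101", "chip_key": key, "atc": 0}

    def stripe_authorize(self, track2: str) -> bool:
        """Stripe authorisation can only check static data, so a copy passes."""
        pan = track2.split("=")[0]
        return pan in self.card_keys

    def chip_authorize(self, pan: str, amount: int, atc: int,
                       unpredictable_number: bytes, mac: bytes) -> bool:
        key = self.card_keys.get(pan)
        if key is None:
            return False
        if atc <= self.last_atc.get(pan, 0):
            return False  # replayed or stale cryptogram
        expected = hmac.new(key, cryptogram_input(pan, amount, atc, unpredictable_number),
                            hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, mac):
            return False  # wrong key: a card that does not hold the issuer's secret
        self.last_atc[pan] = atc
        return True


def run_scenario() -> dict:
    """Genuine stripe, cloned stripe, genuine chip, replayed cryptogram, cloned chip."""
    issuer = Issuer()
    card = issuer.issue_card("4000000000001234")  # constructed PAN
    results = {}

    # Stripe: the thief's blank card carries the same bytes as the real one.
    results["stripe_genuine"] = issuer.stripe_authorize(card["track2"])
    results["stripe_cloned"] = issuer.stripe_authorize(card["track2"])

    # Chip: the real card produces a cryptogram the issuer accepts once.
    nonce = os.urandom(4)
    atc, mac = chip_cryptogram(card, 2000, nonce)
    results["chip_genuine"] = issuer.chip_authorize(card["pan"], 2000, atc, nonce, mac)
    results["chip_replay"] = issuer.chip_authorize(card["pan"], 2000, atc, nonce, mac)

    # Clone: the thief has the PAN and track data but has to guess the chip key.
    clone = {"pan": card["pan"], "track2": card["track2"],
             "chip_key": os.urandom(16), "atc": atc}
    nonce2 = os.urandom(4)
    atc2, mac2 = chip_cryptogram(clone, 2000, nonce2)
    results["chip_cloned"] = issuer.chip_authorize(card["pan"], 2000, atc2, nonce2, mac2)
    return results


if __name__ == "__main__":
    for name, accepted in run_scenario().items():
        print(f"{name:15s} {'APPROVED' if accepted else 'DECLINED'}")
```

The point the model makes is the one Litan raises below: copying the stripe is a write operation, copying the chip would mean extracting a key from each card, and the issuer rejects both a replay and a card whose key it does not know.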
Most banks in the U.S. have yet to incorporate the security feature, which has been adopted by a preponderance of card issuers throughout the world.
"What the fraudsters did was exploit the fact that magnetic stripe cards are still used," says Gil Luria, a Wedbush analyst.
He adds that even when banks issue EMV cards exclusively they will still need to accept magnetic stripe cards for a while until every single consumer is converted.
"Even when the U.S. shifts to EMV in [the coming years], magnetic stripe will still continue to work for a while until everyone has an EMV card," says Luria.
The cyber scheme underscores the need for a deadline for all ATM owners to upgrade their machines.
Last year, MasterCard made its case for EMV to companies that own or operate ATM networks.
The company said all U.S. ATMs must accept EMV by 2016; after that, an ATM operator whose machines cannot read the chip bears the liability for counterfeit fraud committed at them with chip cards.
And in April, the payment network issued an open letter that said it planned to set up a system that would screen foreign transactions. MasterCard's deadline for U.S. ATMs to accept chip transactions from internationally issued Maestro chip-and-PIN cards passed the same month.
The four major card networks have similar timetables for EMV card adoption at the point of sale, with most merchants expected to accept EMV chip cards by October 2015.
"If these were chip cards, [the criminals] would have had to manufacture and clone the chip to match the accounts," says Avivah Litan, an analyst with Gartner Research. "That would have been very, very difficult and they wouldn't have done it, it may have been close to impossible, especially on this scale."
There could have also been better security on the ATMs.
Some manufacturers are piloting biometric security schemes that would have made this crime considerably more difficult to pull off. The technology captures a person's voice, face or fingerprint, in addition to a PIN, to authenticate a transaction.
However, that would still require the participation of the issuing bank. "This was not an attack on ATMs, this was a compromise of the credit card processors and from that compromise, fraudulent cards," says Diebold spokesperson Kelly Piero. "The ATM was simply a vehicle for obtaining that cash."
"Most of the [security] technology we have is designed to prevent the theft of card data from the device," NCR spokesperson Jeff Dudash says. He adds that if someone has broken into servers at a bank and gathered account numbers and PINs, there isn't "anything as far as I know that could be on a device on the other end to stop that from happening."
Indeed, the hack that made the alleged theft possible suggests a series of failures in the hand-off between the processors and banks, experts say.
Hackers allegedly entered the processors' networks and manipulated data there, and possibly found their way into the banks as well. From that position, the thieves removed or raised the withdrawal limits on prepaid debit card accounts, then encoded the stolen card numbers onto magnetic-stripe cards, which the people arrested Thursday allegedly used at ATMs.
Legal liability for the breach may run in several directions. "It [implies] data security failures at not just the card processor but also the banks in the way their relationships were set up with the processors, and the banks themselves for not having some controls on the way limits were pulled off the cards," Tunstall says.
The banks, which may be out millions, could look to MasterCard, whose debit network was the target of the attacks, for reimbursement. "MasterCard could then turn around and say the ATM operators have not adopted EMV, this is why they should be updating their technology," Tunstall notes.
Though American ATMs may be more vulnerable to fraudulent withdrawals than machines that require EMV, U.S. banks may be less vulnerable to the cyber scams like the one that allegedly hit RAKBANK and Bank of Muscat.
The reason: U.S. laws that aim to deter money laundering tend to increase the likelihood of detecting suspicious activity, including removing authorized account limits and attempts to launder money. "It would have been very difficult to do this with a U.S. bank," Tunstall adds.
Litan notes that the processors involved could have set up transaction rules that would have guarded against the theft. In this case, the crooks used their access at the processors to raise the ATM withdrawal limits on a small number of prepaid card accounts far above normal, in effect turning them into privileged accounts.
"So, at a minimum, they should have been monitoring privileged accounts," Litan says. "They should have been monitoring any math lifts to limits like that."
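As an added example of the kind of rule Litan describes, not code from the article or from any processor, the script below runs three checks over a constructed processor log: a withdrawal limit raised by more than a set factor, more than a few withdrawals on one card inside an hour, and withdrawals on one card from more than one country inside that hour. The log format, PANs, ATM identifiers, timestamps and thresholds are all assumed for the example; a real processor would tune the thresholds and feed the alerts into a case queue rather than print them.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log for this example (not real processor records).
# Two record types, comma-separated:
#   ts,LIMIT_CHANGE,pan,old_limit,new_limit,operator
#   ts,WITHDRAWAL,pan,amount,atm_id,country
SAMPLE_LOG = """\
2013-02-19T20:01:00Z,LIMIT_CHANGE,4000000000001234,500,999999,svc_batch
2013-02-19T20:01:05Z,LIMIT_CHANGE,4000000000005678,500,999999,svc_batch
2013-02-19T20:02:00Z,LIMIT_CHANGE,4000000000009999,500,600,branch_ops
2013-02-19T21:00:00Z,WITHDRAWAL,4000000000001234,2000,NYC-0017,US
2013-02-19T21:03:00Z,WITHDRAWAL,4000000000001234,2000,NYC-0042,US
2013-02-19T21:05:00Z,WITHDRAWAL,4000000000001234,2000,TYO-0003,JP
2013-02-19T21:06:00Z,WITHDRAWAL,4000000000001234,2000,NYC-0018,US
2013-02-19T21:10:00Z,WITHDRAWAL,4000000000005678,2000,LON-0009,GB
2013-02-19T21:12:00Z,WITHDRAWAL,4000000000005678,2000,NYC-0018,US
2013-02-19T21:13:00Z,WITHDRAWAL,4000000000005678,2000,NYC-0020,US
2013-02-19T21:30:00Z,WITHDRAWAL,4000000000009999,100,DXB-0001,AE
2013-02-20T09:00:00Z,WITHDRAWAL,4000000000009999,100,DXB-0002,AE
"""

# Assumed thresholds; a processor would set these from its own baselines.
LIMIT_RAISE_FACTOR = 10            # a limit raised more than 10x is suspicious
WINDOW = timedelta(hours=1)         # sliding window for the velocity rules
MAX_WITHDRAWALS_IN_WINDOW = 3       # a card is not normally used four times an hour
MAX_COUNTRIES_IN_WINDOW = 1         # one physical card cannot be in two countries


def parse_log(text: str) -> list:
    """Parse records into (timestamp, kind, pan, remaining_fields), oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(",")
        ts = datetime.strptime(fields[0], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, fields[1], fields[2], fields[3:]))
    events.sort(key=lambda e: e[0])
    return events


def detect(text: str) -> dict:
    """Return {pan: sorted rule names} for every card that tripped a rule."""
    alerts = defaultdict(set)
    recent = defaultdict(list)      # pan -> [(ts, country)] still inside WINDOW
    for ts, kind, pan, fields in parse_log(text):
        if kind == "LIMIT_CHANGE":
            old_limit, new_limit = int(fields[0]), int(fields[1])
            if new_limit > old_limit * LIMIT_RAISE_FACTOR:
                alerts[pan].add("LIMIT_RAISE")
        elif kind == "WITHDRAWAL":
            country = fields[2]
            # drop entries that have aged out, then add this withdrawal
            window = [(t, c) for t, c in recent[pan] if ts - t <= WINDOW]
            window.append((ts, country))
            recent[pan] = window
            if len(window) > MAX_WITHDRAWALS_IN_WINDOW:
                alerts[pan].add("VELOCITY")
            if len({c for _, c in window}) > MAX_COUNTRIES_IN_WINDOW:
                alerts[pan].add("MULTI_COUNTRY")
    return {pan: sorted(rules) for pan, rules in alerts.items()}


if __name__ == "__main__":
    for pan, rules in detect(SAMPLE_LOG).items():
        print(pan, ", ".join(rules))
```

In the sample the two cards whose limits jumped from 500 to 999999 are the ones that then cash out across borders within minutes, while the card with a routine raise to 600 and one withdrawal a day trips nothing. The limit-change rule fires before any money leaves, which is the check Litan says was missing.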
But that's what's sort of unbelievable about this crime. "A few simple controls could have stopped this disaster and you wonder, where are the regulators?" says Litan.
She adds that she doesn't see any checks and balances in the system.
"Who is monitoring the prepaid card processors?" says Litan, incredulously. "From what I can tell people need some incentive to secure their systems, it shouldn't be that way but it's true usually: compliance forces security spending."