The identities of the card processing companies targeted in a massive cyber offensive have surfaced.
EnStage, a processor based in Cupertino, Calif., and ElectraCard Services, which is based in Pune, India, processed prepaid payments for two Middle Eastern banks struck in the attack, which drained $45 million from ATMs in dozens of countries, Reuters reported on Saturday, citing unnamed sources familiar with the situation.
The U.S. Government has charged eight people in New York with allegedly using MasterCard prepaid cards encoded with information stolen from the processors to make thousands of withdrawals.
The suspects allegedly belonged to an international operation that hacked into the processors’ networks, according to prosecutors, who declined in an indictment unsealed Thursday to identify the processors.
EnStage handled payments for National Bank of Ras Al-Khaimah in the United Arab Emirates, known as RAKBANK. The bank lost roughly $5 million after attackers allegedly used the cards in December for 4,500 ATM transactions in 20 countries around the world.
ElectraCard is said to have processed payments for Bank of Muscat in Oman, which in February had about $40 million stolen from ATMs in 24 countries, according prosecutors.
Both EnStage and ElectraCard reportedly process transactions for banks in the Middle East, India and elsewhere.
MasterCard bought a 12.5% stake in ElectraCard in 2010, according to news reports. MasterCard’s systems "were not involved or compromised" during the attacks, Jim Issokson, a spokesman for MasterCard, said Thursday in an email.
An ElectraCard spokesman did not respond immediately to a request for comment, though the company acknowledged it was affected by a December 2012 incident in comments to Reuters. The incident did not affect its internal systems, it said.
A spokesperson for EnStage also did not respond immediately to a request for comment, though it confirmed its involvement in comments to the Indian daily publication Business Standard.
Govind Setlur, EnStage’s chief executive, told the Times of India on Saturday that the company has "retained independent security experts to analyze the intrusion and to recommend enhancements to its information security infrastructure.”
“EnStage has implemented both these enhancements as well as additional monitoring capabilities," he added.
RAKBANK took to Twitter Friday to say that none of its systems were involved in the attack. The bank also said that none of its customers lost money in the fraud.
Bank of Muscat said Sunday it is "exploring all avenues" to recover the money it lost, according to Reuters.
The attackers are accused of breaching the processors' networks, where they removed transaction limits from prepaid card accounts and then encoded numbers swiped from the banks onto magnetic-stripe cards, according to prosecutors. The people arrested Thursday allegedly used the cloned prepaid cards at ATMs.
"This is a much more serious fraud than earlier cases of credit card skimming since the hacker had access to the processing company's database and application server,” an unnamed security specialist told the Times of India. “They have also managed to get hold of ATM PINs, which are generally never stored at the servers post-authentication.”
Legal liability for the breach could touch companies throughout the chain of transactions. "It [implies] data security failures at not just the card processor but also the banks in the way their relationships were set up with the processors, and the banks themselves for not having some controls on the way limits were pulled off the cards," Mercedes Tunstall, a lawyer with Ballard Spahr in Washington, D.C. who specializes in Internet fraud, said in an interview.
The banks also might look to MasterCard for reimbursement, while MasterCard could seek to be compensated by the ATM operators, Tunstall noted.