Another security breakdown

The news that two banks in the Gulf were robbed of $45m in a global ATM scam should serve as yet another wake-up call to the industry

By Mark Sutton. Published June 5, 2013

The news that two banks in the Gulf were robbed of $45m in a global ATM scam should serve as yet another wake-up call to the industry, but it is hard to see it as anything other than an indictment of the poor processes and lax security displayed by too many organisations in the region.

In short, hackers appear to have compromised the systems of two credit card processing companies in order to remove the limits on a small set of pre-paid credit cards. The credit card numbers were then circulated to gangs in 27 countries, who cloned the cards and, at a pre-determined date and time, spread out across the cities they were based in and made as many withdrawals as possible. The attackers only struck twice, once against RAKBANK in December, netting around $5m, and then again against Bank Muscat in February for some $39m.

The attack against Bank Muscat had been disclosed in February, by the bank itself in a statement to the Muscat Securities Market — its losses are estimated to account for 10% of predicted 2013 earnings.

The theft was undoubtedly audacious and well organised, and the exact mechanics of how pre-paid cards are administered compared to regular credit or debit cards are not known here, but these attacks are not so much shocking as they are exasperating. How did such a large-scale attack succeed, and why did the banks in question not detect what was happening?

Multiple, large amount withdrawals were made during a short time frame — 2,904 withdrawals were made in New York, on a single Bank Muscat account, in just ten hours (netting the thieves around $2.4m, incidentally). That is roughly 48 withdrawals per minute. The locations were spread out enough to have made it physically impossible for one person to be using the card, let alone for the volume of transactions to look anything like legitimate.

The security sector has been pushing the message that IT security systems need to detect not just outright illegal behaviour in transaction processing, but also unusual or slightly suspect behaviour. If one incident by itself is not unusual enough to trigger an alarm, logging multiple events should be. These systems are already in place. We’ve all had the phone call from the bank after making an ATM withdrawal or large card purchase while in a foreign country — ‘are you in such and such a country? Did you just use your card at such and such ATM?’ The calls are partly reassuring that the bank is paying attention, partly creepy in how fast they are to call — sometimes the phone has rung before you’ve even put the money in your wallet.

The system may involve inefficient human intervention in the form of someone having to pick up the phone and make the call, and the cost of having agents on hand 24-7 to do so, but the bank is almost immediately aware of any potentially fraudulent transactions. Other systems send an SMS to the card holder to notify them of transactions. It puts the onus on the card holder, but it is another safety net.
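The kind of check described above, as an added example (not code from the article or from any bank's system): a per-card sliding-window velocity rule combined with an impossible-travel rule. The thresholds, the event layout and the sample transactions are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

WINDOW = timedelta(minutes=10)  # assumed sliding window per card
MAX_IN_WINDOW = 3               # assumed limit on withdrawals inside the window
MAX_SPEED_KMH = 900             # assumed ceiling: roughly airliner cruising speed

def km_between(a, b):
    """Great-circle (haversine) distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def detect(events):
    """events: (iso_time, card, lat, lon, amount), sorted by time. Returns alerts."""
    recent = defaultdict(deque)  # card -> timestamps still inside the window
    last = {}                    # card -> (time, position) of previous withdrawal
    alerts = []
    for ts, card, lat, lon, _amount in events:
        t = datetime.fromisoformat(ts)
        q = recent[card]
        q.append(t)
        while t - q[0] > WINDOW:          # expire events older than the window
            q.popleft()
        if len(q) > MAX_IN_WINDOW:        # many individually ordinary events
            alerts.append((ts, card, "velocity"))
        if card in last:
            prev_t, prev_pos = last[card]
            hours = (t - prev_t).total_seconds() / 3600
            dist = km_between(prev_pos, (lat, lon))
            # ignore sub-kilometre moves; flag travel no cardholder could make
            if dist > 1 and (hours == 0 or dist / hours > MAX_SPEED_KMH):
                alerts.append((ts, card, "impossible-travel"))
        last[card] = (t, (lat, lon))
    return alerts

# Constructed sample data, not taken from the incident: card A behaves
# normally, card B is used repeatedly and in two distant cities within minutes.
NYC, NYC_NEARBY, TOKYO = (40.7128, -74.0060), (40.7130, -74.0050), (35.6762, 139.6503)
SAMPLE = [
    ("2024-01-01T15:00:00", "A", *NYC, 200),
    ("2024-01-01T15:01:00", "B", *NYC, 800),
    ("2024-01-01T15:02:00", "B", *NYC_NEARBY, 800),
    ("2024-01-01T15:03:00", "B", *NYC, 800),
    ("2024-01-01T15:04:00", "B", *NYC, 800),
    ("2024-01-01T15:05:00", "B", *TOKYO, 800),
    ("2024-01-01T18:00:00", "A", *NYC, 200),
]
```

Neither rule looks at the amount: each withdrawal on card B is unremarkable on its own, and only the count per window and the distance between consecutive uses raise the alerts.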

The failure to detect and block these attacks would suggest that either the attackers were intimately familiar with the systems in place — a 24-hour lag in communication between bank and processing company would have given them time enough to act; or else the banks lacked a system to detect this unusual behaviour and start a human investigation, or they failed to act on an alarm in a timely fashion.

If it is the latter, then these banks are seriously remiss. Even if the mechanics of pre-paid card processing, or the co-ordinated efforts of the attacks meant that there were no alarms, why had no one — apparently — ever realised this was a potential vulnerability or thought that putting alarms in place, or closing up a lag in communications would be a good idea?

Bank Muscat has made a statement to shareholders that it will make every effort to recover the money. Given the New York gang had apparently already blown a large proportion on fast cars and luxury watches before they were caught, and that the gang leader was murdered in the Dominican Republic, recovery seems unlikely.
