By Stephen Bryen
The big story this week is the work of sophisticated thieves who were able to take cash from ATMs in the United States and in at least 23 other countries. The amount stolen is estimated at $46 million. While about a dozen people have been arrested for the crimes, there are no doubt plenty of others who have so far eluded the police, and the amount stolen could be much higher than so far reported.
How was it done? Two Middle East banks were hacked by professionals. One of the banks, Rakbank, is located in the UAE; the other, the Bank of Muscat, is in Oman. In addition, an as-yet-unnamed Indian credit card processing company was also hacked. The scam was to create “pre-paid” money cards (VISA, MasterCard) ostensibly issued by the banks. The scammers created the pre-paid accounts and removed the fail-safe dollar ceiling on withdrawals, so that one card could potentially empty an ATM. The cards themselves are typical magnetic stripe cards commonly used in ATMs.
Looking at the crime itself, there are two striking facts.
The first is that the hacking must have been an inside job, because the hackers understood the banks’ setup and how the accounts were organized, and had the know-how to manipulate the supervisory software. They were able to create the accounts within the bank and credit processing facility, including authentication, disable the cash limits normally applied to accounts, and operate the scam on a global basis through a network of associates. So far there have been no arrests of any insiders, but it is only a matter of time before they are apprehended.
Years ago a huge bank heist was pulled off through cyber attacks on Citibank accounts. It was also a multinational operation, and it required insiders to help in the theft. Essentially that scam involved moving money from one account to another. Like the ATM case, it was a multinational operation affecting accounts and transactions in many countries. Once money was transferred, the owner of the now cash-rich account would go to the bank and withdraw the cash or transfer the cash elsewhere or convert it to another instrument, such as bonds.
There were some arrests and convictions, but the hidden hand in the Citibank case was Russians in an organization the FBI called “The Russian Business Network.” It is well to keep in mind that the Citibank case also involved stealing ATM PINs.
We don’t yet know the masterminds behind the $46 million ATM crime, and it remains for law enforcement to try to ferret out the real source of the scheme. It would have to be an organization with global connections, strong organizational capabilities, and links to an underground of criminals willing to rob individual ATMs for a share of the loot. A Russian Mafia-linked organization cannot be ruled out.
Another potential source for the operation is terrorist groups with the capability to carry out such operations, perhaps linked to Iran. This needs to be explored. The targets, after all, were Middle Eastern banks that represent the establishment in the UAE and Oman. While $46 million is not an especially large hit on these banks, given their resources, we need to keep in mind that the amount so far reported may only be part of the actual crime. An insider group may also have taken very large sums from these banks, and used the ATM scam to draw attention away from pilfering large accounts at the banks.
The other striking issue about these theft operations targeting banks is how poor the banking security system actually is, and how the system lacks simple protections such as strong authentication and encrypted accounts. One of the reasons is, of course, a desire by banks to exploit modern electronic transactions to the fullest, because they require very little labor or overhead, making it easy for banks to load them with transaction fees and credit charges. Small losses are covered by the bank’s and credit card company’s insurance. In fact, as we move rapidly to a cashless society, or one that accepts electronic tokens instead of paper dollars or checks, banking security issues loom large. Bitcoin, for example, has already been hacked and is proving utterly unreliable and suspect. In fact, the entire banking and credit system is vulnerable and poses a considerable economic and security danger to modern nations.