Reported by: banking|Updated: June 28, 2013
“Indian Outsourcing Under lens”, reads the subject line of a major news daily’s blog. The article goes on to cite the occurrence of a 45 million dollar heist. The heist appears to be the main reason for this subject line and for scores of online blog posts. While everyone was preparing for the New Year around the 21st December 2012, the Bank of Muscat unwillingly welcomed a fraudster within its Indian payment processor, Enstage Payments. The Cupertino, California, based organization had to bear the brunt, and some unsavory PR in the media, for playing center stage to a 40 Mn $ fraud heist. In a separate incident, the Ras-Al-Khaimah Bank was reportedly duped of 5 Mn $, with the blame resting on ElectraCard, a subsidiary company of Opus Payments.
Security analysts and the FBI have been investigating this occurrence, but both Opus and ElectraCard have ruled out the probability of either an insider angle or a loophole within their technology. A point worth mentioning is the abundance of information and views available on this subject. Bloggers, security analysts, and regulators have opined on different blogs and online podcasts, which can easily be found with a simple Google search. Currently Google returns updated results up to page 56.
So what does it take to enable a 45 million dollar heist? Is it knowledge of systems, management skills to handle looters across 27 countries, technical knowledge of cloning cards, or knowledge of different banks’ customers? Or would a diploma in veterinary science help in handling mules, considering that mules are used to physically transport cash across borders? Unfortunately, there is no crash course that teaches frauds and scams, nor do organizations think intelligently like a fraudster to thwart such occurrences.
“On a scale of one to 10, this is a nine,” said Ori Eisen, founder and CEO of San Jose, Calif.-based security firm Fourth Parameter. “This specific attack requires a very high level of sophistication and perhaps some inside help. It requires organization and planning, and you can’t execute it every day.” He further adds, “The scale and nature of this operation can’t be executed by low to mid-level gangs. This is the high end of organized cybercrime — the loot is usually commensurate with the sophistication of the criminal.”
While we speculate, it is worth looking at the modus operandi. The story starts in the Gulf and has characters in 27 countries. Withdrawal limits on two prepaid cards belonging to a UAE bank and an Omani bank were sabotaged by hackers. They allegedly did so by managing to enter the secure premises of two payment processor companies. The accounts were being processed at the centers of Enstage Payments (at their US office) and of Pune, India based ElectraCard, a subsidiary of Opus Payments.
Seventeen prepaid cards served as the channels for usurping 45 million dollars. It took 40,500 ATM withdrawals, made within hours on each of Dec 22, Feb 19 and Feb 20. “In short, this was a highly organized and surgically clean loot, comparable to the casino theft-movie Ocean’s Eleven”, says Loretta Lynch, a U.S. Attorney, on an NBC news report.
To rewind and provide a more detailed insight: the “Unlimited Operation”, as the U.S. Department of Justice has nicknamed it, “begins with a hack into the computer system of a credit card processor. Prepaid debit card accounts are compromised, and the withdrawal limits and account balances of those accounts are eliminated. The elimination of withdrawal limits enables the participants to withdraw literally unlimited amounts of cash until the operation is shut down… These attacks rely upon both highly sophisticated hackers and organized criminal cells whose role is to withdraw the cash as quickly as possible”.
“First, over the course of months, the hackers plan and execute sophisticated cyber intrusions to gain unauthorized access to the computer networks of credit card processors that are responsible for processing prepaid debit card transactions. They target databases of prepaid debit cards, which are typically loaded with finite funds; such cards are used by many employers in lieu of paychecks and by charitable organizations to distribute disaster assistance. Next, the cybercrime organization cashes in, by distributing the hacked prepaid debit card numbers to trusted associates around the world. These associates operate cells or teams of “cashers,” who encode magnetic stripe cards, such as gift cards, with the compromised card data. When the cybercrime organization distributes the personal identification numbers (PINs) for the hacked accounts, the casher cells spring into action, immediately withdrawing cash from ATMs across the globe. The hacker-masterminds watched the ATM withdrawals on their computers, so they wouldn’t get cheated out of their share”, added the source.
The FBI managed to bust the mastermind’s New York cell. The eight-member New York cell managed to keep 20 per cent of their haul, and sent the rest to their organizers. The cashers later laundered the money in part by buying Rolex watches and luxury cars. The feds haven’t provided much information about the international investigation into the global heist, or said how many people have been arrested in other countries. “The New York cell was made up of eight Dominican-Americans living in Yonkers, NY. The first member was arrested on March 27, trying to flee to the Dominican Republic. The alleged ringleader, Alberto Yusi Lajud-Peña, wasn’t arrested because he’s dead”, The New York Times explains.
The FBI, in their investigations, only disclosed a clue they received in an email that linked the New York cell to a money-laundering gang in St. Petersburg, Russia. The New York group got caught through old-fashioned police work, mixed with a dash of concurrent investigation techniques. The thieves were photographed by multiple ATMs, their backpacks getting visibly heavier at each stop, and some opted to post photographs of their bounty with wads of cash.
Lajud-Peña fled the United States just as the authorities were starting to arrest members of his crew, law enforcement officials commented. On April 27, according to news reports from the Dominican Republic, two hooded gunmen stormed a house where he was playing dominoes and began shooting. A manila envelope containing about $100,000 in cash remained untouched, according to our source, The New York Times.
Finger-pointing and blame-shifting, though unavoidable in such circumstances, are difficult here, since responsibility cannot be pinned on a single entity. “That’s because so many different entities are now involved in the global payments chain,” reasoned a Gartner analyst.
“There are so many parties in the payments chain that it is very difficult to assign blame in these types of breaches,” says financial fraud expert Avivah Litan, an analyst with consultancy Gartner Inc., who blogged about the attack. “There can easily be seven roundtrip hops or more between an ATM cash disbursement request and the cash disbursement. The leakage can happen at any of those points or hops.”
Al Pascual, senior security, risk and fraud analyst for Javelin Strategy & Research, says card data could have been obtained through any number of channels. “Couldn’t these criminals just buy the cards legitimately and then breach the processor to alter the limits?” he asks. “Seems easier to me. Obtaining card data is less challenging for criminals than gaining access to a processor and altering their internal controls, though.” Regardless of the cause of a breach, however, it’s critical that all card issuers monitor their networks and catch fraudulent transactions before card compromises lead to major financial losses, security experts advise.
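The monitoring the experts call for can be sketched as a per-card sliding-window check. This is an added example, not code from the article or from any party it names: it flags a prepaid card when its withdrawal count, number of ATM countries or total cash within one hour exceeds a threshold, the pattern the “Unlimited Operation” produces. The event format, card identifiers, thresholds and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds for illustration; tune them to the card programme.
WINDOW = timedelta(hours=1)
MAX_WITHDRAWALS = 5   # withdrawals per card inside the window
MAX_COUNTRIES = 2     # distinct ATM countries per card inside the window
MAX_AMOUNT = 2000.0   # total cash per card inside the window


def detect_cashout(events):
    """Map each flagged card to (first_alert_time, set_of_reasons)."""
    # events: (iso_time, card_id, atm_country, amount) tuples, sorted by time
    recent = defaultdict(deque)  # card_id -> events still inside WINDOW
    alerts = {}
    for ts, card, country, amount in events:
        now = datetime.fromisoformat(ts)
        win = recent[card]
        win.append((now, country, amount))
        while now - win[0][0] > WINDOW:  # expire events older than WINDOW
            win.popleft()
        reasons = set()
        if len(win) > MAX_WITHDRAWALS:
            reasons.add("velocity")
        if len({c for _, c, _ in win}) > MAX_COUNTRIES:
            reasons.add("geo-spread")
        if sum(a for _, _, a in win) > MAX_AMOUNT:
            reasons.add("amount")
        if reasons:
            # Keep the first alert time, accumulate every reason seen later.
            alerts.setdefault(card, (now, set()))[1].update(reasons)
    return alerts


def sample_events():
    """Constructed data: one ordinary card, one drained from three countries."""
    rows = [("2013-02-19T09:00:00", "CARD-NORMAL", "AE", 300.0),
            ("2013-02-19T18:30:00", "CARD-NORMAL", "AE", 200.0)]
    start = datetime(2013, 2, 19, 15, 0)
    for i, country in enumerate(["US", "JP", "US", "DE", "US", "JP"]):
        when = (start + timedelta(minutes=5 * i)).isoformat()
        rows.append((when, "CARD-TEST-01", country, 800.0))
    return sorted(rows)


if __name__ == "__main__":
    for card, (first, reasons) in detect_cashout(sample_events()).items():
        print(card, first.isoformat(), sorted(reasons))
```

The amount rule fires first here, on the third withdrawal, which is the point of running such checks at authorization time: a card whose limit has been removed at the processor is caught by an independent control.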
Madeline Aufseeser, a senior analyst with Aite Group who follows payments processors, said she was relieved to learn that the case appeared to be limited to smaller processors. “It looks like an isolated, very targeted incident,” she said, noting that the major firms in the industry have highly sophisticated protocols to limit fraud damages. The big players include First Data Corp, FIS, Galileo, Mastercard Inc’s Mastercard Integrated Processing Solutions, Tsys and Visa Inc’s Visa Debit Processing Service.
Philip Philliou, managing partner of Philliou Partners LLC, a firm that helps banks and retailers select payment processors, predicted smaller processing firms will lose business as a result of this theft. Banks will decide they are not willing to assume the additional risk that comes with using smaller firms, he said.
“Yikes,” says Tom Levenson at Balloon Juice. “I have no doubt that there are folks involved in this that you really, really don’t want to irritate.” But while $45 million is a huge haul, this is still the “least surprising story of the year,” he argues. “The cyber-security people I talk to have to hold their hands over their mouths to stop themselves from blurting “WAKE UP SHEEPLE!!!!!” — as that trust rests on a rickety tangle of hardware and software. So while there’s a kind of Great Train Robbery thrill to the idea of capers like these, this could get ugly indeed,” concludes Levenson.
While some frauds, particularly those in domestic markets, can go unnoticed, the value of these two recent frauds has put them firmly in the spotlight. All the more so considering the security loopholes in Indian outsourcing environments and the prepaid cards being issued in the Gulf. The latter is the more severe issue, since customers in the Gulf are generally allowed to put much larger amounts on prepaid cards and the banks don’t monitor the cards as closely. “Hackers only need to find one vulnerability to cause millions of dollars of damage,” said Mark Rasch, a former cyber-crimes prosecutor, as quoted in a Reuters report.
“Banks in Third World countries have horrible cyber-security, so it’s pretty easy to break in and steal information. All it takes is the very simplest hacks, like SQL injection or phishing,” says Robert Graham, CEO, Errata Security, Atlanta, US. He feels that though such scams are ingenious in their mechanisms, cloning cards is a simple methodology. “A magnetic-stripe writer costs $200,” he retorts while continuing. “With such a device, you can easily program any credit card in your wallet to one of the stolen accounts. Blanks can also be obtained easily.” Such devices can be used to “clone” a credit card or debit card — a library card, a hotel-room key, a store membership card.
Both banks have had to absorb the losses within their annual statements, to cushion investors and customers. The fallout of bad media and negative branding is a force that both the banks and the outsourcing agencies are finding difficult to cope with. “The good news is that it’s not individuals who are having money stolen from their accounts, but rather the financial institutions,” said Graham Cluley, a senior technology consultant with the Sophos security firm in Abingdon, England. “Mind you, ultimately, they pass the costs of such things on to the general public.”
“It took a well-coordinated and very busy industrious criminal gang — a directed mob,” said George Smith, senior fellow with Washington, D.C.-based think tank GlobalSecurity.org. He further adds, “If you have such a similar mob you can put together, you can think about trying to duplicate this type of thing,” Smith said. “But you’ll have to have some startup capital, since it’s not quite something you can just walk out the door and assemble off the cuff.”
Road to Recovery
A big question being raised is whether the banks have been able to recover the losses from these frauds. A Reuters report states that it is uncertain whether the Bank of Muscat and the RAK Bank could be compensated for the losses. Experts have also commented that the banks could pursue legal cases and sue their payment processing companies. However, the contracts generally limit the processor’s liability. “They can’t make everybody whole, or they’ll be out of business,” Michael Klaschka of Integro Insurance Brokers told Reuters. “The bank may have very little recourse against the credit card processor.”
An option the banks could use is to seek payment from their insurers under general policies, since some insurers offer coverage for cyber crime. The biggest remaining question is whether both banks opted for cyber fraud insurance. “It’s certainly possible that the bank could be left holding the bag,” Frederick Rivera of financial services law firm Perkins Coie was quoted as saying in a Reuters report. To add to the banks’ woes, there is the question of jurisdiction. Since both banks are located in the Middle East and one of the processing companies is based in India, it is unclear which court would have jurisdiction over the case. Still, credit card companies impose rules on banks and processors that apply across jurisdictions.
Losers- Brand Loss?
All said and done, it is imperative to note the biggest loser in this occurrence. Would it be the banks, the agencies embroiled in this news, or a new entity? There has been a major liability shift in terms of lost intangible value: following this occurrence, analysts have opined that organizations would shy away from investing in Indian outsourcing deals.
An ET report linking the fraud occurrence pegged the Chinese environment on par with the Indian one. “The Chinese have proven time and again that their work is unbeatable when it comes to speed and cost-efficiency,” starts the report. “China’s outsourcing industry comprises over 10,000 firms. Industry revenue touched USD 14.4 BN in 2010 (accounting for 28.7 per cent of global market) and is projected to grow to $ 44 BN by 2014, according to data available. 58 per cent of revenue for Chinese service providers last year came from domestic buyers. Though the Ministry of Commerce aims to grow the industry by 30 per cent annually and reach target of USD 85 BN by 2015. There are 24 model cities for outsourcing in China designated by government. Favourable state policies for exemption help to wade over pressure due to appreciation of RMB,” suggests Ajay Muttreja, President, Tecnova India Ltd.