The recent Banking Fraud where US $45 million (Rs 250 crores) were withdrawn in cash across 27 countries was a sensational international cyber crime that warrants a serious analysis by all Cyber Crime and Cyber Security experts. What is intriguing was that only 12 card accounts were used to conduct 36000 transactions withing 2 and half hours to withdraw the amount from different ATMs.
This fraud highlights how Cyber Crime can create chaos in the Physical financial world and raises questions about how we secure our financial systems in future against the breaches created by the rapid progress of “Technology”.
The dangers of “Technology Ahead of Security” on the part of the bankers and “Convenience Ahead of Security” on the part of the Customers have rendered E Banking vulnerable to the point where it can destroy the global economy.
The sophistication with which the crime was executed clearly reminds one of the various Hollywood movies such as or Ocean Eleven series where bags of hard cash is taken away by successful operators. While in the film, clever robbers rob from other persons who have amassed money by cheating the public and therefore evoke silent admiration of their success, the current Great E Bank Robbery has hurt the common man on the street and his hard-earned savings. It is therefore a serious matter to be guarded against so that there is no “Sequels of Great E Banking Robberies” to contend with.
This article in fox news tries to capture the modus operandi of this Great E Banking Robbery. This crime was a mix of “Hacking”, “Data Theft”, “Data Manipulation” and “Card Cloning” and executed across countries by a gang of coordinated criminals.
First two card processing IT Companies one in India and another in USA (also maintaining a data center in Bangalore) were hacked and some credit card data was accessed. Some insider involvement or past employee involvement can be speculated in this operation. After accessing the card data, it was used for cloning the cards. However what made the operation ingenious was that the criminals were not simply satisfied with cloning active cards and removing money upto the available balance. They perhaps knew that this would limit their opportunities to the available balances and also the unauthorized withdrawals would get quickly discovered because active users would immediately notice the withdrawals and report it to the banks.
They therefore struck at cards which had lower probability of quick reaction from the customers. They chose “Prepaid Cards” where money was already loaded and hence the withdrawals were not subjected to the same rigour as other cards which would raise fresh “authentication requests” for each new withdrawal. Additionally they chose cards which were perhaps been sparingly used which represented some thing similar to “Dormant Accounts” in Banking terminology. To offset the probability that such cards may have smaller balances than the cards with a credit line, they used their hacking ability to modify the amounts available in the cards to higher levels. Again by using the charging of prepaid cards instead of transferring of money to the mule accounts, criminals created an easy cash delivery mechanism through the ATMs without the need to create one more parking slot for the money.
In order to execute the cash withdrawals the criminals acted as a coordinated gang across 27 countries. The cloned cards were created out of transfer of Magnetic Strip data to the end point fraudsters or to their local manager who loaded the data on blank cards and delivered them to several chosen fraudsters who went to the ATMs and withdrew the money on receipt of the cue from the kingpin. Probably, some havala route was used to enable passing off of commission to the kingpin after the money was withdrawn. In New York city alone, $2.8 million was taken away from different ATMs without raising any alarm.
The heist was executed first in December when over 150 minutes, 4500 fraudulent transactions were conducted and US$5 million was withdrawn in cash. Then the fraudsters lied low until February and perhaps felt that their earlier fraud had gone unnoticed. They then struck again and over a period of 10 hours executed 36000 transactions taking away $40 million.
At the end of it, one must appreciate the efforts of the law enforcement to quickly bring the culprits to the Court within three months from the second heist at least in New York.
However the Banking industry has to now worry about how they secure E banking transactions in the future. Similarly the fraud insurance companies also need to worry about the implications of such losses. Probably this will increase the cost of E Banking in future and the advantage of “Economy” in using of technology in banking has gone for a six.
Today’s nature of Cyber Crimes are easily repeatable and hence we in India need to worry about how we address similar issues if they arise in India. The incident once again confirms that the customer is at the mercy of the system in the hands of the Bankers which may not be properly secured.
Banks should therefore stop blaming the customer in such cases.
Bankers who keep saying that “Our systems are secure and unless you share your password or PIN, there is no way such frauds can take place” should eat their words..
Adjudicators, Cyber appellate Tribunal and the Judges in different Courts in India need to take note of this modus operandi before taking decisions in Phishing and Card fraud cases. If an organization like Electra Card the Pune based specialized card processing company with PCI Compliance and other security measures could be hacked, then the systems of Banks which are not secured at similar levels are more prone to such risks.
I urge RBI to immediately constitute an expert committee to review the implementation of Information Security in Banks on which RBI had given guidance notes on April 29, 2011 and also February 28, 2013 and push Banks to tighten up the security levels without a day’s delay.