Break the Back of Bank Frauds

The Great E Bank Robbery, in which US$ 45 million (Rs 250 crores) was drawn in cash in about 40000 fraudulent withdrawals spread over 12 and a half hours on two different days across 27 countries, is an eye opener to the Cyber Security world on how well the underground Cyber Criminal gang is organized.

The investigations so far have revealed that the information on certain cards was obtained by hacking the systems of the data processing companies and was used to clone the cards. But it required a group of individuals to go to individual ATMs one after another, draw the cash, stash it in their bags and run to the next ATM, until they had exhausted the cash in all ATMs around them or until they received a “Stop” note from their boss.

We need to note that without the assistance of these “End Point Fraudsters”, whom we sometimes call “Mules”, the fraud could not have succeeded. It is these end point fraudsters who took the risk of being caught and punished. The hackers who remained in the back felt a lot safer since it is difficult to identify, capture and prosecute them. Similarly, behind the hackers who actually downloaded the card data and increased/removed the card limits, there were others who dropped a Trojan or conducted a Social Engineering attack to steal the access credentials for the sensitive data. There is also a possibility that an existing or past employee of the organization in which the data breach occurred might have caused the breach, either out of financial lure or out of vengeance. The possibility of negligence without malice on the part of such an employee also cannot be ruled out.

At this time it is difficult to say with certainty if the data breach occurred only at the two card processing companies which are in the center of the investigation. If the card data was not effectively encrypted then it would be a serious issue of negligence. It is reported that these card processing companies were “PCI Compliant”.

In this context, it is also necessary for us to focus on the general status of Information Security in the IT Sector and in particular the BPO sector all over India and more so in Bangalore, Pune and Gurgaon. We need to initiate such action as would silence the India bashers in the US who have already started their campaign against outsourcing. This can hurt the Indian economy seriously.

We need to recognize that what has happened today to Banks in the Gulf and at ATMs in New York or elsewhere can happen or will happen to banks in India and the ATMs in India. Hence Indian Banks as well as RBI should start a campaign to ensure that such “Bank Heists” do not occur in India, where Indian Customers will be left to fight with the Bankers in long drawn legal battles. We know that the case of S.Umashankar Vs ICICI bank has dragged on now for 5 years despite a favourable verdict from the Adjudicator of Tamil Nadu, and several more cases have been pending with adjudicators for more than 2-3 years. Banks will be happy to take all cases to judicial processes since they can regenerate the lost money within 3 years while the customer is kept waiting for justice.

Now it is time for RBI to immediately constitute an expert committee to ensure that its regulations are strictly followed by banks in letter and spirit. One of the requirements that need to be tightened is the CCTV camera system in ATMs. It is necessary to ensure that the CCTV cameras used are of high resolution and are always functioning. If CCTV cameras are dysfunctional, the ATM should stop cash dispensation. We should also encourage customers to register for “Face Recognition Authentication” systems so that there is no way a third party can withdraw money from the customer’s account. Since some customers are in the habit of allowing their relatives to withdraw the amount on their behalf, they should be properly educated and encouraged to obtain multiple ATM cards for the kith and kin whom they want to authorize for withdrawals and have their face recognition built into the system.

We also need to further tighten the KYC system and penalize the Banks heavily when KYC failure leads to frauds. Banks should undertake a security audit of all their outsource partners including those who conduct KYC. I have observed that for genuine customers like me Banks have posed problems in KYC while many fraudsters have been able to open and operate accounts without any problem. This indicates that sometimes KYC is followed in letter but not in spirit. This has to be corrected.

It is also necessary for Banks to use “Adaptive Authentication” and raise the bar when stakes are higher. This requires a close monitoring of customer behaviour and if Banks are not doing this already, it is a criminal negligence that needs to be punished. Current RBI guidelines suggest such systems to be in place by June 30, 2013 and we need to watch how Banks react to the latest guidelines.

If “End Point Fraudsters” are eliminated through the Face Recognition system at ATMs, better KYC at Banks and adaptive authentication, security can be enhanced by several notches and we can break the back of these Cyber Frauds.

Overall we need to re-evaluate the security of our Banking systems in the light of the Great E Banking Robbery and ensure a Safe E Banking environment.

Naavi


INCERT to conduct enquiries on Great E Bank Robbery

As referred to in our earlier post on the $45 million Global Card fraud, IN CERT is reportedly conducting an enquiry on the security breach alleged to have occurred at the two card processing companies in India.

In the meantime, the Pune based Electra Card services has given out a statement stating that the data breach occurred “Outside their environment”.

 

Naavi

Related Article in ET:

Another Article in ET

Related Article in TOI


Attention now turns on India as an outsourcing destination

As could be expected, the Great E- Banking Robbery has now brought Indian Outsourcing industry to the center of controversy. The Reuter report

Already some security experts in US have started a campaign for shifting the card processing business to some large US companies. Probably in the short run some business will move out of India since “Security” is an issue on which no financial institution wants to compromise.

However, at this point of time it is not clear where the Indian companies failed. It would be necessary for INCERT to conduct its own enquiry and undertake necessary steps to document what really caused the security breaches and what can be done in future to secure the BPO industry’s interests.

Naavi


TN Police throw up their hands in Phishing Case

Tamil Nadu police had the distinction of achieving the first ever conviction under ITA 2000 way back in 2004. It has also had the distinction of solving several Credit card frauds, some of which had an international footprint.

However, these appear to be past glories, as the current administration under the AIADMK Government appears to show no inclination to investigate Cyber Crimes. In one of the complaints filed by a Phishing Victim, Police have recently sent a letter stating that they are unable to trace the accused and hence would like to close the case.

Unfortunately it appears that the Police have not made an honest attempt to investigate, since they do not appear to have made any attempt to investigate the bank officials without whose assistance the fraud could not have been successfully completed. There were more than 15 branches of Punjab National Bank involved in the fraud and the Police do not seem to have visited any of these branches or interrogated any of the officials.

This gross inefficiency is in stark contrast with the successful investigation of the New York police in the $45 million bank fraud reported recently, in which 8 persons were arrested and a charge sheet filed within 5 months.

Normally Ms J.Jayalalitha is considered to be a better administrator than Mr Karunanidhi. But under her leadership the Cyber Crime police in TN seem to have lost direction.

Coupled with this, after Ms Jayalalitha took over as CM, the Adjudication system in Tamil Nadu has also been inactive. It appears that age has caught up with Ms J Jayalalitha and rendered her weak in administration of law enforcement in Tamil Nadu.

Probably victims of Cyber Crimes in Tamil Nadu may have to invoke the assistance of the Human Rights Commission to make Police act.

Naavi


The Kingpin of the Great E Banking Robbery shot dead by his partners

The spectacular US$ 45 million global bank heist has already claimed the life of the suspected kingpin.

Alberto Yusi Lajud-Peña, one of a number of suspected ringleaders behind a coordinated and sophisticated global bank heist operation that netted the thieves $45 million in stolen funds, was mowed down inside his Dominican Republic home last month while playing dominoes, robbing authorities of the chance to bring him to justice with his alleged co-conspirators. It is suspected that the killing is related to disputes in sharing of the fraud proceeds.

The total number of transactions booked in the December 21, 2012 operation was around 4000, all in about 750 ATMs in Manhattan within about 2.5 hours. On February 19 there were 46000 transactions involving 36000 ATMs and 12 different card accounts across 24 different countries, all within 10 hours. The precision with which this massive fraud was committed is simply astounding.

(See related article) 

Naavi

 

 


Modus Operandi of the Great E-Bank Robbery

The recent Banking Fraud where US $45 million (Rs 250 crores) was withdrawn in cash across 27 countries was a sensational international cyber crime that warrants a serious analysis by all Cyber Crime and Cyber Security experts. What is intriguing is that only 12 card accounts were used to conduct 36000 transactions within 2 and a half hours to withdraw the amount from different ATMs.

This fraud highlights how Cyber Crime can create chaos in the Physical financial world and raises questions about how we secure our financial systems in future against the breaches created by the rapid progress of “Technology”.

The dangers of “Technology Ahead of Security” on the part of the bankers and “Convenience Ahead of Security” on the part of the Customers have rendered E Banking vulnerable to the point where it can destroy the global economy.

The sophistication with which the crime was executed clearly reminds one of the various Hollywood movies such as  or Ocean Eleven series where bags of hard cash are taken away by successful operators. While in the films clever robbers rob from other persons who have amassed money by cheating the public, and therefore evoke silent admiration of their success, the current Great E Bank Robbery has hurt the common man on the street and his hard-earned savings. It is therefore a serious matter to be guarded against so that there are no “Sequels of Great E Banking Robberies” to contend with.

This article in Fox News tries to capture the modus operandi of this Great E Banking Robbery. This crime was a mix of “Hacking”, “Data Theft”, “Data Manipulation” and “Card Cloning”, executed across countries by a gang of coordinated criminals.

First, two card processing IT Companies, one in India and another in USA (also maintaining a data center in Bangalore), were hacked and some credit card data was accessed. Some insider involvement or past employee involvement can be speculated in this operation. After accessing the card data, it was used for cloning the cards. However, what made the operation ingenious was that the criminals were not simply satisfied with cloning active cards and removing money up to the available balance. They perhaps knew that this would limit their opportunities to the available balances, and also that the unauthorized withdrawals would get quickly discovered because active users would immediately notice the withdrawals and report them to the banks.

They therefore struck at cards which had a lower probability of quick reaction from the customers. They chose “Prepaid Cards” where money was already loaded and hence the withdrawals were not subjected to the same rigour as other cards which would raise fresh “authentication requests” for each new withdrawal. Additionally they chose cards which had perhaps been sparingly used, which represented something similar to “Dormant Accounts” in Banking terminology. To offset the probability that such cards may have smaller balances than the cards with a credit line, they used their hacking ability to modify the amounts available in the cards to higher levels. Again, by using the charging of prepaid cards instead of transferring money to mule accounts, the criminals created an easy cash delivery mechanism through the ATMs without the need to create one more parking slot for the money.

In order to execute the cash withdrawals the criminals acted as a coordinated gang across 27 countries. The cloned cards were created by transferring the Magnetic Strip data to the end point fraudsters or to their local manager, who loaded the data on blank cards and delivered them to several chosen fraudsters who went to the ATMs and withdrew the money on receipt of the cue from the kingpin. Probably, some hawala route was used to enable passing of commission to the kingpin after the money was withdrawn. In New York City alone, $2.8 million was taken away from different ATMs without raising any alarm.

The heist was executed first in December when, over 150 minutes, 4500 fraudulent transactions were conducted and US$5 million was withdrawn in cash. Then the fraudsters lay low until February and perhaps felt that their earlier fraud had gone unnoticed. They then struck again and over a period of 10 hours executed 36000 transactions, taking away $40 million.
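The pattern described above (a few prepaid cards, raised limits, then bursts of withdrawals across many countries) is what per-card velocity and geography checks on an issuer's authorization stream are meant to catch. The following is an added example, not part of the original post or of any bank's system; the event format, thresholds, rule names and sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)      # assumed sliding look-back window
MAX_TXNS = 5                        # assumed withdrawals allowed per card in WINDOW
MAX_COUNTRIES = 2                   # assumed distinct countries allowed in WINDOW
LIMIT_WATCH = timedelta(hours=24)   # assumed watch period after a limit increase

def detect(events):
    """events: time-ordered (iso_time, card, kind, country, amount) tuples.
    Returns {card: set of rule names that fired}."""
    recent = defaultdict(deque)     # card -> (time, country) of recent withdrawals
    limit_raised = {}               # card -> time of the last limit increase
    alerts = defaultdict(set)
    for iso, card, kind, country, amount in events:
        ts = datetime.fromisoformat(iso)
        if kind == "LIMIT_CHANGE":
            if amount > 0:          # amount is the change applied to the limit
                limit_raised[card] = ts
            continue
        q = recent[card]
        q.append((ts, country))
        while ts - q[0][0] > WINDOW:            # drop withdrawals outside the window
            q.popleft()
        fired = set()
        if len(q) > MAX_TXNS:
            fired.add("velocity")
        if len({c for _, c in q}) > MAX_COUNTRIES:
            fired.add("geo_spread")
        raised = limit_raised.get(card)
        # A burst shortly after a limit increase is the combination seen in this case.
        if fired and raised is not None and ts - raised <= LIMIT_WATCH:
            fired.add("limit_raise_precursor")
        if fired:
            alerts[card] |= fired
    return dict(alerts)

def sample_events():
    # Constructed events, not real data.
    ev = [("2024-01-01T08:00:00", "PREPAID-A", "LIMIT_CHANGE", "-", 50000)]
    for i, cc in enumerate(["US", "JP", "DE", "US", "JP", "DE", "US"]):
        ev.append((f"2024-01-01T09:{i:02d}:00", "PREPAID-A", "WITHDRAW", cc, 800))
    ev += [(f"2024-01-01T10:{i * 5:02d}:00", "PREPAID-C", "WITHDRAW", "US", 400)
           for i in range(6)]
    ev += [("2024-01-01T09:30:00", "DEBIT-B", "WITHDRAW", "IN", 100),
           ("2024-01-01T15:30:00", "DEBIT-B", "WITHDRAW", "IN", 100)]
    return sorted(ev)               # ISO timestamps sort chronologically

if __name__ == "__main__":
    for card, rules in detect(sample_events()).items():
        print(card, sorted(rules))
```
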

At the end of it, one must appreciate the efforts of the law enforcement to quickly bring the culprits to the Court within three months from the second heist at least in New York.

However, the Banking industry now has to worry about how it secures E banking transactions in the future. Similarly, the fraud insurance companies also need to worry about the implications of such losses. Probably this will increase the cost of E Banking in future, and the advantage of “Economy” in using technology in banking has gone for a six.

Today’s Cyber Crimes are by nature easily repeatable and hence we in India need to worry about how we address similar issues if they arise in India. The incident once again confirms that the customer is at the mercy of the system in the hands of the Bankers, which may not be properly secured.

Banks should therefore stop blaming the customer in such cases.

Bankers who keep saying that “Our systems are secure and unless you share your password or PIN, there is no way such frauds can take place” should eat their words.

Adjudicators, Cyber appellate Tribunal and the Judges in different Courts in India need to take note of this modus operandi before taking decisions in Phishing and Card fraud cases. If an organization like Electra Card, the Pune based specialized card processing company with PCI Compliance and other security measures, could be hacked, then the systems of Banks which are not secured at similar levels are more prone to such risks.

I urge RBI to immediately constitute an expert committee to review the implementation of Information Security in Banks on which RBI had given guidance notes on April 29, 2011 and also February 28, 2013 and push Banks to tighten up the security levels without a day’s delay.

Naavi
