Bank security weaknesses led to cyber looting of $45M from ATMs

Indicted cyber thieves used pre-paid debit cards and manipulated bank accounts to withdraw huge sums from ATMs around the world

Alberto Yusi Lajud Pena, found dead in the Dominican Republic two weeks ago, was the leader of the New York cell of an international gang of cyber thieves that authorities allege stole a staggering $45 million from ATM machines around the world.

One startling aspect of the case, sure to be closely reviewed by banks worldwide, is that Pena and his cohorts pulled off the theft quickly using just 17 prepaid debit cards.

Federal prosecutors in New York on Thursday handed down indictments against Pena and seven other individuals on cyber hacking charges related to the theft. The defendants allegedly formed a New York-based cell of an international group that hacked into global financial institutions to access prepaid debit card data that they later used to steal money from ATM machines.

Pena and his co-conspirators are accused of withdrawing about $2.8 million from ATMs in NYC on two separate occasions.

In the first operation last Dec. 22, the gang withdrew $400,000 in 750 fraudulent transactions at 140 ATM locations in the city in just two hours and 25 minutes. In February, the gang withdrew close to $2.4 million in 3,000 ATM transactions in the NYC area over a 10-hour period.

Details of the operation contained in court documents provide a fascinating look both at the sophisticated methods used by the hackers, and the vulnerabilities in the banking system that allowed it to happen.

The thefts began with an extensive intrusion last December into the network of an Indian credit card processing company that handles MasterCard and Visa prepaid debit cards.

Such cards are typically loaded with a finite amount of funds and are often used by employers in lieu of paychecks and by charitable organizations to distribute emergency assistance, according to a statement by the U.S. Department of Justice.

The hackers broke into the card processing company, manipulated account balances and eliminated withdrawal limits on each of five prepaid MasterCard debit cards issued by the National Bank of Ras Al-Khaimah in the United Arab Emirates.

Such manipulation of debit card information is referred to as an "unlimited operation" in the cyber underworld and requires a very high degree of technical sophistication, according to the indictment. When successful, even a small number of compromised cards can lead to a "tremendous financial loss [to] the victim financial institution," the indictment said.

The compromised account numbers, together with the PINs needed to initiate withdrawals, were distributed to cell 'managers' like Pena in different parts of the world. The stolen account numbers were used to encode the magnetic stripes on the back of plastic cards such as gift cards and hotel key cards, which were later used to initiate the fraudulent withdrawals.

The first operation, in Dec. 2012, resulted in close to $5 million being withdrawn from ATM machines around the world in about 5,700 transactions. The hackers who had broken into the card processor network used their access to monitor the withdrawals to ensure they were not shortchanged.

In February, the group pulled off the same caper, but this time by breaking into a U.S.-based credit card processor that handles MasterCard and Visa prepaid debit card transactions.

In this instance, the hackers manipulated account balances and removed withdrawal limits on 12 prepaid debit cards issued by the Bank of Muscat in Oman. The compromised account numbers were distributed to gang members in 24 countries, encoded onto spoofed debit cards, and used to withdraw $40 million from ATM machines.

Members of Pena's gang were identified and nabbed with the help of surveillance tapes provided by financial institutions and by owners of the ATM machines that were robbed.

The thefts highlight continuing vulnerabilities in the payment industry, said Jim Stickley, chief technology officer at TraceSecurity Inc., a Baton Rouge, La.-based risk and compliance management vendor with several banking customers.

Stickley said that no mechanisms appear to have existed to prevent the same debit card numbers from being used over and over again to complete thousands of transactions in different countries in a very short period of time.

"It's surprising that even some level of analytics wasn't used," to spot and prevent fraudulent transactions, he said. "When they were hitting 3,000 ATMs around the world at the same time, you'd think there'd be some analytics" to detect it, he said.

It's likely that the banks did not have monitoring systems in place to track prepaid debit cards. There's little chance that the bank would know who purchased such cards. There's little risk to the bank with such cards, because they have already been paid for, Stickley said.

"They probably treated it somewhat differently because there is no way they can call somebody to tell them they are shutting it down," he said. "I can see how they might have never imagined a situation where someone would use the cards in this manner."
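The kind of analytics Stickley describes is a velocity check on the card token: no genuine cardholder completes dozens of withdrawals in minutes or appears in several countries at once. This is an added example, not code from the article or from any bank or processor; the record format, tokens and thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed ATM authorization records: (card_token, utc_time, country, amount).
# Tokens are placeholders, not real card numbers. tok_A1 hits four countries in
# five minutes, tok_C3 makes six withdrawals in six minutes, tok_B2 is normal use.
SAMPLE_AUTHS = [
    ("tok_A1", "2012-12-22T00:05:00", "US", 500),
    ("tok_A1", "2012-12-22T00:06:00", "US", 500),
    ("tok_A1", "2012-12-22T00:07:00", "JP", 500),
    ("tok_A1", "2012-12-22T00:08:00", "GB", 500),
    ("tok_A1", "2012-12-22T00:09:00", "DE", 500),
    ("tok_B2", "2012-12-22T01:00:00", "US", 60),
    ("tok_B2", "2012-12-22T12:00:00", "US", 40),
] + [("tok_C3", f"2012-12-22T02:{m:02d}:00", "US", 300) for m in range(6)]


def velocity_alerts(auths, window=timedelta(hours=2), max_txns=5, max_countries=2):
    """Return {card_token: reason} for every card that, within any window-sized
    span, exceeds max_txns authorizations or touches more than max_countries
    distinct countries. Thresholds are illustrative; a real deployment would
    tune them per card product and feed hits to the authorization host."""
    by_card = defaultdict(list)
    for token, ts, country, amount in auths:
        by_card[token].append((datetime.fromisoformat(ts), country, amount))

    alerts = {}
    for token, events in by_card.items():
        events.sort()  # chronological order so a sliding window is valid
        start = 0
        for end in range(len(events)):
            # Advance the window start until events[start:end+1] fit in the window.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            countries = {country for _, country, _ in span}
            if len(span) > max_txns:
                alerts[token] = f"{len(span)} withdrawals in {window}"
                break
            if len(countries) > max_countries:
                alerts[token] = f"{len(countries)} countries in {window}: {sorted(countries)}"
                break
    return alerts


if __name__ == "__main__":
    for token, reason in velocity_alerts(SAMPLE_AUTHS).items():
        print(f"ALERT {token}: {reason}")
```

The country check fires first for tok_A1 because the fourth event already spans three countries, while tok_C3 trips the transaction-count rule on its sixth withdrawal.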

Avivah Litan, an analyst with Gartner, added that the theft "could have been prevented with simple steps like privileged user monitoring and alerts when account limits are raised in this manner." Account limits had to be raised substantially for the crooks to get so much money, she said.

Strengthening authorization on raising account limits is one way to mitigate such issues, she said.

Banks, for example, can enforce dual authorization whenever someone wants to raise account limits in the manner that would have been needed in this case, she said.
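The two controls Litan names, alerting on every limit raise and requiring dual authorization for large ones, can be expressed as a small policy check in front of the account-management API. This is an added example, not code from the article or from any processor; the dataclass, policy thresholds and role names are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class LimitChange:
    """One requested change to a prepaid card's withdrawal limit (constructed model)."""
    account: str
    requested_by: str
    old_limit: int
    new_limit: Optional[int]            # None means "remove the limit entirely"
    approvals: set = field(default_factory=set)   # user ids that approved the request


def evaluate_limit_change(change, dual_auth_threshold=5_000, max_multiplier=5):
    """Return (decision, alerts) where decision is 'apply', 'hold' or 'reject'.

    Assumed policy: removing the cap outright is rejected and alerted; any raise
    is alerted for privileged-user monitoring; a raise above dual_auth_threshold
    or beyond max_multiplier times the old limit is held until two distinct
    approvers, neither of them the requester, have signed off."""
    alerts = []
    if change.new_limit is None:
        alerts.append(f"{change.account}: {change.requested_by} asked to remove the withdrawal limit")
        return "reject", alerts
    if change.new_limit <= change.old_limit:
        return "apply", alerts          # lowering a limit needs no extra control
    alerts.append(f"{change.account}: limit raised {change.old_limit} -> {change.new_limit} "
                  f"by {change.requested_by}")
    large = (change.new_limit > dual_auth_threshold
             or change.new_limit > max_multiplier * max(change.old_limit, 1))
    if not large:
        return "apply", alerts
    approvers = change.approvals - {change.requested_by}   # requester cannot self-approve
    if len(approvers) < 2:
        alerts.append(f"{change.account}: dual authorization missing "
                      f"({len(approvers)} valid approver(s))")
        return "hold", alerts
    return "apply", alerts


if __name__ == "__main__":
    req = LimitChange("acct-0001", "ops1", 500, 50_000, {"ops1", "sup1"})
    print(evaluate_limit_change(req))   # held: ops1 cannot count as an approver
```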

Chip-and-PIN cards could also have prevented the heist, she said. Chip-and-PIN systems use smartcards that have embedded microprocessors (or chips) rather than magnetic stripes to store cardholder data.

To use such a card at an ATM, a cardholder needs to have both the original card and the personal identification number. "There simply wasn't enough attention paid to simple controls that should have been put on these systems," Litan said.

"The only good news here is that consumers weren't hurt. The bad news is that the payment industry still has not learned its lesson," she said. "The industry needs to implement a major change in the way cardholders are authenticated, either using chip and PIN, biometrics, or something else much stronger than a PIN."

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed. His e-mail address is
