Bank security weaknesses led to cyber looting of $45M from ATMs

Indicted cyber thieves used pre-paid debit cards, manipulated bank accounts to withdraw huge sums from ATMs around the world


Members of Pena's gang were identified and nabbed from surveillance tapes provided by financial institutions and by owners of the ATM machines that were robbed.

The thefts highlight continuing vulnerabilities in the payment industry, said Jim Stickley, chief technology officer at TraceSecurity Inc., a Baton Rouge, La.-based risk and compliance management vendor with several banking customers.

Stickley said that no mechanisms appear to have existed to prevent the same debit card numbers from being used over and over again to complete thousands of transactions in different countries in a very short period of time.

"It's surprising that even some level of analytics wasn't used," to spot and prevent fraudulent transactions, he said. "When they were hitting 3,000 ATMs around the world at the same time, you'd think there'd be some analytics" to detect it, he said.
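The kind of per-card velocity analytics Stickley describes can be sketched as follows. This is an added example, not code from the article or from any bank's system; the window, the thresholds and the transaction feed are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds; a real issuer would tune these per card product.
WINDOW = timedelta(minutes=30)   # look-back window per card
MAX_TXNS = 5                     # withdrawals allowed per card inside WINDOW
MAX_COUNTRIES = 2                # distinct ATM countries allowed inside WINDOW

# Constructed sample feed: (ISO timestamp, card token, ATM country, amount)
SAMPLE = [
    ("2030-01-01T15:00:00", "PREPAID-A", "US", 800),
    ("2030-01-01T15:02:00", "PREPAID-A", "JP", 800),
    ("2030-01-01T15:03:00", "PREPAID-A", "DE", 800),
    ("2030-01-01T15:04:00", "PREPAID-A", "RU", 800),
    # Same card, one country, six withdrawals in six minutes
    *[(f"2030-01-01T10:0{i}:00", "PREPAID-B", "US", 500) for i in range(6)],
    # Traveller: three countries, but days apart, so the window empties
    ("2030-01-01T09:00:00", "DEBIT-C", "US", 200),
    ("2030-01-03T09:00:00", "DEBIT-C", "CA", 200),
    ("2030-01-05T09:00:00", "DEBIT-C", "MX", 200),
]

def detect(transactions):
    """Return {card: (timestamp, rule, detail)} for the first alert per card."""
    recent = defaultdict(deque)          # card -> (time, country) inside WINDOW
    alerts = {}
    for ts, card, country, _amount in sorted(transactions):
        now = datetime.fromisoformat(ts)
        seen = recent[card]
        seen.append((now, country))
        # Evict events that have aged out of the sliding window
        while now - seen[0][0] > WINDOW:
            seen.popleft()
        if card in alerts:
            continue                     # card already flagged for blocking
        countries = sorted({c for _, c in seen})
        if len(countries) > MAX_COUNTRIES:
            alerts[card] = (ts, "countries", countries)
        elif len(seen) > MAX_TXNS:
            alerts[card] = (ts, "count", len(seen))
    return alerts

if __name__ == "__main__":
    for card, alert in detect(SAMPLE).items():
        print(card, alert)
```

Because the rule is keyed on the card number alone, it needs no cardholder contact details, so it applies equally to anonymous prepaid cards.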

It's likely that the banks did not have monitoring systems in place to track prepaid debit cards. There's little chance that the bank would know who purchased such cards. There's little risk to the bank with such cards, because they have already been paid for, Stickley said.

"They probably treated it somewhat differently because there is no way they can call somebody to tell them they are shutting it down," he said. "I can see how they might have never imagined a situation where someone would use the cards in this manner."

Avivah Litan, an analyst with Gartner, added that the theft "could have been prevented with simple steps like privileged user monitoring and alerts when account limits are raised in this manner." Account limits had to be raised substantially for the crooks to get so much money, she said.

Strengthening authorization on raising account limits is one way to mitigate such issues, she said.

Banks, for example, can enforce dual authorization whenever someone wants to raise account limits in the way that was needed in this case, she said.

Chip-and-PIN cards could also have prevented the heist, she said. Chip-and-PIN systems use smartcards that have embedded microprocessors (or chips) rather than magnetic stripes to store cardholder data.

To use the cards at an ATM, a cardholder needs to have the original card and the personal identification number. "There simply wasn't enough attention paid to simple controls that should have been put on these systems," Litan said.

"The only good news here is that consumers weren't hurt. The bad news is that the payment industry still has not learned its lesson," she said. "The industry needs to implement a major change in the way cardholders are authenticated, either using chip and PIN, biometrics, or something else much stronger than a PIN."

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed. His e-mail address is jvijayan@computerworld.com.

Copyright © 2013 IDG Communications, Inc.
