New Arrests in $45 Million ATM Cash-OutExperts Warn of More Schemes on the Horizon
Federal investigators announced five more arrests this week in connection with a $45 million ATM cash-out and prepaid card fraud scheme that came to light this summer (see Detangling the $45 Million Cyberheist).
See Also: Rethinking Response
Earlier, eight others were charged for the roles they allegedly played in this massive cyberheist that drained millions from bank accounts throughout the world within a matter of hours, federal prosecutors say.
Despite the arrests in this case, banking institutions can soon expect bigger and more sophisticated ATM cash-out schemes linked to prepaid cards, says Chuck Somers, vice president of ATM security and systems at Diebold Inc., one of the world's largest ATM manufacturers. That's because fraudsters' inside knowledge of banking systems and payments processes has made pulling off these types of global attacks far too easy, he contends.
In June, federal authorities charged eight suspects in another major ATM cash-out and cybercrime scheme that involved online account takeovers and prepaid card compromises. "This trend is of grave concern," says financial fraud expert Shirley Inscoe, an analyst with Aite, an industry consultancy and research firm. "The risk-reward picture is very attractive to those who are inclined to steal from others for their own personal gain" (see Another Huge Cash-Out Scheme Revealed).
Mike Urban, director of financial crime portfolio management for financial services firm Fiserv, says the industry will continually fight an uphill battle. "This further demonstrates the distributed nature of these attacks," Urban says. "The ongoing lesson is all entities in the financial services ecosystem need to proactively defend against ongoing attacks. This particular breach [method] has appeared several times [that we know of] over the last five years. Event monitoring, from the firewall to the ATM, would have triggered actions to prevent this loss or at least reduced the impact."
New York Cell
Those arrested Nov. 18 - Anthony Diaz, Saul Franjul, Saul Genao, Jaindhi Polanco and Jose Angeley Valerio - are suspected members of a New York-based cell believed to be part of an international cybercrime organization that used sophisticated intrusion techniques to steal prepaid debit card data and then use that data to make fraudulent ATM withdrawals, according the Department of Justice.
On Dec. 22, attackers compromised an unnamed credit card processor, which resulted in the breach of prepaid accounts managed by the National Bank of Ras Al-Khaimah PSC, also known as RAKBANK, in the Middle East, according to a Justice Department release. Then the fraudsters made more than 4,500 fraudulent ATM withdrawals, totaling $5 million, in some 20 countries with fraudulent ATM/debit cards encoded with the prepaid card numbers compromised during the processor attack.
On Feb. 19-20, 2013, hackers compromised prepaid card accounts associated with Bank Muscat, another Middle Eastern Bank. Then $40 million was withdrawn from ATMs in 24 countries over a 10-hour period, authorities say
Diaz, Franjul, Genao, Polanco and Valerio, along with the so-called ATM cashers they oversaw as part of their New York crime cell, withdrew $2.8 million from more than 140 different ATMs in New York City, investigators say. The bulk of that cash was then sent to the organizers of the attacks, they allege.
"Newly seized photographic evidence reveals that the defendants sent the lion's share of the proceeds to the organization's leaders, including $800,000 of criminal cash proceeds sent in luggage and transported to Florida by bus for delivery to a cyberheist organizer," according to a statement from the U.S. Attorney's Office for the Eastern District of New York.
Arrests Scrape the Surface
Commenting on the latest arrests, Diebold's Somers says: "It looks like these people were on the lowest end of the chain - the ones who were actually at the machines making the withdrawals. Those are always the ones who are most likely to be caught, while the real masterminds - the ones that hacked into the back-end systems and knew how the transactions flowed - remain out there."
But Gartner analyst Avivah Litan, a fraud expert, says these new arrests prove law enforcement is improving its ability to connect the fraud dots.
"There are still several more of them at large who hopefully will be arrested before too long," she says. "It also shows that law enforcement is doing a great job considering all the obstacles they have to overcome, including a glaring lack of legislation to make their jobs easier in the 21st century."
The five defendants arrested this week now face charges of conspiracy to commit access device fraud, the same charges filed in May against the scheme's original three defendants, Jael Collado, Jose Familia Reyes and Chung Yu-Holguin, according to the Justice Department. No pleas or trial dates for those defendants were mentioned in the Justice Department statement issued this week.
Four other defendants, Joan Luis Minier Lara, Evan Jose PeÃ±a, Elvis Rodriguez and Emir Yasser Yeje, already have pleaded guilty to similar charges. Another defendant, Alberto Yusi Lajud-PeÃ±a, was murdered in April, authorities say.
Breach Details Unclear
To pull off the $45 million heist, the fraudsters allegedly tapped into networks connected to the banks and then altered databases to raise the amount of funds available on prepaid debit cards, Somers says. This cash-out scheme is very unusual, he says, because it involved compromising prepaid card accounts,. "Fraud detection and other types of checks on the networks must have been bypassed, and because these were prepaid cards, they had to have skill and knowledge about the systems to know how that to do that," he says.
Multiple news media reports claimed that two payments processors - EnStage and ElectraCard Services, both based in India - were breached. According to those reports, EnStage's and ElectraCard's networks were linked to prepaid accounts managed by RAKBANK, and Bank Muscat.
But on May 13, ElectraCard Services issued a statement saying an internal forensics investigation had determined card data was not intercepted from its network.
The banks and processors did not respond to Information Security Media Group's request for comment about the attacks.
Litan says details continue to remain sketchy. But, she notes, "There was just a handful of cards used to take all $45 million out," based on information she gathered from international authorities.