Published May 11, 2013
DUBAI/NEW YORK – One of the credit card processing companies whose security was breached in a $45 million global cyber heist was India's ElectraCard Services, according to two people familiar with the situation.
ElectraCard Services processes prepaid travel cards for National Bank of Ras Al Khaimah PSC (RAKBANK), one of two Middle Eastern banks named by U.S. prosecutors on Thursday as victims of the heist, the people said.
The prosecutors said an international criminal gang made two coordinated hits on cash machines around the world, withdrawing $5 million on December 21 last year and a further $40 million on February 19 this year.
The gang was able to make big withdrawals after hacking into an Indian and a U.S. credit card processing company to raise the balances and withdrawal limits on MasterCard prepaid debit cards, the prosecutors said. They did not name the processing companies.
A U.S. official and an employee of RAKBANK in Dubai both said the Indian card processor - used in the heist on December 21, 2012 - was ElectraCard Services, which is based in Pune, India. The two people spoke on condition of anonymity.
Ramesh Mengawade, the CEO of ElectraCard Services and its parent firm, Opus Software Solutions, could not be reached through his executive assistant or through e-mail on Saturday. Calls to the mobile phone of another company official were not answered.
An official at an external public relations firm that works with ElectraCard also said he had not been able to reach Mengawade on Saturday and did not have immediate comment.
RAKBANK has said two of its Prepaid MasterCard Cards have been launched with the support of ElectraCard.
MasterCard bought a 12.5 percent stake in ElectraCard in 2010, ElectraCard has said. MasterCard has said it had cooperated with law enforcement in the investigation and stressed that its systems were not involved or compromised in the attacks.
Cyber security experts said the global scope and speed of the $45 million bank theft were unprecedented. The global gang had operatives in 27 countries who could fan out to thousands of ATMs in a matter of hours and withdraw money using fraudulent prepaid debit cards, according to U.S. prosecutors.
The U.S. Justice Department gave details of the heist on Thursday in an indictment against eight men accused of being the New York cell of the organization. The department said seven of the men have been arrested.
Dominican police on Friday confirmed that the eighth, Alberto Lajud-Pena, allegedly the leader of the New York cell, was shot dead in a robbery attempt in the Dominican Republic on April 27. Investigators found $100,000 in cash in the house where he was killed, as well as an M-16 assault rifle, two 9 mm pistols, a revolver, ammunition clips and a telescopic sight. It was not clear if the killing or the money were related to the cyber thefts.
Also on Friday, German prosecutors said they arrested two Dutch citizens, a man and a woman, on February 19, who were withdrawing cash at machines in Duesseldorf from accounts at Bank of Muscat of Oman, the other bank named by U.S. prosecutors.
The ringleaders of the global operation were believed to be outside the United States, but U.S. prosecutors have declined to give details, citing the continuing investigation. Germany is the only other country so far to announce arrests.
Experts in cyber security said the heists expose an Achilles heel in the global financial industry: prepaid debit cards.
Prepaid cards have fewer controls on them than regular credit and debit cards issued by banks. Each prepaid card issued is like a blank slate: anonymous, new, and lacking any credit history or individual behavior pattern against which bankers and payment processors can measure activity to look for red flags.
A thief moving from ATM to ATM with a personal credit card would likely quickly raise alarms, because his or her behavior would look out of place compared to the credit card user's normal activity, experts said.
RAKBANK said the fraud against it took place at the end of last year and resulted in losses of around $4.7 million for the United Arab Emirates-based lender. The bank said the loss had been fully provided for before it closed its 2012 accounts.
RAKBANK Chief Executive Graham Honeybill said he believed the fraud went wider than lenders in the Gulf region. "We are given to understand that the overall fraud encompassed a number of banks not only in the Middle East but in the USA and other countries," Honeybill said in a statement.
"The bank can confirm that none of its customers suffered any financial loss as a result of this fraud," he added.
While full details of the latest heists were still unknown, cyber experts said such conspiracies typically come together in Internet forums, where hackers can exchange or sell information and recruit others. Gaining access to such private websites can take years of cultivating an online reputation for extraordinary trust or skill.
"It's sort of like Craigslist for cyber criminals," said Jason Weinstein, a lawyer with Steptoe & Johnson who previously supervised the Justice Department's computer crime unit.
In the early stages, one or more geeks install computer viruses inside networks, then spend days or weeks gathering detailed information about a bank's operations as they plan the job.
As they get ready to carry out the job, "carders" produce fake payment cards by coding the stolen account numbers onto magnetic strips. Those cards are distributed to large numbers of "cashers", who withdraw money from cash machines. "Mules" help move the booty across borders, sometimes in the form of luxury goods that they purchase with the cash.
The ringleaders, who rake in the biggest profits, typically are at the least risk of getting caught, while the carders, cashers and mules take on the highest risk of arrest.
In a similar heist in 2008, prosecutors say a group of men from Estonia, Russia and Moldova hacked into Royal Bank of Scotland's credit card processor. According to a federal indictment, they used casher crews to withdraw $9 million in more than 2,100 coordinated cash machine transactions worldwide over less than 12 hours.
Members of the organization often live in different countries and may never know the true identity of the other co-conspirators, aside from their online personae. In some cases, hackers don't learn the names of their partners until they appear on an indictment.
That is particularly true for low-level employees, like the cashers arrested in New York this week.
"Those low level guys very often don't have any idea who's pulling the strings on the overall conspiracy," said Michael DuBose, the head of cyber investigations for Kroll Advisory Solutions and the former chief of the Justice Department's computer crime section.
(Additional reporting by Joseph Ax in New York and Tony Munroe in Mumbai; Writing by Eddie Evans, editing by Tiffany Wu and Raju Gopalakrishnan)