Exclusive: Indian firm in global ATM heist admits system breached
An Indian payment card processing company acknowledged on Monday that hackers breached its security to increase the limits on some pre-paid card accounts in a global ATM heist in December.
ElectraCard Services said no customer data was stolen from it and any tampering of ATM cards occurred elsewhere.
"To withdraw money from a pre-paid card, one needs an ATM card that has a magnetic strip, which has encoded data. You also need a PIN. The forensic report says that this data and PIN was not compromised at the ElectraCard data centre," said Ramesh Mengawade, chief executive officer of ElectraCard Services.
"However, in three or four accounts, there was a breach, where the limit of cash that can be withdrawn from a pre-paid card was increased," he said in an interview at his office in the western Indian city of Pune.
U.S. prosecutors said on Thursday that hackers broke into two unnamed card processing companies, raising the balances and withdrawal limits on accounts that were then exploited in coordinated ATM withdrawals around the world that stole a combined $45 million from two Middle Eastern banks.
ElectraCard Services was the company that processed prepaid travel cards for National Bank of Ras Al Khaimah PSC (RAKBANK), according to a U.S. official and a bank employee who both spoke on condition of anonymity. RAKBANK suffered a $5 million coordinated heist at ATMs around the world on December 21 last year, the U.S. indictment said.
"What happened in December was an industry-wide attack," Mengawade said in his first interview since the case came to light last week. "There were pranks in India; there were pranks in the U.S., in Europe and at processors as well."
The company said the attack was external and no one inside the company was involved, and that it became aware of it within an hour and immediately notified clients and the police.
Another processing company, EnStage, which is incorporated in Cupertino, California, but has operations based in Bangalore, handled card payments for Bank of Muscat of Oman, sources have said. Bank of Muscat lost $40 million in a coordinated heist on February 19.
"Our customers were adversely affected by this sophisticated crime," EnStage CEO Govind Setlur said in a statement in the Times of India newspaper on Sunday.
ElectraCard was not associated with the February incident.
OUTSIDE INVESTIGATOR
ElectraCard hired U.S.-based Verizon Communications to investigate what happened in the December heist.
Verizon is one of the largest companies that certify that companies are in compliance with payment card industry standards set by Visa and MasterCard. It is also one of the biggest providers of incident response services to companies that are victims of cyber attacks.
"They are saying, yes, the fraudsters entered the system but they have not found any data because we don't store the data," said Ravi Sundaram, ElectraCard's head of strategy and corporate services.
"While somebody might have accessed my data in an unauthorized way, it still doesn't mean you can do an ATM withdrawal," he added.
The company has about 100 customers globally, all of them in financial services, and said it had not lost any in the wake of the December incident.
"This incident in no way impacts or troubles us in terms of our financials," Sundaram said. "We are well protected for that."
The head of the Pune police cyber crimes cell could not immediately confirm late on Monday whether a complaint had been filed by ElectraCard in the matter.
"It's an international gang and the U.S. is prosecuting them," Mengawade said.
After the incident, operations continued as usual, Mengawade said. "We put stop withdrawal instructions on only those cards which were showing such transactions," he said.
ElectraCard was delisted from a global industry standards body after the incident, but is still authorized to conduct transactions. Mengawade said he expects to be re-certified by June.
MasterCard bought a 12.5 percent stake in ElectraCard in 2010. MasterCard, the network under which the cards used in the heist were issued, has said its security was not compromised.
ElectraCard Services is a subsidiary of Opus Software Solutions, which is also headed by Mengawade.
(Additional reporting by Jim Finkle in Boston; Writing by Tony Munroe; Editing by Raju Gopalakrishnan)