
An article relating to this blog post on Finextra:

Indian processors fingered over $45m ATM heists

The card payment processing firms which saw their systems breached as part of two massive recent ATM heists have been named as India-based ElectraCard Services and EnStage.


Why Is This Data Breach Different?

What data breach? Are you talking about the one that happened at Heartland in 2009? Or, maybe the Fidelity one from 2011? Again, no?

Oh, you're referring to the latest one that led to the arrests in New York of several people who fraudulently withdrew $45M from several ATMs.

By now, it should be obvious what's different about the latest breach. If not, read on.

High-profile breaches in the past, like the ones that hit Heartland Payment Systems and Fidelity National Information Services, involved theft of payment card information. The current one has gone further and has actually resulted in the loss of money. It's accordingly known as the "$45M ATM heist" rather than as a data breach.

Like other past breaches into payment information, this one also began as breaking and entering into the databases of several payment processors - including ElectraCard Services and EnStage - who hold sensitive card information of banking customers. The first B&E into ElectraCard Services happened in December 2012 and the second one, involving EnStage, in February 2013. At the time, there was little publicity about these breaches, at least nothing that caught my eye. The real media frenzy began only when the scamsters who used the stolen information to withdraw money from ATMs were apprehended in NYC about 10 days ago. In other words, this is one of the rare cases of a high-profile data breach that is directly linked to financial losses.

Like an onion peel, details of the present incident are unraveling day by day. I hope we'll eventually get answers to the following questions:

  • Where were the PIN and magstripe data stolen from? (According to its statement, it was not from ElectraCard Services)
  • Was the data stolen from inhouse data centers of the payment processors? Or was it located on a "cloud" provided by some third party cloud services companies? Although this might seem irrelevant for a common man, it's necessary to get into these details so that security professionals can plug the right holes.
  • Between the time the security breaches reportedly happened in December 2012 / February 2013 and the ATM heists occurred earlier this month, did the banks involved - National Bank of Ras Al-Khaimah PSC and Bank of Muscat - reach out to all the affected cardholders and ask them to change their ATM PINs?
  • How soon were the withdrawal frequencies and limits reset to their original - and correct - values?

I also hope this incident makes it amply clear to regulators that large scale frauds happen as a result of breaches into payment processors' systems, and not when individual cardholders are shopping online and putting through one-off transactions. Keeping this in mind, they should revisit their present approach of trying to prevent fraud by insisting on cumbersome two-factor authentication for all sizes of online and mobile payment transactions. Such a procedure adds friction and causes heavy shopping cart abandonment (more on that here) while proving futile against attacks on the systems where sensitive data sits in bulk. Instead, regulators should shift their focus to ensuring that payment card information is encrypted and stored absolutely safely. In this context, the CEO of Heartland Payment Systems set the tone by accepting that, when it comes to security levels to be maintained by payment processors, PCI certification is necessary but not sufficient.


Comments: (3)

A Finextra member, 21 May 2013, 09:14

Good analysis, and indeed it seems that quite a few people get distracted and suggest various add-ons only making things more complicated and costly, rather than aiming at the root cause. The ATM online authorization process is well structured and proven for decades - it depends on secure authorization systems on secure platforms that can't be hacked. If service providers now move to cheaper platforms (Windows and Linux) having thousands of known vulnerabilities, one should not be surprised that authorization systems now do get hacked, limits are removed for particular cards and massive fraud now becomes possible. Certifications like PCI are certainly useful but cannot prevent fraud - it takes secure technology to protect those critical payments processes.

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune, 22 May 2013, 12:27

@FinextraM: TY for your comment. There are many articles blaming lack of EMV for this incident but, as this Fed article makes clear, "the fact that 94 percent of the ATM cash withdrawals took place at ATMs outside the United States shows that we (USA) are not the non-EMV island that we are often portrayed as." Personally, I'd await info on which data centers were involved before linking the security vulnerabilities exploited in this heist to Windows / Linux. Until we know more, we can't be sure that they aren't mainframes or Unix systems!

A Finextra member, 22 May 2013, 13:14

From that FED article:

"The real threat from this attack comes from the criminals' ability to gain access to the card management application on a real-time basis. It is still unclear whether they gained the account number and PIN from accessing the card management system or through the more traditional skimming means. What is clear is that they had the ability to continually replenish account balances and reset usage limit parameters during the 10–13 hour attack that involved more than 3,600 withdrawal transactions from ATMs located in 26 different countries."

So unless these were two insider scams within a short time (at two different banks with two different payments providers, each involving active insider fraud) one must assume that the two card management systems have been hacked from the outside.

Traditionally, such card management systems are run on NonStop systems or IBM mainframe platforms (and only to a lesser extent on Unix). These platforms are known to be very secure; no successful outsider hacks have become known for decades. And in fact, such ATM running schemes were unheard of ever since online authorization was introduced. What's the expected result when moving to "newer" and less secure platforms?
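The pattern the Fed article describes (a card-management parameter change followed by a burst of withdrawals across many countries), and the question in the post about how soon limits were reset, both suggest a simple control a processor could run over its own audit trail. Below is an added detection example, not code from the post, the commenters or any of the processors named; the log format and the card/limit values are constructed for illustration, and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail (not from the incident): card-management
# limit changes and ATM withdrawals, one event per line, ISO timestamp first.
LOG = """\
2013-02-19T21:00:00 LIMIT_CHANGE card=4111****0001 old=500 new=999999
2013-02-19T21:10:00 WITHDRAWAL card=4111****0001 country=US amount=800
2013-02-19T21:12:00 WITHDRAWAL card=4111****0001 country=JP amount=800
2013-02-19T21:15:00 WITHDRAWAL card=4111****0001 country=DE amount=800
2013-02-19T21:20:00 WITHDRAWAL card=4111****0001 country=RU amount=800
2013-02-19T21:30:00 WITHDRAWAL card=4111****0001 country=CA amount=800
2013-02-19T09:00:00 LIMIT_CHANGE card=4111****0002 old=500 new=1000
2013-02-19T12:00:00 WITHDRAWAL card=4111****0002 country=OM amount=300
"""

def parse(line):
    """Turn one log line into a dict of its fields."""
    ts, kind, *kv = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "kind": kind}
    rec.update(field.split("=", 1) for field in kv)
    return rec

def flag_cashouts(log, window=timedelta(hours=13), max_txns=5,
                  max_countries=3, raise_factor=10):
    """Alert on cards whose limit was raised by raise_factor or more (or
    effectively removed) and then used for many withdrawals, or withdrawals
    in many countries, inside the window after the change."""
    events = sorted((parse(l) for l in log.splitlines() if l.strip()),
                    key=lambda r: r["ts"])
    by_card = defaultdict(list)
    for r in events:
        by_card[r["card"]].append(r)
    alerts = []
    for card, recs in by_card.items():
        for i, r in enumerate(recs):
            # old=0 counts as "no limit before", so any new value is a raise
            if r["kind"] != "LIMIT_CHANGE" or int(r["new"]) < raise_factor * int(r["old"]):
                continue
            end = r["ts"] + window
            wd = [w for w in recs[i + 1:]
                  if w["kind"] == "WITHDRAWAL" and w["ts"] <= end]
            countries = {w["country"] for w in wd}
            if len(wd) >= max_txns or len(countries) >= max_countries:
                alerts.append({"card": card, "limit_change": r["ts"],
                               "withdrawals": len(wd),
                               "countries": sorted(countries),
                               "total": sum(int(w["amount"]) for w in wd)})
    return alerts

if __name__ == "__main__":
    for a in flag_cashouts(LOG):
        print(a)
```

The second card's modest limit increase with a single withdrawal is ignored; in production the limit-change feed would come from the card-management system's own audit log, which is exactly the record an attacker with real-time access to that system would also try to tamper with.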