Indian processors fingered over $45m ATM heists


The card payment processing firms which saw their systems breached as part of two massive recent ATM heists have been named as India-based ElectraCard Services and EnStage.

Last week US authorities charged eight people with taking part in the attacks that saw card data stolen from payment processors and used to withdraw $45 million from ATMs around the world.

ElectraCard Services has admitted that it was one payment processor involved in the first attack, which saw around $5 million stolen from accounts at the National Bank of Ras Al-Khaimah PSC in the UAE in December.

The firm's CEO, Ramesh Mengawade, told Reuters that crooks managed to breach its systems and increase the withdrawal limits on "three or four accounts". However, a statement insists that no PIN or mag-strip data was compromised.

ElectraCard Services has called in Verizon to investigate the intrusion, and says it is also in the process of re-certifying and re-listing itself for compliance with the PCI-DSS standards of the PCI Security Standards Council.

Meanwhile, EnStage has emerged as the processor hit as part of the second attack in February, which saw around $40 million looted from Bank of Muscat. "Our customers were adversely affected by this sophisticated crime," EnStage CEO Govind Setlur told the Times of India.

Comments: (1)

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune, 15 May, 2013, 11:07

This is one more incident that shows that large and scalable identity thefts happen at processors' systems, and not while individual cardholders are shopping online and putting through one-off transactions. I hope regulators, especially in India, recognize this reality and eliminate 2FA requirements that add a lot of friction and cause heavy shopping cart abandonments. Instead, they should shift their focus to verifying how securely processors are storing card information. Accepting processors' stock response, "we're PCI-DSS compliant", to all questions about data security is simply not enough any more.

