Saturday 29 June 2013

Stolen Millions Expose Middle East Banks' Vulnerability to Cyber Thieves

The men smiled at the smartphone camera, holding up wads of cash. They were members of a cybercriminal gang, eager to show off the spoils of targeting two banks in the Middle East: The National Bank of Ras al-Khaimah (Rakbank) in the United Arab Emirates, and the Bank of Muscat in Oman. In two different attacks, spanning just 10 hours, United States prosecutors said the gang of eight managed to steal US$45 million by hacking into a database of prepaid credit cards belonging to the banks, and then using fake swipe cards to withdraw money from ATMs in 27 countries.
Their gleeful spree would be cut short. Announcing the arrests of the gang members, the U.S. Attorney for the Eastern District of New York Loretta Lynch called it "a massive 21st-century bank heist," adding, "In the place of guns and masks, this cyber crime organization used laptops and the Internet. Moving as swiftly as data over the Internet, the organization worked its way from the computer systems of international corporations to the streets of New York City."
The arrests in the U.S. revealed the coordinated sophistication of the gang, and the ease by which they looted the banks. Experts say financial institutions in the Middle East are tempting targets for such heists, and they are partly to blame. They argue that institutions need better Internet security protocols, particularly when outsourcing information services, as regional companies regularly come under attack from politically motivated hackers as well.
"It's a question of enforcement of regulatory controls, which are broken and sketchy in the Middle East, so obviously you're going to have a higher number of cyber crimes in that particular context," said Gurpreet Dhillon, professor of information technology at Virginia Commonwealth University. "There's also an immaturity aspect with a lot of these organizations, in dealing with cyber crimes. There's all sorts of capabilities that go into cybercrime management, and I believe many organizations are premature in that sense."
Weak Links
The gang were actually strangers who came together via Internet forums where illicit information is traded and people are recruited for cyber crimes. Jason Weinstein, a lawyer who once oversaw the U.S. Justice Department's computer crime unit, told Reuters, "It's sort of like Craigslist for cyber criminals."
The gang planted computer viruses inside the financial institutions' networks. Once they had gathered enough information, they produced fake ATM cards, coding the stolen data onto magnetic swipe strips. The cards were distributed to "cashers" whose sole role was to drain funds, and the money was passed on to mules who moved it either in cash bundles or by buying luxury items.
The gang stole US$5 million from RakBank on Dec. 21, and the remaining millions from the Bank of Muscat on Feb. 19. The weak links exploited by the gang were two card payment processing centers in India. The gang managed to hack them, raised the balance and withdrawal limits on the compromised accounts, then sent out teams to make withdrawals.
The Indian companies that were hacked publicly acknowledged they had been successfully infiltrated after the attacks were made public. "In three or four accounts, there was a breach, where the limit of cash that can be withdrawn from a pre-paid card was increased," said Ramesh Mengawade, chief executive officer of ElectraCard Services, in an interview with Reuters. ElectraCard handled payment processing for RakBank's prepaid travel cards. EnStage was the other company attacked by the gang. "Our customers were adversely affected by this sophisticated crime," EnStage CEO Govind Setlur said in a statement in the Times of India.
In response to the attacks becoming known publicly, the chief executive officer of Rakbank, Graham Honeybill, told Reuters "none of its customers suffered any financial loss as a result of this fraud." In a note, the Bank of Oman stated, "We are exploring all avenues of recovery so as to protect shareholder interests and will advise the markets accordingly if there are any material developments in this regard."
Dhillon said the lack of disclosure beforehand was an example of organizational immaturity when it came to dealing with cyber security issues. He cited as an example the state of California, which requires institutions to inform their customers when a security breach occurs. "As a result, it has become natural for individuals to receive emails of this sort, that 'Yes, your account has been compromised, we're sorry about that, and here are the steps we are going to take.' That isn't a solution, but it's a step in the right direction. It brings about an awareness that there is a problem with security, and this is how you deal with it."
Some financial institutions may fear losing customers if they were to reveal how often their security is compromised. But Dhillon said not all attacks result in reputational loss. A few years back, Visa suffered a series of Denial of Service attacks that impacted a number of its clients, including banks. But the banks themselves were not compromised. "Sometimes it's simply better to communicate the magnitude of the problem to your clients," he said.
Regional Targets
Rakbank and Bank of Muscat in Oman were easy targets, said one cyber security expert, partly because Middle Eastern banks let their customers put large sums on cards yet do not monitor them as carefully as banks in other regions would. "It's a target-rich environment in terms of soft electronic security," Shane Shook, global vice president of consulting for the security firm Cylance Inc., told Reuters.
"It's important for individuals to recognize that at the end of the day, they are the custodians of their own data," Dhillon added. "If they are not responsible users of their own data, what's the point of having security policies or security strategies for an enterprise? So it goes both ways. Increased individual awareness, and that enterprises are aware of their responsibilities of ensuring cyber security policies."
For companies, it is important to have a good cyber security policy, Dhillon said, but oftentimes policies do not address actual problems. "So having policies makes sense, and how you build them out, that's a whole educational awareness aspect that needs to be touched upon."
Another regional banker pointed out that for a number of regional institutions, cyber security is still a bottom-line issue because of cost, and they do little diligence when it comes to securing information or choosing partners for sensitive information service outsourcing. "They are unwilling to pay for such measures," said the banker, who was not authorized to speak publicly about the issue.
Dhillon is one of the authors of a new paper that will be presented at a cyber security conference. The paper, "Secure Outsourcing: An Investigation of the Fit Between Clients and Providers," speaks to the issue of security and outsourcing information services, such as payment processing.
"Many of the problems stem from a lack of fit between what IT outsourcing vendors consider to be the key success factors and what outsourcing clients perceive to be critical for the success of the relationship," the paper notes. "[The] majority of IT outsourcing projects fail because of a lack of appreciation as to what matters to the clients and the vendors. [Secondly], several IT outsourcing projects fall victim to security breaches because of a range of issues -- broken processes, or a failure to appreciate client requirements, among others."
"What the vendors perceive to be the top security issues are not necessarily in sync with what the client wants," Dhillon says. "I think the blame is shared. Once you get a vendor to do something, it is the responsibility of clients to ensure that all of the processes are secure, regardless of whether they are in-house or they have been outsourced."
The cyber robbery of Rakbank and the Bank of Muscat was similar to one in 2008, when a gang from Eastern Europe and Russia hacked the Royal Bank of Scotland's credit card processor. The indictment against the gang noted they drained US$9 million from more than 2,100 coordinated ATM withdrawals in less than half a day.
Other financial institutions in the Middle East have been attacked by hackers, but not for money. Last year, a self-described Saudi Arabian hacker posted details of 400,000 Israeli credit cards online. More Israeli bank accounts were compromised, before retaliation from Israeli hackers, who posted information from Saudi Arabian credit cards. Hackers then disrupted websites of the Tel Aviv Stock Exchange, El Al Airlines and several Israeli banks, the Abu Dhabi Securities Exchange and Tadawul, Saudi Arabia's exchange, then the United Arab Emirates' Central Bank website and that of the Arab Bank Palestine.
"From a government standpoint, some kind of regulatory framework has to be created," Dhillon says. "There are laws dealing with cybercrime in the Middle East. But they need to be revisited every so often, and integrated with the path of the rest of the world. It's not just one country having its own set of laws. How do they link up with the rest of the world?"
Dhillon noted that there isn't a complete harmonization of Internet regulations on an international scale, so the task remains difficult. Still, he said, "One of the problems of cyber security is that it's not location dependent. So when you talk about regulatory frameworks, they have to go beyond your own country."

In Hours, Thieves Took $45 Million in A.T.M. Scheme

In two precision operations that involved people in more than two dozen countries acting in close coordination and with surgical precision, thieves stole $45 million from thousands of A.T.M.'s in a matter of hours.
In New York City alone, the thieves responsible for A.T.M. withdrawals struck 2,904 machines over 10 hours starting on Feb. 19, withdrawing $2.4 million.
The operation included sophisticated computer experts operating in the shadowy world of Internet hacking, manipulating financial information with the stroke of a few keys, as well as common street criminals, who used that information to loot the automated teller machines.
The first to be caught was a street crew operating in New York, their pictures captured as, prosecutors said, they traveled the city withdrawing money and stuffing backpacks with cash.
On Thursday, federal prosecutors in Brooklyn unsealed an indictment charging eight men — including their suspected ringleader, who was found dead in the Dominican Republic last month. The indictment and criminal complaints in the case offer a glimpse into what the authorities said was one of the most sophisticated and effective cybercrime attacks ever uncovered.
It was, prosecutors said, one of the largest heists in New York City history, rivaling the 1978 Lufthansa robbery, which inspired a scene in the movie “Goodfellas.”
Beyond the sheer amount of money involved, law enforcement officials said, the thefts underscored the vulnerability of financial institutions around the world to clever criminals working to stay a step ahead of the latest technologies designed to thwart them.
“In the place of guns and masks, this cybercrime organization used laptops and the Internet,” said Loretta E. Lynch, the United States attorney in Brooklyn. “Moving as swiftly as data over the Internet, the organization worked its way from the computer systems of international corporations to the streets of New York City, with the defendants fanning out across Manhattan to steal millions of dollars from hundreds of A.T.M.'s in a matter of hours.”
The indictment outlined how the criminals were able to steal data from banks, relay that information to a far-flung network of so-called cashing crews, and then have the stolen money laundered in purchases of luxury items like Rolex watches and expensive cars.
In the first operation, hackers infiltrated the system of an unnamed Indian credit-card processing company that handles Visa and MasterCard prepaid debit cards. Such companies are attractive to cybercriminals because they are considered less secure than financial institutions, computer security experts say.
The hackers, who are not named in the indictment, then raised the withdrawal limits on prepaid MasterCard debit accounts issued by the National Bank of Ras Al-Khaimah, also known as RakBank, which is in the United Arab Emirates.
Once the withdrawal limits have been eliminated, “even a few compromised bank account numbers can result in tremendous financial loss to the victim financial institution,” the indictment states. And by using prepaid cards, the thieves were able to take money without draining the bank accounts of individuals, which might have set off alarms more quickly.
With five account numbers in hand, the hackers distributed the information to individuals in 20 countries who then encoded the information on magnetic-stripe cards. On Dec. 21, the cashing crews made 4,500 A.T.M. transactions worldwide, stealing $5 million, according to the indictment.
While the street crews were taking money out of bank machines, the computer experts were watching the financial transactions from afar, ensuring that they would not be shortchanged on their cut, according to court documents.
MasterCard alerted the Secret Service to the activity soon after the transactions were completed, said a law enforcement official, who declined to be identified discussing a continuing investigation.
Robert D. Rodriguez, a special agent with the Secret Service for 22 years and now the chairman of Security Innovation Network, said that in some ways the crime was as old as money itself: bad guys trying to find weaknesses in a system and exploiting that weakness.
“The difference today is that the dynamics of the Internet and cyberspace are so fast that we have a hard time staying ahead of the adversary,” he said. And because these crimes are global, he said, even when the authorities figure out who is behind them they might not be able to arrest them or persuade another law enforcement agency to take action.
After pulling off the December theft, the organization grew more bold, and two months later it struck again — this time nabbing $40 million.
On Feb. 19, cashing crews were in place at A.T.M.'s across Manhattan and in two dozen other countries waiting for word to spring into action.
This time, the hackers had infiltrated a credit-card processing company based in the United States that also handles Visa and MasterCard prepaid debit cards. Prosecutors did not disclose the company’s name.
After securing 12 account numbers for cards issued by the Bank of Muscat in Oman and raising the withdrawal limits, the cashing crews were set in motion. Starting at 3 p.m., the crews made 36,000 transactions and withdrew about $40 million from machines in the various countries in about 10 hours. In New York City, a team of eight people made 2,904 withdrawals, stealing $2.4 million.
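As an added example, not from any of the articles above, the following Python sketches the kind of issuer-side checks that would surface the pattern the indictment describes: a withdrawal limit raised by an implausible factor, followed within the hour by a burst of withdrawals on the same card from several countries. The card ids, events and thresholds are constructed for illustration.

```python
"""Velocity and geographic-spread checks over prepaid-card activity (constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events; times are ISO 8601, amounts in USD.
LIMIT_CHANGES = [
    # (card_id, time, old_limit, new_limit): a limit raised far beyond normal
    ("card-A", "2013-02-19T14:40:00", 500, 1_000_000),
]
WITHDRAWALS = [
    # (card_id, time, ATM country, amount)
    ("card-A", "2013-02-19T15:01:00", "US", 800),
    ("card-A", "2013-02-19T15:02:00", "US", 800),
    ("card-A", "2013-02-19T15:03:00", "JP", 9_500),
    ("card-A", "2013-02-19T15:04:00", "GB", 700),
    ("card-A", "2013-02-19T15:05:00", "DE", 700),
    ("card-B", "2013-02-19T15:10:00", "US", 200),   # an ordinary single withdrawal
]


def parse(ts):
    return datetime.fromisoformat(ts)


def detect(withdrawals, limit_changes, window=timedelta(hours=1),
           max_tx=10, max_countries=2, limit_ratio=10.0):
    """Return {card_id: [reasons]} for cards whose activity matches the cash-out pattern."""
    alerts = defaultdict(list)

    # 1. A limit change by an implausible factor is itself the event to alarm on:
    #    it is the control change that turned a few account numbers into millions.
    raised_at = {}
    for card, ts, old, new in limit_changes:
        if old > 0 and new / old >= limit_ratio:
            alerts[card].append(f"limit raised x{new / old:.0f}")
            raised_at[card] = parse(ts)

    # 2. Sliding-window velocity and country spread per card. A physical card cannot
    #    be in several countries within an hour; cloned magstripe cards can.
    by_card = defaultdict(list)
    for card, ts, country, amount in withdrawals:
        by_card[card].append((parse(ts), country, amount))
    for card, events in by_card.items():
        events.sort()
        peak_tx, peak_countries = 0, 0
        for i, (t0, _, _) in enumerate(events):
            in_win = [e for e in events[i:] if e[0] - t0 <= window]
            peak_tx = max(peak_tx, len(in_win))
            peak_countries = max(peak_countries, len({c for _, c, _ in in_win}))
        if peak_tx > max_tx:
            alerts[card].append(f"{peak_tx} withdrawals within {window}")
        if peak_countries > max_countries:
            alerts[card].append(f"{peak_countries} countries within {window}")
        # 3. Correlate the two signals: withdrawals beginning right after the limit change.
        if card in raised_at and timedelta(0) <= events[0][0] - raised_at[card] <= window:
            alerts[card].append("cash-out began within one window of limit change")
    return dict(alerts)


if __name__ == "__main__":
    for card, reasons in detect(WITHDRAWALS, LIMIT_CHANGES).items():
        print(card, "->", "; ".join(reasons))
```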
Surveillance photos of one suspect at various A.T.M.'s showed the man’s backpack getting heavier and heavier, Ms. Lynch said, comparing the series of thefts to the caper at the center of the movie “Ocean’s Eleven.”
While the New York crew had a productive spree, the crews in Japan seem to have been the most successful, stealing around $10 million, probably because some banks in Japan allow withdrawals of as much as $10,000 from a single bank machine.
“The significance here is they are manipulating the financial system to be able to change these balance limits and withdrawal limits,” said Kim Peretti, a former prosecutor in the computer crime division of the Justice Department who is now a partner in the law firm Alston & Bird. “When you have a scheme like this, where the system can be manipulated to quickly get access to millions of dollars that in some sense did not exist before, it could be a systemic risk to our financial system.”
It was unclear to whom the hacked accounts belonged, and who might ultimately be responsible for the losses.
The indictment suggests a far-reaching operation, but there were few details about the people responsible for conducting the hacking or who might be leading the global operation. Law enforcement agencies in more than a dozen countries are still investigating, according to federal prosecutors. The authorities said the leader of the New York cashing crew was Alberto Lajud-Peña, 23, whose body was found in the Dominican Republic late last month. Seven other people were charged with conspiracy to commit “access device fraud” and money laundering.
The prosecutors said they were all American citizens and were based in Yonkers. The age of one defendant was given as 35; the others were all said to be 22 to 24. Mr. Lajud-Peña fled the United States just as the authorities were starting to make arrests of members of his crew, the law enforcement official said.
On April 27, according to news reports from the Dominican Republic, two hooded gunmen stormed a house where he was playing dominoes and began shooting. A manila envelope containing about $100,000 in cash remained untouched.
Nicole Perlroth, Frances Robles and Mosi Secret contributed reporting.

Hacking syndicates threaten banking

The number of organized hacking syndicates targeting financial institutions around the world is growing at a disturbingly fast rate. And so is the number of banks willing to pay these high-tech extortionists hush money to protect their reputations, according to a security expert at The World Bank.
Cases in which banks, brokerage firms and other financial institutions have quietly paid hacking syndicates extortion money are "extremely widespread," said Tom Kellermann, senior data risk management specialist at The World Bank in Washington. Kellermann, who co-authored a study on the electronic security risks facing the global financial community, presented the findings during an Oct. 29 online seminar sponsored by Cable & Wireless Internet Services Inc. in Vienna, Va.

The 127-page study details the growing security challenges facing the financial sector as a result of the industry's unprecedented dependence on the public telecommunications system, rapid adoption of wireless systems and outsourcing of operations to third parties.

And the growing dependency on Internet technologies that are linked to sensitive back-end systems, such as customer databases and real-time stock data, has made online extortion a major "safety and soundness issue" for the financial markets, Kellermann said.

80% Go Unreported

Kellermann cited reports from Framingham, Mass.-based IDC and Stamford, Conn.-based Gartner Inc. that indicate that roughly 80% of cybercrime incidents in the financial sector go unreported to law enforcement agencies.

Moreover, he contends that IT employees keep many of these incidents from senior banking executives "due to the reality that they may be fired." Banks don't report these incidents mainly because they want to maintain customer and investor trust, according to Kellermann.

At the same time, massive underreporting has created a vicious catch-22 for an industry that continues to struggle with dwindling budgets. "It has a magnifying effect because there's no actuarial data to justify the extra expense on security," said Kellermann. "We are losing this war."

Budget issues have also led banks and other financial companies to outsource operations. But that can have disastrous consequences for hundreds of banks at once if the hosting company doesn't implement proper security protections, Kellermann said. He cited an incident last year in which hackers penetrated the systems run by S1 Corp., an Atlanta-based provider of electronic finance services to the financial industry. The incident led to the compromise of more than 300 banks, credit unions, insurance providers and investment firms simultaneously.

Coverups Not Common

Security experts and banking officials contacted for this story agreed that the vast majority of incidents go unreported. However, they said they aren't convinced that internal coverups by bank IT personnel are widespread.

"I don't think that security incident coverups are common," said Joe Busa, an IT manager at Citizens Bank in Providence, R.I. "It is very hard to cover a mistake completely from your peers."

According to Gartner analyst John Pescatore, all publicly traded companies are required by the Securities and Exchange Commission to report all events that could have a material effect on the business. However, "there have been very few computer security incidents serious enough to be classified as a material event," said Pescatore.

Cyber attack: Blame game is on, but Yes Bank, RPG to sort out hacking issue

MUMBAI: Yes Bank and RPG Life Sciences (of Harsh Goenka) are blaming each other for the Rs 2.4 crore the company lost due to the second reported hacking of a corporate current account. The bank says that it is the responsibility of the account holder to prevent misuse at its end and that it (the bank) is responsible only for the back-end, which it claims is safe.