Worldwide $45m ATM cyber-heist highlights vulnerabilities in card security

An international gang of cyber thieves stole $45 million using bank ATMs in a heist spread across 27 countries. The attack showed off some of the vulnerabilities of current financial security systems.

U.S. Attorney Loretta Lynch said that the suspects had "participated in a massive 21st century bank heist that reached across the internet and stretched around the globe.” Lynch compared the “surgical” heist with the film Ocean’s Eleven.

“These defendants allegedly formed the New York-based cell of an international cybercrime organization that used sophisticated intrusion techniques to hack into the systems of global financial institutions, steal prepaid debit card data, and eliminate withdrawal limits,” the Attorney’s office said in a statement.

The attack targeted prepaid credit cards. By raising the limit on cloned cards the hackers were able to withdraw “unlimited” funds for short periods. In New York, the hackers withdrew $2.8 million in hours.

"It's usually prepaid debit cards. That's the card of choice in this. The bad guys know the system and they have been able to exploit it," said Joe Petro, MD of Promontory Financial Group and a former fraud expert from Citigroup, speaking to Reuters.  "The vulnerability stems from third-party processors, who may not have the same level of security systems that banks are able to have.”

“You have pockets of very strong security and security awareness - some of the big banks do great security research - but the fragmentation of electronic commerce undermines that work,” says ESET Senior Research Fellow David Harley.

“There are several points at which online transactions requiring authentication can spring a leak: poor password practice by uneducated users, poor protection of credentials data by the service provider, interception of credentials and other information in transit through MITM and MITB attacks, security problems with intermediaries such as ISPs and, in this case, card processors. It's practically impossible to pay cash anywhere but over the counter these days, but security for electronic transactions hasn't kept pace with the growth in that market.”

The hack targeted third-party payment processing companies for pre-paid MasterCard debit cards issued by two Middle Eastern banks.