Database Breach Results in $45M Theft

By Adrian Lane

Today’s big news is the hack against banking systems to pre-authenticate thousands of ATM and pre-paid debit cards. The attackers essentially modified debit card databases in several Middle Eastern banks, then leveraged their virtual cards into cash. From AP Newswire:

Hackers got into bank databases, eliminated withdrawal limits on pre-paid debit cards and created access codes. Others loaded that data onto any plastic card with a magnetic stripe – an old hotel key card or an expired credit card worked fine as long as they carried the account data and correct access codes.

A network of operatives then fanned out to rapidly withdraw money in multiple cities, authorities said. The cells would take a cut of the money, then launder it through expensive purchases or ship it wholesale to the global ringleaders. Lynch didn’t say where they were located. The targets were reserves held by the banks to fund pre-paid credit cards, not individual account holders, Lynch said … calling it a “virtual criminal flash mob.” The plundered ATMs were in Japan, Russia, Romania, Egypt, Colombia, Britain, Sri Lanka, Canada and several other countries, and law enforcement agencies from more than a dozen nations were involved in the investigation, U.S. prosecutors said.

It’s not clear how many of the thieves have been caught, or what percentage of the cash has been retrieved. Apparently this was the second attack, with the first successfully pulling $5 million from ATMs. Police only caught up with some of the attackers on the second attack, after they had managed to steal another $40M. How the thefts were detected is not clear, but it appears the discovery came out of a murder investigation of one of the suspects, and not from fraud detection software within the banking system. The banks are eager to point to the use of mag stripe cards as the key issue here, but if your database is owned, an attacker can direct funds to any account.

