A global network of hackers used sophisticated methods to steal an astonishing $45 million in mere hours, sending ripples to the security world.

Hackers

The New York prosecutors said Thursday that the money was stolen by criminals who hacked into a database of prepaid cards and then drained cash machines of their dollars.

The prosecutors informed that seven people were arrested in the U.S., accused of operating the New York cell. This network carried out thefts at ATM’s in 27 countries spanning from Canada to Russia.

Hackers Removed Pre-Paid Card Limits

The means adopted by the hackers was quite shocking. The hackers got access to bank databases and got the limits on pre-paid debit cards removed. They then incorporated access codes. Subsequently the data got loaded onto any plastic card with magnetic stripe, be it an old hotel key card or an expired credit card.

The cards carrying the account data and correct access codes were then fanned out to rapidly withdraw money in multiple cities by the network of operators. The cells would take a cut of the money, then launder it through expensive purchases or ship it wholesale to the global ringleaders.

Interestingly, it was reported no individual customers lost money. The network plundered money held by the banks that backup prepaid credit cards. Thus no individual or business accounts lost money in the incident.

Experts warn these types of ATM crimes are becoming increasingly common and their global nature makes them hard to investigate. Federal prosecutors say the case involved plundering ATM’s in 27 countries, cyber-attacks on two banks in the Middle East.

The incident involved two separate attacks, one in December that reaped $5 million worldwide and one in February that snared about $40 million in 10 hours with about 36,000 transactions. The scheme involved attacks on two banks, Rakbank in the United Arab Emirates and the Bank of Muscat in Oman, prosecutors said.

The New York prosecutors said the accused ringleader in the U.S. cell, Alberto Yusi Lajud-Pena, was reportedly killed in the Dominican Republic late last month. Further investigations continue and other arrests have been made in other countries, but prosecutors did not have details. An indictment unsealed Thursday accused Lajud-Pena and the other seven New York suspects of withdrawing $2.8 million in cash from hacked accounts in less than a day.

Ori Eisen, a cybercrime expert feels given the scale of the global credit card networks, it is almost impossible to detect every kind of attack.

An analyst covering security issues at Gartner Inc. remarked such ATM fraud schemes are not uncommon, but the $45 million stolen in this one was at least double the amount involved in previously known cases.

The first federal study of ATM fraud was 30 years ago, when the use of computers in the financial community was growing rapidly. At the time, the Bureau of Justice Statistics found nationwide ATM bank loss from fraud ranged from $70 and $100 million a year. However by 2008, the amount had risen to about $1 billion a year, said Ken Pickering, who works in security intelligence at CORE Security, a white-hat hacking firm that offers security to businesses.

Some feel a part of the fault lies with the ubiquitous magnetic strips on the back of the cards. The rest of the world has largely abandoned cards with magnetic strips in favor of ones with built-in chips that are nearly impossible to copy. But because U.S. banks and merchants have stuck to cards with magnetic strips, they are still accepted around the world.