Indian computer authorities to investigate what led to $45 million ATM heist

Share this article:

The two payment processors that were attacked to pull off a daring global ATM heist have been named, according to a report.

Pune, India-based ElectraCard Services and enStage, a company with operations in Bangalore and Cupertino, Calif., were infiltrated by hackers who compromised prepaid debit cards, allowing them to steal $45 million from ATMs around the world, according to sources speaking to news service Reuters.

Federal prosecutors announced charges last Thursday against eight individuals who allegedly formed the New York-based operations of the international gang that stole cash from thousands of ATMs in dozens of countries between December 2012 and late February.

Law enforcement called the cyber attacks “unlimited operations," meaning intruders hacked into the computer systems of credit card processors to compromise prepaid debit card accounts, then raise the limits on the accounts.

On Tuesday, Aabhas Pandya, a spokesperson for enStage, declined to confirm whether the company was struck, but said via email to SCMagazine.com that enStage “is in the midst of preparing a media statement” on the matter. ElectraCard did not immediately respond for comment.

Over the weekend, Gulshan Rai, director general of the Indian CERT, told Reuters that it was investigating “the technical aspect” of the attacks. What this organization turns up could help other companies in the financial industry from suffering a similar fate, which often comes with few clues it is going to happen.

“It's not like someone making a bomb, where you can be alerted to individuals buying large amounts of fertilizer,” Darren Hayes, program chair and assistant computer science professor at Pace University in New York, told SCMagazine.com. “This is a crime with fewer alerts."

Avivah Litan, vice president and distinguished analyst at Gartner, told SCMagazine.com that there may be other entities along the payment chain that could be to blame.

“When these payment systems were implemented and developed, no one thought about internet security and now they are accessible through the internet,” she said. “Every payment request goes through at least a dozen points. Most of those points are accessible through the internet though, so there are many kinds of attack vectors.”

The hackers purposely targeted prepaid debit cards, which are fast becoming one of the hottest non-cash payment types for consumers, who are drawn to their flexibility. The customer decides how much to fund the card, and they don't have to worry about credit checks or scores. But the cards are vulnerable for this very reason: Banks and processors have a difficult time discerning irregular activity because there's no credit history from which to draw. 

Share this article:

Sign up to our newsletters

More in News

Brazilian president signs internet 'Bill of Rights' into law

Brazilian president signs internet 'Bill of Rights' into ...

President Dilma Rousseff signed the legislation on Wednesday at the NetMundial conference in Sao Paulo.

Android trojan sends premium SMS messages, targets U.S. users for first time

Android trojan sends premium SMS messages, targets U.S. ...

An SMS trojan for Android, known as FakeInst, has been observed sending premium SMS messages to users all over the world, including, for the first time, the United States.

Report: DDoS up in Q4 2013, vulnerability scanners leveraged to exploit sites

Report: DDoS up in Q4 2013, vulnerability scanners ...

Researchers observed 346 DDoS attacks in the final quarter of 2013 and attackers used Vega and Skipfish vulnerability scanners to exploit web flaws at financial companies.