The two payment processors that were attacked to pull off a daring global ATM heist have been named, according to a report.
Pune, India-based ElectraCard Services and enStage, a company with operations in Bangalore and Cupertino, Calif., were infiltrated by hackers who compromised prepaid debit cards, allowing them to steal $45 million from ATMs around the world, according to sources speaking to news service Reuters.
Federal prosecutors announced charges last Thursday against eight individuals who allegedly formed the New York-based operations of the international gang that stole cash from thousands of ATMs in dozens of countries between December 2012 and late February.
Law enforcement called the cyber attacks “unlimited operations," meaning intruders hacked into the computer systems of credit card processors to compromise prepaid debit card accounts, then raise the limits on the accounts.
On Tuesday, Aabhas Pandya, a spokesperson for enStage, declined to confirm whether the company was struck, but said via email to SCMagazine.com that enStage “is in the midst of preparing a media statement” on the matter. ElectraCard did not immediately respond for comment.
Over the weekend, Gulshan Rai, director general of the Indian CERT, told Reuters that it was investigating “the technical aspect” of the attacks. What this organization turns up could help other companies in the financial industry from suffering a similar fate, which often comes with few clues it is going to happen.
“It's not like someone making a bomb, where you can be alerted to individuals buying large amounts of fertilizer,” Darren Hayes, program chair and assistant computer science professor at Pace University in New York, told SCMagazine.com. “This is a crime with fewer alerts."
Avivah Litan, vice president and distinguished analyst at Gartner, told SCMagazine.com that there may be other entities along the payment chain that could be to blame.
“When these payment systems were implemented and developed, no one thought about internet security and now they are accessible through the internet,” she said. “Every payment request goes through at least a dozen points. Most of those points are accessible through the internet though, so there are many kinds of attack vectors.”
The hackers purposely targeted prepaid debit cards, which are fast becoming one of the hottest non-cash payment types for consumers, who are drawn to their flexibility. The customer decides how much to fund the card, and they don't have to worry about credit checks or scores. But the cards are vulnerable for this very reason: Banks and processors have a difficult time discerning irregular activity because there's no credit history from which to draw.