The different components of a $45 million global bank heist — with a New York connection — were not that unusual as far as hacker-orchestrated data breaches go.
But the swiftness and scope of the scheme and thefts that unfolded make it a precedent-setting event for authorities and cyber-security specialists.
Cyber thieves with the help of cells in different countries made off with $40 million in about 36,000 transactions over a 10-hour period. They combined two common credit card schemes, according to Scott Neuman of NPR reports.
Hackers first accessed bank computers and downloaded prepaid debit card data while erasing the cards’ withdrawal limits.
Then they relayed the data to numerous co-conspirators, or “cashers,” who cloned the cards before embarking on a well-coordinated effort that involved withdrawing millions of dollars from ATMs worldwide.
The gang was able to make big withdrawals after hacking into an Indian and a U.S. credit card processing company to raise the balances and withdrawal limits on MasterCard prepaid debit cards, prosecutors said. They did not name the processing companies.
“It’s quite possible that these hacks may have been inside jobs,” John Trobough, president of Narus, which handles cybersecurity for governments and commercial enterprises, told NPR.org.
It could be current or former employees, he said.
Eight people in the New York offshoot of the operation siphoned $2.4 million from more than 2,900 ATMs during a span of over 10 hours, which prosecutors say ranks as the second-biggest bank robbery in the history of New York City.
Brooklyn U.S. Attorney Loretta Lynch called it “a massive 21st-century bank heist.”
“In the place of guns and masks, this cybercrime organization used laptops and the Internet,” Lynch said. “Moving as swiftly as data over the Internet, the organization worked its way from the computer systems of international corporations to the streets of New York City, with the defendants fanning out across Manhattan to steal millions of dollars from hundreds of A.T.M.’s in a matter of hours.”
The crime hinged on inadequate cybersecurity that allowed the hackers to penetrate back-end systems at banks. Better security protocols and more secure networks could solve that problem, experts told NPR.
“With increased employee oversight and stringent electronic monitoring within the bank, it would be more difficult for this type of theft to occur,” Trobough, president of Narus, told NPR.
More from NPR:
The second issue is the venerable magnetic stripe, a technology that Jim Pettitt, director of ATM security strategy and planning at Diebold, says has been around since the 1960s.
“Criminal organizations have exploited that pretty extensively and we’ve seen an upsurge of skimming since 2005,” he says. Encrypted chip technology is more secure. Europe has largely adopted it and the U.S. is “on the on-ramp,” he says.