Indian card processor in $45 million heist is ElectraCard

12 May, 2013

One of the credit card processing companies whose security was breached in a $45 million global cyber heist was India's ElectraCard Services, according to two people familiar with the situation. ElectraCard Services processes prepaid travel cards for National Bank of Ras Al Khaimah PSC (RAKBANK), one of two Middle Eastern banks named by US prosecutors on Thursday as victims of the heist, the people said.
The prosecutors said an international criminal gang made two co-ordinated hits on cash machines around the world, withdrawing $5 million on December 21 last year and a further $40 million on February 19 this year. The gang was able to make big withdrawals after hacking into an Indian and a US credit card processing company to raise the balances and withdrawal limits on MasterCard prepaid debit cards, the prosecutors said. They did not name the processing companies.
A US official and an employee of RAKBANK in Dubai both said the Indian card processor - used in the heist on December 21, 2012 - was ElectraCard Services, which is based in Pune, India. The two people spoke on condition of anonymity. Ramesh Mengawade, the CEO of ElectraCard Services and its parent firm, Opus Software Solutions, could not be reached through his executive assistant or through e-mail on Saturday. Calls to the mobile phone of another company official were not answered.
An official at an external public relations firm that works with ElectraCard also said he had not been able to reach Mengawade on Saturday and did not have immediate comment. RAKBANK has said two of its Prepaid MasterCard Cards have been launched with the support of ElectraCard.
MasterCard bought a 12.5 percent stake in ElectraCard in 2010, ElectraCard has said. MasterCard has said it had co-operated with law enforcement in the investigation and stressed that its systems were not involved or compromised in the attacks. Cyber security experts said the global scope and speed of the $45 million bank theft was unprecedented. The global gang had operatives in 27 countries who could fan out to thousands of ATMs in a matter of hours, and withdraw money using fraudulent prepaid debit cards, according to US prosecutors.
The US Justice Department gave details of the heist on Thursday in an indictment against eight men accused of being the New York cell of the organisation. The department said seven of the men have been arrested. Dominican police on Friday confirmed that the eighth, Alberto Lajud-Pena, allegedly the leader of the New York cell, was shot dead in a robbery attempt in the Dominican Republic on April 27. Investigators found $100,000 in cash in the house where he was killed, as well as an M-16 assault rifle, two 9 mm pistols, a revolver, ammunition clips and a telescopic sight. It was not clear if the killing or the money were related to the cyber thefts.
Also on Friday, German prosecutors said they arrested two Dutch citizens, a man and a woman, on February 19, who were withdrawing cash at machines in Duesseldorf from accounts at Bank of Muscat of Oman, the other bank named by US prosecutors. The ringleaders of the global operation were believed to be outside the United States, but US prosecutors have declined to give details, citing the continuing investigation. Germany is the only other country so far to announce arrests.
Experts in cyber security said the heists expose an Achilles heel in the global financial industry: prepaid debit cards. Prepaid cards have fewer controls on them than on regular credit and debit cards issued by banks. Each prepaid card issued is like a blank slate: anonymous, new, and lacking any credit history or individual behaviour pattern against which bankers and payment processors can measure activity to look for red flags. A thief moving from ATM to ATM with a personal credit card would likely quickly raise alarms, because his or her behaviour would look out of place compared to the credit card user's normal activity, experts said.
RAKBANK said the fraud against it took place at the end of last year and resulted in losses of around $4.7 million for the United Arab Emirates-based lender. The bank said the loss had been fully provided for before it closed its 2012 accounts. RAKBANK Chief Executive Graham Honeybill said he believed the fraud went wider than lenders in the Gulf region. "We are given to understand that the overall fraud encompassed a number of banks not only in the Middle East but in the USA and other countries," Honeybill said in a statement.
"The bank can confirm that none of its customers suffered any financial loss as a result of this fraud," he added. While full details of the latest heists were still unknown, cyber experts said such conspiracies typically come together in Internet forums, where hackers can exchange or sell information and recruit others. Gaining access to such private websites can take years of cultivating an online reputation for extraordinary trust or skill. "It's sort of like Craigslist for cyber criminals," said Jason Weinstein, a lawyer with Steptoe & Johnson who previously supervised the Justice Department's computer crime unit.

Read Comments