News that a Florida-based bank has been left holding the baby in a $13 million ATM fraud highlights the increasingly complex world of cybercrime and the multi-faceted layers of security needed to defend against it, says Lieberman Software.
According to Philip Lieberman, President and CEO of Lieberman Software, the privileged identity management and security management specialist, the case is an interesting one as it appears to involve the hacking of the affected financial institution's computer system that controlled the bank's pre-paid debit card security parameters.
“The cybercriminals appear to have tampered with the daily cash withdrawal limits on 22 pre-paid cards, effectively allowing the cards – and their clones – to drain all the cash from a machine, and then some. Conspirators in Greece, Russia, Spain, Sweden, Ukraine and the United Kingdom used the cloned cards to withdraw cash from dozens of ATMs,” he said.
“You don't need to be a math genius to realise that each of the pre-paid cards – and their clones – were used to withdraw an average of around $590,000 per card. Assuming an average ATM transaction limit of $400, that's around 1,500 individual ATM sessions per card account,” he added.
Lieberman – whose company supplies multi-faceted security technologies to large companies seeking to simplify their complex IT security, reporting and auditing systems – went on to say that, given that the fraud must have taken place over a few days – possibly a holiday weekend – the scale of the ATM withdrawal project must have been immense.
Had the fraudsters staged their cash withdrawal scam over a longer period, he explained, then the bank's fraud analysis systems would have kicked in and the card cash withdrawal facility would have been locked down pending a full-scale investigation.
The Lieberman Software president says that the simple act of the hackers gaining access to the card database system and manipulating the cash withdrawal limits for the 22 cards has had immense consequences for the bank concerned, although the fact that in-bank ATMs typically hold around $80,000 – and smaller machines hold around $30,000 – probably saved the bank from losing more than $13 million.
In fact, when you crunch the numbers, says Lieberman, you come up with the interesting analysis that, assuming an average ATM cash capacity of $50,000, the fraudsters must have drained the cash from around 260 ATMs in total, suggesting that they probably targeted the machines in a limited area with several hundred mules on the ground drawing the cash.
“This raises the interesting question as to how much more the fraudsters could have withdrawn if they had more mules on the ground, and more cloned cards in their possession. It also begs the question why the bank's own anti-fraud pattern analysis systems didn't spot what was going on before they did,” he said.
“According to security researcher Brian Krebs' report on this fascinating saga, the FBI, banks and other agencies are not saying a lot about the fraud, which I think speaks volumes. It also suggests that defending against multi-faceted fraud of this nature, even if you are a bank, is easier said than done,” he added.