Detangling the $45 Million CyberheistWhy Finding the Point of Compromise Could Prove Challenging
In the aftermath of the recent news about an international $45 million cyberheist and ATM cash-out scheme, experts say pinpointing the source of such a massive breach can prove to be extremely difficult. That's because so many different entities are now involved in the global payments chain.
"There are so many parties in the payments chain that it is very difficult to assign blame in these types of breaches," says financial fraud expert Avivah Litan, an analyst with consultancy Gartner Inc., who blogged about the attack. "There can easily be seven roundtrip hops or more between an ATM cash disbursement request and the cash disbursement. The leakage can happen at any of those points or hops."
News reports this week named two payments processors that had their networks hacked, leading to the card data compromises in the $45 million cyberheist. But one is claiming it had no data intercepted, and the other has yet to make a statement.
Al Pascual, senior security, risk and fraud analyst for Javelin Strategy & Research, says card data could have been obtained through any number of channels. "Couldn't these criminals just buy the cards legitimately and then breach the processor to alter the limits?" he asks. "Seems easier to me. Obtaining card data is less challenging for criminals than gaining access to a processor and altering their internal controls, though."
Regardless of the cause of a breach, however, it's critical that all card issuers monitor their networks and catch fraudulent transactions before card compromises lead to major financial losses, security experts advise.
The U. S. Department of Justice says the $45 million cyberheist took place in two operations, one in December 2012, which led to $5 million in losses, and the other in February, which triggered $40 million in losses.
Multiple media reports this week claimed that payments processors EnStage and ElectraCard Services, both based in India, had their networks breached as part of two well-orchestrated global ATM cash-out operations. The processors serviced transactions for prepaid debit cards issued by Middle Eastern banks Bank of Muscat in Oman and the National Bank of Ras Al Khaimah, d.b.a., RAKBANK, according to news reports.
"ECS was not impacted in the $40 million ATM heist in February 2013 ...," the processor says. "As already reported in the media earlier this year, there were fraud attacks which affected several institutions worldwide, including ECS, in December 2012 and [recent] reports shed more light on the incidents because of the recent arrests. ECS has engaged external agencies such as Verizon in its forensic and other investigations. Through these investigations, there is a now a better understanding of how this has been perpetrated. However, as the investigation has revealed, the PIN and magnetic-stripe data seem to have been compromised outside the ECS processing environment."
A spokesman from Enstage, which has not yet responded to the reports connecting it to the data breach, tells BankInfoSecurity the processor expects to issue a statement sometime this week.
Financial fraud experts say card issuers often have little recourse for recuperating stolen funds that result from massive breaches. "They don't know who is liable for the breach," says Gartner's Litan. "From conversations I've had with various issuer clients regarding recent breaches, the card brands (Visa and MasterCard) are often not as helpful in helping card issuers recover funds as the issuers would like them to be, perhaps because the card brands don't know where to assign the liability."
A card-fraud executive with one U.S.-based card issuer, who asked to not be named, says attackers are compromising and stealing information from multiple sources, which only compounds the liability challenge after a breach.
"The fraudsters are getting much more aggressive to use data from multiple compromises and not just one source, which has made it extremely difficult to pinpoint a specific compromise when a trend arises," the executive says. And that may have been the case in the $45 million cyberheist, he adds.
Issuers are often unsuccessful in lawsuits they pursue against a breached entity, such as a processor, the executive notes. From a legal perspective, too many questions can be raised: "Who is to say there was not another breach that we have not yet identified that caused that specific loss?" the executive asks.
Card issuers have established programs for data compromise recovery, the executive points out. But these programs only address breached entities not complying with the Payment Card Industry Data Security Standard at the time of the attack. Using PCI compliance as a benchmark has damaged the process, the executive adds: "We know that PCI compliance is not a factor in preventing the new strains of malware."
Processors and merchants are spending large sums of money to ensure PCI compliance, and that compliance is not preventing data leaks, Litan says. "They can do their best and spend lots of money and time becoming PCI certified, but this gives them no safe harbor," Litan says of breached processors and merchants. "And the auditors (qualified security assessors) that certify these eventually breached companies as PCI compliant have big disclaimers in their contracts that they take no responsibility if, in fact, their clients are breached."
Back on the Banks
In the $45 million cyberheist, the PCI standing of processors allegedly connected to the breach has yet to be determined. In its statement, ElectraCard Services noted that it is working to re-certify its compliance, "as part of the standard process."
"ECS has already taken several measures to further strengthen its processing environment and is confident of being re-certified and re-listed over the next couple of months," the processor states.
Ultimately, the unnamed card issuer says, the onus falls on banks to monitor card transactions and detect fraud. "I don't hold my breath that I will get any sizeable recovery after the loss is suffered, even if arrests are made," the executive says.