A team of hackers with organized crime connections stole $45 million by hacking into software that manages prepaid debit cards. The hackers removed the limits on debit card accounts, allowing "cashing crews" to make thousands of fraudulent ATM withdrawals worldwide over a matter of hours. The lesson? System protection is only as strong as its weakest link. Companies need to step outside the standard assessment routine and look at security the way hackers do.
According to the authorities, the eight suspects were part of a thoroughly 21st century bank job. Forget the tense, split-second timing of old style caper movies. The suspects hacked into the systems of two firms that handle prepaid debit accounts for a pair of banks in the Gulf region of the Middle East.
The suspects then executed what prosecutors call an "unlimited operation," so called because they systematically removed the limit settings that are normally placed on prepaid debit accounts. With these limits removed, "cashing crews" in cities around the world simply went from ATM to ATM, withdrawing all the money they could.
The operation spanned at least 26 countries, and in New York City alone it netted about $2.4 million from close to 3000 ATM transactions. The February ATM sweep, which took place in about ten hours, followed an earlier similar operation in December.
Banking industry cybersecurity specialists will have to analyse the specific flaws exploited by the hackers. But the broader lesson applies to cybersecurity in all industries. Security cannot be a routine exercise aimed at filling out an assessment scorecard. Firms need to learn how to think creatively, like the attackers who are targeting them.
At GRT Corporation we have 17 years in thinking about security in a non-routine way. Let us help you to build comprehensive, holistic security that protects against "unlimited" threats.