Indian computer authorities to investigate what led to ATM heist

News by Danielle Walker

The two payment processors that were attacked to pull off a daring global ATM heist have been named, according to a report.

Pune, India-based ElectraCard Services and enStage, a company with operations in Bangalore and Cupertino, California, were infiltrated by hackers who compromised prepaid debit cards, allowing them to steal $45 million (£28 million) from ATMs around the world, according to sources speaking to news service Reuters.

US federal prosecutors announced charges last Thursday against eight individuals, who allegedly formed the New York-based operations of the international gang that stole cash from thousands of ATMs in dozens of countries between December 2012 and late February.

Law enforcement called the cyber attacks ‘unlimited operations’, meaning that intruders hacked into the computer systems of credit card processors to compromise prepaid debit card accounts, then raised the limits on those accounts.

Aabhas Pandya, a spokesperson for enStage, declined to confirm whether the company was struck, but said via email to SC Magazine US that enStage “is in the midst of preparing a media statement” on the matter. ElectraCard did not immediately respond to a request for comment.

Over the weekend, Gulshan Rai, director general of the Indian Cert, told Reuters that it was investigating ‘the technical aspect’ of the attacks. What the organisation turns up could help other companies in the financial industry avoid a similar fate, which often comes with few clues that it is about to happen.

Avivah Litan, vice president and distinguished analyst at Gartner, told SC Magazine US that there may be other entities along the payment chain that could be to blame.

“When these payment systems were implemented and developed, no one thought about internet security and now they are accessible through the internet,” she said.

“Every payment request goes through at least a dozen points. Most of those points are accessible through the internet though, so there are many kinds of attack vectors.”

The hackers purposely targeted prepaid debit cards, which are fast becoming one of the hottest non-cash payment types for consumers, who are drawn to their flexibility. The customer decides how much to fund the card, and they don't have to worry about credit checks or scores.

However, the cards are vulnerable for this very reason: banks and processors have a difficult time discerning irregular activity because there's no credit history from which to draw.
