On May 9, 2013, a New York division of the U.S. Department of Justice reported the arrest and indictment of seven individuals behind a large and sophisticated fraud scheme involving prepaid cards that netted the fraudsters $45 million. According to the United States Attorney's Office for the Eastern District of New York, the cybercriminals hacked into the prepaid card processing systems associated with two foreign banks to manipulate withdrawal limits on prepaid accounts and hit ATMs in 26 countries with fake cards encoded with payment data from the stolen accounts.
The seven defendants in the case, all residents of Yonkers, N.Y., and an eighth reportedly murdered in late April 2013 in the Dominican Republic, apparently orchestrated two separate "Unlimited Operation" fraud schemes conducted between approximately October 2012 and April 2013. Unlimited Operations are characterized by their way of allowing fraudsters to abscond with virtually unlimited proceeds.
The office of U.S. Attorney Loretta E. Lynch said the first scheme targeted the network of an unnamed processor of MasterCard Worldwide-branded prepaid cards issued by the National Bank of Ras Al-Khaimah PSC (RakBank) in the United Arab Emirates. On Dec. 22, 2012, hackers penetrated the network and an undisclosed amount of prepaid accounts. The hackers manipulated the balances and withdrawal limits on the accounts, then had "money mules," also called "casher cells," in about 20 countries use counterfeit cards to withdraw funds from over 4,500 ATMs.
"In the New York City area alone, over the course of just two hours and 25 minutes, the defendants and their co-conspirators conducted approximately 750 fraudulent transactions, totaling nearly $400,000, at over 140 different ATM locations in New York City," the attorney's office said. In total, RakBank and the processor suffered approximately $5 million in losses.
The second attack occurred on the afternoon of Feb. 19, 2013, and lasted into the early morning of the next day, according to the prosecutor. This time, the same attack vector was used against a processor and the Bank of Muscat, located in Oman, a country that abuts the UAE and lies at the mouth of the Persian Gulf. The office did not specify if the processor was the same one attacked in the first operation, but the second attack was more destructive than the first.
"Over the course of approximately 10 hours, casher cells in 24 countries executed approximately 36,000 transactions worldwide and withdrew about $40 million from ATMs," the attorney's office said, adding that the fraudsters withdrew about $2.4 million from nearly 3,000 ATMs in the New York City area alone.
Media reports have pegged ElectraCard Services (ECS), headquartered in Pune, India, as one of the victimized processors. ECS, a MasterCard partner and processor of travel cards for RakBank, admitted it was involved in the first attack, but not in the second. The company said the investigation into the second breach revealed that "PIN and magnetic stripe data seem to have been compromised outside the ECS processing environment."
The attorney's office offered further insight into the attacks, saying these operations target databases for such types of cards as payroll and disaster assistance. "The cybercriminals breach the debit card accounts' security protocols, then dramatically increase the balances and effectively eliminate the withdrawal limits on the accounts," Lynch's office said. "The elimination of withdrawal limits enables the participants to withdraw unlimited amounts of cash until the operation is shut down."
The next phase of such operations involves casher cells spread out around the world who encode mag stripe cards, such as gift cards, with the compromised card data, then use the stolen PINs associated with the cards to withdraw large sums from ATMs. As this is taking place, hackers maintain access to the breached networks to monitor the withdrawals.
Concerning the two-pronged attack, prosecutors have reportedly recovered hundreds of thousands of dollars in cash, two Rolex watches and a Mercedes SUV; they are also in the process of retrieving a Porsche Panamera. The attorney's office said the two luxury automobiles cost the fraudsters $250,000 in stolen loot. 
The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
Prev Next
