Sri Lanka was one of the targets for a worldwide gang of criminals who stole US$ 45 million in a matter of hours by hacking their way into a database of prepaid debit cards and then draining cash machines around the globe, US federal prosecutors said – and outmoded American card technology may be partly to blame.
Seven people were under arrest on Thursday in the US in connection with the case, which prosecutors said involved thousands of thefts from ATMs using bogus magnetic swipe cards carrying information from Middle Eastern banks.
The fraudsters moved with astounding speed to loot financial institutions around the world, working in cells including one in New York, Brooklyn US Attorney Loretta Lynch said.
She called it “a massive 21st-century bank heist”.
One of the suspects was caught on surveillance cameras, his backpack increasingly loaded down with cash, authorities said.
Others took photos of themselves with giant wads of bills as they made their way up and down Manhattan.
To make it possible, hackers got into bank databases, eliminated withdrawal limits on pre-paid debit cards and created access codes. Others loaded that data onto any plastic card with a magnetic stripe - an old hotel key card or an expired credit card worked fine as long as it carried the account data and correct access codes. A network of operatives then fanned out to rapidly withdraw money in multiple cities.
The thieves plundered funds held by the banks that back up prepaid credit cards, not individual or business accounts, Lynch said. The scheme attacked Rakbank in the United Arab Emirates and the Bank of Muscat in Oman, prosecutors said.
The plundered ATMs were in Japan, Russia, Romania, Egypt, Colombia, Britain, Sri Lanka, Canada and several other countries, and law enforcement agencies from more than a dozen nations were involved in the investigation, US prosecutors said.
The accused ringleader in the US cell, Alberto Yusi Lajud-Pena, was reportedly killed in the Dominican Republic late last month, prosecutors said. His body was found with a suitcase of US$ 100,000 cash.
An indictment unsealed on Thursday accused Lajud-Pena and the other seven New York suspects of withdrawing US$ 2.8 million in cash from hacked accounts in less than a day.
Such ATM fraud schemes are not uncommon, but the US$ 45 million stolen in this one was at least double the amount involved in previously known cases, said Avivah Litan, an analyst who covers security issues for Gartner Inc.
Middle Eastern banks and payment processors are “a bit behind” on security and screening technologies that are supposed to prevent this kind of fraud, but it happens around the world, she said.
Some of the fault lies with the ubiquitous magnetic strips. The rest of the world has largely abandoned cards with magnetic strips in favour of ones with built-in chips nearly impossible to copy.
The New York suspects were charged with conspiracy and money laundering. If convicted, they face 10 years in prison.