US charges cyber-crooks over US$45 million ATM crime

US officials have charged 8 people with taking part in two cyber-attacks that resulted in US$45 million of fraudulent cash withdrawals from ATMs in 27 countries.  According to the US Justice Department, the gang broke into the computers of two credit card processors, one in India in December 2012 and the other in the United States this February. They hacked data relating to pre-paid cards and then raised the balance limits, before sending the data to cells around the world that cloned the cards and used them fraudulently (with PINs) to withdraw cash from ATMs.

The money was stolen from two Middle Eastern banks. The reported losses have risen significantly since I first commented on the attacks in a post on 7th February 2013.  It's interesting to note that, of the 8 US citizens arrested, 7 originated from the Dominican Republic.  According to the latest European ATM Crime report published by EAST, the USA and the Dominican Republic are the top two locations for ATM related fraud losses for counterfeit (skimmed) European cards.

This is worrying stuff for US card issuers.  Such a scam is not so easy to perpetrate on EMV (Chip and PIN) cards.  As a chip is not present on a cloned (counterfeit) EMV card the clone can't be used for ATM cash withdrawals (unless the EMV card issuer allows it and most now don't).  Now that the cyber-criminal community has woken up to how easy it is to perpetrate this type of crime against non-EMV cards, their sights are likely to be set on US issued mag-stripe only cards, or non-EMV cards from other countries.

It is good to see that, if convicted, the defendants face a maximum sentence of 10 years' imprisonment on each of the money laundering charges and seven and a half on the conspiracy to commit access device fraud charge, restitution, and up to $250,000 in fines.  Nonetheless, criminals like to get easy cash, and this case may well spark copycat cyber-attacks.