RAK Bank on the Khalin Bin Al Waleed Street also known as Bank Street in Bur Dubai. Image Credit: Pankaj Sharma/Gulf News Archive

Dubai: Hacking, phishing and other hi-tech methods are feared to be the dominant ways in bank robberies in the future and are costing the global financial sector a hefty $1 billion (Dh3.67 billion) annually, according to reports.

In December 2012 and February this year, a gang of cybercriminals stole $45 million (Dh165 million) in a matter of hours by hacking their way into a database of prepaid debit cards — in two separate incidents last December and February this year — and then draining cash machines around the globe, US federal prosecutors said, blaming outmoded US card technology.

Two banks in the GCC — Rakbank in the UAE and the BankMuscat in Oman — were affected in the heist.

Seven people are under arrest in the US in connection with the case, which prosecutors said involved thousands of thefts from ATMs using bogus magnetic swipe cards carrying information from Middle Eastern banks.

“The fraudsters moved with astounding speed to loot fin-ancial institutions around the world, working in cells including one in New York,” US Attorney Loretta Lynch said.

She called it “a massive 21st-century bank heist” carried out by brazen thieves.
One of the suspects was caught on surveillance cameras, his backpack increasingly loaded down with cash, authorities said. Others took photos of themselves with giant wads of bills as they made their way up and down Manhattan.

Separate attacks

There were two separate attacks, one in December that reaped $5 million worldwide and one in February that snared about $40 million in 10 hours with about 36,000 transactions. The scheme involved attacks on two banks, Rakbank in the UAE and the Bank of Muscat in Oman, prosecutors said.

The plundered ATMs were in Japan, Russia, Romania, Egypt, Colombia, Britain, Sri Lanka, Canada and several other countries, and law enforcement agencies from more than a dozen nations were involved in the investigation, US prosecutors said.

“Rakbank has noted reports emanating from the USA in connection with a fraud of $5 million in which the Bank is named. We are given to understand that the overall fraud encompassed a number of banks not only in the Middle East but in the USA and other countries,” Graham Honeybill, Rakbank’s Chief Executive Officer, told Gulf News.

“The incident relates back to events in December 2012 and involved the Bank’s service provider in India. The amount of the potential loss was Dh17.4 million and this was fully provided for before the Bank closed its 2012 accounts. The Bank can confirm that none of its customers suffered any financial loss as a result of this fraud,” he said in an emailed statement. Such ATM fraud schemes are not uncommon, but the $45 million stolen in this one was at least double the amount involved in previously known cases, said Avivah Litan, an analyst who covers security issues for Gartner Inc.

Middle Eastern banks and payment processors are “a bit behind” on security and screening technologies that are supposed to prevent this kind of fraud, but it happens around the world, she said. “It’s a really easy way to turn digits into cash,” Litan said.

Continuous upgrade

Despite this, bankers say, they are continuously upgrading their systems to stay ahead of the cybercriminals. “However, despite our continuous vigilence, thing might happen — as cyberworld is the next frontier for all activities,” said a senior banker in Dubai, requesting anonymity.

Hackers got into bank databases, eliminated withdrawal limits on pre-paid debit cards and created access codes. Others loaded that data onto any plastic card with a magnetic stripe — an old hotel key card or an expired credit card worked fine as long as it carried the account data and correct access codes.

A network of operatives then fanned out to rapidly withdraw money in multiple cities, authorities said.

The cells would take a cut of the money, then launder it through expensive purchases or ship it wholesale to the global ringleaders. Lynch didn’t say where they were located.

It appears no individuals lost money. The thieves plundered funds held by the banks that back up prepaid credit cards, not individual or business accounts, Lynch said.
She called it a “virtual criminal flash mob,” and a security analyst said it was the biggest ATM fraud case she had heard of.

— With inputs from agencies