Blog
Cruising to EMV eventuality?
May 17, 2013 by Richard Buckle — Founder and CEO, Pyalla Technologies, LLC
In the summer of 2009 Margo and I enjoyed a Baltic cruise. For me, the most interesting port of call was St. Petersburg, Russia. Long considered the "other Venice," the city's network of canals creates a similar setting.
Even as the calm waters of the canal beguiled and encouraged the photographer in us all, I noticed just how many people were sitting in coffee shops and cafes, oblivious, as they labored over laptop computers.
I recall being told at the time how it was sad to see so many unemployed PhDs simply filling in time before playing chess in the afternoon. Someone in the bus tour asked whether any of these computer enthusiasts were turning to criminal activities, particularly ATM skimming. The response that I overheard, surprising as it was, remains with me to this day.
"Oh no, I don't think anything this small interests criminals these days as much as finding ways to intercept major bank wire transfers. Why mess with pilfering hundreds or thousands of dollars when you could tap into millions, perhaps more! It's even possible the banks will never report such a loss."
I am sure that, in general, the good folks in St. Petersburg are not inclined to pursue such activities, but it's been hard of late not to think back on this, given a breaking story that I caught sight of in USA Today. "Hackers stole $45 million in ATM card breach," read the headline.
"In the place of guns and masks, this cybercrime organization used laptops and the Internet," U.S. Attorney Loretta Lynch said in the story. "Moving as swiftly as data over the Internet, the organization worked its way from the computer systems of international corporations to the streets of New York City."
According to email exchanges with individuals at payments switches I work with, similar events have previously occurred.
In the Aug. 26, 2011, issue of newsletter, KrebsonSecurity, Brian Krebs (a former Washington Post reporter), blogged about Fidelity National Information Services Inc. Krebs said FIS "had incurred a loss of approximately $13 million related to unauthorized activities involving one client and 22 prepaid cards on its Sunrise, Florida based eFunds Prepaid Solutions ... cyberthieves broke into the FIS network and targeted the Sunrise platform's 'open-loop' prepaid cards."
Tucked away at the very end of the article was a comment about a prior similar attack against RBS WorldPay in Atlanta. In that case, a key figure from St. Petersburg, Russia, "monitored the fraudulent ATM withdrawals remotely in real-time using compromised systems within the payment card network."
Imagine then my surprise then when I logged on to the Wall Street Journal to read more about the $45 million heist, only to find that "investigators said they found an email exchange with an account associated with a criminal money laundering operation in St. Petersburg, Russia, describing wire transfers." For me, it was a sense of déjà vu; perhaps the calm waters in the canals were turning boisterous, rocking all boats!
Yahoo News published an article on whether the banks would get their money back. In this article, they reported that, "Oman-based Bank of Muscat lost $40 million and United Arab Emirates-based National Bank of Ras Al Khaimah PSC (RAKBANK) lost $5 million in the global heist … In the hit against Bank of Muscat, the processor is enStage Inc., based in Cupertino, California … In the RAKBANK case, the processor is India's ElectraCard Services."
ECS said in a press release on Sunday that data appeared to have been compromised outside its "processing environment." The company said it has "engaged external agencies such as Verizon in its forensic and other investigations. Through these investigations, there is a now a better understanding of how this has been perpetrated — however as the investigation has revealed, the PIN and magnetic stripe data seem to have been compromised outside the ECS processing environment (these bits of data are essential to make ATM withdrawals)."
I have enjoyed a lengthy relationship with ECS over the years so I reached out to Senior VP, Madhu Gopinath, who told me clearly, "when it comes to open-loop prepaid cards, there's a very fine line between growing a marketplace, embracing new populations of users, and the risks involved."
Madhu then observed, "with EMV in place across America, the 'mechanics' behind this current attack would have been so much harder to achieve. Duplication would be very difficult and it would require a huge expansion in (criminal) logistics to support."
It is my observation that this current event is not about payment processors per se but rather the processes (and policies) of the card issuers themselves.
It was only a few posts back that I wrote of this being the year for EMV adoption. As the specifics of this very large heist become better known, further mandates are sure to follow. However, I cannot get over how much less damage could have been inflicted if EMV were widely supported.
Yes, we have crossed some rough waters, so let us not lessen our diligence or simply "wait until we have to," as one vendor suggested to me, but rather, become more proactive. I can't imagine the laptops disappearing from the café tables of St. Petersburg any time soon.
About Richard Buckle
Richard Buckle is the founder and CEO of Pyalla Technologies, LLC. He has enjoyed a long association with the Information Technology (IT) industry as a user, vendor, and more recently, as an industry commentator, thought leader, columnist and blogger. Richard participates in the HPE VIP Community where he is part of their influencer team.
Related Media
SecurityPresented ByDiebold Nixdorf
Subscribe
Get the latest news and resources from ATM Marketplace.
Recent Posts
