A well-organized group of criminals recently stole $45 million by hacking into debit card systems, increasing cards’ withdrawal limits, and then using cloned debit cards to make a large number of coordinated withdrawals in two days at ATMs in 27 countries.
How was it possible for criminals to steal so much money from ATM machines in just two days? With massive amounts of security technology deployed by banks, how did criminals manage to pull this crime off? And why should this be of concern to every entrepreneur and small business owner?
While there were clearly many factors that contributed to the success of the criminals, I believe that they successfully exploited four primary vulnerabilities, the sum of which provides a very important message to small business owners:
1. Avoid pre-paid debit cards
The criminals perpetrated their fraud using cloned pre-paid debit cards – which, unlike credit cards or bank-account-linked debit cards, do not have an associated human owner and historical pattern of usage. Hence, detecting anomalies is much more difficult – especially when the cards are first used. If someone uses a credit card in the New York area every day, for example, and on one morning someone else attempts to use it to withdraw a large amount of money from several ATMs in Eastern Europe, anti-fraud systems will immediately raise red flags. Alerts may not occur, however, if similar withdrawals were attempted with pre-paid debit cards; their owners and “normal” usage patterns are unknown, and smaller processing firms may lack the sophistication to detect problems.
2. Consider cards with chip-based technology
The cards used to perpetrate the crime contained data recorded on magnetic strips, and did not utilize chip-based technology. Despite remaining common in the USA (primarily due to the cost of replacing payment terminals), magnetic strips are outdated, and their security is inadequate. It is far easier to create a fake debit card that uses a magnetic strip, for example, than one that uses a chip. To appreciate just how antiquated magnetic strip technology is, consider how similar your current debit cards look to the ones you used a decade or two ago. Also, think about when the last time was that you used magnetic strip technology for recorded music (e.g., by recording onto an eight-track tape or cassette) or for video (e.g., by recording a movie to a Betamax or VHS tape).
3. Be sure to bank with internationally trusted banking institutions
The systems breached by the hackers were at overseas credit card processors, not at the cards’ issuing banks from whom the money was stolen. Overseas processors often lack the robust security infrastructure that banks utilize, and, especially in certain regions of the world, are not immune from insider threats and corruption. The combination of easier penetrability – either the result of insufficient technological defenses or through an ability to obtain access credentials by “paying off” someone on the inside – coupled with weaker fraud-detection systems, makes such systems a highly attractive target for hackers.
4. Rest assured, the bad guys never really get away
The hackers hired partners to make the actual withdrawals at ATMs in 27 different countries; by spreading out, and limiting the amount withdrawn at any particular location, they made correlating the various fraudulent withdrawals to the same source more difficult, especially for processors lacking technological sophistication. Ironically, this strategy may have also ultimately undermined the crooks; involving a large number of people in the perpetration of a crime dramatically escalates the chances of errors, and of someone getting caught and “talking.” While the people making the withdrawals may have been kept in the dark about the identities of the crime’s orchestrators, their communications and money transfer records should help direct law enforcement in the right direction.
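As an added illustration of points 1 and 4 (not code from the original article): a per-card history check has nothing to compare against for cards with no usage history, while grouping withdrawals by card program still exposes a coordinated, geographically spread cash-out. The card ids, program names, thresholds and sample withdrawals are assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data; card ids, program names and amounts are invented.
START = datetime(2000, 1, 1, 8, 0)
# Countries each card has been used in before. Pre-paid cards have no entry.
HISTORY = {"credit-001": {"US"}}
# (card, card_program, country, minutes_after_START, amount)
WITHDRAWALS = [
    ("credit-001", "bank-credit", "RO", 0, 900),
    ("prepaid-101", "prepaid-A", "RO", 5, 900),
    ("prepaid-102", "prepaid-A", "JP", 12, 900),
    ("prepaid-103", "prepaid-A", "DE", 20, 900),
    ("prepaid-104", "prepaid-A", "CA", 31, 900),
    ("prepaid-201", "prepaid-B", "US", 40, 60),
]

def per_card_alerts(withdrawals, history):
    """Flag cards used outside the countries in their own usage history."""
    flagged = set()
    for card, _program, country, _minute, _amount in withdrawals:
        known = history.get(card)
        if known is None:
            continue  # no baseline: "normal" is unknown, nothing to compare
        if country not in known:
            flagged.add(card)
    return flagged

def program_alerts(withdrawals, window=timedelta(hours=1),
                   max_countries=3, max_total=3000):
    """Flag card programs whose cards, taken together, look coordinated."""
    by_program = defaultdict(list)
    for _card, program, country, minute, amount in withdrawals:
        when = START + timedelta(minutes=minute)
        by_program[program].append((when, country, amount))
    flagged = set()
    for program, events in by_program.items():
        events.sort()
        for i, (t_first, _, _) in enumerate(events):
            hits = [(c, a) for t, c, a in events[i:] if t - t_first <= window]
            countries = {c for c, _ in hits}
            if len(countries) > max_countries or sum(a for _, a in hits) > max_total:
                flagged.add(program)
                break
    return flagged

if __name__ == "__main__":
    print("per-card alerts:", per_card_alerts(WITHDRAWALS, HISTORY))
    print("per-program alerts:", program_alerts(WITHDRAWALS))
```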
While various actions could be taken to reduce the chances of a similar heist being perpetrated in the future, that is the focus of the parties involved in the card business and government regulators. This episode, however, should be a teaching moment for small business owners. Criminals have wised up to the fact that while large banks have large amounts of money to steal, hacking less sophisticated firms may be, at times, more attractive. Smaller firms are more likely to lack advanced cybersecurity capabilities, are more likely to utilize outdated technologies, and are less likely to have high-level connections with law enforcement officials. Breaching them is easier, and the odds of getting caught are smaller. Furthermore, as was proven by the ATM crooks described above, smaller firms can be exploited to serve as the mechanism for stealing from banks or other larger firms with deep pockets.
This is an important consideration for all business owners. Criminals are working down the ladder and no firm is immune from attack; besides stealing from you, or using your systems to spread malware, a criminal who has breached your systems can use your data as a weapon against others. How hard would it be, for example, for someone to issue a phony purchase order to a supplier if he hacked your internal systems? How hard would it be to craft a fraudulent ACH payment from a partner or customer’s bank account – or even from employee accounts – if a hacker obtained the necessary information from your financial, payroll, direct payment, and direct deposit records? How hard would it be for a crook to social engineer a customer into diverting payment to her for goods or services you provided if she had access to all of your customer records? Could a criminal make fraudulent purchases using credit card information obtained from your internal systems, or issue fraudulent checks or ACH payments against a line of credit whose records are kept on a computer in your office?
Your business is not too small to think about cybersecurity. After all, what impact would it have on your business if any of the aforementioned – or any similar type of attack – occurred?