Another Huge Cash-Out Scheme RevealedExperts Say Banks Must Enhance Defenses, Monitoring
Federal authorities have charged eight suspects in yet another ATM cash-out and cybercrime scheme that involved online account takeovers and prepaid card compromises.
See Also: Taking Advantage of EMV 3DS
So far, four arrests have been made in the case, which also involved fraudulent ATM withdrawals and wire transfers to overseas accounts, as well as identity theft, in some cases, to perpetrate tax fraud, investigators say.
The government's ongoing investigation has so far identified attempts to defraud the victim companies and their customers of more than $15 million, federal prosecutors say.
This is the second major cash-out scheme revealed by federal authorities in recent weeks. In May, authorities announced the separate indictment of eight other individuals allegedly linked to a $45 million global ATM cash-out and money-laundering scheme.
Experts say these types of cash-out attacks are an emerging trend that card-issuing banks and credit unions need to take seriously.
"This trend is of grave concern," says financial fraud expert Shirley Inscoe, an analyst with Aite, an industry consultancy and research firm. "The risk-reward picture is very attractive to those who are inclined to steal from others for their own personal gain."
International Crime Ring
Those charged in the latest cash-out case have been linked to an international cybercrime ring that hacked customer accounts at more than a dozen banks, brokerage firms, payroll processing companies and government agencies, according to a statement from the U.S. Attorney's Office for the District of New Jersey.
"According to the complaint unsealed today, cybercriminals penetrated some of our most trusted financial institutions as part of a global scheme that stole money and identities from people in the United States," says U.S. Attorney Paul J. Fishman.
"Today's charges and arrests take out key members of the organization, including leaders of crews in three states that used those stolen identities to cash-out hacked accounts in a series of internationally coordinated modern-day bank robberies. We will continue to pursue our investigation into this scheme and our fight against the rising threat of criminals for whom computers are the weapon of choice."
Hackers allegedly intercepted account and cardholder data after gaining unauthorized access to computer networks of global financial institutions and organizations, including Aon Hewitt; Automated Data Processing Inc.; Citibank N.A.; E-Trade; Electronic Payments Inc.; Fundtech Holdings LLC; iPayment Inc.; JPMorgan Chase Bank N.A.; Nordstrom Bank; PayPal; TD Ameritrade; the U.S. Department of Defense; the Defense Finance and Accounting Service; TIAA-CREF; USAA and Veracity Payment Solutions Inc.
Once inside the victim companies' computer networks, the defendants and conspirators allegedly diverted money from accounts of the companies' customers to bank accounts and prepaid debit cards controlled by the defendants. They then employed crews of individuals known as cashers to withdraw the stolen funds from ATMs and through fraudulent purchases in New York, Massachusetts, Illinois, Georgia and elsewhere, authorities say.
The defendants and their conspirators also allegedly laundered the proceeds from their scheme and made international wire transfers to the leaders of the conspiracy overseas, according to federal prosecutors.
The eight defendants have been charged with conspiracy to commit wire fraud, money laundering and ID theft. In addition to fraudulent funds transfers, ATM withdrawals and purchases, the ring also allegedly stole U.S. identities to file fraudulent tax returns with the Internal Revenue Service, authorities say.
According to the complaint, Oleksiy Sharapka of Kiev, Ukraine, allegedly directed the conspiracy with the help of Leonid Yanovitsky, also of Kiev. Oleg Pidtergerya of Brooklyn, Robert Dubuc of Malden, Mass., and Andrey Yarmolitskiy of Atlanta allegedly managed crews in their respective cities. Richard Gundersen of Brooklyn and Lamar Taylor of Salem, Mass., allegedly worked for Pidtergerya and Dubuc, respectively. Ilya Ostapyuk of Brooklyn allegedly facilitated the movement of the fraudulent proceeds.
Pidtergerya, Ostapyuk and Dubuc were arrested June 12 at their homes, and Yarmolitskiy was arrested June 11. Taylor and Gundersen are being pursued by law enforcement, and Sharapka and Yanovitsky, Ukrainian nationals, remain at large.
If convicted, each of the defendants faces a maximum penalty of 20 years in prison for conspiracy to commit wire fraud, 20 years for conspiracy to commit money laundering and 15 years for conspiracy to commit identity theft. The wire fraud and identity theft counts also carry a maximum fine of $250,000, or twice the gross amount of pecuniary gain or loss resulting from the offenses. The money laundering conspiracy count carries a maximum fine of $500,000, or twice the value of the monetary instruments involved.
'A Huge Carrot'
While it's promising to see law enforcement quickly making arrests, Aite's Inscoe says authorities will always be chasing the next case because these types of attacks have proven too easy to pull off. "The amount of money available represents a huge carrot that is potentially theirs," she says.
This is why banking institutions, as card issuers and overseers of online accounts, have to take responsibility for ensuring stronger security across the payments chain, says Joe Rogalski, a security consultant and former fraud and compliance officer for First Niagara Bank, a $36 billion institution in New York state.
"It comes down to assessing their systems the way an attacker would," he says. "This would typically involve a red team trying to break in and perpetrate fraud. It is important that they are looking at the entire program, when evaluating controls, because a breakdown in process could be, and usually is, more devastating than technology."
Inscoe says banking institutions also should monitor for system and network intrusions as well as shore up their firewalls. "Banks' fraud departments should be monitoring the account activity of their customers, using behavioral analytics and other forms of fraud detection," she adds. "These criminal rings have been withdrawing large amounts of cash at ATMs, sending wires, etc. If this happens on a customer's account who typically never withdraws large sums, has never sent a wire or never has sent a wire to the designated bank or account before, those transactions should be verified prior to the funds leaving the bank."