Indian card processor in $45 million heist is ElectraCard

New York, May 11 – One of the credit card processing companies whose security was breached in a $45 million global cyber heist was India's ElectraCard Services, according to two people familiar with the situation.

 

ElectraCard Services processes prepaid travel cards for National Bank of Ras Al Khaimah PSC (RAKBANK), one of two Middle Eastern banks named by U.S. prosecutors on Thursday as victims of the heist, the people said.

 

The prosecutors said an international criminal gang made two coordinated hits on cash machines around the world, withdrawing $5 million on December 21 last year and a further $40 million on February 19 this year.

 

The gang was able to make big withdrawals after hacking into an Indian and a U.S. credit card processing company to raise the balances and withdrawal limits on MasterCard prepaid debit cards, the prosecutors said. They did not name the processing companies.

 

A U.S. official and an employee of RAKBANK in Dubai both said the Indian card processor – used in the heist on December 21, 2012 – was ElectraCard Services, which is based in Pune, India. The two people spoke on condition of anonymity.

 

Ramesh Mengawade, the CEO of ElectraCard Services and its parent firm, Opus Software Solutions, could not be reached through his executive assistant or through e-mail on Saturday. Calls to the mobile phone of another company official were not answered.

 

An official at an external public relations firm that works with ElectraCard also said he had not been able to reach Mengawade on Saturday and did not have immediate comment.

 

RAKBANK has said two of its Prepaid MasterCard Cards have been launched with the support of ElectraCard.

 

MasterCard bought a 12.5 percent stake in ElectraCard in 2010, ElectraCard has said. MasterCard has said it had cooperated with law enforcement in the investigation and stressed that its systems were not involved or compromised in the attacks.

 

Cyber security experts said the global scope and speed of the $45 million bank theft were unprecedented. The global gang had operatives in 27 countries who could fan out to thousands of ATMs in a matter of hours and withdraw money using fraudulent prepaid debit cards, according to U.S. prosecutors.

 

The U.S. Justice Department gave details of the heist on Thursday in an indictment against eight men accused of being the New York cell of the organization. The department said seven of the men have been arrested.

 

Dominican police on Friday confirmed that the eighth, Alberto Lajud-Pena, allegedly the leader of the New York cell, was shot dead in a robbery attempt in the Dominican Republic on April 27. Investigators found $100,000 in cash in the house where he was killed, as well as an M-16 assault rifle, two 9 mm pistols, a revolver, ammunition clips and a telescopic sight. It was not clear if the killing or the money were related to the cyber thefts.

 

Also on Friday, German prosecutors said they arrested two Dutch citizens, a man and a woman, on February 19, who were withdrawing cash at machines in Duesseldorf from accounts at Bank of Muscat of Oman, the other bank named by U.S. prosecutors.

 

The ringleaders of the global operation were believed to be outside the United States, but U.S. prosecutors have declined to give details, citing the continuing investigation. Germany is the only other country so far to announce arrests.

 

PREPAID CARDS

 

Experts in cyber security said the heists expose an Achilles heel in the global financial industry: prepaid debit cards.

 

Prepaid cards have fewer controls on them than regular credit and debit cards issued by banks. Each prepaid card issued is like a blank slate: anonymous, new, and lacking any credit history or individual behavior pattern against which bankers and payment processors can measure activity to look for red flags.

 

A thief moving from ATM to ATM with a personal credit card would likely raise alarms quickly, because his or her behavior would look out of place compared to the credit card user's normal activity, experts said.

 

RAKBANK said the fraud against it took place at the end of last year. REUTERS