Stolen Millions Expose Middle East Banks’ Vulnerability to Cyber Thieves

The men smiled at the smartphone camera, holding up wads of cash. They were members of a cybercriminal gang, eager to show off the spoils of targeting two banks in the Middle East: The National Bank of Ras al-Khaimah (Rakbank) in the United Arab Emirates, and the Bank of Muscat in Oman. In two different attacks, spanning just 10 hours, United States prosecutors said the gang of eight managed to steal US$45 million by hacking into a database of prepaid credit cards belonging to the banks, and then using fake swipe cards to withdraw money from ATMs in 27 countries.

Their gleeful spree would be cut short. Announcing the arrests of the gang members, the U.S. Attorney for the Eastern District of New York Loretta Lynch called it "a massive 21st-century bank heist," adding, "In the place of guns and masks, this cyber crime organization used laptops and the Internet. Moving as swiftly as data over the Internet, the organization worked its way from the computer systems of international corporations to the streets of New York City."

The arrests in the U.S. revealed the coordinated sophistication of the gang, and the ease by which they looted the banks. Experts say financial institutions in the Middle East are tempting targets for such heists, and they are partly to blame. They argue that institutions need better Internet security protocols, particularly when outsourcing information services, as regional companies regularly come under attack from politically motivated hackers as well.

"It’s a question of enforcement of regulatory controls, which are broken and sketchy in the Middle East, so obviously you’re going to have a higher number of cyber crimes in that particular context," said Gurpreet Dhillon, professor of information technology at Virginia Commonwealth University. "There’s also an immaturity aspect with a lot of these organizations, in dealing with cyber crimes. There’s all sorts of capabilities that go into cybercrime management, and I believe many organizations are premature in that sense."

Weak Links

The gang were actually strangers who came together via Internet forums where illicit information is traded and people are recruited for cyber crimes. Jason Weinstein, a lawyer who once oversaw the U.S. Justice Department’s computer crime unit, told Reuters, "It’s sort of like Craigslist for cyber criminals."

The gang planted computer viruses inside the financial institutions’ networks. Once they had gathered enough information, they produced fake ATM cards, coding stolen data onto magnetic swipe strips. The cards were distributed to "cashers" whose sole role was to drain funds, and the money passed onto mules who moved them either in cash bundles or by buying luxury items.

The gang stole US$5 million from RakBank on Dec. 21, and the remaining millions from the Bank of Muscat on Feb. 19. The weak links exploited by the gang were two card payment processing centers in India. The gang managed to hack them, raised the balance and withdrawal limits on the compromised accounts, then sent out teams to make withdrawals.

The Indian companies that were hacked publicly acknowledged they had been successfully infiltrated after the attacks were made public. "In three or four accounts, there was a breach, where the limit of cash that can be withdrawn from a pre-paid card was increased," said Ramesh Mengawade, chief executive officer of ElectraCard Services, in an interview with Reuters. ElectraCard handled payment processing for RakBank’s prepaid travel cards. EnStage was the other company attacked by the gang. "Our customers were adversely affected by this sophisticated crime," EnStage CEO Govind Setlur said in a statement in the Times of India.

In response to the attacks becoming known publicly, the chief executive officer of Rakbank, Graham Honeybill, told Reuters "none of its customers suffered any financial loss as a result of this fraud." In a note, the Bank of Oman stated, "We are exploring all avenues of recovery so as to protect shareholder interests and will advise the markets accordingly if there are any material developments in this regard."

Dhillon said the lack of disclosure beforehand was an example of organizational immaturity when it came to dealing with cyber security issues. He cited as an example the state of California, which requires institutions to inform their customers when a security breach occurs. "As a result, it has become natural for individuals to receive emails of this sort, that ‘Yes, your account has been compromised, we’re sorry about that, and here are the steps we are going to take.’ That isn’t a solution, but it’s a step in the right direction. It brings about an awareness that there is a problem with security, and this is how you deal with it."

Some financial institutions may fear losing customers if they were to reveal how often their security is compromised. But Dhillon said not all attacks result in reputational loss. A few years back, Visa suffered a series of Denial of Service attacks that impacted a number of its clients, including banks. But the banks themselves were not compromised. "Sometimes its simply better to communicate the magnitude of the problem to your clients," he said.

Regional Targets

Rakbank and Bank of Muscat in Oman were easy targets, said one cyber security expert, partly because Middle Eastern banks let their customers put large sums on cards yet do not monitor them as carefully as banks in other regions would. "It’s a target-rich environment in terms of soft electronic security," Shane Shook, global vice president of consulting for the security firm Cylance Inc., told Reuters.

"It’s important for individuals to recognize that at the end of the day, they are the custodians of their own data," Dhillon added. "If they are not responsible users of their own data, what’s the point of having security policies or security strategies for an enterprise? So it goes both ways. Increased individual awareness, and that enterprises are aware of their responsibilities of ensuring cyber security policies."

For companies, it is important to have good cyber security policy, Dhillon said, but oftentimes he said policies do not have anything to address actual problems. "So having policies make sense, and how you build them out, that’s a whole educational awareness aspect that needs to be touched upon."

Another regional banker pointed out that for a number of regional institutions, cyber security still is a bottom-line issue because of cost, and do little diligence when it comes to securing information, or choosing partners for sensitive information service outsourcing. "They are unwilling to pay for such measures," said the banker, who was not authorized to speak publicly about the issue.

Dhillon is one of the authors of a new paper that will be presented at a cyber security conference. The paper, "Secure Outsourcing: An Investigation of the Fit Between Clients and Providers," speaks to the issue of security and outsourcing information services, such as payment processing.

"Many of the problems stem from a lack of fit between what IT outsourcing vendors consider to be the key success factors and what outsourcing clients perceive to be critical for the success of the relationship," the paper notes. "[The] majority of IT outsourcing projects fail because of a lack of appreciation as to what matters to the clients and the vendors. [Secondly], several IT outsourcing projects fall victim to security breaches because of a range of issues — broken processes, or a failure to appreciate client requirements, among others."

"What the vendors perceive to be the top security issues are not necessarily in sync with what the client wants," Dhillon says. "I think the blame is shared. Once you get a vendor to do something, it is the responsibility of clients to ensure that all of the processes are secure, regardless of whether they are in-house or they have been outsourced."

The cyber robbery of Rakbank and the Bank of Muscat was similar to one in 2008, when a gang from Eastern Europe and Russia hacked the Royal Bank of Scotland’s credit card processor. The indictment against the gang noted they drained US$9 million from more than 2,100 coordinated ATM withdrawals in less than half a day.

Other financial institutions in the Middle East have been attacked by hackers, but not for money. Last year, a self-described Saudi Arabian hacker posted details of 400,000 Israeli credit cards online. More Israeli bank accounts were compromised, before retaliation from Israeli hackers, who posted information from Saudi Arabian credit cards. Hackers then disrupted websites of the Tel Aviv Stock Exchange, El Al Airlines and several Israeli banks, the Abu Dhabi Securities Exchange and Tadawul, Saudi Arabia’s exchange, then the United Arab Emirates’ Central Bank website and that of the Arab Bank Palestine.

"From a government standpoint, some kind of regulatory framework has to be created," Dhillon says. "There are laws dealing with cybercrime in the Middle East. But they need to be revisited every so often, and integrated with the path of the rest of the world. It’s not just one country having its own set of laws. How do they link up with the rest of the world?"

Dhillon noted that there isn’t a complete harmonization of Internet regulations on an international scale, so the task remains difficult. Still, he said, "One of the problems of cyber security is that its not location dependent. So when you talk about regulatory frameworks, they have to go beyond your own country."