Wednesday, May 29, 2013

When the going gets tough …

Following posts (ATMmarketplace, realtime.ir and comForte Lounge, as well as commentaries to LinkedIn groups) on the $45 Million heist from ATMs, it is appropriate to wrap-up this story with input from a party directly involved …

It is rare that I am ever at a loss for words, especially after alighting from a car following a quick dash through the countryside. However, this past weekend, the Memorial Day long weekend, I participated in our club’s three-stage fun “rally” deep in Moab, Utah’s, surrounding national parks where I proceeded to head in the wrong direction. However, there was nothing wrong with what we saw as we traversed the landscape!

Margo and I were new to this club so when the instructions arrived, we saw there was incorrect information provided and confused as we were with what we saw, we pressed on regardless only to turn an easy, 53 plus mile segment, into a marathon 250 plus miles. I had to really drive hard to redeem some of my self-esteem so that I could face my fellow drivers later in the day.

On the other hand, I hadn’t given up electing to correct my error and to aggressively pursue making amends for my mistake. While this is easily said and done, when it comes to games, events of this past week highlighted the importance of taking similar actions in business. I have to believe almost everyone has heard by now that following the acquisition of Chrysler by FIAT among the very first decisions made by the new parent was to give the green light to the Chrysler division, SRT, for the development of a new Viper high performance car – a “halo product” for the reinvigorated manufacturer.

However,
when one magazine secured a new SRT Viper to test it on the famous Mazda Raceway Laguna Seca course in Monterey, California, its performance wasn’t quite up to the expectations, with the new SRT Viper failing to match the lap times of a previous generation Corvette ZR1. Ouch! How did the SRT CEO, Ralph Gilles respond? According to the magazine, Gilles response to the bad news was a showcase for what we should expect from our business leaders.

True, the initial response by Gilles was that GM and Corvette cheated, but then the magazine reported, “Here’s the important part. People like Ralph Gilles get where they are (president and CEO of SRT and vice president of Design for Chrysler) because when the going gets tough, they roll up their sleeves and do something”. A well-worn cliché for sure, but then the reporter went on to add, “In this case, Gilles pushed a new car out the gates in just nine weeks … Ralph tweeting (the magazine’s) editor-in-chief and me, ‘You forced me to build this!’”

Yes, this new Viper, what SRT now calls the Viper TA (Track Attack), was able to circulate Laguna Seca faster than the much-lauded Corvette ZR1. However, when it comes to IT, there have also been headlines of late that have drawn equally a hands-on response, and one that is worth recognizing.

Readers who check out my postings to other blogs would have been hard pressed to miss the column inches I have devoted to following up on the recent fraudulent raids perpetrated on the global ATM network. As I observed in my first post to comForte Lounge, Are you still sure you are secure?,  there was a global raid on ATMs with criminal gangs fraudulently pilfering $45 million in two separate attacks; the first on December 21, 2012, that netted $5 million, with the second on February 14, 2013, a much bigger attack, that netted an additional $40 million.

I devoted all of my most recent post to ATMmarketplace, Cruising to EMV eventuality? , to the same topic where I referenced a USA Today reporter who quoted Brooklyn U.S. Attorney, Loretta Lynch, as having said “
In the place of guns and masks, this cybercrime organization used laptops and the Internet. Moving as swiftly as data over the Internet, the organization worked its way from the computer systems of international corporations to the streets of New York City.”

Lastly, in the post to realtime.ir, We need to step up our monitoring – the crooks are getting smarter!, I referenced a May 9, 2013, article in the New York Times where the reporter said, “Beyond the sheer amount of money involved, law enforcement officials said, the thefts underscored the vulnerability of financial institutions around the world to clever criminals working to stay ahead of the latest technologies designed to thwart them.” What also came out in these reports were references to social media exploitation with the possibility that this was the first ever reported “crowd-sourced criminal attack” on a financial institution.  

These raids,
on the world’s ATMs, represented theft of an unparalleled nature. Caught up in the storyline, unfortunately, were our good friends at ElectraCard Systems (ECS), out of Pune, India. ECS were the payment processor supporting RAKBANK out of the United Arab Emirates where criminals helped themselves to $5 Million. Central to the theft were prepaid cards that criminals had manipulated to allow unlimited withdrawals – no matter how much cash was withdrawn from an ATM with these prepaid cards, there was always more cash available.

With ECS now very much in the headlines, I reached out to the ECS executives for further information. What impressed me, as I began a dialogue with ECS, is how quickly they have responded to news of their involvement. As soon as the second raid took place, this time on the Bank of Muscat, operating out of Oman, where $40 Million was stolen, ECS issued a press release. Yes, ECS had been involved in the first, smaller, attack and yes, ECS now knew how it was perpetrated and yes, ECS was working with agencies around the world even as ECS carried out a forensic exercise to determine the impact on card holders as well as users of ECS software. Furthermore, in accordance with agreements in place, ECS was pursuing recertification with the likes of VISA and MasterCard to ensure no further damage.

In an interview I had with ECS Senior VP, Madhu Gopinath, as the news was breaking, he told me “When it comes to open-loop prepaid cards, there’s a fine line between growing a marketplace, embracing new populations of users, and the risks involved.” Madhu then gave me the link to the ECS  press release on Sunday, where ECS had assured users that “the PIN and magnetic stripe data seem to have been compromised outside the ECS processing environment.”

I now fully understand how the attack succeeded, but as I have already told others, the fact that I do know doesn’t obligate me to share any of the details. For the NonStop community what I can talk about is that even as the ECS product, Electra, runs today on NonStop, on this occasion, ECS was supporting RAKBANK from an implementation running on Unix. Having said this, I have to also admit that I don’t think the choice of platform would have produced a different result – NonStop could have just as easily been compromised.

However, what really impressed me was how ECS CEO, Ramesh Mengawade, like SRT’s CEO, Gilles, moved quickly – calling in the authorities, issuing a press release, and giving commentators like myself immediate access to key executives, including Madhu. At no time did ECS tried to duck key questions or ignore any of my requests. On the contrary, Madhu was quick to assure me that, “
No other clients were impacted, and no end-customers or individuals were affected at all; some of our customers just use our software; there was absolutely no impact to them.”

It is easy to get lost, just as it’s easy to accept inaccurate information. When it comes to money, there will always be those within our society only too willing to try to steal it. However, when fraudulent activities on this scale are uncovered, it isn’t always easy to confront the marketplace. Particularly when you are obliged not to discuss specifics, even as criminal investigations remain on-going, and your ability to provide explanations may be limited.

With this in mind, it is refreshing to see just how forthcoming ECS has been, and I have to believe such willingness to be as transparent as they have been encourages others to do so in the future. Not all of us feel comfortable rolling up our sleeves even as the going gets tough, but on the other hand, isn’t that what we expect from all of our industry leaders?
 

No comments: