Following posts (ATMmarketplace, realtime.ir and comForte Lounge, as well as commentaries to LinkedIn groups) on the $45 Million heist from ATMs, it is appropriate to wrap-up this story with input from a party directly involved …
It is rare that I am ever at a loss for words,
especially after alighting from a car following a quick dash through the
countryside. However, this past weekend, the Memorial Day long weekend, I
participated in our club’s three-stage fun “rally” deep in Moab, Utah’s,
surrounding national parks where I proceeded to head in the wrong direction.
However, there was nothing wrong with what we
saw as we traversed the landscape!
Margo and I were new to this club so when the instructions arrived, we saw
there was incorrect information provided and confused as we were with what we
saw, we pressed on regardless only to turn an easy, 53 plus mile segment, into
a marathon 250 plus miles. I had to really drive hard to redeem some of my self-esteem
so that I could face my fellow drivers later in the day.
On the other hand, I hadn’t given up electing to correct my error and to
aggressively pursue making amends for my mistake. While this is easily said and
done, when it comes to games, events of this past week highlighted the
importance of taking similar actions in business. I have to believe almost
everyone has heard by now that following the acquisition of Chrysler by FIAT
among the very first decisions made by the new parent was to give the green
light to the Chrysler division, SRT, for the development of a new Viper high performance
car – a “halo product” for the reinvigorated manufacturer.
However, when one magazine secured a new SRT Viper to test it on the famous
Mazda Raceway Laguna Seca course in Monterey, California, its performance
wasn’t quite up to the expectations, with the new SRT Viper failing to match
the lap times of a previous generation Corvette ZR1. Ouch! How did the SRT CEO,
Ralph Gilles respond? According to the magazine, Gilles response to the bad
news was a showcase for what we should expect from our business leaders.
True, the initial response by Gilles was that GM and Corvette cheated, but then
the magazine reported, “Here’s the important part. People like Ralph Gilles get
where they are (president and CEO of SRT and vice president of Design for
Chrysler) because when the going gets tough, they roll up their sleeves and do
something”. A well-worn cliché for sure, but then the reporter went on to add,
“In this case, Gilles pushed a new car out the gates in just nine weeks … Ralph
tweeting (the magazine’s) editor-in-chief and me, ‘You forced me to build
Yes, this new Viper, what SRT now calls the Viper TA (Track Attack), was able
to circulate Laguna Seca faster than the much-lauded Corvette ZR1. However,
when it comes to IT, there have also been headlines of late that have drawn
equally a hands-on response, and one that is worth recognizing.
Readers who check out my postings to other blogs would have been hard pressed
to miss the column inches I have devoted to following up on the recent
fraudulent raids perpetrated on the global ATM network. As I observed in my
first post to comForte Lounge, Are you still sure you are secure? there was a global raid on ATMs with criminal
gangs fraudulently pilfering $45 million in two separate attacks; the first on
December 21, 2012, that netted $5 million, with the second on
February 14, 2013, a much bigger attack, that netted an additional $40 million.
I devoted all of my most recent post to ATMmarketplace, Cruising
to EMV eventuality? to the
same topic where I referenced a USA Today reporter who quoted Brooklyn U.S.
Attorney, Loretta Lynch, as having said “In the place of guns and masks, this cybercrime
organization used laptops and the Internet. Moving as swiftly as data over the Internet, the
organization worked its way from the computer systems of international
corporations to the streets of New York City.”
Lastly, in the post to realtime.ir, We
need to step up our monitoring – the crooks are getting smarter!, I referenced
a May 9, 2013, article in the New York Times where the reporter said, “Beyond
the sheer amount of money involved, law enforcement officials said, the thefts
underscored the vulnerability of financial institutions around the world to
clever criminals working to stay ahead of the latest technologies designed to
thwart them.” What also came out in these reports were references to social
media exploitation with the possibility that this was the first ever reported “crowd-sourced
criminal attack” on a financial institution.
These raids, on the world’s ATMs, represented theft of an unparalleled nature.
Caught up in the storyline, unfortunately, were our good friends at ElectraCard
Systems (ECS), out of Pune, India. ECS were the payment processor supporting
RAKBANK out of the United Arab Emirates where criminals helped themselves to $5
Million. Central to the theft were prepaid cards that criminals had manipulated
to allow unlimited withdrawals – no matter how much cash was withdrawn from an
ATM with these prepaid cards, there was always more cash available.
With ECS now very much in the headlines, I reached out to the ECS executives
for further information. What impressed me, as I began a dialogue with ECS, is
how quickly they have responded to news of their involvement. As soon as the
second raid took place, this time on the Bank of Muscat, operating out of Oman,
where $40 Million was stolen, ECS issued a press release. Yes, ECS had been
involved in the first, smaller, attack and yes, ECS now knew how it was
perpetrated and yes, ECS was working with agencies around the world even as ECS
carried out a forensic exercise to determine the impact on card holders as well
as users of ECS software. Furthermore, in accordance with agreements in place,
ECS was pursuing recertification with the likes of VISA and MasterCard to
ensure no further damage.
In an interview I had with ECS Senior VP, Madhu Gopinath, as the news was
breaking, he told me “When it comes to open-loop prepaid cards, there’s a fine
line between growing a marketplace, embracing new populations of users, and the
risks involved.” Madhu then gave me the link to the ECS press
release on Sunday, where ECS had assured users that “the PIN and
magnetic stripe data seem to have been compromised outside the ECS processing
I now fully understand how the attack succeeded, but as I have already told
others, the fact that I do know doesn’t obligate me to share any of the
details. For the NonStop community what I can talk about is that even as the
ECS product, Electra, runs today on NonStop, on this occasion, ECS was
supporting RAKBANK from an implementation running on Unix. Having said this, I
have to also admit that I don’t think the choice of platform would have
produced a different result – NonStop could have just as easily been
However, what really impressed me was how ECS CEO, Ramesh Mengawade, like SRT’s
CEO, Gilles, moved quickly – calling in the authorities, issuing a press
release, and giving commentators like myself immediate access to key executives,
including Madhu. At no time did ECS tried to duck key questions or ignore any
of my requests. On the contrary, Madhu was quick to assure me that, “No other clients were
impacted, and no end-customers or individuals were affected at all; some of our
customers just use our software; there was absolutely no impact to them.”
It is easy to get lost, just as it’s easy to accept inaccurate information.
When it comes to money, there will always be those within our society only too
willing to try to steal it. However, when fraudulent activities on this scale
are uncovered, it isn’t always easy to confront the marketplace. Particularly
when you are obliged not to discuss specifics, even as criminal investigations
remain on-going, and your ability to provide explanations may be limited.
With this in mind, it is refreshing to see just how forthcoming ECS has been,
and I have to believe such willingness to be as transparent as they have been
encourages others to do so in the future. Not all of us feel comfortable rolling
up our sleeves even as the going gets tough, but on the other hand, isn’t that
what we expect from all of our industry leaders?