Co-ordinated hits on cash machines

An ATM machine on Third Avenue in New York. It is just one of the many that were used as cyber thieves around the world stole $45mn by hacking into debit card companies, scrapping withdrawal limits and helping themselves from cash machines.

By Dinesh Nair and Jessica Dye /Reuters

One of the credit card processing companies whose security was breached in a $45mn global cyber heist was India’s ElectraCard Services, according to two people familiar with the situation.

ElectraCard Services processes prepaid travel cards for National Bank of Ras Al Khaimah PSC (RAKBANK), one of two Middle Eastern banks named by US prosecutors on Thursday as victims of the heist, the people said.

The prosecutors said an international criminal gang made two co-ordinated hits on cash machines around the world, withdrawing $5mn on December 21 last year and a further $40mn on February 19 this year.

The gang was able to make big withdrawals after hacking into an Indian and a US credit card processing company to raise the balances and withdrawal limits on MasterCard prepaid debit cards, the prosecutors said. They did not name the processing companies.

A US official and an employee of RAKBANK in Dubai both said the Indian card processor - used in the heist on December 21, 2012 - was ElectraCard Services, which is based in Pune, India. The two people spoke on condition of anonymity.

Ramesh Mengawade, the CEO of ElectraCard Services and its parent firm, Opus Software Solutions, could not be reached through his executive assistant or through e-mail yesterday. Calls to the mobile phone of another company official were not answered.

An official at an external public relations firm that works with ElectraCard also said he had not been able to reach Mengawade yesterday and did not have immediate comment.

RAKBANK has said two of its Prepaid MasterCard Cards have been launched with the support of ElectraCard.

MasterCard bought a 12.5% stake in ElectraCard in 2010, ElectraCard has said. MasterCard has said it had co-operated with law enforcement in the investigation and stressed that its systems were not involved or compromised in the attacks.

Cyber security experts said the global scope and speed of the $45mn bank theft was unprecedented. The global gang had operatives in 27 countries who could fan out to thousands of ATMs in a matter of hours, and withdraw money using fraudulent prepaid debit cards, according to US prosecutors.

The US Justice Department gave details of the heist on Thursday in an indictment against eight men accused of being the New York cell of the organisation. The department said seven of the men have been arrested.

Dominican police on Friday confirmed that the eighth, Alberto Lajud-Pena, allegedly the leader of the New York cell, was shot dead in a robbery attempt in the Dominican Republic on April 27. Investigators found $100,000 in cash in the house where he was killed, as well as an M-16 assault rifle, two 9 mm pistols, a revolver, ammunition clips and a telescopic sight. It was not clear if the killing or the money were related to the cyber thefts.

Also on Friday, German prosecutors said they arrested two Dutch citizens, a man and a woman, on February 19, who were withdrawing cash at machines in Dusseldorf from accounts at Bank of Muscat of Oman, the other bank named by US prosecutors.

The ringleaders of the global operation were believed to be outside the US, but US prosecutors have declined to give details, citing the continuing investigation. Germany is the only other country so far to announce arrests.