Exclusive: Indian firm in global ATM heist admits system breached
By Kaustubh Kulkarni
PUNE, India (Reuters) - An Indian payment card processing company acknowledged on Monday that hackers breached its security to increase the limits on some pre-paid card accounts in a global ATM heist in December.
ElectraCard Services said no customer data was stolen from it and any tampering of ATM cards occurred elsewhere.
"To withdraw money from a pre-paid card, one needs an ATM card that has a magnetic strip, which has encoded data. You also need a PIN. The forensic report says that this data and PIN was not compromised at the ElectraCard data centre," said Ramesh Mengawade, chief executive officer of ElectraCard Services.
"However, in three or four accounts, there was a breach, where the limit of cash that can be withdrawn from a pre-paid card was increased," he said in an interview at his office in the western Indian city of Pune.
U.S. prosecutors said on Thursday that hackers broke into two unnamed card processing companies, raising the balances and withdrawal limits on accounts that were then exploited in coordinated ATM withdrawals around the world that stole a combined $45 million from two Middle Eastern banks.
ElectraCard Services was the company that processed prepaid travel cards for National Bank of Ras Al Khaimah PSC RAKB.AD (RAKBANK), according to a U.S. official and a bank employee who both spoke on condition of anonymity. RAKBANK suffered a $5 million coordinated heist at ATMs around the world on December 21 last year, the U.S. indictment said.
"What happened in December was an industry-wide attack," Mengawade said in his first interview since the case came to light last week. "There were pranks in India; there were pranks in the U.S., in Europe and at processors as well."
The company said the attack was external and no one inside the company was involved, and that it became aware of it within an hour and immediately notified clients and the police. Continued...