
India IT watchdog investigating breach in ATM heist

The government's cyber watchdog is investigating how security at two companies that are part of India's vast IT services industry was breached in a global ATM heist that saw $45 million stolen from two banks in the Middle East.

EnStage Inc, which operates from Bangalore, and ElectraCard Services, based in Pune, processed card payments for the two banks that were hit in the theft, several people familiar with the situation said.

(Also see: Indian companies at center of global cyber heist)

"We are investigating the technical aspect," Gulshan Rai, director general of the Indian Computer Emergency Response Team (CERT), part of the department of electronics and information technology, told Reuters by phone on Sunday.

"What kind of breach has happened in the system, how did it happen, what processes are in place, and the entire technical aspect we will look at," he said, adding that the agency had started its investigation on Saturday.

U.S. prosecutors said on Thursday that hackers broke into two card processing companies, raising the balances and withdrawal limits on accounts that were then exploited in coordinated ATM withdrawals around the world.

The prosecutors did not name the two companies but said one was based in India and the other in the United States.

While details of what happened are still sketchy, experts said the banks could bring claims against the processing companies in court, or they could file claims with their insurers and those of the processing companies.

According to a U.S. official and a bank employee, who both spoke on condition of anonymity, ElectraCard Services was the company that processed prepaid travel cards for National Bank of Ras Al Khaimah PSC (RAKBANK). RAKBANK suffered a $5 million coordinated heist at ATMs around the world on December 21 last year, according to the U.S. indictment.

In a statement on Sunday, ElectraCard, or ECS, said it had been affected by "fraud attacks" in December. It said investigations show that "PIN and Magnetic stripe data seem to have been compromised outside the ECS processing environment."

MasterCard bought a 12.5 percent stake in ElectraCard in 2010. MasterCard, the network under which the cards used in the heist were issued, has said its security was not compromised.

EnStage, which is incorporated in Cupertino, California, but has operations based in Bangalore, is the company that processed card payments for Bank of Muscat of Oman, according to a source close to Bank of Muscat. Bank of Muscat lost $40 million in a coordinated heist on February 19, according to Thursday's indictment.

"Our customers were adversely affected by this sophisticated crime," EnStage CEO Govind Setlur said in a statement in the Times of India newspaper.

Additional monitoring

A statement obtained by Reuters from a company spokesman said: "Since the time the incident occurred, EnStage has retained independent security experts to analyse the intrusion and to recommend enhancements to its information security infrastructure. EnStage has implemented both these enhancements as well as additional monitoring capabilities."

Setlur was travelling and could not be reached for further comment on Sunday.

An employee at the company's office in central Bangalore who did not want to be identified said that about 250 people work in the office but did not give further details.

Bank of Muscat has not commented on the case.

Police in Pune and Bangalore did not immediately have information on the matter when reached on Sunday.

The breach in security at Indian operators is a blow to the country's multi-billion dollar information technology industry, which received about half of all outsourcing contracts in the world in 2011, according to industry data.

India-based IT vendors, who rely on the trust of global clients to handle sensitive data, are dominated by companies providing support services to the global financial industry.

Eddie Schwartz, chief information security officer for RSA Inc, a firm that helps banks fight payment card fraud, said that it is not surprising that hackers would target banks that rely on Indian firms to process transactions.

Schwartz, who is based in Washington, said there is not as much government oversight in India as there is in the United States and Western Europe.

"Hackers view India as a target. It's got a fast-moving economy, a fast-moving IT infrastructure," Schwartz said.

Cyber security experts said the global scope and speed of the $45 million bank theft was unprecedented. The global gang had operatives in 27 countries who fanned out to thousands of ATMs in a matter of hours, withdrawing money using fraudulent prepaid debit cards, according to U.S. prosecutors.

The ringleaders of the global operation were believed to be outside the United States, but U.S. prosecutors have declined to give details, citing the continuing investigation. Germany is the only other country so far to announce arrests.

ElectraCard is based in a plush office park near the airport on the outskirts of Pune, a fast-growing city in Maharashtra that is a hub for the IT and auto industries and is home to several universities. A security guard at the office park, where tenants include IBM, would not allow in a Reuters journalist without an appointment on Sunday.

Unlisted ElectraCard had a net loss of 90.2 million rupees on net sales of 535.4 million rupees for the fiscal year that ended in March 2012, a sales decline of 1.6 percent, according to a report by ratings agency Crisil.