India outsourcing under scanner after $45-mn global ATM heist
New York: Outsourcing of jobs by global financial institutions to Indian shores has come under scanner, with the perpetrators of a USD 45-million worldwide ATM heist apparently breaching computer systems of a payment processing firm in India for their con job.
According to charges filed by the US federal prosecutors here, eight persons have been indicted for participating in two worldwide cyber attacks culminating into a huge USD 45 million being withdrawn fraudulently from ATMs across the world in a matter of few hours earlier this year.
The modus operandi for the heist included hacking into computer systems of payment processing companies -- one in the US and another in India -- to compromise the account details of prepaid card account customers of two banks (one in the UAE and another in Muscat). This was followed by unlimited withdrawals from ATMs across the world.
This is the fourth major instance in less than a year when outsourcing of key jobs by global financial conglomerates to India has found a mention by global regulatory or enforcement agencies for wrong reasons, including for ineffective controls against suspicious transactions, a global rate rigging scandal, money laundering risks and now a huge swindle operation.
Late last year, a joint probe by British and Swiss regulators found key controls for "detection of suspicious trading activity" failed at an India outsourcing unit, contributing to USD 2.3-billion loss caused by a rogue trader of global banking giant UBS.
Months before that, outsourcing of key oversight jobs by two global banks -- HSBC and Standard Chartered -- to India had come under the regulatory scanner in the US and UK for ineffective controls against suspicious transactions.
The latest case of an apparent breach of systems at offshoring units in India has come to the fore despite outsourcing of key financial jobs to India continuing to remain under regulatory scanner in the US and the UK.
As per an advisory issued by the UK financial market regulator FCA (Financial Conduct Authority) about offshore centres of British banks, the "financial crime training in India needs to be better supported by financial crime teams in the UK".
The FCA said that "fake CVs, inconsistent references, and previous employers being reluctant to provide references or share data were common in India. India does not have the electronic database infrastructure in place to allow fast, effective checking of the bona fides of individuals. So firms need to apply a wide range of strategies to fill this gap."
The US Federal Deposit Insurance Corporation's Advisory Committee on Systemic Resolution has also listed data and operational centres in India among the top-priority jurisdiction for monitoring of potential risks at SIFIs (Systemically Important Financial Institutions).
According to the government's court filings, two such 'Unlimited Operations' were conducted between October 2012 and April 2013, although prosecutors have not disclosed names of either of the two companies.
The first operation, on December 22, 2012, targeted a credit card processor that processed transactions for prepaid MasterCard debit cards issued by UAE's Rakbank.
After hacking into the card processor's computer network, they compromised the bank's prepaid card accounts, manipulated the balances and withdrawal limits, while casher cells across the globe operated a coordinated ATM withdrawal campaign.
In total, more than 4,500 ATM transactions were conducted in approximately 20 countries around the world using the compromised Rakbank account data, resulting in about USD 5 million of losses to the credit card processor and Rakbank.
The New York City area alone saw 750 fraudulent transactions, totaling nearly USD 400,000, at over 140 different ATM locations within just two hours and 25 minutes.
The second Unlimited Operations occurred in the afternoon of February 19 and lasted till early morning of February 20, 2013. This operation again breached the network of a credit card processor that serviced MasterCard prepaid debit cards, this time issued by the Bank of Muscat, located in Oman.
In this attack, casher cells in 24 countries executed approximately 36,000 transactions worldwide and withdrew about USD 40 million from ATMs over the course of approximately 10 hours. An amount totalling USD 2.4 million was withdrawn in about 3,000 ATM transactions in New York City alone.
The Department of Justice said in a statement that the eight persons charged for the heist later laundered hundreds of thousands of dollars in illicit cash proceeds.
Besides, they also invested the criminal proceeds in portable luxury goods, such as expensive watches and cars and the government authorities have already seized hundreds of thousands of dollars in cash and bank accounts, two Rolex watches and a Mercedes SUV, and is in the process of forfeiting a Porsche Panamera. The Mercedes and Porsche were purchased with USD 250,000 in proceeds of this heist.
If convicted, they face a maximum sentence of 10 years of imprisonment on each of the money laundering charges and 7.5 years on the conspiracy to commit access device fraud charge, restitution, and up to USD 250,000 in fines.