The gang used counterfeit Standard Bank credit cards to withdraw 1.4
billion yen ($13 million) in 14,000 transactions from ATMs at
7-Eleven convenience stores over three hours on a Sunday morning,
according to a source familiar with the matter.
Most ATMs in the 7-Eleven stores belong to Seven Bank, one of only two
Japanese banks that allow withdrawals on foreign cards. Seven Bank is
part-owned by Seven & I Holdings <3382.T>, which runs the store chain
in Japan.
The thieves are still at large.
"They were smart in selecting Japan," said one banking security
consultant who asked not to be identified.
"They found a badly protected ATM network in a low-risk country,
guessing that the fraud analytics software would not automatically
block the transactions."
South Africa's Standard Bank <SBKJ.J> said on Monday it had suffered
the losses, not its customers, and that it had alerted the
authorities. It estimated its total loss at 300 million rand ($19
million).
The bank declined to comment further on Tuesday.
Seven Bank said it was cooperating with police. Japan's banking
regulator, the Financial Services Authority (FSA), and Japanese
police declined to comment.
Seven has about 22,000 ATMs across the country. Japan Post Bank also
accepts overseas credit cards, but only about 540 of its 27,000 are
open 24 hours a day.
Reports in Japanese media said the withdrawals were made on May 15
at ATMs in Tokyo and 16 prefectures across Japan's main island
Honshu and neighboring Kyushu. That would have taken a substantial
number of "mules" to make the transactions and ferry the cash, said
experts.
"$13 million in a matter of hours is nothing short of blinding,"
said Dan Kelly, a Hong Kong-based cybersecurity researcher at Dragon
Threat Labs.
"The use of loopholes in the bank's procedures makes sense, but
trying to rustle up a mule network in one country without making too
much noise can't be easy."
FLOOD OF TRANSACTIONS
Experts said both banks should shoulder some blame for failing to
monitor the flood of transactions: they should have had systems in
place to catch a spike in unusual activity across so many locations
at the same time, during what would usually be a quiet period.
"The liability is on the issuing bank, which is Standard Bank, but
as the case gets further investigated, more blame will fall on the
acquiring bank," said Subhashish Bose, head of anti-financial crime
in Asia-Pacific for FICO, a U.S.-based software company that also
scores consumer credit risk.
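The monitoring the experts describe amounts to a velocity and geographic-dispersion check on the acquirer's side: for each issuer, count withdrawals in a short sliding window, count the distinct ATM locations involved, and weight the result by whether the burst falls in a normally quiet slot. The following is an added illustration written for this page; it is not code from Seven Bank, Standard Bank, FICO or the article. The withdrawal records, the thresholds (20 withdrawals across 5 or more cities within 30 minutes), the BIN values and the "weekend before 08:00" quiet-period rule are all constructed assumptions.

```python
"""Velocity / geographic-dispersion detector for ATM cash-out bursts.

Added illustration, not from the article or any bank's system. It flags an
issuer BIN whose cards are used for an unusual number of withdrawals across
many locations inside a short window, and notes whether the burst fell in a
normally quiet period. Every record and threshold here is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Withdrawal:
    ts: datetime        # time the acquirer logged the withdrawal
    bin: str            # first six digits of the card number (issuer identifier)
    city: str           # city of the ATM
    amount_jpy: int


@dataclass(frozen=True)
class Alert:
    bin: str
    first_seen: datetime
    last_seen: datetime
    count: int          # withdrawals inside the triggering window
    locations: int      # distinct cities inside the triggering window
    quiet_period: bool  # True if the burst fell in a normally quiet slot


QUIET_HOURS = range(0, 8)   # assumed: 00:00-07:59 local time is low volume


def is_quiet(ts: datetime) -> bool:
    """Weekend early morning counts as a quiet period (constructed rule)."""
    return ts.weekday() >= 5 and ts.hour in QUIET_HOURS


def find_bursts(withdrawals, window=timedelta(minutes=30),
                min_count=20, min_locations=5):
    """Return one Alert per issuer BIN whose withdrawals exceed both
    thresholds inside some sliding window of length `window`."""
    by_bin = defaultdict(list)
    for w in withdrawals:
        by_bin[w.bin].append(w)

    alerts = []
    for bin_, txs in by_bin.items():
        txs.sort(key=lambda t: t.ts)
        start = 0
        for end, tx in enumerate(txs):
            # Slide the window start forward until it spans at most `window`.
            while tx.ts - txs[start].ts > window:
                start += 1
            in_window = txs[start:end + 1]
            cities = {t.city for t in in_window}
            if len(in_window) >= min_count and len(cities) >= min_locations:
                alerts.append(Alert(bin_, txs[start].ts, tx.ts,
                                    len(in_window), len(cities), is_quiet(tx.ts)))
                break   # one alert per BIN is enough to trigger a review
    return alerts


def constructed_sample():
    """Constructed records: one normal issuer and one cash-out burst."""
    # 2016-05-15 is the date the article reports; the 05:00 start is constructed.
    sunday_0500 = datetime(2016, 5, 15, 5, 0)
    records = []
    # Baseline issuer (BIN 490000, constructed): six withdrawals in two
    # cities spread over twelve hours.
    for i in range(6):
        records.append(Withdrawal(sunday_0500 + timedelta(hours=2 * i),
                                  "490000", ["Tokyo", "Osaka"][i % 2], 30000))
    # Cash-out issuer (BIN 520000, constructed): thirty withdrawals in
    # about 25 minutes across eight cities.
    cities = ["Tokyo", "Yokohama", "Nagoya", "Osaka",
              "Kyoto", "Fukuoka", "Hiroshima", "Sendai"]
    for i in range(30):
        records.append(Withdrawal(sunday_0500 + timedelta(seconds=50 * i),
                                  "520000", cities[i % len(cities)], 100000))
    return records


if __name__ == "__main__":
    for alert in find_bursts(constructed_sample()):
        print(alert)
```

The baseline issuer never reaches twenty withdrawals in any window and produces no alert; the burst issuer trips the rule at its twentieth withdrawal, about sixteen minutes in, with all eight cities already represented and the quiet-period flag set. In a real deployment the thresholds would come from per-issuer baselines rather than constants, and the alert would feed an automatic hold on further authorisations for that BIN pending review.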
The criminals may have harvested the data in a variety of ways, said the experts
- possibly by "skimming" cards - but they would have had limited options when it
came to using them to withdraw cash.
For one thing, they would have to pick a country that still uses magnetic stripe
card technology rather than the newer and more secure chip-and-PIN system, which
would have ruled out South Africa itself.
"If they would have gone to any of the surrounding countries, they would risk
detection (and blocking) by Standard Bank's fraud analytics software", which
would consider any transaction in such countries to be high risk, the banking
security consultant said.
The same risk assessment would have ruled out most other African countries,
Eastern Europe, the Middle East, Central Asia and Russia, the consultant added.
Japan, meanwhile, is considered low-risk because of low crime rates and its
banks, most of which do not accept foreign cards in their ATMs, the experts
said.
Japan has long been ignored by criminal gangs and cybercrime groups because of
its relative isolation. But that is changing, say specialists, and the country
has yet to catch up.
"They are less experienced in dealing with these frauds and are behind in terms
of monitoring, detection and response," said Stephen McCombie, an Asia-Pacific
cybercrime specialist at RSA, the security division of data storage firm EMC <EMC.N>.
Last year hackers broke into Japan's pension system and leaked more than a
million personal data records.
(Reporting By Jeremy Wagstaff and Taiga Uranaka; Editing by Alex Richardson)
Copyright 2016 Reuters. All rights reserved. This material may not be published,
broadcast, rewritten or redistributed.