US federal authorities have charged eight hackers in connection with a $45m debit card fraud scheme linked to the hacking of card processors in the US and India.
They were charged in a New York district court with conspiracy to commit access device fraud, money laundering conspiracy and two counts of money laundering, according to US reports.
"The defendants and their co-conspirators participated in a massive 21st century bank heist that reached across the internet and stretched around the globe," US attorney Loretta Lynch said in a statement.
"In the place of guns and masks, this cyber crime organisation used laptops and the internet," she said.
Police are holding seven people in custody, while the eighth suspect and leader of the group, Alberto Yusi Lajud-Pena, is reported to have been murdered two weeks ago.
The hackers are believed to have broken into prepaid debit card databases to raise the limit on cards before withdrawing money from cash machines in 26 countries using cloned debit cards.
The indictment said in such operations hackers manipulate account balances, and in some cases security protocols, to eliminate withdrawal limits on individual accounts.
"As a result, even a few compromised bank account numbers can result in tremendous financial loss to the victim financial institution," the indictment said.
In a similar heist in 2008, a gang took money from cash machines in 49 cities around the world using cloned debit cards.
The thefts stemmed from a data breach at RBS WorldPay in which hackers stole the personal data of 1.5 million card holders a month earlier.
It is not known if the payment card processors targeted in the latest heist were compliant with the Payment Card Industry Data Security Standard (PCI-DSS), a code of best practices created by the card industry designed to prevent hackers from obtaining card details.
"This is a serious incident that raises a lot of questions about the security of the current payment systems," said Costin Raiu, director of global research at security firm Kaspersky Lab.
However, he said that while insecure magnetic stripes are still used for card payments in the US, they have been mostly abandoned in Europe and replaced by more secure chips.
The cyber criminals specialised in card fraud, and focused on replicating real cards on "blank" cards by reprogramming the magnetic stripe.
“A lot of these attacks would go away or decrease by getting rid of the stripe and updating the US payment systems to use the chips,” said Raiu. “It makes sense for the banks to invest in upgrading the cards in the US and worldwide.”
David Emm, senior security researcher at Kaspersky Lab, said the latest thefts highlight the global nature of cyber crime.
“This in turn highlights the importance of Europol's European Cybercrime Centre (EC3) as a focal point for combating cyber crime,” he said.