Another major fraud using payment cards

Tomcat

An article from November 2015 described a relatively new type of fraud that criminals used to steal money from bank accounts: "Hackers invented a new scheme for stealing money, stealing 250 million rubles." Briefly, the fraud worked as follows:

The criminal received a payment card, topped it up and immediately withdrew the deposited money from an ATM, requesting a receipt. The transaction data was then sent to an accomplice who had access to infected POS terminals. Using the transaction code, a cancellation of the cash withdrawal was generated through the terminals. As a result, the card balance was instantly restored and the attacker had the “canceled” money in his account. The criminals repeated these actions over and over until the ATMs ran out of cash, modifying their scheme after the banks corrected the error. Several court cases were then opened against the perpetrators; the “money mules” were from London, Ukraine, Latvia and Lithuania.

Now, however, news has appeared about a very similar case, including the names of the affected companies. The damage this time is almost twice as large: about half a billion rubles.

PJSC Bank Kuznetsky
PJSC Bank Kuznetsky is a small regional bank in terms of assets, the only credit organization registered in the Penza region. Key areas of activity are servicing and lending to corporate clients, attracting public funds into deposits and lending to individuals. The main source of financing the bank's activities is deposits from individuals (55.7%). The bank's network is represented by the head office in Penza, 20 additional offices, four operational cash desks outside the cash desk and three operational offices. The entire bank network, except for two operational offices in Samara and the Chuvash Republic, is located and operates in the Penza region. The number of bank staff as of April 1, 2016 was 350 people. The network of proprietary devices includes 45 ATMs and 114 terminals. Information from Banki.ru.

In August 2015, fraudsters or their accomplices, using MasterCard cards issued by Kuznetsky Bank, withdrew 470 million rubles from ATMs of other banks. The scammers used the ORS payment system, which at the time included more than 200 banks and allowed cash withdrawals at lower rates. UCS is an operational and payment clearing center for ORS.

Typically, scammers make 5-10 approaches to the ATM, each time withdrawing the maximum possible amount (200,000 rubles, 40 banknotes with a face value of 5,000 rubles). The peculiarity of this case is that more than 3,000 such operations were performed per day, and the total amount reached almost 470 million rubles. Judging by the amount and number of transactions, the fraudsters had to empty more than 200 ATMs belonging to different banks in a short period of time. It is physically impossible to perform that many payment cancellation operations manually, so we can confidently say that it was not an employee who acted, but hackers who had previously gained access to the bank’s infrastructure.

The situation is very similar to the one described earlier. This is a “transaction reversal” attack: a fraudster, using the card of the issuing bank, withdraws cash from an ATM. Immediately after this, the fraudster’s accomplice sends a request to the payment system to cancel the operation. “Due to the cancellation of the operation, the amount on the card account does not change, so fraudsters can repeat this two-step again and again until they get tired,” says Dmitry Kuznetsov, director of methodology and standardization at Positive Technologies. “In this case, the issuer will have a debt to the acquirer for an amount equal to the amount of cash withdrawn.”

When the scammers withdrew the first hundred thousand rubles, the balance available on the issuer’s correspondent account decreased by this amount, and after the operation was canceled it was restored, although the issuer actually owed the acquirer a hundred thousand. With each subsequent fraudulent operation, the balance in the correspondent account either decreased or was restored.

The court indicated that transactions in the ORS payment system are carried out in accordance with the rules of MasterCard, and, according to them, only the acquiring bank (i.e., the owner of the ATM) has the right to cancel the transaction in real time, while the issuing bank (in our case, Kuznetsky) could cancel the operation only after seven calendar days. Despite this, the defendant UCS carried out the cancellation operation on behalf of Kuznetsky.

“According to our information, investigative actions are being carried out in criminal cases that have not yet been completed,” says a representative of the NGO ORS.
According to unconfirmed information, the first arrests in this case took place in the fall.

From the materials it follows that immediately after the incident, ORS paid 470 million rubles to the banks from whose ATMs the money was stolen, and the claim against UCS was filed on November 2, 2015. According to a person close to one of the parties, Kuznetsky could not compensate the banks for the damage, since it did not have such funds; for ORS it was more a matter of reputation.

“The criminal must compensate for the harm caused. If the hackers are not caught, then there is no one to compensate for the damage. If they are caught, then they don’t have that kind of money anyway,” argues Dmitry Kuznetsov. “The damage is compensated by the one who, based on the results of the trials, turned out to be ‘more wrong.’”

Total: the Moscow court recovered 470 million rubles from the processing company UCS, considering that it was its fault that the fraudsters stole these funds from Kuznetsky Bank, because UCS violated the terms of the contract.
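The rule the court cited (real-time cancellation only by the acquirer, issuer-side cancellation only after seven calendar days) can be enforced and monitored at the processing layer. The following is an added example, not part of the original post or of any payment system's code; the event fields, party ids and the `max_cycles` threshold are hypothetical, and the sample events are constructed.

```python
from collections import Counter
from datetime import datetime, timedelta

ISSUER_WAIT = timedelta(days=7)  # issuer-side cancellation delay, as stated in the post

def reversal_allowed(w, r):
    """Check one reversal request r against its withdrawal w."""
    if r["from"] == w["acquirer"]:
        return True, "acquirer reversal"
    if r["from"] == w["issuer"]:
        if r["ts"] - w["ts"] >= ISSUER_WAIT:
            return True, "issuer reversal after 7 days"
        return False, "issuer reversal inside 7-day window"
    return False, "requester is neither acquirer nor issuer"

def screen(events, max_cycles=2):
    """Return (rejected reversals, cards with more than max_cycles withdraw/reverse pairs)."""
    withdrawals, rejected, cycles = {}, [], Counter()
    for ev in events:
        if ev["type"] == "withdrawal":
            withdrawals[ev["ref"]] = ev
            continue
        w = withdrawals.get(ev["ref"])
        if w is None:
            rejected.append((ev["ref"], "no matching withdrawal"))
            continue
        cycles[w["card"]] += 1  # count every withdraw/reverse pair, allowed or not
        ok, reason = reversal_allowed(w, ev)
        if not ok:
            rejected.append((ev["ref"], reason))
    return rejected, sorted(c for c, n in cycles.items() if n > max_cycles)

# Constructed sample data; field names and party ids are hypothetical.
T0 = datetime(2015, 8, 1, 10, 0)

def pair(ref, card, start_min, requester, delay):
    ts = T0 + timedelta(minutes=start_min)
    return [{"type": "withdrawal", "ref": ref, "card": card, "ts": ts,
             "acquirer": "ACQ-1", "issuer": "ISS-1"},
            {"type": "reversal", "ref": ref, "from": requester, "ts": ts + delay}]

SAMPLE = (pair("r1", "CARD-A", 0, "ISS-1", timedelta(minutes=1))
          + pair("r2", "CARD-A", 5, "ISS-1", timedelta(minutes=1))
          + pair("r3", "CARD-A", 10, "ISS-1", timedelta(minutes=1))
          + pair("r4", "CARD-B", 2, "ACQ-1", timedelta(minutes=1))
          + pair("r5", "CARD-C", 3, "ISS-1", timedelta(days=8)))

if __name__ == "__main__":
    print(screen(SAMPLE))
```

On the sample, the three issuer-originated reversals sent a minute after each withdrawal are rejected and CARD-A is flagged for repeated cycles, while the acquirer's own reversal and the issuer reversal sent after eight days pass.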
 