Rakbank was defrauded Dh17.4 million as part of an orchestrated complex global bank heist, involving several rings of criminals, worth more than Dh165 million.
The theft emerged as a group of seven American men were charged by the US Attorney’s office in New York for withdrawing cash from cash machines and transporting money.
It is understood authorities in the UAE are involved in the investigation, though police were not available for comment on Friday.
A cyber-security expert estimates dozens of organised criminals were involved in the scam, during which criminals made some 40,500 cash machine withdrawals in 27 countries during two single coordinated incidents in December and February.
The charged men were not accused of either hacking into the credit card processing firms or managing the operation, indicating the gang’s masterminds, believed to be outside of the US, are at large.
US Attorney for the Eastern District of New York Loretta Lynch told reporters the criminals hacked the computers of two Master Card credit card processors — one in India last December and the other in the United States in February — and secured important details.
The details enabled them to programme counterfeit debit cards, distributed to operatives around the world, who hit the cash machines at the same time, after the gang had hacked into bank websites and increased the available cash and withdrawal limits on the account the fake cards were tied to. The Bank of Muscat was also targeted.
Rankbank chief executive officer Graham Honeybill said in a statement no customers had suffered any financial loss as a result of the fraud.
“The amount of the potential loss was Dh17.4 million and this was fully provided for before the bank closed its 2012 accounts.”
The incident happened in December, and “involved the bank’s service provider in India”, where its Master Card processor is located.
A spokeswoman for the bank refused to comment on the bank’s security, citing the ongoing court case, but said it was the provider ,“not us”, which had been exploited. The bank recorded a Dh1.4 billion profit last year.
Honeybill said other banks from around the world were targeted, though analysts have said the Middle East’s lax credit card limits and policies would have been attractive.
“The smart criminal is going to look at the banking industry and see where an exploitation would not draw as much interest. What the good criminals are doing here is undertaking behaviour that doesn’t look too unusual,” said Roger Cressey, senior vice-president at leading technology consultants Booz Allen Hamilton.
Cressey, who has worked in cybersecurity and counter-terrorism for both the Bill Clinton and George W. Bush administrations, told Khaleej Times the banks were remiss in having no alarm sytem in place when the debit card limits were increased by the criminal hackers.
“What’s fascinating about this event — and it really is not just an attack, it’s an event — is there is a cleverness and a complexity to it that should serve as a wake up call to the financial services industry on a global level.”
There were three lessons to be taken out of what is one of the largest bank robberies on record: banks needed agreements with their providers laying out security levels, they must review their internal processes to ensure adequate checks were in place, and all employees must be continuously trained, with technology crime increasing at breakneck speed.
The creditcard service provider, likely a contractor, was the “weak link”.
“If you look at how these attacks transpired, the criminals found the vulnerability in the financial services ecosystem…and exploited it.”
Such instances of cybercrime had long happened, with this case the visible tip of the iceberg — with smaller scams potentially being hushed by banks.
“We should assume there’s much more going on…the banks will always…respond to customers when there’s been a breach…but high level publicity that’s not something they’re wanting.”
Cybercrime was a new wave of criminality and a “high priority” for criminals, with an increased incidence of such thefts likely, Cressey said.
Lynch said an investigation was ongoing to see if other cells were operating in the US, Lynch said, adding the country’s law enforcers had worked with counterparts in Japan, Canada, Germany, Romania, Dominican Republic, Mexico, Italy, Spain, Belgium, France, United Kingdom, Latvia, Estonia, Thailand, and Malaysia in addition to the UAE.