Indian processors fingered over $45m ATM heists

The card payment processing firms which saw their systems breached as part of two massive recent ATM heists have been named as India-based ElectraCard Services and EnStage.

  4 1 comment

Indian processors fingered over $45m ATM heists

Editorial

This content has been selected, created and edited by the Finextra editorial team based upon its relevance and interest to our community.

Last week US authorities charged eight people with taking part in the attacks that saw card data stolen from payment processors and used to withdraw $45 million from ATMs around the world.

ElectraCard Services has admitted that it was one payment processor involved in the first attack, which saw around $5 million stolen from accounts at the National Bank of Ras Al-Khaimah PSC in the UAE in December.

The firm's CEO, Ramesh Mengawade, told Reuters that crooks managed to breach its systems and increase the withdrawal limits on "three or four accounts". However, a statement insists that no PIN or mag-strip data was compromised.

Verizon has been called in to investigate the intrusion by ElectraCard Services, which says it is also in the process of re-certifying and re-listing itself for compliance with the PCI-DSS standards of the PCI Security Standards Council.

Meanwhile, EnStage has emerged as the processor hit as part of the second attack in February, which saw around $40 million looted from Bank of Muscat. "Our customers were adversely affected by this sophisticated crime," EnStage CEO Govind Setlur told the Times of India.

Sponsored [On-Demand Webinar] Solving the KYC challenge with end-to-end processes

Comments: (1)

Ketharaman Swaminathan

Ketharaman Swaminathan Founder and CEO at GTM360 Marketing Solutions

This is one more incident that shows that large and scaleable identity thefts happen at processors' systems, and not while individual cardholders are shopping online and putting through one-off transactions. I hope regulators, especially in India, recognize this reality and eliminate 2FA requirements that add a lot of friction and cause heavy shopping cart abandonments. Instead, they should shift their focus to verifying how securely processors are storing card information. Accepting processors' stock response, "we're PCI-DSS compliant", to all questions about data security is simply not enough any more.

[Webinar] 2025 Fraud Trends: Synthetic Identity, AI and Incoming MandatesFinextra Promoted[Webinar] 2025 Fraud Trends: Synthetic Identity, AI and Incoming Mandates