From the information so far, they did this by exploiting 2 weaknesses:
- Broke into bank computers and stole prepaid debt cards, erasing their withdrawal limits.
- Got the data into the hands of others who cloned the cards and hit numerous ATMs.
We are seeing the rise of such organized cybercrime. And frankly, the numbers in just this case are staggering: thieves were in 27 countries, and they made about 36,000 withdrawals over 10 hours to accumulate $45 million. That works out to about a withdrawal of $1,111 every 10 seconds.
All the cards stolen were MasterCard prepaid debit cards, and only 2 banks were targeted. In December, it was cards issues by the National Bank of Ras Al-Khaimah PSC (RAKBANK) in the United Arab Emirates. Then in February it was cards issued by the Bank of Muscat in Oman. I have to wonder if there was a reason those banks were the target.
What I haven't seen is the size of this overall group, which may not be known at this point. A small group has been arrested in the US (apparently the "US cell"), and another individual who was apparently the leader of that cell was killed in the Dominican Republic (by who is not clear). What about the overall ringleaders? Maybe they killed the guy US ringleader to prevent any links back to them. (yeah, I guess I read too many thrillers...)
Am sure we will get more info on this case as it moves along. I wonder how procedures may be changed or improved in light of this.
Here are some of the articles on this matter:
Global Post on the heist. Business Insider on how it was done. NPR on it.
Dark Reading on the 8 caught in NY