Criminals who stole millions of dollars from automatic teller machines across Japan in a three-hour spree probably chose the country because banks consider it a low fraud risk, security experts say.
The gang used counterfeit Standard Bank credit cards to withdraw ¥1.4 billion in 14,000 transactions from ATMs at 7-Eleven convenience stores over three hours on a Sunday morning, according to a source familiar with the matter.
Most ATMs in the 7-Eleven stores belong to Seven Bank, one of only two Japanese banks that allow withdrawals on foreign cards. Seven Bank is part-owned by Seven & I Holdings, which runs the store chain in Japan.
The thieves are still at large.
“They were smart in selecting Japan,” said one banking security consultant who asked not to be identified.
“They found a badly protected ATM network in a low-risk country, guessing that the fraud analytics software would not automatically block the transactions.”
South Africa’s Standard Bank said on Monday it had suffered the losses, not its customers, and that it had alerted the authorities. It estimated its total loss at 300 million rand ($19 million).
The bank declined to comment further on Tuesday.
Seven Bank said it was cooperating with police. Japan’s banking regulator, the Financial Services Authority (FSA), and police declined to comment.
Seven has about 22,000 ATMs across the country. Japan Post Bank also accepts overseas credit cards, but only about 540 of its 27,000 branches are open 24 hours a day.
Reports in local media said the withdrawals were made on May 15 at ATMs in Tokyo and 16 prefectures across Honshu and neighboring Kyushu. That would have taken a substantial number of “mules” to make the transactions and ferry the cash, said experts.
Dan Kelly, a Hong Kong-based cybersecurity researcher at Dragon Threat Labs, said $13 million in a matter of hours “is nothing short of blinding.”
“The use of loopholes in the bank’s procedures makes sense, but trying to rustle up a mule network in one country without making too much noise can’t be easy,” he said.
Experts said both banks should shoulder some blame for failing to monitor the flood of transactions, saying they should have had systems in place to catch spikes in unusual activity in so many locations at the same time during what would usually be a quiet period.
“The liability is on the issuing bank, which is Standard Bank, but as the case gets further investigated, more blame will fall on the acquiring bank,” said Subhashish Bose, head of anti-financial crime in the Asia-Pacific for FICO, a U.S.-based software company that also scores consumer credit risk.
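An added example, not part of the original report and not any bank's actual system: a minimal issuer-side check for the kind of spike the experts describe, counting magnetic-stripe cash withdrawals acquired abroad in a sliding window and alerting when many terminals in one country are hit at once. The thresholds, country codes, terminal IDs and transaction feed are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

HOME_COUNTRY = "ZA"             # issuer's home market (assumed code)
WINDOW = timedelta(minutes=10)  # assumed look-back window
MAX_TXNS = 20                   # assumed ceiling per country per window
MIN_TERMINALS = 10              # many ATMs at once, not one busy machine


def find_spikes(txns):
    """txns: time-sorted (timestamp, country, terminal_id, entry_mode) tuples."""
    windows = defaultdict(deque)  # country -> recent (timestamp, terminal)
    alerted, alerts = set(), []
    for ts, country, terminal, mode in txns:
        if country == HOME_COUNTRY or mode != "magstripe":
            continue  # only foreign magnetic-stripe withdrawals are counted
        win = windows[country]
        win.append((ts, terminal))
        while win and ts - win[0][0] > WINDOW:
            win.popleft()  # drop events that fell out of the window
        terminals = {t for _, t in win}
        if (country not in alerted and len(win) >= MAX_TXNS
                and len(terminals) >= MIN_TERMINALS):
            alerted.add(country)  # report each country once
            alerts.append((country, ts, len(win), len(terminals)))
    return alerts


def sample_feed():
    """Constructed data: quiet background traffic, then a burst in one country."""
    start = datetime(2000, 1, 2, 5, 0)  # constructed early Sunday morning
    feed = []
    # Background: one foreign magstripe withdrawal every 30 minutes in "GB".
    for i in range(6):
        feed.append((start + timedelta(minutes=30 * i), "GB", f"GB-{i}", "magstripe"))
    # Burst: four withdrawals a minute spread over 40 terminals in "JP".
    for i in range(120):
        feed.append((start + timedelta(minutes=60, seconds=15 * i),
                     "JP", f"JP-{i % 40}", "magstripe"))
    # Home-market chip traffic must never count toward a spike.
    for i in range(100):
        feed.append((start + timedelta(seconds=20 * i), "ZA", f"ZA-{i}", "chip"))
    return sorted(feed)


if __name__ == "__main__":
    for alert in find_spikes(sample_feed()):
        print(alert)
```

On the constructed feed the burst is flagged under five minutes after it begins, at the 20th withdrawal, while the sparse background traffic never trips the threshold.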
The criminals may have harvested the data in a variety of ways, said the experts — possibly by “skimming” cards — but they would have had limited options when it came to using them to withdraw cash.
For one thing, they would have to pick a country that still uses magnetic stripe card technology, not the newer and more secure “chip and PIN” system, which would have ruled out South Africa itself.
“If they would have gone to any of the surrounding countries, they would risk detection (and blocking) by Standard Bank’s fraud analytics software”, which would consider any transaction in such countries to be high risk, the banking security consultant said.
The same risk assessment would have ruled out most other African countries, Eastern Europe, the Middle East, Central Asia and Russia, the consultant added.
Japan, meanwhile, is considered low-risk because of its low crime rates and because most of its banks do not accept foreign cards in their ATMs, the experts said.
Japan has long been ignored by criminal gangs and cybercrime groups because of its relative isolation. But that is changing, say specialists, and the country has yet to catch up.
“They are less experienced in dealing with these frauds and are behind in terms of monitoring, detection and response,” said Stephen McCombie, an Asia-Pacific cybercrime specialist at RSA, the security division of data storage firm EMC.
Last year hackers broke into Japan’s pension system and leaked more than 1 million cases of personal data.