KUALA LUMPUR: A Latin American gang exploited flaws in the authentication process to hack into at least 14 automated teller machines (ATM) in Selangor, Johor and Malacca and got away with almost RM3mil.
The ATMs hit over the past week were those at the branches of the Affin Bank, Al Rajhi Bank and Bank Islam but individual accounts of the banks were not breached.
The thieves are believed to have cloned bank credentials into Europay-Mastercard-Visa (EMV) chips on subscriber identification module (SIM) cards and reprogrammed them with a malware (malicious software).
It is learnt that the group targeted ATMs using old operating systems.
According to a cyber security expert, the malware “tricks” the ATM into allowing the transaction.
“By bypassing the authentication, they can withdraw any amount of cash,” said the expert.
He said that while the method of programming EMV chips was available online, the equipment needed was hard to come by.
“The gang would also need to know the inner workings of the banks involved,” he said.
Malaysia was the first country in the region to migrate to EMV chip-based cards in response to the widespread counterfeiting of magnetic strip credit cards in early 2000.
A recent paper presented by five Cambridge University professors highlighted weaknesses in the protocol and random number generation of the chips, exposing card users to skimming risks.
After the spate of ATM thefts were reported yesterday, police launched a special operation to track down the culprits.
A special squad comprising officers from Bukit Aman and state contingents have been deployed under Ops Godam ATM.
Federal police Commercial Crimes Investigation Department deputy director (Cyber and Multimedia Crimes) SAC Mohd Kamarudin Md Din said the gang members were still believed to be in the country.
A Selangor Commercial Crime Investigation Department spokesman described the heists as “highly professional” and something the force had never seen before.
He said police have retrieved one of the SIM cards used by the suspects from an ATM in Subang Jaya and have sent it for investigation.
Closed-circuit television (CCTV) footage from the Petaling Jaya and Subang Jaya robberies showed two Latin American men taking turns to enter the banks and withdraw money by inserting the SIM cards into the machines’ slot.
Affin Bank Bhd and Affin Islamic Bank Bhd reassured customers that their accounts had not been compromised.
“We are cooperating with the police and have put in additional control measures for ATMs at branches and off-site locations,” the banks said in a joint statement.