New Arrests in $45 Million ATM Cash-Out

Experts Warn of More Schemes on the Horizon

Federal investigators announced five more arrests this week in connection with a $45 million ATM cash-out and prepaid card fraud scheme that came to light this summer (see Detangling the $45 Million Cyberheist).

Earlier, eight others were charged for the roles they allegedly played in this massive cyberheist that drained millions from bank accounts throughout the world within a matter of hours, federal prosecutors say.

Despite the arrests in this case, banking institutions can soon expect bigger and more sophisticated ATM cash-out schemes linked to prepaid cards, says Chuck Somers, vice president of ATM security and systems at Diebold Inc., one of the world's largest ATM manufacturers. That's because fraudsters' inside knowledge of banking systems and payments processes has made pulling off these types of global attacks far too easy, he contends.

In June, federal authorities charged eight suspects in another major ATM cash-out and cybercrime scheme that involved online account takeovers and prepaid card compromises. "This trend is of grave concern," says financial fraud expert Shirley Inscoe, an analyst with Aite, an industry consultancy and research firm. "The risk-reward picture is very attractive to those who are inclined to steal from others for their own personal gain" (see Another Huge Cash-Out Scheme Revealed).

Mike Urban, director of financial crime portfolio management for financial services firm Fiserv, says the industry will continually fight an uphill battle. "This further demonstrates the distributed nature of these attacks," Urban says. "The ongoing lesson is all entities in the financial services ecosystem need to proactively defend against ongoing attacks. This particular breach [method] has appeared several times [that we know of] over the last five years. Event monitoring, from the firewall to the ATM, would have triggered actions to prevent this loss or at least reduced the impact."

New York Cell

Those arrested Nov. 18 - Anthony Diaz, Saul Franjul, Saul Genao, Jaindhi Polanco and Jose Angeley Valerio - are suspected members of a New York-based cell believed to be part of an international cybercrime organization that used sophisticated intrusion techniques to steal prepaid debit card data and then used that data to make fraudulent ATM withdrawals, according to the Department of Justice.

On Dec. 22, attackers compromised an unnamed credit card processor, which resulted in the breach of prepaid accounts managed by the National Bank of Ras Al-Khaimah PSC, also known as RAKBANK, in the Middle East, according to a Justice Department release. Then the fraudsters made more than 4,500 fraudulent ATM withdrawals, totaling $5 million, in some 20 countries with fraudulent ATM/debit cards encoded with the prepaid card numbers compromised during the processor attack.

On Feb. 19-20, 2013, hackers compromised prepaid card accounts associated with Bank Muscat, another Middle Eastern bank. Then $40 million was withdrawn from ATMs in 24 countries over a 10-hour period, authorities say.

Diaz, Franjul, Genao, Polanco and Valerio, along with the so-called ATM cashers they oversaw as part of their New York crime cell, withdrew $2.8 million from more than 140 different ATMs in New York City, investigators say. The bulk of that cash was then sent to the organizers of the attacks, they allege.

"Newly seized photographic evidence reveals that the defendants sent the lion's share of the proceeds to the organization's leaders, including $800,000 of criminal cash proceeds sent in luggage and transported to Florida by bus for delivery to a cyberheist organizer," according to a statement from the U.S. Attorney's Office for the Eastern District of New York.

Arrests Scrape the Surface

Commenting on the latest arrests, Diebold's Somers says: "It looks like these people were on the lowest end of the chain - the ones who were actually at the machines making the withdrawals. Those are always the ones who are most likely to be caught, while the real masterminds - the ones that hacked into the back-end systems and knew how the transactions flowed - remain out there."

But Gartner analyst Avivah Litan, a fraud expert, says these new arrests prove law enforcement is improving its ability to connect the fraud dots.