In the month of May, a series of ATMs were hacked in Kolkata, leading to a loss of Rs 2 crores. Our report published on June 2, “How hackers stole over Rs 2 cr from 10 ATMs in Kolkata”, highlighted the technical modus operandi and how the attack was technically feasible. This has now been vetted by the local law enforcement agencies on the basis of initial findings collected during interrogation of the mastermind. The case was exactly as we predicted.
Technical Facts: A technical report prepared after the investigation opined that it was probably a “logical ATM attack”. It further stated that this type of attack is a man-in-the-middle (MiTM) based attack.
It is further stated that such attacks basically focus on the communication between the host and the ATM PC, and fake the host response for the transactions without debiting the money from the account. It is opined that an attacker can execute this attack either by implanting malware in the network himself or by doing it externally.
In the incident at hand, it is assumed that the attackers used a hardware device connected between the ATM's PC and the dispenser, whereby the attacker would send cash dispensing commands directly to the ATM without any bank-side validation.
Now comes the critical question of the physical ATM cards required to initiate the communication in the first place, and of how to get the banking details.
We are all aware of the recent Domino's, SITA, etc. incidents, where data relating to credit/debit card details of customers was splashed in the public domain, and hence it is not very difficult to gain information/data and thereafter create a programmable ATM card. Once this is done, the attacker is ready to execute the cyber attack.
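Because the attack described above pays out cash with no matching debit at the bank host, it shows up when dispenser-side records are reconciled against host-side debits. The following is an added example, not part of the original report or of any vendor's software; the record layout, terminal names and values are constructed, and it assumes each dispense is journaled with the transaction's trace number (STAN) where one exists.

```python
"""Reconcile ATM dispense events against host-side debits (added example)."""
from collections import defaultdict

# Constructed sample records; field names are assumptions, not a vendor format.
HOST_DEBITS = [  # what the bank host authorised AND debited
    {"terminal": "ATM-01", "stan": "000101", "amount": 10000},
    {"terminal": "ATM-01", "stan": "000102", "amount": 5000},
    {"terminal": "ATM-02", "stan": "000201", "amount": 2000},
]
DISPENSES = [  # what each terminal's dispenser journal says was paid out
    {"terminal": "ATM-01", "stan": "000101", "amount": 10000},
    {"terminal": "ATM-01", "stan": "000102", "amount": 5000},
    {"terminal": "ATM-01", "stan": "000103", "amount": 40000},  # no host record
    {"terminal": "ATM-02", "stan": "000201", "amount": 20000},  # amount differs
    {"terminal": "ATM-02", "stan": None, "amount": 40000},      # no transaction
]

def unmatched_dispenses(dispenses, host_debits):
    """Return dispenses with no host debit for the same terminal, STAN, amount."""
    debited = {(d["terminal"], d["stan"]): d["amount"] for d in host_debits}
    findings = []
    for ev in dispenses:
        key = (ev["terminal"], ev["stan"])
        if ev["stan"] is None:
            reason = "dispense outside any transaction"
        elif key not in debited:
            reason = "no host debit for this transaction"
        elif debited[key] != ev["amount"]:
            reason = "dispensed amount differs from debited amount"
        else:
            continue  # dispense is backed by a host debit of the same amount
        findings.append({**ev, "reason": reason})
    return findings

def cash_shortfall(dispenses, host_debits):
    """Per terminal: cash paid out minus cash debited; non-zero needs review."""
    delta = defaultdict(int)
    for ev in dispenses:
        delta[ev["terminal"]] += ev["amount"]
    for d in host_debits:
        delta[d["terminal"]] -= d["amount"]
    return {t: v for t, v in delta.items() if v != 0}

if __name__ == "__main__":
    for f in unmatched_dispenses(DISPENSES, HOST_DEBITS):
        print(f["terminal"], f["stan"], f["amount"], f["reason"])
    print(cash_shortfall(DISPENSES, HOST_DEBITS))
```

The per-terminal shortfall is the check that still works when commands reach the dispenser directly and the ATM PC journals nothing, provided the paid-out figure comes from the dispenser or cassette counters rather than from the PC's own log.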
Techno-Legal Aspects: What is an ATM machine and how does it work?
In simple terms, the ATM is just an extension of the bank, and the ATM terminal is a sort of remote computer with a safe cash box attached to it. It is made up of the CPU (microprocessor), which carries out processing of information/data; the visual display unit (VDU), which comprises the screen and keyboard and acts as an interface with the client/customer; the currency box, which stores the cash; the cash dispenser, which dispenses the cash; and a receipt printer that produces a hard copy of the transaction that has been effected.
As per S. 2(1)(i) of the Information Technology Act, 2000, ‘computer’ is defined as any electronic, magnetic, optical or other high-speed data processing device or system which performs logical, arithmetic and memory functions by manipulations of electronic, magnetic or optical impulses, and includes all input, output, processing, storage, computer software or communication facilities which are connected or related to the computer in a computer system or computer network. Going by this definition, an ATM safely and surely comes within the purview of the definition of computer.
Now coming back to the attack on the ATMs, as a result of which money to the tune of over 2 crore was illegally withdrawn: The Times of India, in a report dated 7th of June, 2021, stated that 2 men who are allegedly the masterminds of the heist have been arrested from Surat in Gujarat, and that the other 2 men, who hosted the main gang in Kolkata, communicated with them and finally helped the main gang to withdraw the money, have also been arrested from Kolkata.
Serial Offender: The same Manoj Gupta from Delhi had been caught for an ATM scam at Kolkata in Jan 2020 (famously connected with the Romanian Gang story). At that time he used skimming devices in ATMs. Working with several clients over the last 7-8 yrs, we have come across this man’s name in almost all the corporate phishing scams since 2017. Our recommendation to Law Enforcement Agencies is to keep this man under house arrest if no law can keep him behind bars. Alternatively, one can think of hiring him to protect the BFSI segment, utilizing his skills.
A quick look at the legal recourses available for victim institution & Law Enforcement Agencies
The bank probably has multiple legal recourses available to it. It appears from the facts mentioned herein above that the attack/heist was a result of adept planning and execution. Although four people seem to have been arrested as per the information available in the public domain, the involvement of more people cannot be ruled out at this stage.
Hence there is surely substance to analyse the involvement of a common intention with an angle of criminal conspiracy together with the able assistance and help from the local members of the gang. There is also an indication of theft of money from the ATM for which appropriate provisions of the Indian Penal Code could be applied.
The act of the perpetrators in tricking the ATM machine by mimicking a genuine ATM transaction by using complex techniques that have been mentioned in the technical report, thereby unauthorizedly accessing the ATM machine by probably using fake credentials, and withdrawing currency from the ATM, amounts to serious offences enshrined under Chapter XI of the Information Technology Act, 2000.
It definitely requires a detailed study of the facts and circumstances to provide an in-depth legal opinion, as to the mode in which the Bank could legally proceed against the perpetrators.
Opinion Credit: Cyber Techno-Legal Team of Armantec, led by Shamsher Bahadur, Cyber Security Practice Head.
This Article has been Submitted by Armantec Solutions Pvt Ltd (www.armantecsystems.com), a Noida Based Threat Intelligence & RED Teaming Consulting Firm, with the prime focus on Cyber Frauds & Ransomware Attacks Solution.