Wednesday, February 4, 2009

More ($9 million) on the RBS Breach (Video)

Below you'll  find a fascinating story by John Deutzman with Fox NY regarding the recent RBS WorldPay breach.  Didn't hear of it?  That's probably because they issued their press release concerning the breach during the busy Christmas season, December 23rd. 

To read about what I thought about it then, visit "Mother of All Hacks Coming?  from December 24th.

This incident happened after midnight on November 8th.  Now...I know how they got the PINs, (here's a hint, you're on candid camera), so the most intriguing part of this story, at least in my opinion, is the fact that the hackers were able to lift the daily limits on the cards, providing a larger payday. That's the coup de' tat. 

The coordination and scope of this effort is also amazing even causing the FBI to make comments to that effect.  130 different ATM machines in 49 cities with 100 cards in 30 minutes. 

As the story goes, no suspects, only mule drivers, but I think Clive Owens is going to be the guy behind it when they do the movie.  Speaking of movies, watch the video on the right if you have the time.


Reported by John Deutzman


A Fox 5  investigation   exposes a  worldwide ATM  scam that  swindled $9  million and  possibly  jeopardized sensitive information from  people around  the world. Law enforcement sources  told Fox 5 it's   one of the most frightening  well-coordinated heists   they've ever seen. (Watch video report at right.) 

Photos from security video obtained by Fox 5 show of  a small piece of a huge scam that took place all in one  day in a matter of hours. According to the FBI,   ATMs from 49 cities were hit -- including Atlanta, Chicago, New York, Montreal, Moscow and Hong Kong.


"We've seen similar attempts to defraud a bank through ATM machines but not, not anywhere near the scale we have here," FBI Agent Ross Rice told Fox 5.

These people in the photos are believed to be "cashers," low-level players, in a scheme devised from some mastermind -- a dangerous computer hacker or hacking ring authorities fear could strike again. Here's how it all came down, according to information Fox obtained from the FBI and law enforcement sources:

The computer system for a company called RBS WorldPay was hacked. One service of the company is the ability for employers to pay employees with the money going directly to a card, called payroll cards, a lot like a debit card that can be used in any ATM. The hacker was able to infiltrate the supposedly secure system and steal the information necessary to duplicate or clone people's ATM cards.

"We've never seen one this well coordinated," the FBI said.

Then shortly after midnight Eastern Time on November 8, the FBI believes that dozens of the so-called cashers were used in a coordinated attack of ATM machines around the world. "Over 130 different ATM machines in 49 cities worldwide were accessed in a 30-minute period on November 8," Agents Rice said. "So you can get an idea of the number of people involved in this and the scope of the operation."

Here is the amazing part: With these cashers ready to do their dirty work around the world, the hacker somehow had the ability to lift those limits we all have on our ATM cards. For example, I'm only allowed to take out $500 a day, but the cashers were able to cash once, twice, three times over and over again.

When it was all over, they only used 100 cards but they ripped off $9 million.
The RBS Web site says that card holders will not be responsible for any unauthorized transactions. But there is fear that the hackers might have had access to sensitive information used in identity theft for a potential 1.5 million customers -- including their including Social Security numbers.

"The number of machines that were accessed, the number of cities that were targeted, and the number of people that had to be involved in this is quite significant," Agent Rice said.

Investigators are hoping a break in the case may come from one of the cashers. The theory is they probably were recruited, paid a small fee to be solders in the scam, and might be likely to rat out the people who hired them.

There are millions of people out there these days with these payroll cards. RBS officials say they have sent out letters to anyone who might have been affected. They are also offering one-year credit protection for people whose Social Security number may have been jeopardized by this scam. However, the good news is that it doesn't look like any identity theft has occurred yet.

So far, the FBI has no suspects and has made no arrests in this scam. An attorney in Atlanta has filed a class-action lawsuit against RBS WorldPay for allegedly failing to protect personal information.

RBS WorldPay told Fox 5 the company has hired a security firm to try to figure out what happened and to prevent it from happening again.

VIEW DOCUMENTS:

Disqus for ePayment News