Worldpay hackers indicted
Two alleged hackers in their twenties and an unknown “Hacker 3″ have been indicted on charges of hacking into a computer network operated by the Atlanta-based credit card processing company RBS WorldPay.
The indictment alleges that the group used sophisticated hacking techniques to compromise the data encryption that was used by RBS WorldPay to protect customer data on payroll debit cards. Payroll debit cards are used by various companies to pay their employees. By using a payroll debit card, employees are able to withdraw their regular salaries from an ATM.
“..Once the encryption on the card processing system was compromised, the hacking ring allegedly raised the account limits on compromised accounts, and then provided a network of “cashers” with 44 counterfeit payroll debit cards, which were used to withdraw more than $9 million from more than 2,100 ATMs in at least 280 cities worldwide, including cities in the United States, Russia, Ukraine, Estonia, Italy, Hong Kong, Japan and Canada. The $9 million loss occurred within a span of less than 12 hours.
The hackers then allegedly sought to destroy data stored on the card processing network in order to conceal their hacking activity. The indictment alleges that the “cashers” were allowed to keep 30 to 50 percent of the stolen funds, but transmitted the bulk of those funds back to the hackers and other co-defendants . Upon discovering the unauthorized activity, RBS WorldPay immediately reported the breach.
International cooperation was a significant factor in the resolution of this case. In a joint investigation with U.S. law enforcement authorities, Estonian Central Criminal Police apprehended 4 suspects in Estonia earlier this year. Each is facing related charges in Estonia. One suspect is also in custody in Estonia and is pending extradition to the United States. Federal prosecution of the Estonian defendants has been closely coordinated with the Estonian Office of the Prosecutor General. Furthermore, cooperation between the Hong Kong Police Force and the FBI also led to a parallel investigation in Hong Kong, resulting in the identification and arrest of two individuals who were responsible for withdrawing RBS WorldPay funds from ATMs there. The Netherlands Police Agency National Crime Squad High Tech Crime Unit and the Netherlands National Public Prosecutor’s Office also provided significant assistance…”
“Last November, in just one day, an American credit card processor was hacked in perhaps the most sophisticated and organized computer fraud attack ever conducted. Today, almost exactly one year later, the leaders of this attack have been charged. This investigation has broken the back of one of the most sophisticated computer hacking rings in the world. This success would not have been possible without the efforts of the victim, and unprecedented cooperation from various law enforcement agencies worldwide,” said Acting U.S. Attorney Sally Quillian Yates of the Northern District of Georgia.
A similar breach occurred just after the RBS Worldpay breach was communicated within Heartland Payment systems, resulting in the exposure of data over 4 million cards. Suspects were arrested related to this data breach as well. Law enforcement apparently does a better and better job in the digital domain and is improving international cooperation at the same time.
Other than the direct result of criminals cloning cards and stealing money from the original card holder, which banks obviously will take as a loss, the related remediation costs are immense. Think of reissuing cards, fixing data security issues, beefing up other controls and the always difficult to measure costs of reputation loss. How much is the reputation of financial institutions nowadays anyway?
http://www.justice.gov/opa/pr/2009/November/09-crm-1212.html
http://www.v3.co.uk/vnunet/news/2234680/heartland-reveal-massive-credit
http://www.theregister.co.uk/2009/02/16/heartland_card_fraud_arrest/
http://voices.washingtonpost.com/securityfix/2009/01/payment_processor_breach_may_b.html
