Saturday, November 14, 2009

Electronic Bank Heist

The following post is based on an article in the Wall Street Journal titled "Hackers Indicted in Widespread ATM Heist," printed Wednesday, November 11, 2009. The article was written by Siobhan Gorman and Evan Perez.

FBI officials are currently cooperating with Royal Bank of Scotland in the ongoing investigation of what prosecutors in Atlanta, Georgia described as one of the "most brazen and damaging electronic-bank heists disclosed to date." The U.S. Justice Department has indicated eight Russian and Eastern European computer hackers broke into ATMs in hundreds of cities worldwide and stole $9 million in a matter of hours. This is a prime example of the booming online theft from financial institutions, in which more money is now stolen electronically or in data breaches than through bank robberies.

Preparation for the heist began November 4, 2008, when the four hacker ring leaders broke into RBS WorldPay's computer network from a location outside the United States. The article states that "the alleged hackers targeted payroll debit cards that companies issue employees for withdrawing their salaries," and then tried to destroy the data on the systems in order to cover up the break-in. Once the hackers were in the system, they boosted the maximum allowed withdrawal. The thieves distributed approximately 44 prepaid payroll card numbers and personal identification numbers to their network of "cashers". On November 8, 2008, they signaled to their "cashers" to begin withdrawing money, and over the next 12 hours more than $9 million disappeared from accounts in 280 cities from Atlanta to Hong Kong. "Cashers" kept half the cash and sent the rest back to their ring leaders. The losses could have been much greater if a larger network was assembled by the accomplices, but some of the ATMs ran out of money.

RBS detected the breach on Nov. 10, 2008, and disclosed it publicly on Dec. 23, acknowledging that the data of 1.5 million cardholders was compromised and that 1.1 million social security numbers may also have been compromised. The indictment, however, makes no mention of the social security numbers possibly compromised. Prosecutors in Atlanta announced indictments Tuesday, November 10, 2009. Four conspirators were charged with 16 counts that ranged from fraud to aggravated identity theft. Currently, only one of the men accused has been arrested and is awaiting trial, while the others are thought to be at large. The Royal Bank of Scotland ensured that its customers were reimbursed for stolen funds.

The RBS hackers are one of two major cyber gangs law enforcement officials have been targeting in recent years because of their secular capabilities. The second is the group responsible for the online attacks on TJX. A United States Attorney called the RBS hackers "one of the most sophisticated computer hacking rings in the world." As evidence of this, the RBS group worked together from different parts of the country, sharing expertise and techniques even though they had never met each other. Another example of their ability is shown by one of the RBS hackers' Russian ring leaders, who used a technique that manipulated the data and "developed a method used to reverse-engineer personal identification numbers from encrypted data on the network of RBS WorldPay." Today, a lawsuit against RBS WorldPay is still pending, alleging that the company failed to adequately protect customer data. But how can companies "adequately" protect data and prevent this from happening? It seems extremely difficult, almost impossible, to prevent these highly intelligent and well-organized hacking crimes.
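One detection angle on the cash-out pattern described above, as an added example that is not from the article or from RBS: flag any card used in more cities than a threshold within a 12-hour window, or withdrawing more than its previous limit allowed. The log format, thresholds, card names, amounts and the `old_limits` input are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=12)  # the cash-out in the post ran about 12 hours
MAX_CITIES = 2                # assumed threshold: cities per card per window

# Constructed sample log (not real data): timestamp,card,city,amount
SAMPLE = [
    "2008-11-08T01:00:00,card-A,Atlanta,500",
    "2008-11-08T01:20:00,card-A,Hong Kong,500",
    "2008-11-08T02:05:00,card-A,Chicago,500",
    "2008-11-08T09:00:00,card-B,Atlanta,60",
    "2008-11-09T18:00:00,card-B,Atlanta,40",
    "2008-11-08T03:00:00,card-C,Atlanta,200",
    "2008-11-10T03:00:00,card-C,Chicago,200",
    "2008-11-12T03:00:00,card-C,Montreal,200",
]

def parse(line):
    """Split one constructed log record into typed fields."""
    ts, card, city, amount = line.strip().split(",")
    return datetime.fromisoformat(ts), card, city, float(amount)

def flag_cards(lines, old_limits=None):
    """Return {card: [reasons]} for cards matching the cash-out pattern.

    old_limits (hypothetical input): per-withdrawal limit each card had
    before its most recent limit change.
    """
    old_limits = old_limits or {}
    by_card = defaultdict(list)
    for rec in map(parse, lines):
        by_card[rec[1]].append(rec)
    flagged = {}
    for card, recs in by_card.items():
        recs.sort()  # chronological order
        reasons, start = set(), 0
        for end in range(len(recs)):
            # Slide the window start forward until it spans <= WINDOW.
            while recs[end][0] - recs[start][0] > WINDOW:
                start += 1
            if len({r[2] for r in recs[start:end + 1]}) > MAX_CITIES:
                reasons.add("multi_city_burst")
        if any(r[3] > old_limits.get(card, float("inf")) for r in recs):
            reasons.add("over_previous_limit")
        if reasons:
            flagged[card] = sorted(reasons)
    return flagged
```

In the sample, card-C also touches three cities but over several days, so only card-A trips the window check.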



3 comments:

  1. I think the most intelligent part of this was how they coordinated everyone to start withdrawing money at the same time and got huge amounts quickly from many different cities. That way, they already had a ton of money when the breach was discovered.

    I agree that it is so difficult to adequately protect against such intelligent and well organized world crime rings. It will be interesting to see the results of the lawsuit to find out whether the courts agree that the company is trying hard but that sometimes breaches do occur.
  2. Did the article say how many individuals are believed to be involved in this heist? I realize that law enforcement prosecutes a group of hackers cumulatively known as RBS, but do they actually know the individuals who make up that group? In the TJX case it seemed like these "rings" of hackers would not have to even necessarily meet in order to share information and coordinate efforts to hack into a system.
  3. Reading articles such as this makes me wonder what the future holds. As time progresses, people lean further and further toward technology. The more technology advances, the weaker our security becomes. If someone from a country on the other side of the world can hit millions of accounts in a matter of hours, what is preventing them from hitting every bank in the world and ending every account? My answer is time.