Sunday, February 8, 2009

Data Breach Led to Multi-Million Dollar ATM Heists - - 05 Feb 09

A nationwide ATM heist late last year netted thieves $9 million in cash in one day, according to published reports. The coordinated attack stemmed from a computer intrusion at payment processor RBS WorldPay.

Atlanta-based RBS WorldPay announced on Dec. 23 that hackers had broken into its database and made off with personal and financial data on 1.5 million customers of its payroll cards business. Some companies use payroll cards in lieu of paychecks by depositing employee salaries or hourly wages directly into payroll card accounts, which can then be used as debit cards at ATMs. RBS said that thieves also might also have accessed Social Security numbers of 1.1 million customers.

New York's Fox 5 cites FBI sources as saying that thieves used the stolen payroll cards recently to withdraw $9 million from ATMs from 49 cities, including Atlanta, Chicago, New York, Montreal, Moscow, and Hong Kong.

Steve Lazarus, a spokesman for the FBI's Atlanta field office, said the withdrawals were carried out by a small army of so-called "cashers," or people who work with cyber thieves and fabricated cards to pull money out of compromised accounts.

From the Fox piece:

"Shortly after midnight Eastern Time on November 8, the FBI believes that dozens of the so-called cashers were used in a coordinated attack of ATM machines around the world."

"This was a well-coordinated attack by some pretty computer and network savvy people, even at the lowest levels of cashers taking cloned cards to ATMs," Lazarus said.

Lazarus declined to confirm the $9 million figure, but said the amount stolen was indeed "a very substantial amount" over a short period of time in early November.

"This was a nationwide coordinated effort, and there were certain aspects of it that were international as well," Lazarus said. "People are out there attacking computers every day. But what sets this one apart is the scope, timing and coordination of the attack."

One interesting aspect of this attack is that while the attackers evidently had access to more than a million RBS customer accounts, they were able to haul the loot by repeatedly refueling only 100 payroll cards, Fox News reports.

Sources close to the investigation told Security Fix that the criminals used fake payroll deposits to artificially inflate the amount of money on the cards, money that was then drained at ATMs and subsequently replenished with additional bogus payroll deposits.

News of the complex ATM heist was little surprise to Ori Eisen, founder of 41st Parameter, a company that consults with banks and retailers to help staunch fraud losses. Eisen said he recently heard from three different clients in the banking sector who told him that some $50 million was lost to ATM fraud in New York City alone over the course of one month last year.

"ATM fraud is spiking," Eisen said. "For New York financial institutions alone to have $50 million in ATM fraud in one month...that's incredible. The thieves are getting a lot more money from the ATMs now than they used to."

By Brian Krebs

No comments: