Thursday, November 12, 2009

$9 Million ATM heist

Hackers from Eastern Europe were indicted for allegedly breaking into the computer network of RBS WorldPay, an Atlanta-based credit card processing subsidiary of the Royal Bank of Scotland (RBS), and withdrawing $9.4 million within 12 hours from 2,100 ATMs in 280 cities around the world.

According to the indictment, a pair of hackers identified vulnerabilities that let them break into RBS WorldPay’s system. The company manages payroll operations for dozens of banks and companies across the United States, and specializes in prepaid payroll cards -- a type of debit card that employers use to pay employees. Once into the system, the hackers stole card numbers and PIN codes. Using a method they devised to reverse-engineer the encrypted PINs, the hackers created 44 prepaid payroll cards with inflated limits and usable PIN codes.

The cards were distributed to a network of "cashers." On Nov. 8, 2008, the cashers started withdrawing money from ATMs in the United States, Canada, Russia, Estonia, Italy, Hong Kong, Japan and Ukraine. The cashers were paid with 30% to 50% of the proceeds.

RBS WorldPay later announced that financial account information of 1.5 million customers and the social security numbers of 1.1 million individuals may have been accessed by the ring.

See, “Four hackers indicted in $9.4 million ATM heist,” Christian Science Monitor, November 10, 2009, at; “ATM hacking ring garnered millions,” Globe and Mail, November 11, 2009, at; B. Sterling, “The bank-card hackers and their army of cashers,” Wired, November 10, 2009, at; "RBS credit card fraud gang 'stole $9m in 12 hours'," Telegraph, November 11, 2009, at

Friday, October 16, 2009

Sidekick falls through the Cloud

In what is being described as the largest failing of "cloud computing" to date, about 1 million US owners of the T-Mobile Sidekick lost data stored on their mobile phones due to a back-up failure. A Microsoft subsidiary, Danger, operates the Sidekick data service.

T-Mobile and Microsoft announced that customers whose data could not be recovered will receive a $100 gift card in addition to one month data service credit. T-Mobile also temporarily halted sales of the Sidekick.

Microsoft later announced that all data will be restored, beginning with personal contacts. According to the company, the outage was caused by a system failure that created data loss in the core database and the backup. Microsoft says it has installed a "more resilient back-up process" to safeguard against a repeat incident.

See, "Phone sales hit by Sidekick loss," BBC News, October 12, 2009, at; "T-Mobile to Update Sidekick Users on Data Loss," San Francisco Chronicle, October 12, 2009, at; "T-Mobile, Microsoft Promise $100 Gift Card For Lost Data," Information Week, October 13, 2009, at; "Microsoft recovers Sidekick data," BBC News, October 15, 2009, at; "Danger Debacle Highlights Microsoft's Dilemma With Mobile," Wall St. Journal, October 15, 2009, at

Wednesday, August 26, 2009

Model Outs Blogger

In an online defamation case, a Manhattan supreme court judge allowed Vogue cover girl Liskula Cohen to compel Google to identify an anonymous blogger who called her a “psychotic, lying, whoring ... skank." The judge rejected the blogger’s claim that the blogs “serve as a modern-day forum for conveying personal opinions, including invective and ranting,” and should not be treated as factual assertions.

Rosemary Port, who was then outed, sued Google -- which operates the blog, "Skanks in NYC" -- for failing to protect her right to privacy.

See, “Vogue model Liskula Cohen wins right to unmask offensive blogger,” Times, August 19, 2009, at; “Google lawsuit dispels the Web’s oldest tradition: anonymity,” Christian Science Monitor, August 20, 2009, at; “Unmasked Google blogger to sue over privacy breach,” Times, August 24, 2009, at; “Model Liskula Cohen still not getting apology from blogger Rosemary Port,” New York Daily News, August 26, 2009, at; “Stung by the Perfect Sting,” New York Times, August 25, 2009, at

Monday, August 17, 2009

Charges brought in largest hacking and identity theft case

Three men were indicted on federal charges in the largest computer hacking and identity theft case ever charged in the U.S. The defendants allegedly hacked into computer networks of major U.S. retail and financial organizations -- using a standard (and preventable) SQL injection attack that exploits a database when user input is not properly filtered -- and stole data related to more than 130 million credit and debit cards.

Albert Gonzalez, of Miami, along with two unnamed Russians, stands accused of hacking into Heartland Payment Systems, 7-Eleven, and Hannaford Bros. The stolen data was sent to computer servers that Gonzalez and his co-conspirators operated in California, Illinois, Latvia, the Netherlands, and Ukraine.

The hackers were also allegedly involved in the cracking of a Citibank-branded ATM network located in 7-Eleven stores. The group penetrated a network linking 2,200 ATMs (by breaching a back-end system that had been outsourced by 7-Eleven) and stole card and PIN codes, using them to steal about $2 million in cash from Citibank ATMs. They also compromised prepaid iWire cards and withdrew about $5 million, which was sent to Russia.

Gonzalez is currently awaiting trial on charges that he and others allegedly also stole more than 40 million credit-card numbers from TJX and others, costing TJX $200 million.

According to the Justice Department, Gonzalez had been arrested in 2003, but not charged because he agreed to become an informant for the Secret Service.

See, "Three Indicted in Major Hacking Case," Wall St. Journal, August 17, 2009, at; "U.S. Indicts 3 in Theft of 130 Million Bank Cards," New York Times, August 17, 2009, at; "Arrest in Epic Cyber Swindle," Wall St. Journal, August 18, 2009, at; "Hacker Indictments Highlight Application Security," InformationWeek, August 18, 2009, at; "Cyber-thieves linked to Citibank ATM breach," Financial Times, August 24, 2009, at

Saturday, August 1, 2009

Most damaging hacker to be extradited to the US

A UK court has approved the extradition to the US of Gary McKinnon, who admits hacking into 97 computers belonging to the US Defence Department, Navy, Army, Air Force and after September 11, 2001. McKinnon is claimed to be the most prolific and damaging computer hacker in US military history. One message he allegedly left on a Pentagon computer stated, “U.S. foreign policy is akin to government-sponsored terrorism. I will continue to disrupt at the highest possible level.”

McKinnon and his family say his actions were influenced by Asperger’s syndrome, a form of autism. McKinnon, admitting the charges, says that rather than harming the United States, his goal was to expose evidence that "secretive parts of the American government intelligence agencies did have access to crashed extra terrestrial technology which could… save us as a form of free, clean, pollution-free energy." But prosecutors seeking his extradition have said his actions were not benign and that the diagnosis was made long after the computer hacking occurred and the case against him was under way.

See, "Hacker’s Extradition to U.S. More Likely," New York Times, July 31, 2009, at; "Autistic Genius Hacked Military Computers in Search of Alien Eco Tech," CBS News, July 31, 2009, at; "New legal blow for hacker fighting extradition to US," Independent, August 1, 2009, at

Friday, July 17, 2009

Stolen Goldman Sachs code could be used to manipulate markets unfairly

A former Goldman Sachs computer programmer, Sergey Aleynikov, was arrested and charged with stealing computer code related to the firm's high-speed stock and commodities trading platform. Federal prosecutors allege Aleynikov downloaded the code and then uploaded it to a computer server in Germany. Aleynikov claims he "only intended to collect 'open source' files on which he had worked, but later realized that he had obtained more files than he intended."

Aleynikov was part of a team responsible for developing and improving Goldman Sachs's trading platform. He was required to sign a confidentiality agreement when first employed there. He resigned from the firm to work for a new company that also planned to engage in high-volume automated trading.

Assistant U.S. Attorney Joseph Facciponti told a federal magistrate judge at a bail hearing that Goldman Sachs "has raised the possibility that there is a danger that somebody who knew how to use this program could use it to manipulate markets in unfair ways."

See, "Ex-Goldman Employee Charged With Code Theft," Wall St. Journal, July 6, 2009, at; "Goldman Sachs Loses Grip on Its Doomsday Machine," Bloomberg, July 9, 2009, at; "Steal this code," New York Times, July 16, 2009, at

Quadrillion dollar glitches hit Visa debit card users

A New Hampshire man using his Visa debit card at a gas station to buy a pack of cigarettes found that his account was charged $23,148,855,308,184,500 for the transaction. Bank of America also added a $15 overdraft charge.

A North Texas man was charged the same amount when he put a slice of pizza and a Coke on his Visa card.

Visa Debit Processing Services acknowledged that a programming error impacted about 13,000 transactions.

See, "US shopper charged $23 quadrillion for cigarettes," Guardian, July 16, 2009, at; "The $23 Quadrillion Pack Of Cigarettes," DigitalTrends, July 16, 2009, at; "Pizza And Soda? That'll Be $23 Quadrillion, Please," NPR, July 15, 2009,