Thursday, November 12, 2009

$9 Million ATM heist

Hackers from Eastern Europe were indicted for allegedly breaking into the computer network of RBS WorldPay, an Atlanta-based credit card processing subsidiary of the Royal Bank of Scotland (RBS), and withdrawing $9.4 million dollars within 12 hours from 2,100 ATMS in 280 cities around the world.

According to the indictment, a pair of hackers identified vulnerabilities that let them break into RBS WorldPay’s system. The company manages payroll operations for dozens of banks and companies across the United States, and specializes in prepaid payroll cards -- a type of debit card that employers pay employees. Once into the system, the hackers stole card numbers and PIN codes. Using a method they devised to reverse-engineer the encrypted PINs, the hackers created 44 prepaid payroll cards with inflated limits and usable PIN codes.

The cards were distributed to a network of "cashers." On Nov. 8, 2008, the cashers started withdrawing money from ATMs in the United States, Canada, Russia, Estonia, Italy, Hong Kong, Japan and Ukraine. The cashers were paid with 30% to 50% of the proceeds.

RBS WorldPay later announced that financial account information of 1.5 million customers and the social security numbers of 1.1 million individuals may have been accessed by the ring.

See, “Four hackers indicted in $9.4 million ATM heist,” Christian Science Monitor, November 10, 2009, at; “ATM hacking ring garnered millions,” Globe and Mail, November 11, 2009, at; B. Sterling, “The bank-card hackers and their army of cashers,” Wired, November 10, 2009, at; "RBS credit card fraud gang 'stole $9m in 12 hours'," Telegraph, November 11, 2009, at