The US payment processing arm of the Royal
Bank of Scotland (RBS), RBS WorldPay, announced a data breach on 23
December 2008 which sent jitters across the banking world. The bank
revealed that a co-ordinated attack had occurred on 130 of its ATM
machines in 49 cities across the world, which netted a criminal
gang a staggering $9 million.

RBS WorldPay identified the heist two days
after the event on 10 November, but waited before it made formal
announcements. It says that internal security experts, computer
security firms and the Federal Bureau of Investigation (FBI) are
now working together on catching those involved in the crime.

It was revealed that the withdrawals had taken
place within a 30-minute period using approximately 100 cloned
prepaid payroll cards. RBS WorldPay admits that 1.5 million
cardholders may have had their information (including PINs) stolen,
and that social security numbers of 1.1 million US citizens may
also have been compromised. RBS WorldPay is offering those affected
by the breach a year’s free subscription to a credit monitoring
service to help them keep an eye on any unauthorised activity on
their accounts.

To mitigate the risk, affected customers are
being informed of the break-in and told to change their PINs.
Unsold gift cards at shops which may also have been cloned are
being deactivated – although those that have already been purchased
by customers will remain valid, say bank sources.

Angry customers file

Meanwhile, RBS WorldPay is being
sued in a multi-million dollar class action lawsuit by angry
customers who are claiming negligence because RBS WorldPay waited
43 days to tell them about the breach, saying it put their money at
further risk. Officials have said that the liability for any
fraudulent activity will lie with the bank and customers will be
fully reimbursed.

Experts say that the damage caused could have
potentially been a lot greater, had more of the infringed accounts
been exploited. It seems that the hackers not only stole sensitive
data from RBS WorldPay’s computer system to manufacture cloned
cards with valid magnetic stripe information, but they were also
able to manipulate the withdrawal limits on each abused card.
Low-level gang members were then mobilised to withdraw the

Given the amount of money stolen in the
relatively limited time period, it is also being considered that
the same cards were cloned several times over and simultaneously
used at multiple locations.
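The pattern described above (one card number active in several places inside a short window, with withdrawals beyond its limit) is something a monitoring job can flag from authorisation records. The following is an added example, not part of the original article: the record format, card tokens, city labels and the 500.00 limit are assumptions, and the limit is deliberately held by the monitor rather than read from the authorisation system, since the article reports that the limits themselves were manipulated.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from decimal import Decimal

WINDOW = timedelta(minutes=30)   # the article reports withdrawals within a 30-minute period
LIMIT = Decimal("500.00")        # assumed per-card limit, kept independently by the monitor

# Constructed sample records: ISO timestamp, card token, ATM city, amount
SAMPLE_LOG = """\
2024-01-01T00:01:00,card-A,city-01,400.00
2024-01-01T00:04:00,card-A,city-02,500.00
2024-01-01T00:09:00,card-A,city-03,500.00
2024-01-01T00:05:00,card-B,city-01,200.00
2024-01-01T00:20:00,card-B,city-01,400.00
2024-01-01T00:10:00,card-C,city-04,100.00
2024-01-01T02:10:00,card-C,city-05,100.00
"""

def parse_log(text):
    """Parse CSV records into (timestamp, card, city, amount), ordered by time."""
    events = []
    for line in text.strip().splitlines():
        ts, card, city, amount = line.split(",")
        events.append((datetime.fromisoformat(ts), card, city, Decimal(amount)))
    return sorted(events)

def detect(events, window=WINDOW, limit=LIMIT):
    """Return {card: set of alert names} using a per-card sliding time window."""
    recent = defaultdict(deque)   # card -> withdrawals still inside the window
    alerts = defaultdict(set)
    for ts, card, city, amount in events:
        q = recent[card]
        q.append((ts, city, amount))
        while ts - q[0][0] > window:      # drop withdrawals older than the window
            q.popleft()
        # One physical card cannot be in two cities inside the window.
        if len({c for _, c, _ in q}) > 1:
            alerts[card].add("multi-location")
        # Cumulative cash in the window exceeds the independently stored limit.
        if sum(a for _, _, a in q) > limit:
            alerts[card].add("over-limit")
    return dict(alerts)

if __name__ == "__main__":
    print(detect(parse_log(SAMPLE_LOG)))
```
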

Experts also fear that criminals may have
temporarily taken over control of the authorisation of the
transactions. It is not clear whether the fraudsters were able to
raise transaction limits during the usage of the cloned cards, or
if the removal of the maximum withdrawal limits was

Scale and sophistication of

This is a significant security
breach because of its scale and sophistication, say experts who
think that the amount stolen is rarely even seen in computer-based
frauds. The incident shows that organised crime rings are prepared
to invest a tremendous amount of time and effort thinking up new
attack techniques to overcome what are very advanced banking
defence and detection systems.

Douglas Russell, head of DFR Risk Management,
a UK-based ATM security consultancy, told CI: “If reports
of the losses being in the region of $9 million are correct, it is
a very significant blitz of the financial system.

“In this particular attack, the ATM was not
the actual point of compromise but rather the channel by which the
criminals were able to convert their theft of data into hard cash.
Unlike many types of online fraud where credit and debit cards
are compromised, this gang was able to obtain both card and PIN
information from the system. Without the PIN, the criminals would
have had to somehow convert goods and services purchased with the
cloned card data into cash. In this case they were able to skip the
conversion phase and directly obtain untraceable cash.

“What is critical in preventing future attacks
is to first fully understand why this attack was successful. Once
this is known the details and related intelligence should be shared
in a confidential way with other system operators so that their
systems can be checked and tested for vulnerabilities.”

Collaborative fraud management must take
precedence in future prevention strategies, he added, saying:
“Assessing current and emerging threats in the real world, in real
time, must be made a priority and ongoing process.”