RBS WorldPay, the US payment processing arm of the Royal Bank of Scotland (RBS), announced a data breach on 23 December 2008 that sent jitters across the banking world. It revealed that a co-ordinated attack on 130 ATMs in 49 cities around the world had netted a criminal gang a staggering $9 million.
RBS WorldPay identified the heist on 10 November, two days after it took place, but waited before making a formal announcement. It says that its internal security experts, outside computer security firms and the Federal Bureau of Investigation (FBI) are now working together to catch those involved in the crime.
The withdrawals took place within a 30-minute period using approximately 100 cloned prepaid payroll cards. RBS WorldPay admits that 1.5 million cardholders may have had their information (including PINs) stolen, and that the social security numbers of 1.1 million US citizens may also have been compromised. RBS WorldPay is offering those affected by the breach a year's free subscription to a credit monitoring service to help them keep an eye on any unauthorised activity on their accounts.
To mitigate the risk, affected customers are being notified of the break-in and told to change their PINs. Unsold gift cards in shops, which may also have been cloned, are being deactivated, although those already bought by customers remain valid, bank sources say.
Angry customers file lawsuit
Meanwhile, RBS WorldPay is being sued in a multimillion-dollar class action by angry customers who allege negligence because the company waited 43 days (from 10 November to 23 December) to tell them about the breach, which they say put their money at further risk. Officials have said that liability for any fraudulent activity will lie with the bank and that customers will be fully reimbursed.
Experts say the damage could have been far greater had more of the compromised accounts been exploited. The hackers not only stole sensitive data from RBS WorldPay's computer system to manufacture cloned cards carrying valid magnetic stripe data, but were also able to manipulate the withdrawal limits on each abused card. Low-level gang members were then mobilised to withdraw the cash.
Given the amount taken in such a short period (some $9 million through roughly 100 cards in 30 minutes, or around $90,000 per card, far beyond any normal withdrawal limit), it is also thought that the same cards were cloned several times over and used simultaneously at multiple locations.
Experts also fear that the criminals may have temporarily taken control of transaction authorisation. It is not clear whether the fraudsters raised the limits while the cloned cards were in use, or whether the removal of the maximum withdrawal limits had been arranged in advance.
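Three of the patterns described above (one card used at ATMs in several cities within minutes, total withdrawals exceeding the limit on record, and a limit increase shortly before heavy use) can be turned into simple back-office checks over authorisation records. The script below is an added example, not code from the article or from RBS WorldPay; the records, card identifiers, cities, limits and limit-change audit entries are all constructed for illustration, and the 30-minute and one-hour windows are assumed thresholds.

```python
"""Velocity and limit-tamper checks over ATM authorisation records.

Added example, not from the article or RBS WorldPay. Every record, card
identifier, city, limit and audit entry below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authorisation records: (timestamp, card_id, city, amount).
# C1 plays the cloned card cashed out in parallel; C2 is ordinary use.
RECORDS = [
    ("2008-11-08 14:02:10", "C1", "Atlanta", 2000),
    ("2008-11-08 14:05:30", "C1", "Chicago", 2000),
    ("2008-11-08 14:06:45", "C1", "Moscow", 2000),
    ("2008-11-08 14:09:00", "C1", "Hong Kong", 2000),
    ("2008-11-08 14:03:00", "C2", "Atlanta", 300),
    ("2008-11-08 18:40:00", "C2", "Atlanta", 200),
]

# Constructed: withdrawal limit on record per card, and an audit trail of
# limit changes as (card_id, new_limit, timestamp).
DAILY_LIMITS = {"C1": 500, "C2": 500}
LIMIT_CHANGES = [("C1", 20000, "2008-11-08 13:50:00")]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def multi_location_use(records, window=timedelta(minutes=30)):
    """Return {card: sorted cities} for cards used in more than one city
    inside `window`. A physical card cannot be in Atlanta and Moscow a few
    minutes apart, so this points to clones used in parallel."""
    by_card = defaultdict(list)
    for ts, card, city, _amount in records:
        by_card[card].append((parse(ts), city))
    flagged = {}
    for card, uses in by_card.items():
        uses.sort()
        for i, (t0, _c0) in enumerate(uses):
            cities = {c for t, c in uses[i:] if t - t0 <= window}
            if len(cities) > 1:
                flagged[card] = sorted(cities)
                break
    return flagged


def limit_exceeded(records, limits):
    """Return {card: total} for cards whose total withdrawals exceed the
    limit on record. Cash leaving above the configured limit means the
    limit was lifted somewhere the authoriser did not expect."""
    totals = defaultdict(int)
    for _ts, card, _city, amount in records:
        totals[card] += amount
    return {c: t for c, t in totals.items() if t > limits.get(c, 0)}


def limit_raised_before_use(records, changes, window=timedelta(hours=1)):
    """Return [(card, new_limit)] for limit increases that were followed by
    the card's first withdrawal within `window`: a limit lifted minutes
    before a cash-out is the prearranged case the article raises."""
    first_use = {}
    for ts, card, *_ in records:
        t = parse(ts)
        first_use[card] = min(first_use.get(card, t), t)
    hits = []
    for card, new_limit, ts in changes:
        t = parse(ts)
        if card in first_use and timedelta(0) <= first_use[card] - t <= window:
            hits.append((card, new_limit))
    return hits


if __name__ == "__main__":
    print("multi-location:", multi_location_use(RECORDS))
    print("over limit:", limit_exceeded(RECORDS, DAILY_LIMITS))
    print("limit raised before use:", limit_raised_before_use(RECORDS, LIMIT_CHANGES))
```

In a real deployment the three checks would run on the authorisation stream rather than a batch, and the limit-change audit would come from the card management system so that a change made by an attacker with back-end access still shows up beside the withdrawals it enabled.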
Scale and sophistication of breach
This is a significant security breach because of its scale and sophistication, say experts, who note that sums of this size are rarely seen in computer-based fraud. The incident shows that organised crime rings are prepared to invest a great deal of time and effort devising new attack techniques to overcome what are very advanced banking defence and detection systems.
Douglas Russell, head of DFR Risk Management, a UK-based ATM security consultancy, told CI: “If reports of the losses being in the region of $9 million are correct, it is a very significant blitz of the financial system.
“In this particular attack, the ATM was not the actual point of compromise but rather the channel by which the criminals were able to convert their theft of data into hard cash. Unlike many types of online fraud where credit and debit cards are compromised, this gang was able to obtain both card and PIN information from the system. Without the PIN, the criminals would have had to somehow convert goods and services purchased with the cloned card data into cash. In this case they were able to skip the conversion phase and directly obtain untraceable cash.
“What is critical in preventing future attacks is to first fully understand why this attack was successful. Once this is known the details and related intelligence should be shared in a confidential way with other system operators so that their systems can be checked and tested for vulnerabilities.
Collaborative fraud management must take precedence in future prevention strategies, he added, saying: “Assessing current and emerging threats in the real world, in real time, must be made a priority and ongoing process.”