Highlights
– Hackers penetrated a server at payment processor RBS WorldPay in November 2008 and stole personal information of customers
– A highly coordinated ring of criminals used fake ATM cards to withdraw cash from 130 ATMs in 49 cities around the globe
– Many similar breaches of financial data systems and ATM fraud schemes in the past several years highlight the need from a new approach to securing financial data systems
A news report released on February 4, 2009 detailed a global automatic teller machine (ATM) scam that netted the scam’s leaders and low-level participants over US$9 million. On December 23, 2009, Atlanta, Georgia based payment processor RBS WorldPay announced that in November 2008, a hacker had penetrated a server at the company and stolen personal information of approximately 1.5 million of its customers along with approximately 1.1 million Social Security numbers. The hackers then used this information to clone 100 payroll debit cards – which companies use to pay employees wages – and then were able to get these card into the hands of an unknown number of low level “cashiers” – individuals who visit the ATMs to withdrawal the cash – all over the world. Just after midnight on November 8, 2009, the “cashiers” went to work, and over a 10-hour period withdrew over US$9 million from 130 ATMs in 49 cities around the globe. ATM machines were struck in Atlanta, Chicago, New York, Montreal, Moscow and Hong Kong. The hackers were able to byass the withdrawal limits on the cloned cards which allowed the “cashiers” to withdrawal $500 during each transaction.
An FBI spokesman at the Chicago field office stated that six to eight individuals were participants in the crime spree in the Chicago area. The spokesman also stated that level of coordination and the high degree of sophistication made this particular scam unlike any other he had seen. An assistant computer science professor at the University of Illinois at Chicago who specializes in computer security stated that, “there is a huge economy of attackers that are planning these.”
The news of successful data breaches which result in several million dollar losses to financial sector companies is likely to spur more skilled hackers into attempting similar crimes. In addition, as the financial crisis takes a toll on the budgets of financial sector companies, the likely result will be cutbacks in spending on information technology (IT) security that is paramount for companies who need to improve their cyber defenses to fend off hackers. In the near to mid-term, we expect to see more headlines detailing multimillion dollar digital heists by hackers, which will result in customers feeling vulnerable and angry, and politicians calling for more regulations and accountability.
Many Financial Data Systems Have Recently Been Breached
Over the past several years, computer systems and networks at financial companies have been the target of some widespread and successful breaches by hackers that have caused the companies multimillion-dollar losses.
• In January 2009, Heartland Payment Systems, the fifth largest payment processor in the United States, disclosed it had fallen victim to hackers in December 2008, exposing an undetermined number of consumers to potential fraud. The hackers were able to gain access to customers’ personal information and credit card numbers.
• In January 2008, a criminal ATM scam started to unravel after two alleged “cashiers” were arrested following a lucky traffic stop, which caught them with blank cards and a mag-stripe writer in their car. The two men were among a total of five individuals arrested in connection with a successful breach of an ATM processing server at Citibank. Subsequent scams of ATM machines resulted in approximately US $2 million in fraudulent withdrawals over the course of the year.
• In September 2008, Calgary-based financial services company Direct Cash Management fell victim to a US$1.7 million scheme that was effected by hackers who penetrated the company’s computer systems and increased the cash limits on prepaid debit cards that two co-conspirators had legitimately purchased.
• In late 2007, payment card company iWire lost over US$5 million in a two day time period, after four iWire payroll cards were hit with more than 9,000 actual and attempted withdrawals from ATM machines around the world.
A New Approach Is Needed
With the potential for hackers and their criminal associates to make several million dollars in ATM scams, financial companies must start taking a new approach to securing their financial data systems lest they lose more money and their customer’s personal information in the near future. Not only do these companies stand to lose the trust and business of their customers if their information is stolen and bank accounts drained, they also stand to lose millions more in lawsuits like the recently filed class action suit against RBS Worldpay.
The rash of ATM schemes highlights how big a target ATM machines have become as more of these machines are deployed around the world to make banking more convenient for consumers. In the near to medium-term, we expect more banks to fall victim to hackers who will use stolen information about banking customers for financial gain because the software and hardware designed to operate and protect the banks’ data systems are either poorly designed or not proactively audited and updated for security flaws.