Data Breach Led to Multi-Million Dollar ATM Heists

A nationwide ATM heist late last year netted thieves $9 million in cash in one day, according to published reports. The coordinated attack stemmed from a computer intrusion at payment processor RBS WorldPay.

Atlanta-based RBS WorldPay announced on Dec. 23 that hackers had broken into its database and made off with personal and financial data on 1.5 million customers of its payroll cards business. Some companies use payroll cards in lieu of paychecks by depositing employee salaries or hourly wages directly into payroll card accounts, which can then be used as debit cards at ATMs. RBS said that thieves might also have accessed Social Security numbers of 1.1 million customers.

New York's Fox 5 cites FBI sources as saying that thieves used the stolen payroll cards recently to withdraw $9 million from ATMs in 49 cities, including Atlanta, Chicago, New York, Montreal, Moscow, and Hong Kong.

Steve Lazarus, a spokesman for the FBI's Atlanta field office, said the withdrawals were carried out by a small army of so-called "cashers," or people who work with cyber thieves and fabricated cards to pull money out of compromised accounts.

From the Fox piece:

"Shortly after midnight Eastern Time on November 8, the FBI believes that dozens of the so-called cashers were used in a coordinated attack of ATM machines around the world."

"This was a well-coordinated attack by some pretty computer and network savvy people, even at the lowest levels of cashers taking cloned cards to ATMs," Lazarus said.

Lazarus declined to confirm the $9 million figure, but said the amount stolen was indeed "a very substantial amount" over a short period of time in early November.

"This was a nationwide coordinated effort, and there were certain aspects of it that were international as well," Lazarus said. "People are out there attacking computers every day. But what sets this one apart is the scope, timing and coordination of the attack."

One interesting aspect of this attack is that while the attackers evidently had access to more than a million RBS customer accounts, they were able to haul the loot by repeatedly refueling only 100 payroll cards, Fox News reports.

Sources close to the investigation told Security Fix that the criminals used fake payroll deposits to artificially inflate the amount of money on the cards, money that was then drained at ATMs and subsequently replenished with additional bogus payroll deposits.

News of the complex ATM heist was little surprise to Ori Eisen, founder of 41st Parameter, a company that consults with banks and retailers to help staunch fraud losses. Eisen said he recently heard from three different clients in the banking sector who told him that some $50 million was lost to ATM fraud in New York City alone over the course of one month last year.

"ATM fraud is spiking," Eisen said. "For New York financial institutions alone to have $50 million in ATM fraud in one month...that's incredible. The thieves are getting a lot more money from the ATMs now than they used to."

By Brian Krebs  |  February 5, 2009; 3:45 PM ET
Categories: Fraud, Web Fraud 2.0


Someone managed to steal from the banks? Great. Now the banks know how we feel about their stealing from us.

Posted by: hairguy01 | February 5, 2009 4:51 PM

With all the guards in place to protect against an "external" attack...makes me wonder how many companies would be willing to report losses due to "internal" attacks. The recent internal attack on Fannie Mae comes to mind (WP didn't give it much coverage):

Only the DCExaminer has followed up to report the "perp" was indeed an H1-B visa holder.

See the website I put up years ago on the issue of insider attacks:

Where DOES one recruit a "small army" of thieves?

Posted by: Sadler | February 6, 2009 7:47 AM

The original story has a glaring inaccuracy - the cards themselves are not "re-filled" - the ATM card is just that - an ATM card like any other ATM card. The money is in a bank account (well, okay the bank account has an electronic book entry representing money). The holder uses the ATM card and supplies a PIN to withdraw money at the ATM machine. The bank (RBS in this case) debits the account subject to withdrawal limits and credits the owner of the ATM machine for the cash. What the attackers did is raise those limits somehow. Given they had access to RBS WorldPay they likely had access to the bank behind it that held the accounts behind the ATM cards. It would appear they also had the ability to create counterfeit cards since an ATM card has an encrypted PIN block on it that must be sent along with the PIN input by the user at the ATM machine. Given RBS knew about the intrusion in December it boggles the mind that they did not invalidate all those cards...

Posted by: rogernebel | February 6, 2009 11:18 AM

rogernebel's post has glaring redundancies.

ATM = Automated Teller Machine
ATM machine means Automated Teller Machine machine.

I'm shocked PIN number wasn't used.

Remember, those in glass houses....

Posted by: r6345 | February 6, 2009 11:53 AM

r6345: rogernebel's post may have redundancies - but at least he seems to understand there may have been an INSIDER involved.

It sounds much better to state you have been "attacked" - than to admit you hired someone who betrayed you. Pity for the former, get fired for the latter.

Posted by: Sadler | February 6, 2009 4:43 PM

Posted by: Sadler | February 6, 2009 4:49 PM

The comments to this entry are closed.


© 2010 The Washington Post Company