IMGCAP(1)]
This article appears in the Nov. 19, 2009, edition of ISO&Agent Weekly.
Details in the federal grand-jury indictment of four members of an international fraud ring accused of hacking into RBS WorldPay Inc.'s computer network could help increase security at other payment companies, some observers contend.
"Anything that is made available to the industry" will help secure other
businesses, says Kate Monahan, an analyst at Aite Group LLC, a Boston-based consulting firm. "Any time you hear anything about a data breach, it draws attention to the fact most banks are susceptible to them," she says.
Although any data breach is damaging for a business, making an effort to strengthen the industry against fraud by sharing indictment and investigation details is a positive outcome of the fraud for RBS WorldPay, Monahan says.
"Criminals keep getting more sophisticated and smarter. They are on top of [the latest] technology," which means payments companies must keep their security systems up to date, she says.
Indeed, the recent indictments "highlight the fact that criminals continue to attempt to compromise systems," says Bob Russo, general manager of the Payment Card Industry Security Standards Council, a Wakefield, Mass.-based group that develops and maintains the Payment Card Industry data-security standards. The indictment also "underscores the necessity for organizations to take rigorous action to protect payment data to prevent future fraud," he says.
Indictment Details
A federal grand jury in Atlanta has indicted four alleged members of an international fraud ring on charges of hacking into RBS WorldPay's computer network last November and fraudulently obtaining roughly $9 million from payroll debit card accounts, according to the indictment filed Nov. 10.
RBS WorldPay disclosed in December that hackers had compromised the personal information of potentially 1.5 million prepaid cardholders and the Social Security numbers of 1.1 million individuals.
Between Nov. 4 and Nov. 8, 2008, defendants Sergei Tsurikov of Tallinn, Estonia; Viktor Pleshchuk of St. Petersburg, Russia; Oleg Covelin of Chisinau, Moldova; and a person known as "Hacker 3" allegedly hacked into the processor's system and accessed payroll debit card account numbers and personal identification numbers, according to the indictment.
The defendants then raised the funds limits on the compromised accounts and provided a network of "cashers" with 44 counterfeit cards and PINs, prosecutors say.
Cashers are individuals who obtain funds for the hackers using the fraudulent cards.
Of the 44 prepaid card numbers distributed to the cashers, 42 were tied to Palm Desert (Calif.) National Bank accounts, according to the indictment.
The cashers used the cards to withdraw more than $9 million in less than 12 hours from more than 2,100 ATMs in at least 280 cities worldwide, authorities say. The cashers got to keep between 30% and 50% of the funds they obtained, with the balance of the funds going to the hackers.
After the cashers completed the withdrawals, the hackers allegedly attempted to destroy data on RBS WorldPay's computer network to conceal their fraud, according to the indictment.
Assistant U.S. attorneys Lawrence R. Sommerfeld and Gerald Sachs of the U.S. Attorneys Office for the Northern District of Georgia and senior counsel Kimberly Kiefer Peretti of the U.S. Department of Justice Criminal Division's Computer Crime and Intellectual Property section are prosecuting the case.
The defendants are facing 16 counts of indictment charges. They each face a maximum sentence of up to 20 years in prison for conspiracy to commit wire fraud and each wire fraud count, up to five years in prison for conspiracy to commit computer fraud, up to 10 years in prison for each count of computer fraud, a two-year mandatory minimum sentence for aggravated identity theft, and fines up to $3.5 million.
"Last November, in just one day, an American credit card processor was hacked in perhaps the most sophisticated and organized computer fraud attack ever conducted," Sally Quillian Yates, acting U.S. attorney of the Northern District of Georgia, said in a release. "This investigation has broken the back of one of the most sophisticated computer hacking rings in the world."
Atlanta-based RBS WorldPay, formerly RBS Lynk, is the U.S. payment-processing arm of the Royal Bank of Scotland Group.
An RBS WorldPay representative did not return a request for comment.
