With the Heartland Data Breach still fresh in the news, word of a $9 million heist using data from another payment card processor (RBS WorldPay) has hit the airwaves. RBS WorldPay reported in December that its payroll card system was hacked and that 1.5 million financial and 1.1 million personal records were compromised. Payroll cards are used by employers to pay their employees by loading their pay onto a debit card.
A Fox News investigation has now revealed that on November 8th, a coordinated attack netted $9 million using cloned cards in 49 cities worldwide. The withdrawals took place across the United States and in Montreal, Moscow, and Hong Kong, all within about 30 minutes.
Another scary aspect of this attack was that the hacker was able to remove the daily withdrawal limits of the cloned cards. According to the Washington Post, 100 cards were used, and fake deposits were used to refuel the balance on the cards. Large withdrawals were then made again and again on the cloned cards. Note that this means only a very small percentage of the total cards compromised were used in the scheme. No information was available on how the accounts were refueled.
I've seen accounts refueled using bogus checks; however, in this instance, I would suspect it occurred in a more electronic manner. This leads me to believe we will see more disclosures regarding this case as time goes on.
According to official reports, there are no primary suspects in the case. Photographs of some of the "lower level soldiers" used to withdraw the money have been released in the hope that (if caught) they will provide information on the people who provided them with the cloned cards. Unfortunately, with the anonymous nature of the Internet, coupled with the fact that chat rooms are often used to facilitate the distribution of stolen data, the lower level soldiers might not know the identities of the main players themselves.
In the recent Heartland breach, it was disclosed that the company met PCI DSS (Payment Card Industry Data Security Standards). According to Visa's list of PCI DSS certified vendors, "RBS Lynk" (Royal Bank of Scotland) is certified. PCI DSS standards are the payment card industry's solution to protecting their data from being misused.






