November 10, 2009 3:38 PM PST

Eastern Europeans charged in payment processor hack

by Elinor Mills

(Credit: U.S. Department of Justice)

A group of Eastern Europeans was charged with hacking into the network of payment processor RBS WorldPay and using counterfeit debit cards at ATMs around the world to steal more than $9 million, the U.S. Justice Department said on Tuesday.

Four of the defendants allegedly collaborated to break into the RBS WorldPay network on November 4, 2008, where they got access to the account numbers for prepaid payroll cards used by employees to withdraw salaries from ATMs, according to the indictment from a federal grand jury in Atlanta. The defendants allegedly reverse-engineered the PINs associated with the accounts from the encrypted data on the network.

The defendants then allegedly raised the account limits on the compromised accounts and provided a network of "cashers" with 44 fake debit cards, according to the Justice Department. The cards allegedly were used November 8, 2008, to withdraw money from more than 2,100 ATMs in at least 280 cities, including in North America, Russia, Ukraine, Estonia, Italy, Hong Kong and Japan, in less than 12 hours.

"This investigation has broken the back of one of the most sophisticated computer hacking rings in the world."
--U.S. Attorney Sally Quillian Yates

The cashers were allegedly allowed to keep 30 percent to 50 percent of the stolen money and sent the remainder back to the hackers, according to the 16-count indictment.

"Last November, in just one day, an American credit card processor was hacked in perhaps the most sophisticated and organized computer fraud attack ever conducted," acting U.S. Attorney Sally Quillian Yates of the Northern District of Georgia said in a statement. "Today, almost exactly one year later, the leaders of this attack have been charged. This investigation has broken the back of one of the most sophisticated computer hacking rings in the world."

Indicted on charges of conspiracy, wire fraud, computer fraud, access device fraud, and identity theft were: Sergei Tsurikov, 25, of Tallinn, Estonia; Viktor Pleshchuk, 28, of St. Petersburg, Russia; Oleg Covelin, 28, of Chisinau, Moldova; and an unidentified defendant known only as "Hacker 3."

The alleged cashers, indicted for access device fraud, are all from Tallinn, Estonia. They are: Igor Grudijev, 31, Ronald Tsoi, 31, Evelin Tsoi, 20, and Mihhail Jevgenov, 33.

Tsurikov, the Tsois and Jevgenov were arrested earlier this year and Tsurikov faces extradition to the U.S., officials said. Two people in Hong Kong have been arrested for allegedly withdrawing funds from ATMs there.

RBS WorldPay, part of Royal Bank of Scotland, is based in Atlanta.

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.
by leedix8420 November 12, 2009 8:44 AM PST
This article brings to light some interesting introspective questions for the US: 1. Will the new bills passed by the Senate Judiciary Committee concerning data breaches be effective? and 2. Did we really break the back of one of the most sophisticated hacker rings ever seen? In response to the first question, according to SC Magazine, the bill states "Entities do not have to report the incident if the exposed data was encrypted or somehow rendered useless." So what will happen if that data is first encrypted and then reverse engineered to become useful data? The bill fails to address this loophole and implies that data breaches may yet still go unnoticed to the consumer if the hackers are clever enough and the institution just follows the "rules". Encrypting data is a must and stating institutions don't have to report because they encrypted is misleading and hard to comprehend. In response to the second question, does the Attorney General really believe that they have busted the most sophisticated hacking ring? I find this hard to believe because the underground cybercriminal economy has become a virtual network of cybercriminals and inefficient government entities can only hope to capture a tiny slice of them (e.g. this case points to only 4 being apprehended). I hope to point out the flaws and misconceptions in response to statements and underlying legislation.