Friday, January 24, 2014

RBS World Pay Compromise - One of the more sophisticated hacks of our time

The RBS World Pay compromise is a great example for applying to the Criminal Cost-Benefit Model. If you aren't familiar with this attack, it is worth studying. It shows you just how far a criminal with computer hacking skills is willing to go to steal a few million bucks.

On November 8, 2008, an army of cashers armed with compromised pre-paid payroll cards descended on ATMs located in over 280 cities around the world and withdrew $9.5 million in cash in a twelve-hour period. The cashers kept their commission, 30-50% of the take, and wired the remainder to the scheme masterminds. The four leaders of the heist had previously broken in to the Royal Bank of Scotland WorldPay network and stolen data for 44 pre-paid payroll cards, cracked the payroll card PIN encryption, raised the funds available on each account up to as high as $500,000, and changed the daily ATM withdraw limit allowed. The timing of the change of the funds available and daily withdraw limits was done just before the cashers were to begin their global withdraw. During the heist the hackers monitored the withdraw transactions remotely from the RBS WorldPay systems and, once the heist was finished, they attempted to cover their tracks on the RBS network.[1]

This was a well-thought out attack – perhaps one of the most sophisticated financial system hacks to date. I think these guys were well aware of the risks as they planned out this attack.
·      Monetary Benefit (Mb) – Very High. Assuming that the hackers collected 50% of the $9.5 million, they each stood to make $1.125 million .
·      Psychological Benefit (Pb) – Low.
·      Cost of Crime Perpetration (Ocp) – Moderate. Their primary cost in perpetrating the attack was the opportunity cost of their time spent in planning and execution. 
·      Cost of Legal Defense and Incarceration – Moderate. Speaking on the indictment of the criminals, even the attorney responsible for prosecution was impressed they were able to solve the case. “The charges brought against this highly sophisticated international hacking ring were possible only because of unprecedented international cooperation with our law enforcement partners.”[2]




[1] http://www.wired.com/threatlevel/2009/11/rbs-worldpay/
[2] http://www.justice.gov/opa/pr/2009/November/09-crm-1212.html