In 2009, the RBS WorldPay ATM network reportedly lost $9 million to a 30-minute fraud attack across 49 cities, in different countries, using just 100 cloned cards. On the face of it, the $9 million yield from the attack is a large enough figure to make headline news, but perhaps not that shocking in this day and age, when total UK card fraud exceeded £500 million in the past year, according to APACS figures. What is possibly more serious in this particular scenario is the method of attack.

As with all such serious data breaches within large financial organisations, the full details of the attack and how it was perpetrated will probably never be known to a wider audience. What has been reported is that the money was taken in cash from 130 different ATMs shortly after midnight EST on the 8th November 2008.

Let's have a look at some of these figures: firstly, let's assume that the 100 cards are cloned and each one is used in each of the 49 cities; that gives us 4,900 cards to play with. Reports also indicate that the cards were likely pre-paid cards, as RBS WorldPay had also reported the loss of some 1.5 million pre-paid cardholder details from its payroll business, sometime in November 2008 following 'improper access' to its systems.

In order to extract $9M we need to withdraw, on average, over $1,836 per cloned card. That's quite a sum of money from an ATM transaction! However, if the pre-paid funds were account-based and not card-based then there were only 100 accounts that were hit to the tune of $90,000 per account. The reports have stated that the attack happened at around midnight. It could therefore be safe to assume that the card processing platform refreshed the daily withdrawal limit at midnight every night, so the fraudsters could effectively take out two days' worth of funds in the space of only a few minutes. That would in turn mean the fraudsters managed to secure $918 per card or $45,000 per account, per processing day.

It's not certain whether the pre-paid cards are based on an account-centric or a card-centric funds system but by the figures for the attack the card-based model would seem more realistic. Either way though, the sheer amount of cash withdrawn indicates that the fraudsters managed to somehow raise the daily withdrawal limit on the cards as part of the attack. It is also likely that the processing platform may not reconcile funds in real time as the cards were used so many times within a short period without denial.
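The midnight-reset hypothesis above can be made concrete from the defender's side. The following is an added example, not code from the original article or from any RBS WorldPay system: it compares a limit counter that resets at midnight with a rolling 24-hour limit plus a cross-city velocity check. The limit value, window sizes, city names and sample withdrawals are all constructed assumptions.

```python
from datetime import datetime, timedelta

DAILY_LIMIT = 500                     # assumed per-card limit, illustrative only
LIMIT_WINDOW = timedelta(hours=24)    # rolling window replacing the midnight reset
CITY_WINDOW = timedelta(minutes=30)   # one card in two cities inside this span is implausible

# Constructed attempts for one card: (timestamp, city, amount)
ATTEMPTS = [
    (datetime(2024, 1, 1, 23, 50), "City A", 200),
    (datetime(2024, 1, 1, 23, 55), "City B", 300),
    (datetime(2024, 1, 2, 0, 5), "City A", 500),
    (datetime(2024, 1, 2, 0, 10), "City C", 500),
]

def calendar_day_policy(attempts, limit=DAILY_LIMIT):
    """Weak form: the spend counter is keyed by date, so it resets at midnight."""
    spent, approved = {}, []
    for ts, city, amount in attempts:
        day = ts.date()
        if spent.get(day, 0) + amount <= limit:
            spent[day] = spent.get(day, 0) + amount
            approved.append((ts, city, amount))
    return approved

def rolling_policy(attempts, limit=DAILY_LIMIT):
    """Hardened form: rolling 24h limit plus a cross-city velocity check."""
    approved, declined, seen = [], [], []
    for ts, city, amount in attempts:
        # Sum only approved withdrawals still inside the rolling window.
        spent = sum(a for t, _, a in approved if ts - t < LIMIT_WINDOW)
        # Any recent attempt (approved or not) from a different city counts.
        other_cities = {c for t, c in seen if ts - t < CITY_WINDOW} - {city}
        seen.append((ts, city))
        if spent + amount > limit:
            declined.append((ts, city, "limit"))
        elif other_cities:
            declined.append((ts, city, "geo-velocity"))
        else:
            approved.append((ts, city, amount))
    return approved, declined

def total(approved):
    return sum(amount for _, _, amount in approved)

if __name__ == "__main__":
    print("calendar-day approved:", total(calendar_day_policy(ATTEMPTS)))
    ok, bad = rolling_policy(ATTEMPTS)
    print("rolling approved:", total(ok), "declined:", [r for *_, r in bad])
```

With the calendar-day counter the sample card yields twice its limit in fifteen minutes; the rolling policy approves only the first withdrawal and records a reason for each decline.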

Most of this is speculation on what happened based on the reported figures that are in the public space but it's clear that this was no ordinary card cloning attack. This was organised crime at its best, or worst!

To initiate such an attack the fraudsters first managed to hack into the RBS WorldPay systems and extract the details of 1.5 million users. They then used only 100 accounts, so it may be that they knew how to target specific accounts to provide the highest yield, or it may be that their attack could be implemented against any account and they just chose 100 at random. If the latter is true then it's possible the fraudsters knew the breach would be quickly detected and the vulnerability eradicated, which is why RBS WorldPay experienced a single large hit and then nothing.

The timing of the attack was not random either. An attack at midnight EST on a number of US cities plus some other cities globally at the same time, would indicate that the fraudsters knew that there would be a specific vulnerability in the system at that time. Of course the timing could have just been to do with quiet periods at the ATM so the attackers were less likely to draw suspicion from passers-by, but the fact that this attack spanned time zones would suggest otherwise.

What seems very clear is that the masterminds behind the attack were very tech savvy, and more than likely had some inside knowledge of the RBS WorldPay processing platform in order to identify a vulnerability and form a viable attack. This probably came from a former employee of RBS WorldPay who was bought or had a grudge with the organisation.

They also had the presence of mind to coordinate a large-scale attack against the identified vulnerability to maximise yield, rather than performing the attack on small volumes over a long period. A sustained attack would have been more likely to be identified, making them more likely to be caught, and they knew that.

Of course this is not the first clever organised crime attack and it won't be the last. What it might represent is another step in a growing trend of card crime moving away from the more traditional small-to-medium-sized card cloning attacks of the past. Such attacks are becoming harder to achieve as card technology advances and ever more intelligent neural network-style fraud prevention software is implemented on the back-end processing platform.

So the question is: Are the dynamics of card fraud changing? Are we seeing a growing trend towards large-scale single occurrence attacks? In reality it's hard to prove one way or the other. What we do know is that the general trend is an annual increase in card fraud. That also comes of course with an annual increase in card usage, but even the general fraud percentage trend is an increasing one. What we cannot tell from the information in the public space right now is how much of the known fraud is from large-scale, single occurrence attacks.

Some of the complexity here comes from how you define a large-scale single attack. The current trend in UK card fraud is for huge increases due to fraud carried out with UK cards overseas, which is a direct result of a phased global rollout of the card chip technology - the fraudsters take UK cards and use them abroad where the more modern security features are effectively bypassed. This is certainly a large-scale attack against a single vulnerability but it is not a single instance attack.

Quantifying such attacks will only help us understand the trend, which in turn may help financial institutions decide where best to deploy their countermeasures, and what those countermeasures should be. However, the real concern from large-scale, single occurrence attacks is the mechanism - insider knowledge - and the fact that a single attack is almost impossible to predict and therefore very difficult to safeguard against. The only real protection here is through clearly defined security processes and procedures being implemented in the fundamental design and build of the financial institution's systems.

Image: "ATM keypad 2", courtesy of William Grootonk, Flickr (CC BY SA 2.0)

Previously published in Cryptomathic NewsOnInk, 2009
