Five charged over $300m hacking

Read time 4min 30sec
Fraud will always find a weak spot, says BioCatch's Uri Rivner.
Fraud will always find a weak spot, says BioCatch's Uri Rivner.

One Ukranian and four Russians have been charged in what's being called the largest hacking and data breach scheme ever prosecuted in the US.

According to Reuters, the five have been charged with executing a hacking scheme that breached networks of over a dozen major US and international organisations over the past seven years. At least 160 million credit and debit card numbers were stolen and sold, resulting in losses of hundreds of millions of dollars.

The defendants have been identified as Russian nationals Vladimir Drinkman, Aleksander Kalinin, Roman Kotov and Dmitriy Smilianets, as well as Mikhail Rytikov, of the Ukraine.

Each of the alleged cyber crooks had specialised skills. Drinkman and Kalinin hacked into the networks; Kotov took care of the data mining; Rytikov provided anonymous Web hosting services; and Smilianets allegedly sold the stolen data and distributed the profits.

Prosecutors claim he charged $10 for US cards, $15 for ones from Canada, and $50 for European cards, which are more expensive because they use chip and PIN technology.

Federal prosecutors also disclosed a security breach against Nasdaq, but did not offer any details, beyond that the one suspect, Kalinin, has two other indictments against him for hacking Nasdaq servers from November 2008 through October 2010. Prosecutors claim he installed malware that enabled him and others to execute commands to delete, change or steal data. However, prosecutors said the infected servers did not include the trading platform that allows Nasdaq customers to buy and sell securities.

According to the indictment, other companies that lost out to this scam included Visa licensee, JC Penney, JetBlue Airways and French retailer, Carrefour.

Two of the suspects are in custody, while three remain at large. Prosecutors would not comment on the possible whereabouts of the missing three, but said Drinkman and Smilianets were arrested in June 2012, in the Netherlands. Smilianets was extradited in September last year and is scheduled to appear in New Jersey federal court next week. Drinkman is waiting for his extradition hearing in the Netherlands.

The indictment also cited Albert Gonzalez as a co-conspirator. Gonzalez is an American computer hacker and cyber criminal who is serving a 20-year sentence for masterminding one of the biggest hacking fraud schemes in US history. He stole and resold more than 170 million credit card and ATM numbers between 2005 and 2007. It is prosecutors' assertion that these five worked with Gonzalez prior to his arrest.

New Jersey US attorney Paul Fishman described the crime as cutting edge, and said those with the 'expertise and inclination' to break into US computer networks threaten the country's economic wellbeing, privacy and national security.

Uri Rivner, VP of business development and cyber strategy at BioCatch, says, although chip and PIN is becoming a standard in many countries, the US remains an island of magnetic strip usage, and many small countries around the world are still not using the EMV standard at the basis of chip and PIN. "It's still a credit card cloning happy hour."

However, he says the big credit card associations are imposing fraud liability shifts within the US, first in general point-of-sale terminals, then in ATMs, and finally in petrol stations, over the next few years.

"This means, for example, that if fraud happens in a point of sale not supporting chip and PIN, where the credit or debit card is supporting it, then the liability of the fraud automatically shifts to the merchant, not the card issuer. This still doesn't mean every US point of sale and credit card will be EMV-enabled, but it's a step forward."

At the same time, Rivner says card associations are looking at ways to generate dynamic magnetic strips: this means cloning a magnetic strip won't work, because the information cloned is no longer valid. "The cost of doing this is probably less than replacing every credit card and terminal in the world.

"We need to remember that fraud will always find a weak spot. When chip and PIN was introduced in the UK, fraudsters cloned UK cards and used them in the US (known as 'fraud abroad'). In the first few years, the overall card fraud levels actually increased as fraud made a dramatic shift from local use to international use, but the banks implemented various checks to see whether it's a real user - for example someone on holiday - or a fraudster. Now that sort of fraud is down."

Chip and PIN still don't solve online and mobile banking fraud, he concludes. "In the future, the vast majority of payments will be based on mobile devices. The more effort that is made in 'brick and mortar' fraud prevention, the more likely it is that digital channel fraud will skyrocket."

Login with