Russian Hackers Make Millions Breaching 7/11 and ATMs

Robert Siciliano Identity Theft Expert

It started simply by hacking 7-Elevens public website using a SQL injection.  SQL is abbreviation of Structured Query Language.  Pronounced  ”Ess Que El” or ”Sequel” depending on who you ask.  This led to 7 elevens main servers compromised which led to ATMs within 7-Eleven hacked.

Wired reports

““The Russians, evidently using an SQL injection vulnerability,  “gained unauthorized access to 7-Eleven, Inc.’s servers through 7-Eleven’s public-facing internet site, and then leveraged that access into servers supporting ATM terminals located in 7-Eleven stores,” the plea agreement reads. “This access caused 7-Eleven, Inc., on or about November 9, 2007, to disable its public-facing internet site to disable the unauthorized access.””

The investigation began with noticeable fraud at a Citibank followed by a stakeout and arrest. From there a traffic stop connected a mule to the rest and the name dropping began.

This is brilliant:

“Federal prosecutors in New York had by then charged three more people in the ATM-cashing conspiracy, including 32-year-old Ukrainian immigrant Yuriy Ryabinin, aka Yuriy Rakushchynets, and 30-year-old Ivan Biltse.

In addition to looting Citibank accounts, Ryabinin had participated in a global cybercrime feeding frenzy that tore into four specific iWire prepaid MasterCard accounts, issued by St. Louis–based First Bank,  in the fall of 2007. On Sept. 30 and Oct. 1 — just two days — the iWire accounts were hit with more than 9,000 actual and attempted withdrawals from ATM machines around the world, resulting in $5 million in losses.

At the time of the ATM capers, FBI and U.S. Secret Service agents had been investigating Ryabinin for his activities on Eastern European carder forums. Ryabinin used the same ICQ chat account to conduct criminal business, and to participate in amateur-radio websites. The feds compared photos of Ryabinin from some of the ham sites to video captured by New York ATM cameras in the Citibank and iWire withdrawals, and determined it was the same man — right down to the tan jacket with dark-blue trim.

When they raided Ryabinin’s home, agents found his computer logged into a carding forum. They also found a magstripe writer and $800,000 in cash — including $690,000 in garbage bags, shopping bags and boxes stashed in the bedroom closet. Another $99,000 in cash turned up in one of the safe-deposit boxes rented by Ryabinin and his wife, Olena. Biltse was also found with $800,000 in cash.

Ryabinin’s wife told investigators that she witnessed her husband “leave the couple’s house with bundles of credit cards in rubber bands and return with large sums of cash,” a Secret Service affidavit (.pdf) reads.”

This is all “account takeover”. All this money comes from consumer accounts who used ATMs at a convenient store and sometimes at a bank. Once the criminal gets your account data and PIN via the processors server they then burn the data to a white card. There’s no way to protect yourself from this crime when the data is breached at the processor level.

Check your statements frequently, at least every week online. Some banks give less than a week to refute unauthorized charges. Check with your bank to find out exactly what their time frame is if your account is compromised. Call the “claims” department and ask them “what’s the cut off date when making a claim?” My bank told me I can make a claim up to a year, but after 60 days there are federal regulations the limit their liability.

I asked my bank what their thoughts were on using a debit card and they said:

  1. Not to use it at a gas pump or a convenient store ATM where you enter your PIN
  2. They suggested using it as a credit card and not as a debit card
  3. Not to use at their own branch after hours to withdraw cash due toi skimming, which wasn’t new information to me but I didn’t expect my bank to say that.

Unfortunately your security, or lack thereof, is in the hands of others. Take control. Protect your identity. Get a credit freeze. Go to ConsumersUnion.org and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.

Invest in Intelius identity theft protection and prevention. Not all forms of identity theft protection can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano, identity theft speaker, discusses ATM skimming on NBC Boston