Alleged ring leader extradited in $9.4m RBS WorldPay heist

Federal prosecutors say they have extradited one of the leaders of an international crime ring accused of hacking into bank card processor RBS WorldPay and stealing more than $9.4m in a 12-hour period. Sergei Tsurikov, 26, of Tallinn, Estonia, was recently brought to the US, after being arrested in Russia in March. On …

COMMENTS

  1. proto-robbie
    Paris Hilton

    So, can we extradite Litvinenko's "alleged" killer now?

    No - thought not.

    Paris, 'cos she's never played Polonium 210.

  2. RJ
    Grenade

    He isn't Russian

    Looks like he is Estonian, therefore not a Russian national and not covered by their constitution.

    The polonium jockey on the other hand is almost certainly Russian

  3. John Tserkezis

    Seeking forfeiture?!

    "Prosecutors are also seeking forfeiture of the $9.4 million in proceeds from the alleged crimes."

    Good luck to them.

    1. Hoe
      FAIL

      They have more chance of Watford winning this year's Premiership...

      As the article stated they allowed people to keep between 30% and 50% when cashing it so the chances of there being any real money left are next to none!

  4. Anonymous Coward
    Joke

    Errrr.

    $9.4 million from 44 accounts? Making it ~$200,000 per account on average? They're Robin Hoods of today then...

  5. j33zO

    eh??

    "They allegedly exploited a vulnerability to break into the company's network, where they retrieved payment card data as it was being processed." --- 2 issues with this, firstly how did they break in? Surely RBS Worldpay are PCI compliant so they should have adequate security controls in place to protect against these kinds of attacks. If RBS Worldpay were PCI compliant and still got hacked, this places a big question mark over the worth and effectiveness of PCI compliance. Secondly, how did the intruders get the PIN numbers? PIN numbers are never (or at least should not be) stored or transmitted in clear text anywhere on a bank's network. So how did they obtain them?? All sounds a bit hazy on the details to me...

    1. TeeCee
      Stop

      "All sounds a bit hazy on the details to me..."

      You were expecting a detailed description of a workable technique for siphoning 9 million out of a bank?

      I can't say that I am entirely surprised to find a few of the more important pieces of the puzzle missing from the publicly released version of what happened.

      1. j33zO

        still hazy

        Not necessarily low level technical detail, just "they used SQL injection" or "they exploited a vulnerability in an unpatched web service" or some other high level explanation. The reason this would have been beneficial is it would have highlighted that RBS Worldpay were PCI compliant and still got hacked, hence industry standards such as PCI do not provide adequate security against intruders. But we cannot make that statement because all the articles say is "they exploited a vulnerability" which is like saying "the hackers hacked it". Also, the PIN numbers point does not add up either. How did they get the PIN numbers?? No one seems to be able to explain this one. If they did get them from inside the bank's network then either RBS Worldpay has broken every rule for storing or transmitting PIN numbers or the hackers worked out a way to break the encryption. Neither sounds all that likely.

      2. Payment Monkey
        Badgers

        Detailed - why? It just needs to make logical sense.

        No one is expecting a detailed description of the so-called hack and the fraud process. What one would expect, though, is for the sketchy details to make sense in the context of the banking operation. The problem is that they don't! The PIN question is an interesting one, even if you think it's unimportant because the details are hazy. Banks don't store PINs, they store PIN Offsets, so even if the crims got hold of the "PIN database" as you guys like to call it, and were able to decrypt it and extract the numbers, they wouldn't have the PINs.

        The question is a sensible one. It's standard banking policy to store PIN offsets, not PINs. So, the question remains, where did the PINs come from?
