A Chicago woman was sentenced last Tuesday to 2.5 years in federal prison for managing a gang of money mules who used bogus accounts, PINs and ATM cards to drain more than $9 million from WorldPay US in 2008.
WorldPay (formerly RBS WorldPay) is a payment processor that handles transactions for mail order and Internet retailers, as well as point of sale transactions.
Beyond the prison term, Sonya Martin – who is a Nigerian citizen – is also looking at five years of probation and will be ponying up restitution of $89,120.25 for her part in the hacking of WorldPay data encryption and the subsequent draining of funds.
Any breach is of course a punch below the belt. This one cost WorldPay its PCI compliance, as Visa stripped away its PCI certification within months of the crime.
Heartland Payment Systems, which worked with WorldPay, also got kicked in its soft parts, losing its PCI-DSS compliance certification after admitting that the same group of hackers had snuck malware onto its systems months before it was breached.
In a statement from the FBI, United States Attorney Sally Quillian Yates described Martin’s gang as “an elite group of hackers” who in November 2008 obtained unauthorized access to WorldPay US Inc.’s network.
The gang broke the encryption used to protect customer data on payroll debit cards, which some companies use to pay employees.
The debit cards enable employees to make purchases or withdraw salaries from an ATM.
After they broke the encryption, the criminals jacked up account balances and ATM withdrawal limits on the compromised accounts.
They then made up 44 debit card account numbers and associated PINs that they passed out to a network of “cashers.”
With the bogus accounts in place and ATM cards in hand, the mules lickety-split withdrew over $9 million from more than 2,100 ATMS in at least 280 cities, including in the United States, Russia, Ukraine, Estonia, Italy, Hong Kong, Japan, and Canada.
Within less than 12 hours on 8th November 2008, WorldPay was $9 million lighter.
The FBI quoted Brian D. Lamkin, Special Agent in Charge from the FBI Atlanta Field Office, as saying that the siphoning action couldn’t have been done without a lot of help from people willing to use the phony ATM cards:
While this was a complex, internationally coordinated crime with many different players and components, it would not have gotten very far without the cashing crews.
According to the FBI, the gang monitored the ATM withdrawals in real-time from within WorldPay’s own computer systems.
Once they got what they were after, the crooks tried to erase their tracks.
But in spite of the criminals’ efforts, WorldPay still managed to discover the breach and immediately reported it, the FBI said.
45-year-old Martin was in charge of a cashing crew in Chicago. With one of the cooked-up payroll card number and PIN codes, she manufactured counterfeit debit cards.
She then handed out the counterfeit cards to underlings whom she recruited and supervised.
Martin and her workers withdrew about $80,000 from Chicago ATMs during the early morning hours of November 8th.
The authorities nabbed Martin, whose primary residence is in Nigeria, in March last year while she was preparing to hop on a plane from New York to London.
Is Sonya Martin’s 2.5 years in prison too light a punishment?
It’s roughly 1/10th of the sentence that the group’s alleged ringleader, Albert Gonzalez, got.
Gonzalez was put away in the spring of 2010 and is now serving a 20-year prison sentence for his part in stealing over 40 million credit and debit card numbers from retailers including TJ Maxx, Barnes & Noble and BJ’s Wholesale Club.
Meanwhile, a Turkish court slapped one of Gonzalez’s accomplices an eye-watering 30 year prison sentence.
Regardless of whether one’s inclination is to consider 2.5 years too light a sentence or 20-30 years too extreme, would-be money mules and cybercriminals should pay heed that the-powers-that-be aren’t taking these crimes lightly.
ATM image from Shutterstock.