Ryanair finds fraudulent transaction – for $5M!

A recent report in the Irish Times describes a rather dramatic cybercrime.

Ryanair, the budget airline that operates out of Dublin, Ireland, was going through its bank statements and noticed an unauthorised transfer.

To the tune of $5,000,000.

If that sounds a lot for a one-off payment, think of what airlines have to spend money on.

Where you and I might spend $50 topping up a car, or $5 on bicycle fuel (coffee), airlines have altogether weightier energy concerns.

Let’s try a quick back-of-the-envelope calculation for Ryanair.

The airline has about 300 Boeing 737-800s, each of which can hold about 25,000 litres of Jet A-1 fuel, good for up to 5000km.

Sticking with nice round numbers, now assume that Ryanair goes through 200 full tanks each day at about $1/litre, and you have a daily bill to match that $5M figure, and that’s just for fuel.

Add in the cost of landing fees, maintenance, salaries for crew and ground staff, ticket sales, advertising and tens of thousands of tiny little pre-packed sandwiches, and it’s clear that individual transactions for millions of dollars are not exactly unusual for an airline.

The bad news, of course, is that it sounds as though crooks were able to insert fraudulent requests into Ryanair’s payment system.

That suggests some sort of compromise or hack.

The good news is that it sounds as though the crooks weren’t able to cash out any of the ill-gotten gains.

Reports say that the funds have been frozen, and that the transaction will be reversed.

The trouble with cashing out

Cashing out is actually a non-trivial problem for crooks, not least because withdrawing a large amount of cash usually has to be done in person, and involves some kind of formal identity check.

The best place to get wedges of cash without being asked any questions face-to-face is an ATM, where all you need is a valid bank card and a short password in the form of a PIN (personal identification number).

But most ATMs have a limit imposed on how much you can take out in each transaction, if not for security reasons, at least to ensure that some money gets left behind for the next guy.

Even if you could get Ryanair’s $5M into bank accounts that you controlled and for which you had bank cards, you’d still have to contend with those withdrawal limits.

Returning to the back of our envelope, and guessing at a withdrawal limit of $500, you’d need 10,000 withdrawals for $5M.

Even if you could complete one withdrawal every 60 seconds, you’d still be looking at a minimum of seven days of non-stop withdrawals to get your hands on all the loot, working single-handedly.

Never say never

It sounds impossible, but as we often remark on Naked Security, “Never say never” when it comes to cybersecurity.

Yesterday, for example, we wrote about a carder gang bust in Romania, whose members are alleged to have withdrawn a total of $5M within one day by co-ordinating 4200 withdrawals across 15 cities.

In 2013, we wrote about a “casher crew,” as they’re known in cybercriminal argot, who withdrew their way down Broadway in Manhattan, New York.

In one outing, eight crooks managed 3000 withdrawals of about $800 each in just under ten hours.

Thanks to the high density of ATMs on Broadway, they were able to manage transactions at an average of about 90 seconds each, getting out $2.4M in that time.

What to do?

Watch your statements. Whether it’s $5 or $5M that you didn’t spend, the sooner you notice, the better for you and the worse for the crooks,

Never say never. You may think there’s no way to cash out $5M, but the crooks know that there is, and some of them are willing to take the risk.