Hacker steals tens of thousands of pounds from travel companies

Fraud: Failure to set up basic security procedures has left travel firms out of pocket. Bill Goodwin reports

Fraud: Failure to set up basic security procedures has left travel firms out of pocket. Bill Goodwin reports

A computer hacker has fraudulently transferred tens of thousands of pounds to his credit cards after breaking into the computer systems of large travel operators, in one of the most audacious attacks to have come to light in the UK.

The hacker is believed to have exploited an in-depth knowledge of industry computer systems to tunnel through X.25 networks into the Unix servers at Sea France, Wightlink, Holiday Places and at least two other firms.

The companies were systems customers of Anite Travel, one of the world's largest travel software suppliers. Each firm had been using Anite's Travellog Res2000 to manage its bookings.

Investigators believe the hacker either knew or was able to guess the passwords which gave him access to the inner workings of the IBM AIX operating system in each company's servers.

Once inside, it was a simple matter to install a trojan from the Internet which provided the intruder with guaranteed access on demand.

The IBM RS6000 Unix machines run a programme from Racal, known as RSL 280, which converts credit card transactions into digital instructions for the credit card processing service, NatWest Streamline, which is now part of Royal Bank of Scotland.

The hacker instructed the programme to issue refunds worth up to £5,000 a time to credit cards he and his accomplices had taken out in false names through US banks.

To NatWest Streamline the transactions would have been indistinguishable from genuine credit card refunds.

The gang quickly retrieved the refunded money from US cash point machines during a series of raids between May and July this year. The hacker covered his tracks electronically by using tools downloaded from the Internet to erase records from computer systems logs.

Investigators have only been able to recover fragments of deleted evidence, Computer Weekly has learned. The hacker made off with tens of thousands of pounds, but the total could have been much higher, had he not made some elementary blunders which drew attention to his activities.

The extent of the fraud only came to light because the hacker applied for unusually high credit-card refunds for suspiciously round amounts. "The hacker might not have been noticed if he had gone for smaller amounts and more unusual amounts, rather than choosing nice round sums," said one source close to the investigation. "He was pulling down £3,000 and £4,000. Why didn't he do £2,873.86?"

With the investigation continuing, NatWest and software supplier Anite are believed to have gathered little hard information that could identify the perpetrator of the fraud.

Read more on IT risk management