Flaw in Revolut payment systems exploited to steal $20 million

Organized criminal groups exploited a flaw in Revolut’s payment systems and made off with $20+ million of the company’s money, the Financial Times reported on Sunday, citing people with knowledge of the situation.


Revolut’s cybersecurity troubles

Revolut is a privately held financial technology company that offers a variety of services to over 30 million customers around the globe. It is headquartered in London and licensed and regulated by the Bank of Lithuania (within the EU).

In September 2022, the company suffered a data breach that affected 50,150 customers worldwide: the attackers grabbed those customers’ names, addresses, email addresses, telephone numbers, part of the payment card data, and account details.

A few days later, some Revolut users complained online that they started receiving SMS phishing messages aimed at stealing personal and financial information.

According to the Financial Times’ unnamed sources, the newly revealed cash grab happened before that, in early 2022.

Flaw in Revolut payment systems created a loophole

“The problem stemmed from differences between European and US payment systems, which meant that when certain transactions were declined Revolut would erroneously refund accounts, handing them its own money,” the business publication explained.

The criminals “encouraged” individuals to make expensive purchases that would end up being declined; because of the flaw, Revolut then erroneously refunded the declined amounts to those accounts.

This concentrated fraudulent effort apparently went on for several months before the company realized it was happening and closed the loophole.

FT says that the discovery happened after “a partner bank in the US notified the fintech that it was holding less cash than expected,” and the failure to unearth the ongoing fraudulent scheme in time ended up costing Revolut over $20 million. (The money was stolen from the company, not from customers’ accounts.)
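The reconciliation check that would have surfaced this pattern early, as an added example that is not from the article, the FT, or Revolut: a refund is only legitimate if it reverses a transaction that was actually captured, so any refund tied to a declined or unknown transaction is money leaving the company's own pocket. The record layout, status vocabulary, and sample rows below are constructed for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal

# Assumed record shapes (not Revolut's real schema).
@dataclass(frozen=True)
class Transaction:
    tx_id: str
    account: str
    amount: Decimal
    status: str          # "captured" or "declined"

@dataclass(frozen=True)
class Refund:
    refund_id: str
    tx_id: str           # transaction this refund claims to reverse
    amount: Decimal

def find_invalid_refunds(txs, refunds):
    """Refunds that reverse a declined/unknown transaction or exceed its amount."""
    by_id = {t.tx_id: t for t in txs}
    flagged = []
    for r in refunds:
        t = by_id.get(r.tx_id)
        if t is None or t.status != "captured" or r.amount > t.amount:
            flagged.append(r)
    return flagged

def reconcile(txs, refunds):
    """Return (flagged refunds, total cash paid out without a captured charge)."""
    flagged = find_invalid_refunds(txs, refunds)
    leakage = sum((r.amount for r in flagged), Decimal("0"))
    return flagged, leakage

# Constructed sample ledger: one legitimate refund, three that should never exist.
SAMPLE_TXS = [
    Transaction("tx1", "acct-A", Decimal("1200.00"), "captured"),
    Transaction("tx2", "acct-B", Decimal("3500.00"), "declined"),
    Transaction("tx3", "acct-C", Decimal("800.00"), "declined"),
]
SAMPLE_REFUNDS = [
    Refund("rf1", "tx1", Decimal("1200.00")),   # reverses a captured charge: fine
    Refund("rf2", "tx2", Decimal("3500.00")),   # refund of a declined purchase
    Refund("rf3", "tx3", Decimal("800.00")),    # refund of a declined purchase
    Refund("rf4", "tx9", Decimal("50.00")),     # no such transaction at all
]

if __name__ == "__main__":
    bad, loss = reconcile(SAMPLE_TXS, SAMPLE_REFUNDS)
    for r in bad:
        print(f"invalid refund {r.refund_id} -> {r.tx_id} {r.amount}")
    print(f"cash paid out with no captured charge: {loss}")
```

Run daily against the refund and authorization feeds, a non-zero leakage figure is the same discrepancy the partner bank eventually noticed, just caught on day one instead of months later.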

“Financial organisations tend to be mature when it comes to security. However, as this incident shows, vulnerabilities or gaps in controls and processes can still occur,” Dr Suleyman Ozarslan, security researcher and co-founder of Picus Security, told Help Net Security.

“It may be the case that no single department bears ultimate responsibility for the financial loss. The IT and cybersecurity department might have prevented this by regularly checking for logical vulnerabilities in its system. The Finance department could have identified the discrepancy in the transactions sooner. The Risk and Compliance department may also have identified such irregularity during regular auditing.”

“There are preventive measures that companies can take. Regular audits and system checks will quickly identify any flaws or discrepancies. Proper synchronization and communication between different systems of the company is also vital,” he added.

“This is not a typical cybercrime story of a data breach or ransomware campaign, but strengthening security systems and implementing advanced fraud detection techniques can prevent these incidents. Likewise, in case the worst does happen, all businesses should create an efficient incident response plan for timely discovery and reaction to such incidents.”

Revolut has yet to publicly comment on the report.
