Crooks Net $11m in Coordinated ATM Heists (re-loadable prepaid debit cards used)

[menotu]

Brian Krebs 6 February 2013 (krebsonsecurity)

Crooks Net Millions in Coordinated ATM Heists

Organized cyber criminals stole almost $11 million in two highly coordinated ATM heists in the final days of 2012, KrebsOnSecurity has learned. The events prompted Visa to warn U.S. payment card issuers to be on high-alert for additional ATM cash-out fraud schemes in the New Year.

According to sources in the financial industry and in law enforcement, the thieves first struck on Christmas Eve 2012. Using a small number of re-loadable prepaid debit cards tied to accounts that they controlled, scammers began pulling cash out of ATMs in at least a dozen countries. Within hours, the perpetrators had stolen approximately $9 million.

Then, just prior to New Year’s Eve, the fraudsters struck again, this time attacking a card network in India and making off with slightly less than $2 million, investigators say.

The accounts that the perpetrators used to withdraw money from ATMs were tied to re-loadable prepaid debit cards, which can be replenished with additional funds once depleted. Prepaid card networks generally enforce low-dollar limits that restrict the amounts customers can withdraw from associated accounts in a 24 hour period. But in both ATM heists, sources said, the crooks were able to increase or eliminate the withdrawal limits for the prepaid accounts they controlled.

Shortly after the second heist, Visa released a private alert to payment card issuers, warning them to be on the lookout for additional ATM mega-heists over the New Years holiday. Sources say Visa’s alert was indeed prompted by the multi-million dollar heists at the end of December.

The Visa alert  sent to card issuers at the beginning of January 2013, warns:

    “Visa has been alerted to new cases where ATM Cash-Out frauds have been attempted and successfully completed by organized criminal groups across the globe. In a recently reported  case, criminals used a small number of cards to conduct 1000’s of ATM withdrawals in multiple  countries around the world in one weekend.”

    “These attacks result from hackers gaining access to issuer authorization systems and card parameter information. Once inside, the hackers manipulate daily withdrawal amount limits, card balances and other card parameters to facilitate massive fraud on individual cards. In some instances over $500K USD has been withdrawn on a single card in less than 24 hours.”

Visa Alert PDF

Blog

[jaydot]

how much is any one person allowed to withdraw from an atm in any one day?  i'm allowed £300.  in order to withdraw a million pounds, i would need to visit the atm no less than 3333.3 times.  this suggests that in order to withdraw such huge amounts as mentioned in the article, the crooks need a veritable army of minions willing to visit these machines.

there's made up codswallop and there's horse pucky.  this article seems to belong in both camps.

[menotu]

how much is any one person allowed to withdraw from an atm in any one day?  i'm allowed £300.  in order to withdraw a million pounds, i would need to visit the atm no less than 3333.3 times.  this suggests that in order to withdraw such huge amounts as mentioned in the article, the crooks need a veritable army of minions willing to visit these machines.

there's made up codswallop and there's horse pucky.  this article seems to belong in both camps.

I've always considered Brian Krebs to be sound in the security blogs he posts, but I guess others may know differently

[Just17]

how much is any one person allowed to withdraw from an atm in any one day?  i'm allowed £300.  in order to withdraw a million pounds, i would need to visit the atm no less than 3333.3 times.  this suggests that in order to withdraw such huge amounts as mentioned in the article, the crooks need a veritable army of minions willing to visit these machines.

there's made up codswallop and there's horse pucky.  this article seems to belong in both camps.

Once inside, the hackers manipulate daily withdrawal amount limits, card balances and other card parameters to facilitate massive fraud on individual cards.

If you could find an ATM with $500K in it then one visit would be enough ......  but I expect it would cause a lot of annoyance for those lined up behind!   

[menotu]

Another Brian Krebs blog from August 2011

Coordinated ATM Heist Nets Thieves $13M

Fidelity National Information Services Inc. (FIS) bills itself as the world’s largest processor of prepaid debit cards; FIS claims to process more than 775 million transactions annually. The company disclosed the breach in its first quarter earnings statement issued May 3, 2011. But details of the attack remained shrouded in secrecy as the FBI and forensic investigators probed one of the biggest and most complex banking heists of its kind.

FIS said it had incurred a loss of approximately $13 million related to unauthorized activities involving one client and 22 prepaid cards on its Sunrise, Fla. based eFunds Prepaid Solutions, formerly WildCard Systems Inc., which was acquired by FIS

FIS stated: “The Company has identified that 7,170 prepaid accounts may have been at risk and that three individual cardholders’ non-public information may have been disclosed as a result of the unauthorized activities. FIS worked with the impacted clients to take appropriate action, including blocking and reissuing cards for the affected accounts. The Company has taken steps to further enhance security and continues to work with Federal law enforcement officials on this matter.” The disclosure was scarcely noted by news media.

According to sources close to the investigation, cyber thieves broke into the FIS network and targeted the Sunrise platform’s “open-loop” prepaid debit cards. The balances on these prepaid cards aren’t stored on the cards themselves; rather, the card numbers correspond to records in a central database, where the balances are recorded. Some prepaid cards cannot be used once their balance has been exhausted, but the prepaid cards used in this attack can be replenished by adding funds. Prepaid cards usually limit the amounts that cardholders can withdraw from a cash machine within a 24 hour period. Apparently, the crooks were able to drastically increase or eliminate the withdrawal limits for 22 prepaid cards that they had obtained.

The fraudsters then cloned the prepaid cards, and distributed them to co-conspirators in several major cities across Europe, Russia and Ukraine.

Sources say the thieves waited until the close of business in the United States on Saturday, March 5, 2011, to launch their attack. Working into Sunday evening, conspirators in Greece, Russia, Spain, Sweden, Ukraine and the United Kingdom used the cloned cards to withdraw cash from dozens of ATMs. Armed with unauthorized access to FIS’s card platform, the crooks were able to reload the cards remotely when the cash withdrawals brought their balances close to zero.

https://krebsonsecurity.com/2011/08/coordinated-atm-heist-nets-thieves-13m/

=============================================
And a FIS Earnings statement confirms the info from Brian Krebs blog

FIS Announces First Quarter Results

FIS incurred a loss of approximately $13.0 million, or $0.03 per share, during the first quarter of 2011 related to unauthorized activities involving one client and 22 prepaid card accounts on its Sunrise platform. The Company has identified that 7,170 prepaid accounts may have been at risk and that three individual cardholders' non-public information may have been disclosed as a result of the unauthorized activities. FIS worked with the impacted clients to take appropriate action, including blocking and reissuing cards for the affected accounts. The Company has taken steps to further enhance security and continues to work with Federal law enforcement officials on this matter.

http://www.investor.fisglobal.com/phoenix.zhtml?c=180304&p=irol-newsArticle&ID=1558344&highlight=

[and then..]

there's made up codswallop and there's horse pucky.  this article seems to belong in both camps.

That was a brave statement Jaydot!   
Cages.

[menotu]

there's made up codswallop and there's horse pucky.  this article seems to belong in both camps.

That was a brave statement Jaydot!   
Cages.

Brave, possibly, but not in any way accurate.

===========================

Brian Krebs - 4 June 2013 (krebsonsecurity)

FDIC: 2011 FIS Breach Worse Than Reported

A 2011 hacker break-in at banking industry behemoth Fidelity National Information Services (FIS) was far more extensive and serious than the company disclosed in public reports, banking regulators warned FIS customers last month. The disclosure highlights a shocking lack of basic security protections throughout one of the nation’s largest financial services providers

Jacksonville, Fla. based FIS is one of the largest information processors for the banking industry today, handling a range of services from check and credit card processing to core banking functions for more than 14,000 financial institutions in over 100 countries.

The company came under heavy scrutiny from banking industry regulators in the first quarter of 2011, when hackers who had broken into its networks used that access to orchestrate a carefully-timed, multi-million dollar ATM heist. In that attack, the hackers raised or eliminated the daily withdrawal limits for 22 debit cards they’d obtained from FIS’s prepaid card network. The fraudsters then cloned the cards and distributed them to co-conspirators who used them to pull $13 million in cash from FIS via ATMs in several major cities across Europe, Russia and Ukraine.

FIS first publicly reported broad outlines of the breach in a May 3, 2011 filing with the Securities and Exchange Commission (SEC), stating that it had identified “7,170 prepaid accounts may have been at risk and that three individual cardholders’ non-public information may have been disclosed as a result of the unauthorized activities.” FIS told the SEC it worked with the impacted clients to take appropriate action, including blocking and reissuing cards for the affected accounts. “The Company has taken steps to further enhance security and continues to work with Federal law enforcement officials on this matter,” it declared in its filing.

FIS’s disclosure to investors cast the breach as limited in scope, saying the break-in was restricted to unauthorized activity at a portion of its network belonging to a small prepaid debit card provider that it acquired in 2007.  But bank examiners at the Federal Deposit Insurance Corp. (FDIC) who audited FIS’s operations in the months following the 2011 breach and again in October 2012 came to a very different conclusion: According to a report that the FDIC sent May 24, 2013 to hundreds of FIS’s customer banks and obtained by KrebsOnSecurity, the 2011 breach was much larger than previously reported.

“The initial findings have identified many additional servers exposed by the attackers; and many more instances of the malware exploits utilized in the network intrusions of 2011, which were never properly identified or assessed,”  the FDIC examiners wrote in a report from October 2012. “As a result, FIS management now recognizes that the security breach events of 2011 were not just a pre-paid card fraud event, as originally maintained, but rather are that of a broader network intrusion.”

Indeed, the FDIC’s examiners found that there was scarcely a portion of the FIS network that the hackers did not touch.

...........................................

The FIS breach and the two separate incidents encompassed by the New York case are eerily similar to an intricate 2008 attack against RBS WorldPay. In that heist, crooks obtained remote access to RBS’s systems, raised the daily withdrawal limit and used 44 counterfeit prepaid cards to suck more than $9 million from at least 2,100 ATM terminals in 280 cities worldwide.

Federal prosecutors alleged that the 2008 RBS theft was orchestrated by at least eight men from Estonia and Russia — the alleged ringleader, Sergei Tsurikov,  was extradited to face charges in the United States. His trial is pending and much of his case remains sealed.

Another key figure in that case was Viktor Pleschuk of St. Petersburg, Russia, who monitored the fraudulent ATM withdrawals remotely and in real-time using compromised systems within the payment card network. Pleschuk and Russian accomplice Eugene Anikin were arrested and charged in Russia. Prosecutors asked the court for five- and six-year sentences, but those requests were ignored. In February 2011 (around the time of the FIS breach) Pleschuk and Anikin agreed to plead guilty for their roles in the RBS heist in exchange for suspended sentences  — probation, but no jail time.

Full blog below

https://krebsonsecurity.com/2013/06/fdic-2011-fis-breach-worse-than-reported/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+KrebsOnSecurity+%28Krebs+on+Security%29