Topic: Crooks Net $11m in Coordinated ATM Heists (re-loadable prepaid debit cards used)

Offline menotu

Brian Krebs 6 February 2013 (krebsonsecurity)

Crooks Net Millions in Coordinated ATM Heists

Organized cyber criminals stole almost $11 million in two highly coordinated ATM heists in the final days of 2012, KrebsOnSecurity has learned. The events prompted Visa to warn U.S. payment card issuers to be on high-alert for additional ATM cash-out fraud schemes in the New Year.

According to sources in the financial industry and in law enforcement, the thieves first struck on Christmas Eve 2012. Using a small number of re-loadable prepaid debit cards tied to accounts that they controlled, scammers began pulling cash out of ATMs in at least a dozen countries. Within hours, the perpetrators had stolen approximately $9 million.

Then, just prior to New Year’s Eve, the fraudsters struck again, this time attacking a card network in India and making off with slightly less than $2 million, investigators say.

The accounts that the perpetrators used to withdraw money from ATMs were tied to re-loadable prepaid debit cards, which can be replenished with additional funds once depleted. Prepaid card networks generally enforce low-dollar limits that restrict the amounts customers can withdraw from associated accounts in a 24 hour period. But in both ATM heists, sources said, the crooks were able to increase or eliminate the withdrawal limits for the prepaid accounts they controlled.

Shortly after the second heist, Visa released a private alert to payment card issuers, warning them to be on the lookout for additional ATM mega-heists over the New Year's holiday. Sources say Visa’s alert was indeed prompted by the multi-million dollar heists at the end of December.

The Visa alert, sent to card issuers at the beginning of January 2013, warns:

    “Visa has been alerted to new cases where ATM Cash-Out frauds have been attempted and successfully completed by organized criminal groups across the globe. In a recently reported case, criminals used a small number of cards to conduct 1000’s of ATM withdrawals in multiple countries around the world in one weekend.”

    “These attacks result from hackers gaining access to issuer authorization systems and card parameter information. Once inside, the hackers manipulate daily withdrawal amount limits, card balances and other card parameters to facilitate massive fraud on individual cards. In some instances over $500K USD has been withdrawn on a single card in less than 24 hours.”

Visa Alert PDF

Blog
« Last Edit: February 06, 2013, 06:30:47 AM by menotu »
PCLinuxOS 32bit KDE 4.10.1; kernel-3.4.11-pclos1.bfs & 64bit 3.2.18bfs; NVidia GeForce 8400GS 1GB 310.19 driver

Sony Vaio SVE1513A4ESI Laptop, Intel Core i5, 2.6GHz, 6GB RAM, 750GB, 15.6" Intel HD Graphics 4000
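
An added detection sketch for the pattern the Visa alert quoted above describes (not part of the original post or of the quoted article): because the card's own limit in the authorization system is what gets tampered with, the check compares activity against policy values held elsewhere. The record layout, event names and thresholds are assumptions, and the sample records are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Policy values held outside the authorization system (assumed figures).
POLICY_DAILY_LIMIT = 500.00   # product-level ceiling per card per 24 h
MAX_WITHDRAWALS = 10          # withdrawals per card per 24 h
MAX_COUNTRIES = 2             # distinct ATM countries per card per 24 h
WINDOW = timedelta(hours=24)

# Constructed sample records: (timestamp, card_id, event, amount, country)
SAMPLE = [
    ("2012-12-24T18:00", "card-A", "LIMIT_CHANGE", 250000.00, "-"),
    ("2012-12-24T18:05", "card-A", "WITHDRAWAL", 400.00, "GB"),
    ("2012-12-24T18:06", "card-A", "WITHDRAWAL", 400.00, "ES"),
    ("2012-12-24T18:07", "card-A", "WITHDRAWAL", 400.00, "UA"),
    ("2012-12-24T19:00", "card-B", "WITHDRAWAL", 200.00, "GB"),
    ("2012-12-25T20:00", "card-B", "WITHDRAWAL", 200.00, "GB"),
]

def detect(records):
    """Return a sorted list of (card_id, reason) alerts."""
    windows = defaultdict(deque)   # card -> recent (ts, amount, country)
    alerts = set()
    for ts, card, event, amount, country in sorted(records):
        ts = datetime.fromisoformat(ts)
        if event == "LIMIT_CHANGE":
            # A per-card limit raised above the product ceiling is itself a signal.
            if amount > POLICY_DAILY_LIMIT:
                alerts.add((card, "limit_above_policy"))
            continue
        win = windows[card]
        win.append((ts, amount, country))
        # Drop withdrawals that have aged out of the rolling 24-hour window.
        while win and ts - win[0][0] >= WINDOW:
            win.popleft()
        if sum(a for _, a, _ in win) > POLICY_DAILY_LIMIT:
            alerts.add((card, "amount_over_policy"))
        if len(win) > MAX_WITHDRAWALS:
            alerts.add((card, "too_many_withdrawals"))
        if len({c for _, _, c in win}) > MAX_COUNTRIES:
            alerts.add((card, "too_many_countries"))
    return sorted(alerts)

if __name__ == "__main__":
    for card, reason in detect(SAMPLE):
        print(card, reason)
```
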

Online jaydot

how much is any one person allowed to withdraw from an atm in any one day?  i'm allowed £300.  in order to withdraw a million pounds, i would need to visit the atm no less than 3333.3 times.  this suggests that in order to withdraw such huge amounts as mentioned in the article, the crooks need a veritable army of minions willing to visit these machines.

there's made up codswallop and there's horse pucky.  this article seems to belong in both camps.
PCLinuxOS  Get it?  Got it?  Good!!   8)

We don't have any millionaire angels or corporate backers paying the bills here, PLEASE DONATE.
http://pclinuxos.com/?page_id=7

Offline menotu

Quote
how much is any one person allowed to withdraw from an atm in any one day?  i'm allowed £300.  in order to withdraw a million pounds, i would need to visit the atm no less than 3333.3 times.  this suggests that in order to withdraw such huge amounts as mentioned in the article, the crooks need a veritable army of minions willing to visit these machines.

there's made up codswallop and there's horse pucky.  this article seems to belong in both camps.

I've always considered Brian Krebs to be sound in the security blogs he posts, but I guess others may know differently

Online Just17

Quote
how much is any one person allowed to withdraw from an atm in any one day?  i'm allowed £300.  in order to withdraw a million pounds, i would need to visit the atm no less than 3333.3 times.  this suggests that in order to withdraw such huge amounts as mentioned in the article, the crooks need a veritable army of minions willing to visit these machines.

there's made up codswallop and there's horse pucky.  this article seems to belong in both camps.

Quote
Once inside, the hackers manipulate daily withdrawal amount limits, card balances and other card parameters to facilitate massive fraud on individual cards.

If you could find an ATM with $500K in it then one visit would be enough ......  but I expect it would cause a lot of annoyance for those lined up behind!   ;D :D

MLUs rule the roost!

Linux XPS 3.4.38-pclos1.bfs  64 bit
Intel Core2 Quad CPU Q9450 @ 2.66GHz
4 GB RAM
MCP51 High Def Audio
GeForce GTX 550 Ti
PHILIPS DVD+-RW DVD8701
Logitech BT Mini-Receiver
Afatech DTT

Offline menotu

Another Brian Krebs blog from August 2011

Coordinated ATM Heist Nets Thieves $13M

Fidelity National Information Services Inc. (FIS) bills itself as the world’s largest processor of prepaid debit cards; FIS claims to process more than 775 million transactions annually. The company disclosed the breach in its first quarter earnings statement issued May 3, 2011. But details of the attack remained shrouded in secrecy as the FBI and forensic investigators probed one of the biggest and most complex banking heists of its kind.

FIS said it had incurred a loss of approximately $13 million related to unauthorized activities involving one client and 22 prepaid cards on its Sunrise, Fla. based eFunds Prepaid Solutions, formerly WildCard Systems Inc., which was acquired by FIS

FIS stated: “The Company has identified that 7,170 prepaid accounts may have been at risk and that three individual cardholders’ non-public information may have been disclosed as a result of the unauthorized activities. FIS worked with the impacted clients to take appropriate action, including blocking and reissuing cards for the affected accounts. The Company has taken steps to further enhance security and continues to work with Federal law enforcement officials on this matter.” The disclosure was scarcely noted by news media.

According to sources close to the investigation, cyber thieves broke into the FIS network and targeted the Sunrise platform’s “open-loop” prepaid debit cards. The balances on these prepaid cards aren’t stored on the cards themselves; rather, the card numbers correspond to records in a central database, where the balances are recorded. Some prepaid cards cannot be used once their balance has been exhausted, but the prepaid cards used in this attack can be replenished by adding funds. Prepaid cards usually limit the amounts that cardholders can withdraw from a cash machine within a 24 hour period. Apparently, the crooks were able to drastically increase or eliminate the withdrawal limits for 22 prepaid cards that they had obtained.

The fraudsters then cloned the prepaid cards, and distributed them to co-conspirators in several major cities across Europe, Russia and Ukraine.

Sources say the thieves waited until the close of business in the United States on Saturday, March 5, 2011, to launch their attack. Working into Sunday evening, conspirators in Greece, Russia, Spain, Sweden, Ukraine and the United Kingdom used the cloned cards to withdraw cash from dozens of ATMs. Armed with unauthorized access to FIS’s card platform, the crooks were able to reload the cards remotely when the cash withdrawals brought their balances close to zero.

https://krebsonsecurity.com/2011/08/coordinated-atm-heist-nets-thieves-13m/

=============================================
And a FIS Earnings statement confirms the info from Brian Krebs blog

FIS Announces First Quarter Results

FIS incurred a loss of approximately $13.0 million, or $0.03 per share, during the first quarter of 2011 related to unauthorized activities involving one client and 22 prepaid card accounts on its Sunrise platform. The Company has identified that 7,170 prepaid accounts may have been at risk and that three individual cardholders' non-public information may have been disclosed as a result of the unauthorized activities. FIS worked with the impacted clients to take appropriate action, including blocking and reissuing cards for the affected accounts. The Company has taken steps to further enhance security and continues to work with Federal law enforcement officials on this matter.

http://www.investor.fisglobal.com/phoenix.zhtml?c=180304&p=irol-newsArticle&ID=1558344&highlight=
« Last Edit: February 10, 2013, 06:08:39 AM by menotu »

Offline and then..

Quote
there's made up codswallop and there's horse pucky.  this article seems to belong in both camps.

That was a brave statement Jaydot!   ;D ;D ;D
Cages.