A large cyber criminal network managed to steal $13 million in one day from ATMs in six countries.
The robbers used a security breach in Fidelity National Information Services which processes prepaid debit cards.
FIS admitted in May that there had been a breach, but security researcher Brian Krebs said he found evidence that the crime might have been a lot more complex and costly.
According to his KrebsOnSecurity blog, the attackers first broke into FIS' network and gained unauthorised access to the company's database.
In the database they found each prepaid debit card customer's balance.
FIS has some fairly good fraud protection policies that limit the amount cardholders can withdraw from an ATM within a 24-hour period. Once a card's limit or balance is reached, it cannot be used again until its owner loads more money onto it.
To get around this, the criminals used 22 legitimate cards. They went into the database, eliminated each card's withdrawal limit and cloned them. Copies of the cards were sent to conspirators in Greece, Russia, Spain, Sweden, Ukraine and Blighty.
When the balance on a card ran low, the hackers simply reloaded it remotely.
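The weakness in the scheme described above is that the 24-hour cap lived in the same database the attackers controlled, so removing it removed the control. A monitor that recomputes velocity from the transaction stream itself, and separately audits stored limits against policy, does not have that single point of failure. The following is an added example written for this page, not code from FIS or from Krebs; the record layout, the $1,000 daily cap and the sample withdrawals are all constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample withdrawals (card_id, timestamp, ISO country, amount in USD).
# These are illustrative records, not data from the FIS incident.
WITHDRAWALS = [
    ("card-A", "2011-03-05 09:00", "GR", 500),
    ("card-A", "2011-03-05 09:04", "GR", 500),
    ("card-A", "2011-03-05 09:10", "SE", 500),   # second country minutes later
    ("card-A", "2011-03-05 09:15", "GB", 500),
    ("card-A", "2011-03-05 09:20", "ES", 500),
    ("card-B", "2011-03-05 11:00", "GB", 200),
    ("card-B", "2011-03-06 12:00", "GB", 200),   # 25h later: outside the window
]

# Assumed policy values for the example.
DAILY_LIMIT_USD = 1000
COUNTRY_WINDOW = timedelta(hours=1)


def _parse(rec):
    card, ts, country, amount = rec
    return card, datetime.strptime(ts, "%Y-%m-%d %H:%M"), country, amount


def flag_withdrawals(records, daily_limit=DAILY_LIMIT_USD,
                     country_window=COUNTRY_WINDOW):
    """Return {card_id: sorted list of alert names} computed purely from the
    transaction stream, so the checks still hold if the per-card limit stored
    in the cardholder database has been tampered with.

    Alerts:
      over_daily_limit  rolling 24-hour total exceeds daily_limit
      multi_country     withdrawals from more than one country inside country_window
    """
    by_card = defaultdict(list)
    for rec in records:
        card, ts, country, amount = _parse(rec)
        by_card[card].append((ts, country, amount))

    alerts = defaultdict(set)
    for card, txns in by_card.items():
        txns.sort()
        for i, (ts, _country, _amount) in enumerate(txns):
            seen = txns[:i + 1]
            # Rolling 24-hour window ending at this transaction.
            total = sum(a for (t, _c, a) in seen if ts - t < timedelta(hours=24))
            if total > daily_limit:
                alerts[card].add("over_daily_limit")
            # Distinct countries seen inside the short window.
            countries = {c for (t, c, _a) in seen if ts - t < country_window}
            if len(countries) > 1:
                alerts[card].add("multi_country")
    return {card: sorted(names) for card, names in alerts.items()}


def limit_tampering(card_limits, policy_limit=DAILY_LIMIT_USD):
    """Audit stored per-card limits against policy.

    card_limits maps card_id -> configured 24h limit (None means no limit).
    Returns the sorted list of cards whose limit is missing or above policy,
    which is exactly what removing a card's limit in the database would produce.
    """
    return sorted(card for card, lim in card_limits.items()
                  if lim is None or lim > policy_limit)


if __name__ == "__main__":
    print(flag_withdrawals(WITHDRAWALS))
    # Constructed example of card records after an attacker removed two limits.
    print(limit_tampering({"card-A": None, "card-B": 1000, "card-C": 5000}))
```

Both checks are deliberately independent of the cardholder database: the velocity check only needs the ATM transaction feed, and the audit compares what is stored against a policy value held elsewhere. Running them on a system the card-management database cannot write to is the point.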
On Saturday, March 5, the criminals began taking out money from ATMs. By Sunday evening, the scam was over, and the attackers had stolen $13 million.
Krebs said it is not clear who is behind the attack on FIS, although the characteristics of the scheme resemble the 2008 attack against RBS WorldPay, the Atlanta-based unit of the Royal Bank of Scotland.
In that case crooks hacked into RBS’s systems and used 44 counterfeit prepaid cards to withdraw more than $9 million from at least 2,100 ATM terminals in 280 cities worldwide.
In that situation a Russian bloke called Viktor Pleschuk monitored the fraudulent ATM withdrawals remotely and in real-time using compromised systems within the payment card network.
Both he and an accomplice, Eugene Anikin, were arrested and charged in Russia. However, when prosecutors asked the court for five- and six-year sentences, the court said Nyet. Pleschuk and Anikin agreed to plead guilty for their roles in the RBS heist in exchange for suspended sentences.