
  • Coordinated ATM Heist Nets Thieves $13M

    An international cybercrime gang stole $13 million from a Florida-based financial institution earlier this year by executing a highly coordinated heist in which thieves used ATMs around the globe to cash out stolen prepaid debit cards, KrebsOnSecurity has learned.

    Jacksonville-based Fidelity National Information Services Inc. (FIS) bills itself as the world’s largest processor of prepaid debit cards; FIS claims to process more than 775 million transactions annually. The company disclosed the breach in its first quarter earnings statement issued May 3, 2011. But details of the attack remained shrouded in secrecy as the FBI and forensic investigators probed one of the biggest and most complex banking heists of its kind.

    FIS said it had incurred a loss of approximately $13 million related to unauthorized activities involving one client and 22 prepaid cards on its Sunrise, Fla.-based eFunds Prepaid Solutions, formerly WildCard Systems Inc., which was acquired by FIS in 2007.

    FIS stated: “The Company has identified that 7,170 prepaid accounts may have been at risk and that three individual cardholders’ non-public information may have been disclosed as a result of the unauthorized activities. FIS worked with the impacted clients to take appropriate action, including blocking and reissuing cards for the affected accounts. The Company has taken steps to further enhance security and continues to work with Federal law enforcement officials on this matter.” The disclosure was scarcely noted by news media.

    KrebsOnSecurity recently discovered previously undisclosed details of the successful escapade. According to sources close to the investigation, cyber thieves broke into the FIS network and targeted the Sunrise platform’s “open-loop” prepaid debit cards. The balances on these prepaid cards aren’t stored on the cards themselves; rather, the card numbers correspond to records in a central database, where the balances are recorded. Some prepaid cards cannot be used once their balance has been exhausted, but the prepaid cards used in this attack can be replenished by adding funds. Prepaid cards usually limit the amounts that cardholders can withdraw from a cash machine within a 24-hour period.

    Apparently, the crooks were able to drastically increase or eliminate the withdrawal limits for 22 prepaid cards that they had obtained. The fraudsters then cloned the prepaid cards, and distributed them to co-conspirators in several major cities across Europe, Russia and Ukraine.

    Sources say the thieves waited until the close of business in the United States on Saturday, March 5, 2011, to launch their attack. Working into Sunday evening, conspirators in Greece, Russia, Spain, Sweden, Ukraine and the United Kingdom used the cloned cards to withdraw cash from dozens of ATMs. Armed with unauthorized access to FIS’s card platform, the crooks were able to reload the cards remotely when the cash withdrawals brought their balances close to zero.
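
    The three behaviours described above (a withdrawal limit raised or removed, ATM cash-outs spread across several countries, and reloads landing on a nearly drained card) can be correlated on the issuer side. This is an added example, not code from the article or from FIS; the event names, field layout and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample feed (not real data). Assumed layout:
# (timestamp, card_id, event, amount, country). A LIMIT event carries the new
# daily ATM limit in `amount` (None = limit removed); LOAD adds funds.
EVENTS = [
    ("2011-03-05T21:50", "card-01", "LIMIT", None, None),
    ("2011-03-05T22:00", "card-01", "LOAD", 500, None),
    ("2011-03-05T22:10", "card-01", "ATM", 480, "GR"),
    ("2011-03-05T22:12", "card-01", "LOAD", 500, None),
    ("2011-03-05T22:30", "card-01", "ATM", 500, "RU"),
    ("2011-03-05T22:31", "card-01", "LOAD", 500, None),
    ("2011-03-05T23:05", "card-01", "ATM", 510, "SE"),
    # Ordinary cardholder: one load, two small withdrawals in one country.
    ("2011-03-05T09:00", "card-02", "LOAD", 200, None),
    ("2011-03-05T12:00", "card-02", "ATM", 60, "US"),
    ("2011-03-06T12:30", "card-02", "ATM", 40, "US"),
]

def detect_cashout(events, normal_limit=500, window=timedelta(hours=24),
                   min_countries=3, low_balance=50, min_reloads=2):
    """Return {card_id: [reasons]} for cards showing at least two signals."""
    per_card = defaultdict(list)
    for ts, card, kind, amount, country in events:
        per_card[card].append((datetime.fromisoformat(ts), kind, amount, country))
    findings = {}
    for card, rows in per_card.items():
        rows.sort(key=lambda r: r[0])          # replay in time order
        balance, reloads, spread, limit_raised, atm = 0, 0, 0, False, []
        for when, kind, amount, country in rows:
            if kind == "LIMIT":
                limit_raised |= amount is None or amount > normal_limit
            elif kind == "LOAD":
                # A top-up that lands after cash-out began, on a drained card.
                if atm and balance <= low_balance:
                    reloads += 1
                balance += amount
            elif kind == "ATM":
                balance -= amount
                atm.append((when, country))
                # Distinct countries seen in the window ending at this withdrawal.
                recent = {c for t, c in atm if when - t <= window}
                spread = max(spread, len(recent))
        reasons = []
        if limit_raised:
            reasons.append("daily ATM limit raised or removed")
        if spread >= min_countries:
            reasons.append(f"ATM withdrawals in {spread} countries within window")
        if reloads >= min_reloads:
            reasons.append(f"{reloads} reloads on a near-empty balance")
        if len(reasons) >= 2:
            findings[card] = reasons
    return findings
```

    Requiring two signals before flagging keeps a single legitimate limit change or a travelling cardholder from raising an alert on its own.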

    It’s still not clear who was responsible for this attack on FIS. The company declined to comment. The FBI would neither confirm nor deny that it is investigating. But the breach is eerily similar to an intricate 2008 attack against RBS WorldPay, an Atlanta-based unit of the Royal Bank of Scotland. In that heist, crooks obtained remote access to RBS’s systems and used 44 counterfeit prepaid cards to withdraw more than $9 million from at least 2,100 ATM terminals in 280 cities worldwide. The attack was so sophisticated and alarming that President Obama referred to it in a landmark cybersecurity speech.

    Federal prosecutors alleged that the 2008 RBS theft was orchestrated by at least eight men from Estonia and Russia — the alleged ringleader was extradited to face charges in the United States.

    Another key figure in that case was Viktor Pleschuk of St. Petersburg, Russia, who monitored the fraudulent ATM withdrawals remotely and in real-time using compromised systems within the payment card network. Pleschuk and Russian accomplice Eugene Anikin were arrested and charged in Russia. Prosecutors asked the court for five- and six-year sentences, but those requests were ignored. Pleschuk and Anikin agreed to plead guilty for their roles in the RBS heist in exchange for suspended sentences (probation, but no jail time).


    37 comments

    2. Mark in Columbus

      “The attack was so sophisticated and alarming that President Obama referred to it in a landmark cybersecurity speech.”

      “Landmark…speech”? Oh, please! Our fearless leader is so perspicacious. Thus, we have nothing to fear.

      The major truth here is that, as long as the federal government is in complete statutory and regulatory (note I did not write “constitutional”) control over all things banking, there is no significant incentive for the banking industry to exercise “due diligence,” nor for its customers to exercise prudence. A few gazillion cyber-bucks stolen? What the hey? Just print, er, input more.

      Like the poor, the crooks “you will have always with you.” And as long as money is nothing more than ones and zeroes created arbitrarily out of thin air by omnipotent governmental agencies, we will continue to have the chaos of perennial monetary crime as a daily fact of life: committed “legally” by governments, and illegally by criminals. It is a difference without distinction.

      Hot debate. What do you think? Thumb up 83 Thumb down 88
      • What should the banks and the government do about this?

        Like or Dislike: Thumb up 0 Thumb down 0
    6. There are times when only a big bite in the azz of financial institutions will get their attention toward securing privileged data. I see a 13 mil bite will do it….

      Well-loved. Like or Dislike: Thumb up 15 Thumb down 10
    7. It’s time J Paul Getty’s famous quote is reworded to apply to the banks’ current view of security, something along the lines of:
      “If someone defrauds $1,000 from your bank account that’s your problem. If they defraud $10 million, that’s the bank’s problem.”

      Well-loved. Like or Dislike: Thumb up 19 Thumb down 8
      • I like the quote. The problem is the courts may disagree. Krebs has reported on two court cases with opposing views on the liability. Pick the wrong court & the $10 million might be on you instead of the bank.

        Like or Dislike: Thumb up 2 Thumb down 3
    8. Oh look, another breach within a company that was certified PCI compliant by Trustwave.

      “Fidelity Information Services – Issuing Solutions, Debit Account, Healthcare Payment Card and Prepaid Card Solutions” was certified as PCI compliant by Trustwave on April 30, 2011 (from Visa’s list of PCI DSS validated service providers). Given the dates I would bet the assessment was going on at the same time as the crime itself!

      Nothing to see here folks, move along.

      Well-loved. Like or Dislike: Thumb up 33 Thumb down 6
      • FIS has a lot of components under the Visa list, I’m not sure which one got hacked. It could’ve been the one you mentioned or it could’ve been “Fidelity Information Services – Prepaid Solutions – South”, assessed by ISS July, 2011.

        Like or Dislike: Thumb up 0 Thumb down 0
    9. If you read the last sentence of Brian’s article, it seems that Russia seems to want to punish their lawbreakers. Suspended sentences with probation instead of five or six years in jail.

      Wow, what a deterrent…..

      Hot debate. What do you think? Thumb up 7 Thumb down 9
      • Correction: Russia doesn’t seem to want to punish lawbreakers

        Well-loved. Like or Dislike: Thumb up 10 Thumb down 6
        • Actually, sounds more like corruption in the judiciary. Good work on the prosecutors’ part for at least managing to track them down and get them into the courtroom.

          Like or Dislike: Thumb up 4 Thumb down 1
    10. What I find interesting is how they withdrew the cash from ATM’s in 280 cities. It sounds like a lot of traveling for just 8 guys. If anything, these guys had to put in more work for their stolen cash than any casher I know of. Most just steal or purchase some CC’s with PINS, cash a bunch out of an ATM, and repeat the process on a new ATM. You can go through quite a few ATM’s and hundreds of thousands of dollars with little risk before having to move to city No. 2. Not necessarily even the city you live in ;) These guys went through 280. Sounds inefficient. (And for carders, efficiency + revenues = profit.)

      Like or Dislike: Thumb up 3 Thumb down 4
    11. Prepaid debit cards are being used more and more by the miscreants. Brian has reported just and good heist but in my view there’s more out here that’s being kept top secret from the people of how the prepaid debit cards are used in crimes.

      Like or Dislike: Thumb up 4 Thumb down 2
    12. …RBS WorldPay, an Atlanta-based unit of the Royal Bank of Scotland…

      WorldPay.US is no longer owned by RBS. It was acquired by a private equity firm in 2011.

      Like or Dislike: Thumb up 1 Thumb down 5
    14. Maybe and maybe not. If the bank is of any size it’s running a mainframe and “inserting a record” is limited to just a few, very few methods. In addition many mainframes limit what their administrators can do. None of the ones I’m familiar with allow a mainframe administrator to have actual access to the data. In addition virtually every activity by an administrator is logged somewhere so it might not get noticed immediately but it certainly will get noticed eventually.

      Many of the smaller banks and credit unions use a third-party “service bureau” to actually house and manage their banking systems. Working for the bank or CU isn’t going to get you any access at all.

      Well-loved. Like or Dislike: Thumb up 9 Thumb down 0
    17. Whoa – the fifth data loss for this company in recent history. It looks like they are driving drunk on the information super highway.

      Don’t worry, though – the executives will receive their bonuses for a ‘job well done’; and the losses will be passed on to share holders.

      http://datalossdb.org/search?utf8=%E2%9C%93&query=Fidelity+National+Information+Services&show_fringe=no&commit=SEARCH

      Like or Dislike: Thumb up 2 Thumb down 1
    18. Andrew, what are you smoking.

      Hacking into a bank is not that easy. And NO you cannot just ask customer service for that extra permission.

      Create an account and then delete it?

      What if there are reports that show new accounts created?
      What if there are reports that show deleted accounts? (Remember banks don’t delete accounts, they inactivate them).

      Your little plan is so full of holes and make believe.

      Like or Dislike: Thumb up 3 Thumb down 0
    20. Sorry, to me, those are details. Stuff I’ve learned over 25 years of analyzing the system.

      Hot debate. What do you think? Thumb up 2 Thumb down 6
    22. I don’t know. I’m bored. Anyone need any money laundering advice? I can do it for less and more efficiently.

      I could probably also help with “merchandise” delivery and logistics with fewer payoffs at the borders.

      Hot debate. What do you think? Thumb up 2 Thumb down 7
    23. Let’s discuss central banking.

      The Treasury creates a piece of paper (t-bond) that you might call an IOU. $100k at 5% interest for example. They walk that over to the Fed and ask for money. The Fed says, “how are you going to pay that loan back?” The Treasury answers, “well, we have census records and population growth rates that show an IRS’ tax revenue of X.” The Fed hems and haws and says, “ok, I guess we can lend you $100k, but you better make those interest payments on time. So, the Fed writes a check, the Treasury says, “thank you” and deposits the check into the Treasury’s bank account. Then Congress spends it.

      So, where did the money come from? Well… any accountants out there? What is the offsetting liability or asset account that is hit when the Fed books the asset? That’s accountant talk. For the layperson, where did that money come from? Nowhere. The Fed just wrote a piece of paper called a check for $100k. Digits were added to the Treasury’s bank account when they deposited the check. So it came from out of thin air. Is that inflation you might ask? Well, yes, that is correct.

      For extra bonus points: What does the phrase “debt ceiling” really mean? Inflation of course, on a yearly basis.

      Hot debate. What do you think? Thumb up 2 Thumb down 7
    24. So… while we’re tax revenue… a couple of points:
      1. the US is a corporation (for-profit of course).
      2. tax revenue is the revenue of that corporation.
      3. entitlements are the expenses of that corporation.

      So, like any other corporation, their goal is to maximize profits. Reduce entitlements or increase revenue.

      But, I digress, any lawyers out there? What is the legal definition of “includes” in Title 26? Hmm… even non-lawyers can look that up. Try Cornell’s online law library. Now, questions to ask yourself while reading that legal definition:
      - why was that word defined?
      - does includes mean inclusive or expansive?
      - why are there so many double-negatives in that sentence?
      - why is it so hard to read?
      - why is it that it sounds like “expansive” if you gloss over it, but if you remove the double-negatives, it actually means “inclusive”.

      So, while we’re looking at the legal definitions in Title 26, what is the definition of the legal term “employee”? Does that mean the same thing as the dictionary, every-day usage? Well, of course not.

      Remember, in law, if a legal term is defined the common-usage has no bearing.

      Hot debate. What do you think? Thumb up 2 Thumb down 7
    25. Promise Language fixes all the above.

      All transactions are promises to deliver value. Two promises = One transaction. What value was promised? Up to the persons involved.

      Promise Language is a standardized protocol (like HTML) for describing promises between people, but it also unleashes creativity.

      For example, you could have a Diamond Card with a physical diamond in a wealth storage facility. The card would be Visa, MC, Amex, Discover, etc. So you could purchase groceries with your Diamond Card. A wealth translation would occur behind the scenes to give the grocery cash. The above idea works with wheat silos (farmers), land, or anything else of value.

      Like or Dislike: Thumb up 1 Thumb down 2
    26. This reminds me of the scene in Ghostbusters where everything was going fine until ‘someone’ shut down the containment grid.

      FIS was doing well with Risk and Governance until they merged with Metavante who took it over after booting out FIS personnel.

      Like or Dislike: Thumb up 0 Thumb down 0
    27. Some follow up on some of the above commentary…

      Have you heard that the IRS filed a $14 trillion dollar lien against the Fed and the US Treasury? Basically they are foreclosing on all Federal land and other assets for unpaid back taxes. The IRS has the legal authority to do so and will almost certainly prevail.

      Some scanned copies of the lien:
      http://hypertiger.blogspot.com/2011/09/why-does-irs-have-14-trillion-dollar.html

      Like or Dislike: Thumb up 1 Thumb down 1
    28. Russian Freedom Fighter

      Done it again .. XA- XA- XA ..

      Encryption sucks ..Not even FBI knows about this hole in the wall ..))))

      Viva

      Like or Dislike: Thumb up 0 Thumb down 0
    29. By the way, this discussion leads to the bond market and the Federal Reserve.

      See here for more info. Perhaps the FBI or Justice Department might be interested in the discussion:
      http://www.elitetrader.com/vb/showthread.php?threadid=227439

      Like or Dislike: Thumb up 0 Thumb down 1