August 26, 2011

An international cybercrime gang stole $13 million from a Florida-based financial institution earlier this year, by executing a highly-coordinated heist in which thieves used ATMs around the globe to cash out stolen prepaid debit cards, KrebsOnSecurity has learned.

Jacksonville based Fidelity National Information Services Inc. (FIS) bills itself as the world’s largest processor of prepaid debit cards; FIS claims to process more than 775 million transactions annually. The company disclosed the breach in its first quarter earnings statement issued May 3, 2011. But details of the attack remained shrouded in secrecy as the FBI and forensic investigators probed one of the biggest and most complex banking heists of its kind.

FIS said it had incurred a loss of approximately $13 million related to unauthorized activities involving one client and 22 prepaid cards on its Sunrise, Fla. based eFunds Prepaid Solutions, formerly WildCard Systems Inc., which was acquired by FIS in 2007.

FIS stated: “The Company has identified that 7,170 prepaid accounts may have been at risk and that three individual cardholders’ non-public information may have been disclosed as a result of the unauthorized activities. FIS worked with the impacted clients to take appropriate action, including blocking and reissuing cards for the affected accounts. The Company has taken steps to further enhance security and continues to work with Federal law enforcement officials on this matter.” The disclosure was scarcely noted by news media.

KrebsOnSecurity recently discovered previously undisclosed details of the successful escapade. According to sources close to the investigation, cyber thieves broke into the FIS network and targeted the Sunrise platform’s “open-loop” prepaid debit cards. The balances on these prepaid cards aren’t stored on the cards themselves; rather, the card numbers correspond to records in a central database, where the balances are recorded. Some prepaid cards cannot be used once their balance has been exhausted, but the prepaid cards used in this attack can be replenished by adding funds. Prepaid cards usually limit the amounts that cardholders can withdraw from a cash machine within a 24 hour period.

Apparently, the crooks were able to drastically increase or eliminate the withdrawal limits for 22 prepaid cards that they had obtained. The fraudsters then cloned the prepaid cards, and distributed them to co-conspirators in several major cities across Europe, Russia and Ukraine.

Sources say the thieves waited until the close of business in the United States on Saturday, March 5, 2011, to launch their attack. Working into Sunday evening, conspirators in Greece, Russia, Spain, Sweden, Ukraine and the United Kingdom used the cloned cards to withdraw cash from dozens of ATMs. Armed with unauthorized access to FIS’s card platform, the crooks were able to reload the cards remotely when the cash withdrawals brought their balances close to zero.

It’s still not clear who was responsible for this attack on FIS. The company declined comment. The FBI would neither confirm nor deny that it is investigating. But the breach is eerily similar to an intricate 2008 attack against RBS WorldPay, an Atlanta-based unit of the Royal Bank of Scotland. In that heist, crooks obtained remote access to RBS’s systems and used 44 counterfeit prepaid cards to withdraw more than $9 million from at least 2,100 ATM terminals in 280 cities worldwide. The attack was so sophisticated and alarming that President Obama referred to it in a landmark cybersecurity speech.

Federal prosecutors alleged that the 2008 RBS theft was orchestrated by at least eight men from Estonia and Russia — the alleged ringleader was extradited to face charges in the United States.

Another key figure in that case was Viktor Pleschuk of St. Petersburg, Russia, who monitored the fraudulent ATM withdrawals remotely and in real-time using compromised systems within the payment card network. Pleschuk and Russian accomplice Eugene Anikin were arrested and charged in Russia. Prosecutors asked the court for five- and six-year sentences, but those requests were ignored. Pleschuk and Anikin agreed to plead guilty for their roles in the RBS heist in exchange for suspended sentences (probation, but no jail time).

37 thoughts on “Coordinated ATM Heist Nets Thieves $13M

  1. Mark in Columbus

    “The attack was so sophisticated and alarming that President Obama referred to it in a landmark cybersecurity speech.”

    “Landmark…speech”? Oh, please! Our fearless leader is so perspicacious. Thus, we have nothing to fear.

    The major truth here is that, as long as the federal government is in complete statutory and regulatory (note I did not write “constitutional”) control over all things banking, there is no significant incentive for the banking industry to exercise “due diligence,” nor for its customers to exercise prudence. A few gazillion cyber-bucks stolen? What the hey? Just print, er, input more.

    Like the poor, the crooks “you will have always with you.” And as long as money is nothing more than ones and zeroes created arbitrarily out of thin air by omnipotent governmental agencies, we will continue to have the chaos of perennial monetary crime as a daily fact of life: committed “legally” by governments, and illegally by criminals. It is a difference without distinction.

    1. RC on West Coast

      Mark, your ignorance and extreme right wing completely tilted view are very apparent. Unfortunately you completely fail to understand the monetary system and I’m very sure many other things. TOTALLY. Funny how people like you are so vocal, just like the ignorants from the extreme left. You should run for political office, all of your friends are there.

    2. Ray Butlers

      What should the banks and the government do about this?

  2. LC

    Wow. It seems like almost any forum or site I visit that even only in passing mentions Obama, you get these kinds of rant comments.

  3. Mark in Columbus

    LC, note: Brian’s post cited the president and his “landmark” speech in re the topic. Hence, my citing of the president. He is, as you might not realize, the most powerful individual when it comes to US monetary policy. The ipso facto “first responder” for such occurrences.

    My post was far less of a “rant” than yours. Because mine clearly involves thought and analysis. Yours is nothing more than a knee-jerk political reaction.

    1. Neej

      No, your post reads like the rantings of many other ill-informed and possibly non-educated speakers talking on the subject of money and finance these days who also can’t seem to control themselves as they parrot others of the same ilk. You likely have a few pet conspiracy theories that you like to bring up from time to time as well I imagine.

      Please keep your comments on-topic and don’t refer to your own posts as being the result of your own extensive thought and analysis, it just makes you look foolish at best.

  4. Kfritz

    Evidently large thefts directly from banks are are NOT acceptable to Russia’s powers that be. People who do it get, like, arrested!

    Smaller raids on customers of banks are another matter.

  5. Jim J.

    There are times when only a big bite in the azz of financial institutions will get their attention toward securing privileged data. I see a 13 mil bite will do it….

  6. emv x man

    It’s time J Paul Getty’s famous quote is reworded to apply to the banks current view of security, something along the lines of:
    “If someone defrauds $1,000 from your bank account that’s your problem. If they defraud $10 million, that’s the bank’s problem.”

    1. Nick P

      I like the quote. The problem is the courts may disagree. Krebs has reported on two court cases with opposing views on the liability. Pick the wrong court & the $10 million might be on you instead of the bank.

  7. rick

    Oh look, another breach within a company that was certified PCI compliant by Trustwave.

    “Fidelity Information Services – Issuing Solutions, Debit Account, Healthcare Payment Card and Prepaid Card Solutions” was certified as PCI compliant by Trustwave on April 30, 2011 (from Visa’s list of PCI DSS validated service providers). Given the dates I would bet the assessment was going on at the same time as the crime itself!

    Nothing to see here folks, move along.

    1. Bodine Wilson

      FIS has a lot of components under the Visa list, I’m not sure which one got hacked. It could’ve been the one you mentioned or it could’ve been “Fidelity Information
      Services – Prepaid Solutions – South”, assessed by ISS July, 2011.

  8. Bob

    If you read the last sentence of Brian’s article, it seems that Russia seem to want to punish their lawbreakers. Suspended sentences with probation instead of five or six years in jail.

    Wow, what a deterrent…..

    1. Bob

      Correction: Russia doesn’t seem to want to punish lawbreakers

      1. Chris

        Actually, sounds more like corruption in the judicary. Good work on the prosecutors part for at least managing to track them down and get them into the courtroom.

  9. Nick P

    What I find interesting is how they withdrew the cash from ATM’s in 280 cities. It sounds like a lot of traveling for just 8 guys. If anything, these guys had to put in more work for their stolen cash than any casher I know of. Most just steal or purchase some CC’s with PINS, cash a bunch out of an ATM, and repeat the process on a new ATM. You can go through quite a few ATM’s and hundreds of thousands of dollars with little risk before having to move to city No. 2. Not necessarily even the city you live in 😉 These guys went through 280. Sounds inefficient. (And for carders, efficiency + revenues = profit.)

  10. oper207

    Prepaid debit card are being used more and more by the miscreants. Brian has reported just and good heist but in my view there’s more out here that being kept top secret from the people of how the prepaid debit cards are used in crimes.

  11. ChrisZ

    …RBS WorldPay, an Atlanta-based unit of the Royal Bank of Scotland…

    WorldPay.US is no longer owned by RBS. It was acquired by a private equity firm in 2011.

  12. Andrew Brown

    Easier ways to do a heist:

    Step 1: Work in the IT department for a couple of months of any bank or credit union.

    Step 2: Create a tiny program that triggers at a certain time every day. That program inserts a record into the database of a customer account with a balance. This could be a small balance or it could be a giant one for a one time transfer (if you have an overseas account and can launder that money safely). If not, you can simply do ATM transactions that would never hit the bank’s auditors. Allow the record to exist for 10-15 minutes and then delete it. This gives you time to hit ATM or perhaps a large wire transfer (or series of).

    That’s about it. You can think creatively from there. Why does this work? Well, cash in banks are simply digits. As long as those digits are less than any audited amount or within the margin of round off error, no one will ever see it.

    There are other ways, however that little hidden program… tough to find. Run it in the middle of the night or whenever batch processes on reporting are not run and your account will never show up. This won’t last forever, but might give you time to arrange money laundering opportunity overseas for one big pay off. Then you can retire.

    PS. Each bank has its own security policies, but the above plan will work if you take a look around for a couple months while in the IT department.

  13. JJ

    Maybe and maybe not. If the bank is of any size it’s running a mainframe and “inserting a record” is limited to just a few, very few methods. In addition many mainframes limit what their administrators can do. None of the ones I’m familiar with allow a mainframe adminstrator to have actual access to the data. In addition virtually every activity by an administrator is logged somewhere so it might not get noticed immediately but it certainly will get noticed eventually.

    Many of the smaller banks and credit unions use a third-party “service bureau” to actually house and manage their banking systems. Working for the bank or CU isn’t going to get you any access at ll.

  14. Andrew Brown

    You could do it remotely through hacking.

    You could even do it through customer service. You know… just ask for that ‘little’ extra permission. Then comblammo. Pretty easy from there.

  15. Andrew Brown

    So now… to review. How does this work?

    Well. Two main reasons:
    1. the bank is not losing any actual money. You must understand monetary science and fractional reserve banking to really get that. So, they have very little concern about any so-called “loss”. And any that hits their income statement will be considered a tax loss which will of course increase their cash flow.
    2. you must remember that reports that managers see and make decisions upon are in thousands and millions of dollars. So, it is pretty easy to keep the amounts small enough that no auditor or manager would ever raise an eyebrow. Kind of like the cashier at McDonalds at the end of the night being $5 off. Who would care?

    The one-time hit. Now. That is a more interesting question. Who can figure out how to wire transer, keep the money, without anyone being the wiser?

  16. Keith

    Andrew, what are you smoking.

    Hacking into a bank is not that easy. And NO you cannot just ask customer service for that extra persmission.

    Create and Account and then delete it?

    What if they are reprots that show new accounts created?
    What if they are reports that show deleted accounts? (Remember banks don’t delete accounts, they inactivate them).

    Your little plan is so full of holes and make believe.

  17. Andrew Brown

    I didn’t list all the details, but it’s not too difficult.

    To address your questions specifically:
    – open an account at the bank with a debit card
    – the program would then activate or deactivate or add a balance for 15-20 minutes in the middle of the night

    No reports run at that time. If the balance is small, the discrepancy will be too small for anyone to chase. Any reports run the next day will balance. The only problem might be a reconciliation report with external vendors through the ach debit system. However, if you do the ATM method out of the country, the discrepancy will be under any round-off error. And if you do the one-time hit, you’d just drop your old identity.

    Various countries offer legal, legit passports with different names. You could also open the account in the name of a trust or corporation, then drop the trust/corporation. Various states have pretty good secrecy on the owner of the trust. Paperwork games.

  18. Andrew Brown

    So that’s an easy one at a bank. Easily doable solo with no assistance, but a couple months work.

    What are other good ways?

    – sacrifice your credit score. Would you pay $150,000 for a 720 FICO? I wouldn’t. So, if your score is 700+, take out a bunch of loans and default. Your credit will be decent inside 3 years. Plan accordingly. And everything falls off after 7 years anyway.
    – I haven’t done the medical claims thing, but tons of money there. You can easily hide a false claim and the claims processor will likely pay the bill. Haven’t thought that one through, but I have seen it in action.

    As an aside, you know one time I was working for a medical claims processor that was closing up shop due to gross fraud. They were ripping off millions. I just worked there on the legit and up and up. So, the place closed up and I had a small retirement account that I wanted to cash out. Lo and behold $2 million was added to my bank account. Unfortunately they yanked it the same day. Hmm… think that was an accident? I think not. How many state employees have $2 million retirement accounts?

  19. Andrew Brown

    I don’t know. I’m bored. Anyone need any money laundering advice? I can do it for less and more efficiently.

    I could probably also help with “merchandise” delivery and logistics with fewer payoffs at the borders.

  20. Andrew Brown

    Let’s discuss central banking.

    The Treasury creates a piece of paper (t-bond) that you might call an IOU. $100k at 5% interest for example. They walk that over to the Fed and ask for money. The Fed says, “how are you going to pay that loan back?” The Treasury answers, “well, we have census records and population growth rates that show an IRS’ tax revenue of X.” The Fed hems and haws and says, “ok, I guess we can lend you $100k, but you better make those interest payments on time. So, the Fed writes a check, the Treasury says, “thank you” and deposits the check into the Treasury’s bank account. Then Congress spends it.

    So, where did the money come from? Well… any accountants out there? What is the offsetting liability or asset account that is hit when the Fed books the asset? That’s accountant talk. For the layperson, where did that money come from? Nowhere. The Fed just wrote a piece of paper called a check for $100k. Digits were added to the Treasury’s bank account when they deposited the check. So it came from out of thin air. Is that inflation you might ask? Well, yes, that is correct.

    For extra bonus points: What does the phrase “debt ceiling” really mean? Inflation of course, on a yearly basis.

  21. Andrew Brown

    So… while we’re tax revenue… a couple of points:
    1. the US is a corporation (for-profit of course).
    2. tax revenue is the revenue of that corporation.
    3. entitlements are the expenses of that corporation.

    So, like any other corporation, their goal is to maximize profits. Reduce entitlements or increase revenue.

    But, I digress, any lawyers out there? What is the legal definition of “includes” in Title 26? Hmm… even non-lawyers can look that up. Try Cornell’s online law library. Now, questions to ask yourself while reading that legal definition:
    – why was that word defined?
    – does includes mean inclusive or expansive?
    – why are there so many double-negatives in that sentence?
    – why is it so hard to read?
    – why is it that it sounds like “expansive” if you gloss over it, but if you remove the double-negatives, it actually means “inclusive”.

    So, while we’re looking at the legal definitions in Title 26, what is the definition of the legal term “employee”? Does that mean the same thing as the dictionary, every-day usage? Well, of course not.

    Remember, in law, if a legal term is defined the common-usage has no bearing.

  22. Andrew Brown

    Promise Language fixes all the above.

    All transactions are promises to deliver value. Two promises = One transaction. What value was promised? Up to the persons involved.

    Promise Language is a standardized protocol (like HTML) for describing promises between people, but it also unleashes creativity.

    For example, you could have a Diamond Card with a physical diamond in a wealth storage facility. The card would be Visa, MC, Amex, Discover, etc. So you could purchase groceries with your Diamond Card. A wealth translation would occur behind the scenes to give the grocery cash. The above idea works with wheat silos (farmers), land, or anything else of value.

  23. Ivan Mosovitz

    This reminds me of the scene in Ghostbusters where everything was going fine until ‘somone’ shut down the containment grid.

    FIS was doing well with Risk and Governance until they merged with Metavante who took it over after booting out FIS personnel.

  24. Russian Freedom Fighter

    Done it again .. XA- XA- XA ..

    Encryption sucks ..Not even FBI knows about this hole in the wall ..))))


Comments are closed.