February 6, 2013

Organized cyber criminals stole almost $11 million in two highly coordinated ATM heists in the final days of 2012, KrebsOnSecurity has learned. The events prompted Visa to warn U.S. payment card issuers to be on high-alert for additional ATM cash-out fraud schemes in the New Year.

According to sources in the financial industry and in law enforcement, the thieves first struck on Christmas Eve 2012. Using a small number of re-loadable prepaid debit cards tied to accounts that they controlled, scammers began pulling cash out of ATMs in at least a dozen countries. Within hours, the perpetrators had stolen approximately $9 million.

Then, just prior to New Year’s Eve, the fraudsters struck again, this time attacking a card network in India and making off with slightly less than $2 million, investigators say.

The accounts that the perpetrators used to withdraw money from ATMs were tied to re-loadable prepaid debit cards, which can be replenished with additional funds once depleted. Prepaid card networks generally enforce low-dollar limits that restrict the amounts customers can withdraw from associated accounts in a 24-hour period. But in both ATM heists, sources said, the crooks were able to increase or eliminate the withdrawal limits for the prepaid accounts they controlled.

Shortly after the second heist, Visa released a private alert to payment card issuers, warning them to be on the lookout for additional ATM mega-heists over the New Year's holiday. Sources say Visa's alert was indeed prompted by the multi-million dollar heists at the end of December.

The Visa alert (PDF), sent to card issuers at the beginning of January 2013, warns:

“Visa has been alerted to new cases where ATM Cash-Out frauds have been attempted and successfully completed by organized criminal groups across the globe. In a recently reported case, criminals used a small number of cards to conduct 1000’s of ATM withdrawals in multiple countries around the world in one weekend.”

“These attacks result from hackers gaining access to issuer authorization systems and card parameter information. Once inside, the hackers manipulate daily withdrawal amount limits, card balances and other card parameters to facilitate massive fraud on individual cards. In some instances over $500K USD has been withdrawn on a single card in less than 24 hours.”

It remains unclear who the victim prepaid card issuer is, or which organization(s) may have been hacked to supply the funds added to the counterfeit prepaid cards. But as Visa notes, the fact that the attackers were able to raise or eliminate the daily withdrawal limits on the cards means they had access to the internal systems of a prepaid card network. Such access may have allowed the attackers to in effect print their own money.
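As an added example (not part of the original post), a small detector in Python run over constructed authorization records: it flags a card whose withdrawals in any 24-hour window exceed the limit recorded at issuance, or that shows the transaction volume and country spread the Visa alert describes. The card IDs, countries, amounts and thresholds are all constructed; the issued-limit table is assumed to be held separately from the authorization system, since that is the system the attackers manipulated.

```python
"""Cash-out pattern detector over constructed ATM authorization records.
Added example, not code from the post or from any card network."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authorizations: (timestamp, card_id, country, amount_usd).
# C-001 looks like an ordinary cardholder; C-777 shows the cash-out pattern:
# back-to-back withdrawals from several countries within minutes.
SAMPLE_AUTHS = [
    ("2012-12-24T01:00:00", "C-001", "US", 200),
    ("2012-12-24T09:30:00", "C-001", "US", 100),
    ("2012-12-24T01:05:00", "C-777", "US", 500),
    ("2012-12-24T01:07:00", "C-777", "US", 500),
    ("2012-12-24T01:12:00", "C-777", "RU", 500),
    ("2012-12-24T01:15:00", "C-777", "UA", 500),
    ("2012-12-24T01:20:00", "C-777", "IN", 500),
    ("2012-12-24T01:22:00", "C-777", "IN", 500),
]

# Constructed per-card daily limits as recorded when each card was issued.
# This copy is assumed to live outside the authorization database, so a limit
# raised inside that database does not silence the check.
ISSUED_DAILY_LIMIT = {"C-001": 500, "C-777": 500}


def detect_cashout(auths, limits, window=timedelta(hours=24),
                   max_txns=5, max_countries=2):
    """Return {card_id: [reasons]} for cards whose activity inside any
    sliding 24h window exceeds the issued limit, the transaction count,
    or the number of distinct countries."""
    by_card = defaultdict(list)
    for ts, card, country, amount in auths:
        by_card[card].append((datetime.fromisoformat(ts), country, amount))

    alerts = {}
    for card, events in by_card.items():
        events.sort()  # chronological, so each window starts at events[i]
        for i, (start, _, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - start <= window]
            total = sum(a for _, _, a in in_window)
            countries = {c for _, c, _ in in_window}
            reasons = []
            if total > limits.get(card, 0):
                reasons.append(f"total {total} exceeds issued limit {limits.get(card)}")
            if len(in_window) > max_txns:
                reasons.append(f"{len(in_window)} withdrawals in window")
            if len(countries) > max_countries:
                reasons.append(f"{len(countries)} countries: {sorted(countries)}")
            if reasons:
                alerts[card] = reasons
                break  # one alert per card is enough
    return alerts


if __name__ == "__main__":
    for card, reasons in detect_cashout(SAMPLE_AUTHS, ISSUED_DAILY_LIMIT).items():
        print(card, "->", "; ".join(reasons))
```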

This has happened in at least two other high-dollar ATM heists over the past few years. In May 2011, Jacksonville, Fla.-based Fidelity National Information Services (FIS), the nation’s largest processor of prepaid debit card payments, disclosed that it had been the victim of a similar, $13 million coordinated ATM heist scheme earlier in the year. The company indicated in a filing with the Securities and Exchange Commission a few months after the incident that the loss was the result of an intrusion at WildCard Systems Inc., a prepaid provider it had acquired in 2007. In that scheme, the thieves cloned a handful of cards tied to re-loadable prepaid accounts on WildCard’s network, and were able to reload the cards with funds each time they were depleted by rapid-fire ATM withdrawals.

FIS said through a spokesperson that neither it nor any of its partners had been impacted by a recent security breach.

In December 2008, RBS Worldpay disclosed that hackers had stolen $9 million in a coordinated ATM heist involving 44 counterfeit payroll debit cards that were used to withdraw funds from at least 2,100 ATMs in at least 280 cities worldwide. In that attack, the perpetrators also used re-loadable prepaid cards, and had obtained access to RBS systems that allowed them to increase the daily withdrawal limits and reload the accounts with stolen funds.

Stay tuned for more updates as this story unfolds.

29 thoughts on “Crooks Net Millions in Coordinated ATM Heists”

    1. Brett

      Hehe, I was thinking of “Oceans Fourteen” as well, but I think it would probably be the most boring movie, unless one considers scenes of hackers just sitting in front of a computer with no actual physical adventures going on to be exciting.

  1. Manny Moyo

    Scary stuff! In all of these cases, it would appear that the criminals leveraged the lax security around the prepaid card product. This should be a lesson learned for issuers and processors alike.
    Granted that the issuers were caught with their pants down, what happened to the fraud monitoring systems of the acquirers/processors? Shouldn’t there be a referral system in place for high-dollar authorisation requests that keep coming from a handful of account numbers? It wouldn’t surprise me if the breached parties were PCI DSS compliant at the time of the breach. This is something to think about for the payment cards industry.

  2. Richard Steven Hack

    What do you do with a debit card with $500K on it?

    Is there no way to detect that this is a suspiciously high amount on a debit card when used? Aside from Bill Gates and some Russian oligarchs, how many people have that kind of money on a debit card?

    These debit cards are identifiable in the card data, are they not? Are they identified in the system logs when these withdrawals are made and can they subsequently be flagged when they are used to make purchases?

    I realize debit cards are essentially “cash” but they can’t be as anonymous as real cash. It would seem this sort of thing would be easy to deal with if the proper infrastructure were put in place.

    What’s equally interesting is how these hackers manage to get in the system and override the account limits. Are we dealing with bank insiders here or are these systems really that porous?

    This is exactly the type of high-profit, low-risk crime that would attract gobs of hackers. Just run around with a bunch of cards and extract money to the tune of half a million at once, then retire? It’s like winning the one-armed bandits in Vegas!

    Something is very seriously wrong with bank security if this sort of thing is this easy. Not that something being seriously wrong with bank security would surprise me in the least.

    1. Tomputer

      Dear Richard,

      Please understand that there is no card with 500K on it.
      The database record which states the amount of how much is on the card is under control of the malicious group and updated / augmented as the cash out continues.
      It is not important if it’s a debit or credit card, IMHO.
      The amount of control over the database is.
      You don’t need gobs of hackers; 4 to 5 would be more than enough. You need gobs of cashers that push money back up the chain.
      It’s becoming a tried and tested routine AFAIK.
      Who needs skimming when you have access to unlimited accounts?

      1. Richard Steven Hack

        OK, so the account the card is attached to is being continually refreshed so that there is never a huge amount on the card at any one time.

        Where is the money going? Are they just transferring it out of the account via wire transfer to some other non-card account?

        I thought the point of using debit cards was the ability to use them as cash and also withdraw the real cash from ATMs. For these sums, that wouldn’t be feasible, would it? It would have to be some sort of account to account transfer, right? But that’s trackable.

        Anyone have a link to a more detailed explanation of how this works?

        1. Marty K

          As others mentioned:
          There is no account tied to these prepaid cards – the issuer loses the money.

          In regards to transfer: there is no transfer – it is cashed out at the ATM. The card is simply cloned and sent to different countries. There each card withdraws cash at various ATMs until the limit is reached.
          And yes – amazing that no transaction monitoring system caught this!

          1. Richard Steven Hack

            Ah, I see now. The card is continually refreshed or its balance is continually renewed due to the hackers controlling the database record amount, and then the card is cloned and money is withdrawn multiple times from multiple locations by multiple people.

            So the card is just an access mechanism and there is no $500K on one card per se at any one time. That would be the total over a given set of refreshes.

            Most likely while the card limit is frequently increased they stay below a limit that would be detected even if that limit is higher than normal withdrawal limits. By continually refreshing the card balance to that higher limit they can keep withdrawing until someone spots it presumably by the excessive number of withdrawal transactions.

            1. DeborahS

              Sorry to be so late to the party, but I really must protest.

              There may not be (and is not) a customer account associated with each card, but each card does have a unique number, I’m assuming. And there is nothing preventing the processors from creating a separate database that tracks the history of each numbered card. Well, nothing but their not having thought of it and done it.

              And it would be a simple matter to set up triggers to issue alerts to the appropriate person for review when the activity on that card number goes outside the parameters considered normal. Granted, the hackers could endeavor to find out what the trigger parameters are and attempt to stay inside of them, but this would significantly cramp their style and speed. They might also attempt to disable or rewrite the triggers if they have full access to the database, but it is possible to have triggers (as well as the card number database itself) reside and execute from outside the database, preferably on a machine that either can’t be reached from the machine the compromised database is being hacked from, or whose name/location can be made to appear unknown to the compromised machine. Probably you’d want to make it completely unknown, so that only the trigger machine could initiate and validate the connection. If done correctly, the hackers would have no way to dodge the triggers short of full access to the entire network and the means to find and hack the triggers themselves. Sure, eventually they might do that, but some ingenuity in hiding the triggers and card number database would stall them for a good long while. And through the wonders of mirrored and replicated databases that don’t have to even be on the same local network, it should be possible to detect when the triggers are hacked, by detecting mismatching data if nothing else; many more clever tricks are pretty easily possible with no changes to standard database languages needed.

              So the technology does exist to monitor these cards (I could do it), it’s just that no one has chosen to and done it.
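An added example of the out-of-band check the comment above describes (illustrative code, not anything the commenter or a processor wrote): a reference copy of each card's issued parameters is assumed to be kept on a separate host and is reconciled against a snapshot of the live authorization database, so a raised limit, an inflated balance, or a card that was never issued shows up as a mismatch even when the attacker controls the live records. Card IDs and values are constructed.

```python
"""Reconcile live card parameters against an out-of-band reference copy.
Added example; the card records and values below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class CardParams:
    card_id: str
    daily_limit: int   # USD per 24h
    balance: int       # USD currently loaded
    status: str


# Constructed reference copy: written only by the normal issuance/reload
# workflow and assumed to be stored on a host the authorization system
# cannot reach, so an intruder in that system cannot edit it.
REFERENCE = {
    "C-001": CardParams("C-001", 500, 300, "active"),
    "C-777": CardParams("C-777", 500, 450, "active"),
}

# Constructed snapshot of the live authorization database: C-777's limit and
# balance have been altered in place; C-999 has no issuance record at all.
LIVE = {
    "C-001": CardParams("C-001", 500, 300, "active"),
    "C-777": CardParams("C-777", 1_000_000, 2_000_000, "active"),
    "C-999": CardParams("C-999", 50_000, 50_000, "active"),
}


def reconcile(live, reference):
    """Return (card_id, field, live_value, reference_value) findings.
    A live balance lower than the reference is expected (withdrawals happen
    between snapshots); a higher balance, a changed limit, a changed status,
    or a card the reference has never seen is flagged for review."""
    findings = []
    for card_id, row in live.items():
        ref = reference.get(card_id)
        if ref is None:
            findings.append((card_id, "unknown_card", row.balance, None))
            continue
        if row.daily_limit != ref.daily_limit:
            findings.append((card_id, "daily_limit", row.daily_limit, ref.daily_limit))
        if row.balance > ref.balance:
            findings.append((card_id, "balance", row.balance, ref.balance))
        if row.status != ref.status:
            findings.append((card_id, "status", row.status, ref.status))
    return findings


if __name__ == "__main__":
    for finding in reconcile(LIVE, REFERENCE):
        print(finding)
```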

  3. george

    With the amounts involved in those heists, their frequency, the chance to recover something virtually nil, and considering many other heists, skimming, identity stealing, etc., is the present financial system sustainable? How long until the whole “plastic” industry collapses and we all revert to using cash? How are those institutions involved able to keep such a loss under cover for almost 50 days, such that even a reporter as well connected as Brian just heard recently about it?

    1. BrianKrebs Post author

      George, this is not something that a lot of folks outside the affected companies would notice. It’s not like a ton of consumers had money missing from their accounts as a result of this fraud. So, as long as it takes for the various parties who were victims of the fraud to hash out who’s legally responsible for the loss, it can stay under wraps.

      FYI, I found out about this breach at the very beginning of the year, but held off writing about it because I wanted to discover which network was hit. I decided to run the piece after not getting very far on that because I figured it might shake the tree a bit 🙂

      1. DeborahS

        But George asked another very interesting question, and that is how long the system of “plastic” money can survive this level of attack.

        To some extent we’ll all just have to wait and see how this pans out. But I’m thinking that when there was only cash (or gold or kewpie beads or whatever the physical means of exchange was), banks never did and still haven’t made themselves invulnerable to bank robbers. They learned how to better protect themselves, which minimizes their losses, but to a certain extent they just have to accept it as a cost of doing business. And then either do it or give up, and let somebody else take their lumps at it.

        Interestingly, not many bankers have chosen the latter option, in the olden days or the present day.

    2. DD

      Most institutions would have insurance against fraud, correct? Has there been a reported case of an insurance provider dropping a customer because of poor security resulting in millions being taken? Could this be the first case?

    3. Neej

      I would hazard a guess that while this sort of crime is not something to take lightly the amounts involved are completely dwarfed by profits and legitimate transactions for that matter in the banking sector.

      So I doubt that we need worry about a whole system collapse for the moment.

    4. Neej

      Also I was under the impression that it’s par for the course so to speak for financial institutions to try and avoid disclosing fraud if at all possible.

    5. janis

      The plastic industry will collapse if some “poor” countries like the USA continue to use ancient technologies such as the magnetic stripe and do not advance in transaction security – at least VbV for issuers and acquirers and PCI DSS and so on.

  4. akrittok

    Initially I thought this attack was related to the refresh weakness many ATMs have. I remember that not so long ago a coordinated attack took advantage of that aspect – multiple redraws performed simultaneously.

    If they actually had access to card balances and issuer authorizations then I’m not surprised we’re not hearing more about it, those companies should not be allowed to operate.

  5. JJS

    This is a lot of money, but I’m afraid that for big business, fraud is something that comes with the territory and $11 million won’t hurt them. Are customers going to end up paying for this? And $11 million in 2 heists, I’m definitely in the wrong business.

  6. Angelina

    Hello Brian, can you help me? Java released the new update, Java 7 Update 13, right? I have Java 7 Update 11. I have just downloaded the new one and installed it. Is there a problem if I uninstall the previous one, Java 7 Update 11? Because I deleted it.

    1. BrianKrebs Post author

      There’s no problem with uninstalling the old version, but the updater for Java 7 should have removed the old version before installing the new one. If that isn’t the case, then go ahead and remove the old version through add/remove programs.

  7. Jim

    The security problem here is that these cards are not tied to any account holder. They exist as a risk to the issuer only and the issuers deserve no sympathy for being so stupid.

  8. aknowldge

    It doesn’t shake any tree.
    Look how much money bank elites steal??
    Billions and billions; this money is nothing, and you guys really think banks care about this? No, because if money is missing they will print more. Don’t be so naive and think the government helps and banks protect you?? No, never, because they don’t care, because they have money. Sometimes we see some theater like “FBI nabbed and arrested big ring” and blah blah, to show people “ooo, we care”, but really they don’t, because think about it: if you are a bank or corporation owner and you make billions just by digitally inserting numbers if you want, then you really don’t care about these small pennies.

  9. wrdlbrmpfts

    The issuers are most likely and often “crooks” themselves. Money transfer and e-cash companies who built their fortune on dialers, added value packets on cell phones, etc., which rip off their customers with small amounts. It’s Visa’s greediness that allows anonymous credit cards in the first place. The money robbed in these heists is going to be moved in the same e-money infrastructure, collected and laundered by banksters; it will be used to create new banks, new payment service companies, new mekash-playsafe-blingbling-companies, which again will be robbed and so on. It’s a nice vicious circle and one can simply step out of it as much as possible. I pay with cash most of the time. I have ZERO empathy for these ripped off companies. The gangsters are being cradled by the banksters, who in turn lament that their clients turned sour once they became banksters themselves, learned all the tricks of the trade only to go on such cyberheists and rip off their former teachers? I can only watch from a distance and laugh.

    1. fsgdfgdfg

      I 100% agree with you. Banksters rule the world. And this one sounds like an inside job.

    2. voksalna

      I’m confused, are you saying that anonymous money should not be allowed? That ‘anonymous Visas’ should be non-permitted? This is very pro-Big-Brother and I am not sure how you are not seeing this. Money should not be able to be tracked. It’s not the ‘greed’ of Visa in having ‘anonymous cards’ (and actually anybody who has tried to get an American card would know the headache of doing so *legitimately*; it actually is easier to get an *illegitimate* card for many people). Why should people’s spending be tracked at all? Whose business is this? Surely not Visa’s or the government’s.

      Hacks like this have nothing to do with ‘anonymity’, anyway. Manipulating SQL on a server to raise an arbitrary field repeatedly only sounds complicated but the truth is a lot of these cards probably never existed to begin with — they were probably inserted as a line into the SQL database themselves.

      Your ‘argument’ is severely flawed, lacks logic, and speaks of listening too much to propaganda spewed by governments about what will keep you safe.

      Let’s look at 11 million dollars another way, if you want: This is maybe not even the ATM plus POS fees for a single day for many banks. While it is surely a sizeable sum of money, it is not something that happens every day. I would say a payment processor gets ‘hacked’ on this level every 2 or 3 years. In other words it happens less often than a major plane crash.

      People, stop buying into FUD just because you do not understand how such things are ‘committed’. You are only going to become more and more slaves to a world that insists on tracking your every movement. Actually, we almost all are, already — why rush it?
