Online Theft That Sucked $13m from Financial Firm in Florida Unmasked

Jay Decenella, IT audit expert
August 26, 2011

The details of an online bank heist that siphoned $13 million from a Florida-based financial institution earlier this year have been discovered by a security researcher.

The online theft involved the coordinated use of ATMs by cyber thieves around the globe to cash out stolen prepaid debit cards from Jacksonville-based Fidelity National Information Services Inc. (FIS), branded as the world’s largest processor of prepaid debit cards.

Last July, cyber thieves from Eastern Europe also siphoned thousands of dollars from the town of Eliot in Maine, though Eliot’s financial institution, TD Bank, found no unusual transaction.

FIS processes more than 775 million transactions every year. The breach was disclosed in the company’s first quarter earnings statement issued May 3, 2011, though the details of the attack were not released while investigations by the FBI and forensic investigators were under way.

FIS said losses were approximately $13 million in relation to unauthorized activities that involved one client and 22 prepaid cards on its Sunrise, Fla.-based eFunds Prepaid Solutions, formerly WildCard Systems Inc.

In a statement, FIS said: “The Company has identified that 7,170 prepaid accounts may have been at risk and that three individual cardholders’ non-public information may have been disclosed as a result of the unauthorized activities.

“FIS worked with the impacted clients to take appropriate action, including blocking and reissuing cards for the affected accounts. The Company has taken steps to further enhance security and continues to work with Federal law enforcement officials on this matter.”

According to Brian Krebs, “cyber thieves broke into the FIS network and targeted the Sunrise platform’s ‘open-loop’ prepaid debit cards.”

The prepaid cards themselves do not contain the balances. Instead, the card balances are recorded in a central database against the corresponding card numbers. Although some prepaid cards cannot be used once their balances have run out, the prepaid cards used in this attack can be replenished by adding funds.

Krebs noted that prepaid cards usually limit the amounts that cardholders can withdraw from a cash machine within a 24-hour period.

“Apparently, the crooks were able to drastically increase or eliminate the withdrawal limits for 22 prepaid cards that they had obtained. The fraudsters then cloned the prepaid cards, and distributed them to co-conspirators in several major cities across Europe, Russia and Ukraine,” Krebs said.

Krebs learned that the thieves waited until the close of business in the United States on March 5, 2011, to launch their attack.

Cyber thieves in Greece, Russia, Spain, Sweden, Ukraine and the United Kingdom then used the cloned cards to withdraw cash from dozens of ATMs.

“Armed with unauthorized access to FIS’s card platform, the crooks were able to reload the cards remotely when the cash withdrawals brought their balances close to zero,” Krebs said.

No individual has been pinpointed as responsible for the online theft, and FIS refused to comment.

The online theft is not unlike a 2008 attack against RBS WorldPay, an Atlanta-based unit of the Royal Bank of Scotland, in which thieves gained access to RBS’s systems and used 44 counterfeit prepaid cards to withdraw more than $9 million from at least 2,100 ATM terminals in 280 cities worldwide.

Officials said the 2008 RBS theft was run by at least eight men from Estonia and Russia, with the alleged ringleader having been extradited to the United States for trial.

 
