It would appear that a Florida bank has been the victim of a $13 million ATM heist, but just how did the cyber-robbers pull it off?
Although the security breach which led to the ATM fraud itself seems to have taken place in March, and was disclosed in the first quarter earnings statement for Fidelity National Information Services Inc (FIS) back in May, details of exactly what happened are only just starting to leak from the FBI probe that followed.
FIS, based in Jacksonville, is one of the world's biggest processors of prepaid debit cards with more than 775 million transactions every year. These cards, preloaded with a cash value, can be used at ATMs to withdraw that cash until the preloaded balance is exhausted. You might have thought that a company at the very top of the prepaid debit card business would also be at the very top of the security business as it applies to those cards, but as information leaks from the investigation it would appear that wasn't necessarily the case.
If it was, then how could a total of just 22 of these prepaid debit cards, issued by Efunds Sunrise in Florida, be used to perpetrate a staggeringly simple yet ingenious $13 million robbery? FIS, as is common practice in the financial sector, has issued a statement assuring customers that it has "taken steps to further enhance security and continues to work with Federal law enforcement officials on this matter", but that's pretty much as far as the official word goes.
So what actually happened?
According to former Washington Post staffer Brian Krebs, who now runs the KrebsOnSecurity site, sources "close to the investigation" are saying that the robbers hacked into the FIS network and managed to compromise the open-loop prepaid debit cards on the Sunrise platform. Which is where things get interesting. The cash balances of the cards in question are not actually stored physically on the cards, but instead are stored within a central database in records that are associated with the prepaid card account number. Unlike many such cards, which automatically expire and turn into handy windscreen ice scrapers after the balance has been exhausted, these particular cards can be topped up by the account holder by a simple transfer of funds.
Krebs reports that "the crooks were able to drastically increase or eliminate the withdrawal limits for 22 prepaid cards that they had obtained" and then cloned these cards, which were distributed "to co-conspirators in several major cities across Europe, Russia and Ukraine". Waiting until the end of business on Saturday, March 5th, the robbers then sprang into action across Europe to withdraw cash from ATMs using those cloned cards, which were replenished with additional funds, courtesy of access to the central database, as soon as the balances got anywhere near zero.
Philip Lieberman, President and CEO of security management specialists Lieberman Software, says that you "don't need to be a math genius to realise that each of the pre-paid cards - and their clones - were used to withdraw an average of around $590,000 per card" adding "assuming an average ATM transaction limit of $400, that's around 1,500 individual ATM sessions per card account". This suggests that while the actual concept of hacking the central database and topping up the cards was simple enough, the heist planning itself was anything but. The sheer scale of organising this crime, which took place over a weekend and across a continent, was mind-boggling to be honest. The robbers knew, for example, that to run the heist for any longer than they did would have triggered the sophisticated anti-fraud analysis systems that all banks have running behind the scenes to protect against just such unusual withdrawal activity.
Lieberman points out that, assuming an average ATM cash capacity of $50,000, the robbers must have had a small army of several hundred 'mules' on the ground in order to target something like 260 ATMs in total. "This raises the interesting question as to how much more the fraudsters could have withdrawn if they had more mules on the ground, and more cloned cards in their possession," Lieberman concludes. "It also begs the question why the bank's own anti-fraud pattern analysis systems didn't spot what was going on before they did."
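Lieberman's question about the anti-fraud pattern analysis is easier to reason about with a concrete velocity check in front of you. The following is an added example written for this article, not code from FIS, Krebs or Lieberman Software, and every record in it is constructed. It runs three per-card checks over a sliding window: the number of ATM sessions (Lieberman's ~1,500 sessions per card is the extreme case), the number of distinct countries the same card is used in, and how often the card's central-database balance is reloaded, which is the replenishment behaviour described above. The thresholds (24-hour window, 10 sessions, 1 country, 2 reloads) are illustrative assumptions, not values from any issuer's real fraud rules.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# All records below are constructed sample data, not records from the FIS case.
# Withdrawal record: (card_id, "YYYY-MM-DD HH:MM", atm_id, country, amount_usd)
WITHDRAWALS = [
    # card-A: 12 withdrawals in under three hours, spread over three countries,
    # the pattern a cloned card used by several mules at once would produce.
    *[("card-A", f"2011-03-05 {18 + i // 4:02d}:{(i % 4) * 15:02d}",
       f"atm-{i}", ("DE", "NL", "RU")[i % 3], 400) for i in range(12)],
    # card-B: modest ATM use in one country.
    ("card-B", "2011-03-05 20:00", "atm-50", "US", 300),
    ("card-B", "2011-03-06 09:00", "atm-51", "US", 300),
    ("card-B", "2011-03-06 12:00", "atm-52", "US", 200),
    # card-C: ordinary cardholder behaviour, two withdrawals two days apart.
    ("card-C", "2011-03-05 10:00", "atm-90", "US", 100),
    ("card-C", "2011-03-07 10:00", "atm-90", "US", 60),
]
# Reload record: (card_id, "YYYY-MM-DD HH:MM", amount_usd)
RELOADS = [
    ("card-A", "2011-03-05 18:30", 2000),
    ("card-A", "2011-03-05 19:30", 2000),
    ("card-A", "2011-03-05 20:15", 2000),
    # card-B is topped up three times in 13 hours, unusual even with normal ATM use.
    ("card-B", "2011-03-05 19:00", 500),
    ("card-B", "2011-03-05 23:00", 500),
    ("card-B", "2011-03-06 08:00", 500),
]


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def windowed_events(events, window):
    """Yield, for each event, the slice of events (sorted by timestamp, the
    first tuple field) that falls inside the trailing window ending at it."""
    events = sorted(events)
    j = 0
    for i, (ts, *_rest) in enumerate(events):
        while events[j][0] < ts - window:
            j += 1
        yield events[j:i + 1]


def velocity_alerts(withdrawals, reloads, window_hours=24,
                    max_sessions=10, max_countries=1, max_reloads=2):
    """Return {card_id: [reasons]} for cards whose activity inside any
    sliding window exceeds a threshold. Thresholds are illustrative assumptions."""
    window = timedelta(hours=window_hours)
    by_card_w = defaultdict(list)
    for card, ts, atm, country, amount in withdrawals:
        by_card_w[card].append((parse_ts(ts), atm, country, amount))
    by_card_r = defaultdict(list)
    for card, ts, amount in reloads:
        by_card_r[card].append((parse_ts(ts), amount))

    alerts = defaultdict(list)
    for card, events in by_card_w.items():
        # Too many ATM sessions on one card inside the window.
        if any(len(win) > max_sessions for win in windowed_events(events, window)):
            alerts[card].append("session_velocity")
        # The same card presented in more countries than one person could reach.
        if any(len({e[2] for e in win}) > max_countries
               for win in windowed_events(events, window)):
            alerts[card].append("multi_country")
    for card, events in by_card_r.items():
        # Balance topped up repeatedly as it is drained, as in the replenishment above.
        if any(len(win) > max_reloads for win in windowed_events(events, window)):
            alerts[card].append("reload_frequency")
    return dict(alerts)


if __name__ == "__main__":
    for card, reasons in velocity_alerts(WITHDRAWALS, RELOADS).items():
        print(card, ", ".join(reasons))
```

The three signals are deliberately independent: card-B never trips the session or country checks, yet its reload cadence alone is enough to surface it, which is the point of correlating account-side events (reloads, limit changes) with ATM-side events rather than watching withdrawals alone.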