It would appear that a Florida bank has been the victim of a $13 million ATM heist, but just how did the cyber-robbers pull it off?

Although the security breach which led to the ATM fraud itself seems to have taken place in March, and was disclosed in the first quarter earnings statement for Fidelity National Information Services Inc (FIS) back in May, details of exactly what happened are only just starting to leak from the FBI probe that followed.

FIS, based in Jacksonville, is one of the world's biggest processors of prepaid debit cards with more than 775 million transactions every year. These cards, preloaded with a cash value, can be used at ATMs to withdraw that cash until the preloaded balance is exhausted. You might have thought that a company at the very top of the prepaid debit card business would also be at the very top of the security business as it applies to those cards, but as information leaks from the investigation it would appear that wasn't necessarily the case.

If it was, then how could a total of just 22 of these prepaid debit cards, issued by Efunds Sunrise in Florida, be used to perpetrate a staggeringly simple yet ingenious $13 million robbery? FIS, as is common practise in the financial sector, has issued a statement assuring customers that it has "taken steps to further enhance security and continues to work with Federal law enforcement officials on this matter" but that's pretty much as far as the official word goes.

So what actually happened?

According to former Washington Post staffer Brian Krebs who now runs the KrebsOnSecurity site sources "close to the investigation" are saying that the robbers hacked into the FIS network and managed to compromise the open-loop prepaid debit cards on the Sunrise platform. Which is where things get interesting. The cash balances of the cards in question are not actually stored physically on the cards, but instead are stored within a central database in records that are associated with the prepaid card account number. Unlike many such cards which automatically expire and turn into handy windscreen ice scrapers after the balance has been exhausted, these particular cards can be topped-up by the account holder by a simple transfer of funds.

Krebs reports that "the crooks were able to drastically increase or eliminate the withdrawal limits for 22 prepaid cards that they had obtained" and then cloned these cards which were distributed "to co-conspirators in several major cities across Europe, Russia and Ukraine". Waiting until the end of the business on Saturday March 5th, the robbers then sprang into action across Europe to withdraw cash from ATMs using those cloned cards which were replenished with additional funds, courtesy of access to the central database, as soon as the balances got anywhere near zero.

Philip Lieberman, President and CEO of security management specialists Lieberman Software, says that you "don't need to be a math genius to realise that each of the pre-paid cards - and their clones - were used to withdraw an average of around $590,000 per card" adding "assuming an average ATM transaction limit of $400, that's around 1,500 individual ATM sessions per card account". This suggests that while the actual concept of hacking the central database and topping up the cards was simple enough, the heist planning itself was anything but. The sheer scale of organising this crime, which took place over a weekend and across a continent, was mind-boggling to be honest. The robbers knew, for example, that to run the heist for any longer than they did would have triggered the sophisticated anti-fraud analysis systems that all banks have running behind the scenes to protect against just such unusual withdrawal activity.

Lieberman points out that assuming an average ATM cash capapcity of $50,000 then the robbers must have had a small army of several hundred 'mules' on the ground in order to target something like 260 ATMs in total. "This raises the interesting question as to how much more the fraudsters could have withdrawn if they had more mules on the ground, and more cloned cards in their possession" Lieberman concludes "it also begs the question why the bank's own anti-fraud pattern analysis systems didn't spot what was going on before they did".

__avd commented: very good article! +0
About the Author

A freelance technology journalist for 30 years, I have been a Contributing Editor at PC Pro (one of the best selling computer magazines in the UK) for most of them. As well as currently contributing to, The Times and Sunday Times via Raconteur Special Reports, SC Magazine UK, Digital Health, IT Pro and Infosecurity Magazine, I am also something of a prolific author. My last book, Being Virtual: Who You Really are Online, which was published in 2008 as part of the Science Museum TechKnow Series by John Wiley & Sons. I am also the only three times winner (2006, 2008, 2010) of the BT Information Security Journalist of the Year title, and was humbled to be presented with the ‘Enigma Award’ for a ‘lifetime contribution to information security journalism’ in 2011 despite my life being far from over...

Blimey, 32K views in less than 24 hours!

Looks like Reddit was our friend. The story hit the front page for a while...

Happygeek, I just wanna share this story and ask few questions.

One day, I was with my friend withdrawing some money from the ATM. And then on the screen I found a connection icon of Windows XP on the right bottom of the screen. From that day I was really thinking that it's possible to hack the ATMs since they were using Windows XP as their OS. I'm pretty sure it's connected to the internet and it might be possible to deploy a program to do a command to flush all the money

The question is: Do you agree?

Some years ago it was fairly commonplace to find ATMs running on XP or Windows Pro 2000, and that had crashed and that were vulnerable to a number of hacking techniques. However, banks tend to be pretty on the ball these days when it comes to ATM security - although obviously not infallible as the news story itself proves.

So... It's possible eh.... hmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm.... He he he...

Oh well then it's still possible :)

...or own a bank ?

Very interesting...)

It is very rare to find atm's running windows where the user can see it at least. I've done some troubleshooting for bb&t on atm's.. Are they vulnerable yes, but it would take an extensive amount of time and dedication. At the blackhat gathering this year I believe it was there was an atm hack exploited.

Making money legitimately is a much better route ;)

Making money legitimately is a much better route ;)

Totally agree with you.

I live my days now 100% legit. I no longer hold a black, white, or grey hat. I have stay as far away as possible. I used to live not so legit. It caused problems. I avoided the GBI Georgia Bureau of Investigation for a very very very long time. It was part of my absence from the internet. I avoided something I didn't do for fear that during the investigation they may find something I actually did as a minor. Though the statute of limitations may have expired it wasn't something willing to risk. So if you desire to live a life in hiding and holding your breath every time you see a law enforcement officer heading your direction. Then by all means feel free to try and do something stupid like this.

I personally am glad I do not have to look over my shoulder every waking moment anymore. I was cleared of all charges, and intend not to be put in a bad situation again. Remember yes these people have gotten away with it SO FAR. But also remember you are talking about banks. There are two entities in the world that control money. Banks and Oil companies. Not governments. I have worked for the US Government, Banks and for an Oil company. The odds are not in the favor of the people who took the money. They will be found eventually.