Last week the blog 'KrebsOnSecurity' reported that U.S. based Fidelity National Information Services Inc. (FIS) had incurred a loss of of approximately US$13 million related to unauthorised activities involving one client and 22 prepaid cards. While the attack took place in March, it has been largely unreported in the media and full details of the resultant investigation have not yet been released.
Apparently the balances on these prepaid cards aren’t stored on the cards themselves; rather the card numbers correspond to records in a central database, where the balances are recorded. Some prepaid cards cannot be used once their balance has been exhausted, but the prepaid cards used in this attack could be replenished by adding funds.
According to Brian Krebs the fraudsters were able to drastically increase or eliminate the withdrawal limits for the 22 prepaid cards that they had obtained. They then cloned the prepaid cards, and distributed them to co-conspirators in several major cities across Europe, Russia and Ukraine, who waited until the close of business in the United States on Saturday, 5th March 2011, to launch their attack.
Working into the Sunday evening, fraudsters in Greece, Russia, Spain, Sweden, Ukraine and the United Kingdom used the cloned cards to withdraw cash from dozens of ATMs. Armed with unauthorized access to FIS’s card platform, the crooks were able to reload the cards remotely when the cash withdrawals brought their balances close to zero.
This attack is similar to the 2008 attack against RBS WorldPay, an Atlanta-based unit of the Royal Bank of Scotland. In that operation the fraudsters obtained remote access to RBS’s systems and used 44 counterfeit prepaid cards to withdraw more than $9 million from at least 2,100 ATM terminals in 280 cities worldwide.