According to Brian Krebs organised cyber criminals stole almost $11 million in two highly coordinated ATM heists in the final days of 2012. They used re-loadable prepaid debit cards and apparently were able to increase or eliminate the daily withdrawal limits for the prepaid accounts they controlled. The fact that the attackers were able to do this means they had access to the internal systems of a prepaid card network.
Krebs states that, according to his sources, the first incidents took place on 24th December 2012. Using a small number of re-loadable prepaid debit cards tied to accounts that they controlled, fraudsters began withdrawing cash from ATMs in several countries at once. Within hours, they had stolen approximately $9 million. A few days later just before New Year's Eve, they struck again, this time attacking a card network in India and making off with slightly less than $2 million.
This is another jolt for the payment card industry. Krebs reports that in May 2011 Fidelity National Information Services (FIS), the nation’s largest processor of prepaid debit card payments, disclosed that it had been the victim of a similar, $13 million coordinated ATM heist scheme earlier in the year.
Prior to that was the RBS Worldpay case in December 2008 when cash was fraudulently withdrawn from at least 2,100 ATMs in at least 280 cities worldwide.
In 2011 a Russian hacker managed to avoid jail after his arrest in connection with the RBS Worldpay case. To date we do not know which criminal groupings were behind these recent attacks, nor which prepaid card network was compromised. Read the full article on KrebsonSecurity.