Mysterious Florida ATM heist nets cybercriminals $13 million

According to security researcher Brian Krebs, the hackers gained unauthorised access to the card issuer's computer systems and, after altering the maximum daily cash withdrawal limits, they cloned the cards and staged a large-scale ATM withdrawal programme that netted them $13 million.

Florida-based Fidelity National Information Services bills itself as the world’s largest processor of prepaid debit cards and claims to process more than 775 million transactions annually, says Krebs.

“The company disclosed the breach in its first quarter earnings statement issued May 3, 2011. But details of the attack remained shrouded in secrecy as the FBI and forensic investigators probed one of the biggest and most complex banking heists of its kind”, he says in his security blog on the saga.

Commenting on the crime, Phil Lieberman, president of Lieberman Software, said it highlights the increasingly complex world of cybercrime and the multi-faceted layers of security needed to defend against it.

“You don't need to be a maths genius to realise that each of the pre-paid cards – and their clones – were used to withdraw an average of around $590,000 per card. Assuming an average ATM transaction limit of $400, that's around 1,500 individual ATM sessions per card account”, he said.

Lieberman – whose company supplies multi-faceted security technologies to large companies seeking to simplify their complex IT security, reporting and auditing systems – went on to say that, given that the fraud must have taken place over a few days – possibly a holiday weekend – the scale of the ATM withdrawal project must have been immense.

Had the fraudsters staged their cash withdrawal scam over a longer period, he explained, then the bank's fraud analysis systems would have kicked in and the card cash withdrawal facility been locked down pending a full-scale investigation.

The Lieberman Software president says that the simple act of the hackers gaining access to the card database system and manipulating the cash withdrawal limits for the 22 cards has had immense consequences for the bank concerned, although the fact that in-bank ATMs typically hold around $80,000 – and smaller machines hold around $30,000 – probably saved the bank from losing more than $13 million.

In fact, when you crunch the numbers, he says, you come up with the interesting analysis that, assuming an average ATM cash capacity of $50,000, the fraudsters must have drained the cash from around 260 ATMs in total, suggesting that they probably targeted the machines with several hundred mules on the ground drawing the cash.

“This raises the interesting question as to how much more the fraudsters could have withdrawn if they had more mules on the ground, and more cloned cards in their possession. It also begs the question why the bank's own anti-fraud pattern analysis systems didn't spot what was going on before they did”, he said.

Over a LogRhythm, meanwhile, Ross Brewer, the audit and logging company's vice president and managing director for international markets, said that this was a particularly audacious cyber attack, and a stark reminder of the enormous risks organisations face if hackers are able to infiltrate their IT systems undetected.

“In FIS’ case, it looks as if hackers were able to continually drain and then replenish accounts, overriding fraud prevention measures designed to limit the amount of cash cardholders can withdraw within a 24 hour period”, he said.

“Few details have been released by FIS about the breach, but it boggles the mind that $13 million could be taken from accounts unnoticed in such a short space of time. If organisations are to protect themselves from these increasingly sophisticated and meticulously planned cyber attacks, it is clear that they need far greater visibility into what is happening across their networks at any one given time”, he added.

Brewer went on to say that it is absolutely critical that organisations continually monitor the log data generated by all of their IT assets in real time, to detect and respond to suspicious or unauthorised behaviour the instant it takes place.

“Not only does this log data help firms identify hacks before any lasting damage can be done, it also provides vital forensic evidence about how and why these attacks evolve”, he explained.

What’s Hot on Infosecurity Magazine?