Visa reveals $11 million ATM heist

Perpetrators used re-loadable prepaid debit cards to withdraw money from ATMs globally, increasing or eliminating the withdrawal limits for the prepaid accounts they controlled. It’s a technique that Visa doesn’t think we’ll see the last of. It has sent a private warning (obtained by Brian Krebs at to payment card issuers to be vigilant about additional campaigns.

“Visa has been alerted to new cases where ATM Cash-Out frauds have been attempted and successfully completed by organized criminal groups across the globe,” Visa said in the alert. “In a recently reported case, criminals used a small number of cards to conduct 1000’s of ATM withdrawals in multiple countries around the world in one weekend.”

Krebs said that the thieves first struck on Christmas Eve 2012.

“Using a small number of re-loadable prepaid debit cards tied to accounts that they controlled, scammers began pulling cash out of ATMs in at least a dozen countries,” Krebs noted. “Within hours, the perpetrators had stolen approximately $9 million.”

Then, just under $2 million was taken from a card network in India just prior to New Year’s Eve.

“These attacks result from hackers gaining access to issuer authorization systems and card parameter information,” Visa said. “Once inside, the hackers manipulate daily withdrawal amount limits, card balances and other card parameters to facilitate massive fraud on individual cards. In some instances over $500K USD has been withdrawn on a single card in less than 24 hours.”

Other details – such as which card issuers were compromised – have not been made public.

This is not the first time an ATM heist has hit the headlines. In August 2011, a theft involving 22 prepaid debit cards netted thieves around $13 million. The hackers allegedly altered the maximum daily withdrawal limits in that case as well.

The victim was Florida-based Fidelity National Information Services, which bills itself as the world’s largest processor of prepaid debit cards and claims to process more than 775 million transactions annually.

What’s hot on Infosecurity Magazine?