Coordinated multinational ATM fraud nets $13M in one night

Crooks who compromised Fidelity National Information Services's prepaid debit card database were able to draw out $13 million in one night, working with co-conspirators in several countries in one weekend night, after the banks had closed:
Apparently, the crooks were able to drastically increase or eliminate the withdrawal limits for 22 prepaid cards that they had obtained. The fraudsters then cloned the prepaid cards, and distributed them to co-conspirators in several major cities across Europe, Russia and Ukraine.

Sources say the thieves waited until the close of business in the United States on Saturday, March 5, 2011, to launch their attack. Working into Sunday evening, conspirators in Greece, Russia, Spain, Sweden, Ukraine and the United Kingdom used the cloned cards to withdraw cash from dozens of ATMs. Armed with unauthorized access to FIS’s card platform, the crooks were able to reload the cards remotely when the cash withdrawals brought their balances close to zero.

Coordinated ATM Heist Nets Thieves $13M

(Image: ATM in a cage, a Creative Commons Attribution Share-Alike (2.0) image from yuval_y's photostream)



  1. The fact that they didn’t have any auditing/flagging software in place, and/or they have no one watching things closely on the weekend is shameful. Why not just leave the vault open over lunch hour?

    1. I suspect it’s coding hell if you want to implement something like that.  I don’t know much about multinational ATM networks, but I’ve seen coding for credit card networks.  

      You have to jump through a lot of hoops just to do something simple as in check if this credit card has sufficient funds, validate card(no not just validate the number!).  It’s all propriety libraries and different hell pending on which network you choose.  Reason for that is security and instruction build up over the years.

      1. Wouldn’t it be easy enough to keep local information on how much the last card number has withdrawn, and keep a limit on payouts? They won’t have to dial out, just know the number.

  2. I wonder if that network is still using triple-DES encryption?  That’s getting kind of old and there are probably a lot of custom DES cracking chips out on the Black Market now.

  3. I wonder why it doesn’t check location. I mean, there’s no way you could make a withdrawal on two sides of the planet in a few minutes.

  4. scary thought, but does anyone know if atm machines record the serial number (or whatever it is called) of bills they dispense linked to the accounts they came from?  that would be a real eye opener for thieves and people that use cash for other less then legal transactions…

  5. This reminds me of when ATMs were first introduced in England, around 1977 or 78. The way they worked (at first) was: you put your card in the machine and it spit out 10 pounds. Then you could do it again. And again. And again. Until the machine ran out. Only lasted a very short time…

  6. Scary thing is that a scam like this involved possibly a hundred people. That will be its undoing. The more people involved the more likely people get caught.

    That’s one way to know the moon landings were real.

Comments are closed.