How To Steal $13 Million Dollars In A Single Day!

Credit Card Theft

Every time I buy a lottery ticket, one of my friends reminds me that the lottery is a tax on stupidity. When I win, he will not be on my ‘generous to friends’ list. I know he’s right, just unfeeling.

Though I find the $1 investment to be a short-lived dream, I also feel like it’s worth every penny. After all, life as an instant multi-millionaire – what could be better? My small investment means that, though the possibility is slight, I could someday live out that dream. However, as some cyber criminals have discovered, the lotto isn’t the only way to become an instant multi-millionaire…

Stealing millions

Even as a security guy (perhaps especially because I am a security guy), I find the skills and audacity of some hacker scams to be nothing short of inspirational. Earlier this year, a gang of cyber criminals managed to steal over $13 million in a single day! You might be wondering: how did they do it?

The initial attack and subsequent breach were superbly orchestrated and could only have been pulled off by a large and well-organized group – a solid indication of the heist’s roots in Eastern European organized cyber crime.

The start of the attack was an unrecognized breach of Fidelity National Information Services Inc. (FIS), a Jacksonville, Fla.-based firm that processes prepaid debit cards. The attackers gained access to FIS servers where debit card information and balances are stored.

FIS internal systems are set up such that debit cards have fixed limits on ATM withdrawals and can only be used up to the amount actually in the individual account. The cyber gang modified the limitations on 22 of these debit cards, cloned the cards and distributed copies throughout Greece, Russia, Spain, Sweden, Ukraine and the United Kingdom.

On Saturday, March 5, 2011, the cyber gang began coordinated withdrawals across the world, replenishing balances as needed using their breached access to the FIS servers, without actually adding money to the accounts. By the end of the next day, Sunday, March 6, over $13 million in cash had been extracted from targeted ATMs.

I’ll do the math for you – this was an average of $60,000 per card. In a similar 2008 attack that netted $9 million, the thieves hit at least 2,100 ATM terminals in 280 cities worldwide. Imagine the coordination needed to pull off these attacks!

Factors that made this heist possible

After I get over my admiration, a few more practical thoughts come to mind. The keys to this attack were:

  • The fact that FIS, a company with substantial monetary responsibilities, did not have sufficient security policies in place to stave off the cyber attack, and
  • After the breach occurred, the attack remained undetected. The time between the initial breach and the actual ATM withdrawals had to be lengthy; one does not set up operations in hundreds of cities overnight. FIS, like many organizations, did not implement access-monitoring processes.
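The second factor, the absence of monitoring, is the one a defender can do something about. As an added illustration that is not part of the original post and uses constructed records rather than FIS data, the script below scans a simple card-event log for the pattern described above: a withdrawal limit raised far above its previous value, balances edited without a matching deposit, and ATM cash-outs across several countries that exceed the money ever put on the card. The log format and field names are assumptions for the example.

```python
from collections import defaultdict
# Constructed sample log (not FIS data): card 1001 follows the heist pattern, card 2002 is normal.
EVENTS = [
    "2011-03-04T10:00:00Z card=1001 type=deposit amount=500 country=US",
    "2011-03-04T22:15:00Z card=1001 type=limit_change old=500 new=100000 actor=svc_admin",
    "2011-03-05T08:00:00Z card=1001 type=withdrawal amount=5000 country=GR",
    "2011-03-05T08:05:00Z card=1001 type=withdrawal amount=5000 country=UA",
    "2011-03-05T08:10:00Z card=1001 type=balance_set balance=10000 actor=svc_admin",
    "2011-03-05T08:20:00Z card=1001 type=withdrawal amount=5000 country=SE",
    "2011-03-04T10:00:00Z card=2002 type=deposit amount=300 country=US",
    "2011-03-05T09:00:00Z card=2002 type=withdrawal amount=200 country=US",
]

def parse(line):
    # "ts key=val key=val ..." -> dict; the timestamp stays an ISO-8601 string
    ts, *kvs = line.split()
    return {**dict(kv.split("=", 1) for kv in kvs), "ts": ts}

def find_suspicious_cards(lines, max_countries=2):
    """Return {card: [reasons]} for cards whose activity matches the heist pattern."""
    funded = defaultdict(float)        # money actually deposited
    withdrawn = defaultdict(float)     # cash taken out at ATMs
    countries = defaultdict(set)       # distinct countries of ATM use
    limit_changes = defaultdict(list)  # (ts, old, new) limit edits
    balance_sets = defaultdict(list)   # balance edits that are not deposits
    for rec in map(parse, lines):
        c, t = rec["card"], rec["type"]
        if t == "deposit":
            funded[c] += float(rec["amount"])
        elif t == "withdrawal":
            withdrawn[c] += float(rec["amount"])
            countries[c].add(rec["country"])
        elif t == "limit_change":
            limit_changes[c].append((rec["ts"], float(rec["old"]), float(rec["new"])))
        elif t == "balance_set":
            balance_sets[c].append(rec["ts"])
    findings = {}
    for c in sorted(set(funded) | set(withdrawn) | set(limit_changes) | set(balance_sets)):
        reasons = []
        if withdrawn[c] > funded[c]:
            reasons.append(f"withdrawals {withdrawn[c]:.0f} exceed deposits {funded[c]:.0f}")
        if len(countries[c]) > max_countries:
            reasons.append(f"ATM use in {len(countries[c])} countries")
        for ts, old, new in limit_changes[c]:
            if new > 10 * old:
                reasons.append(f"limit raised {old:.0f}->{new:.0f} at {ts}")
        if balance_sets[c]:
            reasons.append(f"{len(balance_sets[c])} balance edit(s) not backed by a deposit")
        if reasons:
            findings[c] = reasons
    return findings
```

Each of these checks fires on data the processor already holds; the point is that a limit change or balance edit made outside the normal deposit path is itself the signal, long before the cash leaves the ATMs.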

In a “who are these clowns” reflection moment, I did a little research on FIS and discovered that they were the target of a breach of 8.5 million identity records in July of 2007. A former employee, William Sullivan, stole these records for the sole purpose of selling them to a direct marketing company.

Unfortunately, the identities sold by Sullivan for marketing reasons were also used in identity theft scams. As a result, Sullivan was convicted of fraud and is currently serving a 57-month sentence in federal prison. In other words, Bill is not a good role model.

FIS is a publicly traded company with over a billion dollars in annual revenue. While the two breaches, one a server attack, the other a data dump to a flash drive, are very different, they do make one wonder about the insufficient level of security provided, even by large companies under federal scrutiny.

One last math factoid: If I can get my bank to ignore the fact that I only have $87 in my debit card account, I only need to make 300 ATM withdrawals of $200 (my limit) in order to get to the $60,000 per card average achieved by the Russian cyber mafia. I’ll keep my day job.


Alan Wlasuk is a managing partner of 403 Web Security, a full service, secure Web application development company. A Bell Labs Fellow award-winner with 18+ years of experience building secure web applications, Alan is an expert in Web security - from evaluation to Web development and remediation.