Reports are coming in that in the final days of 2012 hackers were able to pull off a major scam using ATM machines and prepaid credit cards. The attack was so successful, that Visa warned all US payment card issuers to be on high alert for additional ATM cash-out fraud schemes in 2013. Sources in the financial industry and law enforcement cited by Krebsonsecurity.com say that thieves made off with approximately $9 million in the scam.
The sources claim that the attackers used a small number of reloadable prepaid debit cards to pull cash out of ATMs in at least a dozen countries. According, to the sources the crooks took approximately $9 million in only a few hours. The sources also claim that around New Year's Eve the group struck again.
The second attack occurred on ATM networks in India and resulted in the thieves making off with a little less than $2 million according to investigators. This sort of attack is typically avoided because the reloadable, prepaid debit cards are limited to low dollar amounts being withdrawn within a 24-hour period. However, the criminals were somehow able to increase or completely eliminate those withdrawal limits for the accounts they control.
Visa says that the attacks were made possible because the hackers were able to gain access to issuer authorization systems and card parameter information. Once the hackers had access to that information, they were able to manipulate daily withdrawal amount limits, card balances, and other parameters. Visa says that in some instances over $500,000 was withdrawn from a single card within 24 hours.