A highly coordinated ATM scam that took place in the last week of 2012 and spanned at least 12 countries netted criminals nearly $11 million in ill-gotten gains.
The criminals apparently broke into the data network of a company that issues prepaid debit cards, probably to raise withdrawal limits and balances on certain accounts, unnamed sources told security blogger Brian Krebs.
Krebs' sources told him that reloadable prepaid debit cards linked to those accounts were used to make nearly simultaneous withdrawals from multiple locations across different countries.
The first time the thieves struck, on Christmas Eve, they stole roughly $9 million in a matter of hours. In a second incident the week after Christmas, the same gang took $2 million from a card network in India.
The money never existed as real deposits; the balances were conjured up electronically and then turned into cold hard cash at ATMs. Because the thieves had raised the prepaid debit cards' account balances and withdrawal limits, the issuer's authorization system had no reason to refuse withdrawal requests that came in below those inflated figures.
The operation was basically electronic check-kiting on a large scale. As in that old-time financial fraud, it authorized payment of money that wasn't there, but did it so quickly that banks didn't catch on until it was too late.
A private security-alert letter sent by Visa to card issuers in January, and posted by Krebs, confirmed that a big heist took place.
"Visa has been alerted to new cases where ATM Cash-Out frauds have been attempted and successfully completed by organized criminal groups across the globe," the letter said.
"In a recently reported case, criminals used a small number of cards to conduct 1000’s of ATM withdrawals in multiple countries around the world in one weekend."
The Visa letter didn't mention how much money was stolen overall, but did say that "in some instances, over $500K USD has been withdrawn on a single card in less than 24 hours."
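The pattern Visa describes, thousands of withdrawals on a handful of cards and hundreds of thousands of dollars on a single card in under a day, is exactly what a velocity check on the issuer's authorization feed is meant to catch. The following is an added example, not code from the article, from Krebs, or from Visa; the log format, the card identifiers and the thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample ATM authorization log (invented for this example, not data
# from the incident). One line per approved withdrawal: card id, UTC timestamp,
# ATM country, USD amount. Card C1 behaves like a cash-out card, C2 like a
# normal customer.
SAMPLE_AUTH_LOG = """\
card=C1 ts=2012-12-24T18:02:11Z country=US amount=1500
card=C1 ts=2012-12-24T18:03:40Z country=RU amount=1500
card=C1 ts=2012-12-24T18:04:05Z country=UA amount=1500
card=C1 ts=2012-12-24T18:05:12Z country=US amount=1500
card=C1 ts=2012-12-24T18:06:30Z country=RU amount=1500
card=C1 ts=2012-12-24T18:09:58Z country=UA amount=1500
card=C2 ts=2012-12-24T19:10:00Z country=GB amount=200
card=C2 ts=2012-12-25T09:30:00Z country=GB amount=100
"""

# Thresholds are assumptions chosen for the example; a real issuer tunes them
# per card product and customer segment.
MAX_WITHDRAWALS_24H = 5
MAX_AMOUNT_24H = 5000
COUNTRY_WINDOW = timedelta(hours=1)

LINE_RE = re.compile(r"card=(\S+) ts=(\S+) country=(\S+) amount=(\d+)")


def parse_auth_log(text):
    """Parse log lines into (card, datetime, country, amount) tuples sorted by time."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than dropping the whole batch
        card, ts, country, amount = m.groups()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append((card, when, country, int(amount)))
    records.sort(key=lambda r: r[1])
    return records


def velocity_alerts(records):
    """Return {card: set(reasons)} for cards whose trailing activity trips a rule.

    For every approval, look back over that card's earlier approvals and check:
      - number of withdrawals in the trailing 24 hours
      - total amount withdrawn in the trailing 24 hours
      - distinct ATM countries in the trailing hour (a cash-out crew draws on
        one card from several countries at once; no single traveller can)
    """
    by_card = defaultdict(list)
    for card, when, country, amount in records:
        by_card[card].append((when, country, amount))

    alerts = defaultdict(set)
    for card, auths in by_card.items():
        for i, (when, _country, _amount) in enumerate(auths):
            day = [a for a in auths[: i + 1] if when - a[0] <= timedelta(hours=24)]
            if len(day) > MAX_WITHDRAWALS_24H:
                alerts[card].add("count_24h")
            if sum(a[2] for a in day) > MAX_AMOUNT_24H:
                alerts[card].add("amount_24h")
            hour_countries = {a[1] for a in auths[: i + 1] if when - a[0] <= COUNTRY_WINDOW}
            if len(hour_countries) > 1:
                alerts[card].add("multi_country_1h")
    return dict(alerts)


if __name__ == "__main__":
    for card, reasons in velocity_alerts(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(card, sorted(reasons))
```

The point of running this on the authorization stream rather than on end-of-day settlement is timing: in the incident the cash was gone within hours, so a rule that only fires after the batch reconciles is too late. Card C1 in the sample trips all three rules within its first few minutes of activity; C2 trips none.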
Neither Visa nor Krebs named the company whose payment network the crooks attacked, or the exact methods used.
However, Visa did remind its clients to "ensure the Cardholder Data Environment is segregated from the corporate network" and to make sure their websites were secure against SQL-injection attacks, in which attacker-controlled input, for example a crafted parameter in a URL, is spliced into a database query and executed as SQL.
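How the weakness Visa warns about arises, and how a bound parameter closes it, as an added example that is not part of the article and does not describe the method actually used in the heist (which neither Visa nor Krebs disclosed). The prepaid-card table, the portal URL and the `card` query parameter are assumptions made for the illustration.

```python
import sqlite3
from urllib.parse import parse_qs, urlsplit


def make_db():
    """Create an in-memory prepaid-card table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cards (number TEXT PRIMARY KEY, balance INTEGER, daily_limit INTEGER)"
    )
    conn.executemany(
        "INSERT INTO cards VALUES (?, ?, ?)",
        [
            ("4000000000000001", 250, 500),
            ("4000000000000002", 90, 500),
            ("4000000000000003", 1200, 1000),
        ],
    )
    return conn


def card_param(url):
    """Pull the 'card' query parameter out of a request URL, as a web handler would."""
    return parse_qs(urlsplit(url).query).get("card", [""])[0]


def lookup_vulnerable(conn, url):
    """Builds the SQL by string concatenation: the parameter becomes query text."""
    card = card_param(url)
    sql = "SELECT number, balance, daily_limit FROM cards WHERE number = '" + card + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, url):
    """Same lookup with a bound parameter: the input stays data, never SQL."""
    card = card_param(url)
    return conn.execute(
        "SELECT number, balance, daily_limit FROM cards WHERE number = ?", (card,)
    ).fetchall()


# Constructed requests: a normal balance lookup, and a URL whose 'card' value
# decodes to the classic tautology  ' OR '1'='1
NORMAL_URL = "https://portal.example/balance?card=4000000000000002"
INJECTED_URL = "https://portal.example/balance?card=%27%20OR%20%271%27%3D%271"

if __name__ == "__main__":
    conn = make_db()
    print(lookup_vulnerable(conn, NORMAL_URL))       # the one matching card
    print(lookup_vulnerable(conn, INJECTED_URL))     # all three cards' balances and limits
    print(lookup_parameterized(conn, INJECTED_URL))  # [] : no card has that literal number
```

With concatenation the injected value turns the query into `WHERE number = '' OR '1'='1'`, which matches every row; the same value bound as a parameter is just a sixteen-character string that matches nothing. An UPDATE built the same way would let the same kind of input change balances or limits, which is why the fix belongs in every query, not only the ones that look sensitive.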