Krebs on Security's Brian Krebs reports that cybercriminals used prepaid debit cards to steal approximately $9 million from ATMs on Christmas Eve 2012, then stole another $2 million just before New Year's Eve.
Soon after, Krebs reports, Visa sent an alert [PDF file] to payment card issuers, warning, "Visa has been alerted to new cases where ATM Cash-Out frauds have been attempted and successfully completed by organized criminal group across the globe. ... These attacks result from hackers gaining access to issuer authorization systems and card parameter information. Once inside, the hackers manipulate daily withdrawal amount limits, card balances and other card parameters to facilitate massive fraud on individual cards."
"It remains unclear who the victim prepaid card issuer is, or which organization(s) may have been hacked to supply the funds added to the counterfeit prepaid cards," Krebs writes. "But as Visa notes, the fact that the attackers were able to raise or eliminate the daily withdrawal limits on the cards means they had access to the internal systems of a prepaid card network. Such access may have allowed the attackers to in effect print their own money."
"This is not the first time an ATM heist has hit the headlines," Infosecurity reports. "In August 2011, a theft involving 22 prepaid debit cards netted thieves around $13 million. The hackers allegedly altered the maximum daily withdrawal limits in that case as well. The victim was Florida-based Fidelity National Information Services, which bills itself as the world’s largest processor of prepaid debit cards and claims to process more than 775 million transactions annually."