A prepaid card breach disclosed in May was accomplished by hackers who turned off the withdrawal limits on multiple card accounts, according to a new report.

The attack was originally disclosed by the vendor Fidelity National Information Services Inc. in May. The Jacksonville, Fla., company said in an earnings statement that it lost $13 million to the scheme, which affected up to 7,170 prepaid accounts. It said little else about the incident, but security writer Brian Krebs reported Friday that he has learned how the hackers pulled it off.

"Apparently, the crooks were able to drastically increase or eliminate the withdrawal limits for 22 prepaid cards that they had obtained," Krebs wrote on his Krebs on Security website, citing sources close to the investigation. The cards were cloned and distributed to conspirators in several countries.

The conspirators then spent the evening of March 5 using the cards to make fraudulent cash withdrawals, Krebs wrote.

"Armed with unauthorized access to FIS' card platform, the crooks were able to reload the cards remotely when the cash withdrawals brought their balances close to zero," he wrote.

FIS would not comment for Krebs' story, and the Federal Bureau of Investigation would not confirm or deny that it is investigating the incident, he wrote.

An FIS spokeswoman told American Banker in an email Aug. 27 that the company "now considers this a closed matter," though it "continues to work with federal law enforcement as appropriate" and has improved its security.

Krebs likened the tactics used in the FIS incident to those used against RBS WorldPay in 2008.