Organized cyber criminals stole almost $11 million in two highly coordinated ATM heists in the final days of 2012, KrebsOnSecurity has learned. The events prompted Visa to warn U.S. payment card issuers to be on high-alert for additional ATM cash-out fraud schemes in the New Year.

According to sources in the financial industry and in law enforcement, the thieves first struck on Christmas Eve 2012. Using a small number of re-loadable prepaid debit cards tied to accounts that they controlled, scammers began pulling cash out of ATMs in at least a dozen countries. Within hours, the perpetrators had stolen approximately $9 million.

Then, just prior to New Year’s Eve, the fraudsters struck again, this time attacking a card network in India and making off with slightly less than $2 million, investigators say.

The accounts that the perpetrators used to withdraw money from ATMs were tied to re-loadable prepaid debit cards, which can be replenished with additional funds once depleted. Prepaid card networks generally enforce low-dollar limits that restrict the amounts customers can withdraw from associated accounts in a 24 hour period. But in both ATM heists, sources said, the crooks were able to increase or eliminate the withdrawal limits for the prepaid accounts they controlled.

Shortly after the second heist, Visa released a private alert to payment card issuers, warning them to be on the lookout for additional ATM mega-heists over the New Years holiday. Sources say Visa’s alert was indeed prompted by the multi-million dollar heists at the end of December.

The Visa alert (PDF), sent to card issuers at the beginning of January 2013, warns:

“Visa has been alerted to new cases where ATM Cash-Out frauds have been attempted and successfully completed by organized criminal groups across the globe. In a recently reported case, criminals used a small number of cards to conduct 1000’s of ATM withdrawals in multiple countries around the world in one weekend.” “These attacks result from hackers gaining access to issuer authorization systems and card parameter information. Once inside, the hackers manipulate daily withdrawal amount limits, card balances and other card parameters to facilitate massive fraud on individual cards. In some instances over $500K USD has been withdrawn on a single card in less than 24 hours.”

It remains unclear who the victim prepaid card issuer is, or which organization(s) may have been hacked to supply the funds added to the counterfeit prepaid cards. But as Visa notes, the fact that the attackers were able to raise or eliminate the daily withdrawal limits on the cards means they had access to the internal systems of a prepaid card network. Such access may have allowed the attackers to in effect print their own money.

This has happened in at least two other high-dollar ATM heists over the past few years. In May 2011, Jacksonville, Fla. Based Fidelity National Information Services (FIS), the nation’s largest processor of prepaid debit card payments, disclosed that it had been the victim of a similar, $13 million coordinated ATM heist scheme earlier in the year. The company indicated in a filing with the Securities and Exchange Commission a few months after the incident that the loss was the result of an intrusion at WildCard Systems Inc., a prepaid provider it had acquired in 2007. In that scheme, the thieves cloned a handful of cards tied to reloadable prepaid cards on WildCard’s network, and were able to reload the cards with funds each time they were depleted by rapid-fire ATM withdrawals.

FIS said through a spokesperson that neither it nor any of its partners had been impacted by a recent security breach.

In December 2008, RBS Worldpay disclosed that hackers had stolen $9 million in a coordinated ATM heist involving 44 counterfeit payroll debit cards that were used to withdraw funds from at least 2,100 ATMs in at least 280 cities worldwide. In that attack, the perpetrators also used re-loadable prepaid cards, and had obtained access to RBS systems that allowed them to increase the daily withdrawal limits and reload the accounts with stolen funds.

Stay tuned for more updates as this story unfolds.

Tags: ATM bust out, atm heist, ATM skimming, bankinfosecurity.com, Fidelity National Information Services, FIS, RBS Worldpay, reloadable pre-paid debit card, Securities and Exchange Commission, Visa