A flurry of fraudulent ATM transactions in countries such as Russia, Ukraine, Turkey and the Czech Republic may be tied to a server intrusion at 1st Source Bank in the US state of Indianapolis.
So far, the fraud appears to have affected at least 200 consumers who belong to more than half a dozen banks and credit unions in the state, according to local media reports. Among those reportedly affected are customers of 1st Source, Teachers Credit Union (TCU) and the Farm Bureau Credit Union.
Representatives from TCU and the Farm Bureau did not immediately respond to a request for comment. Neither did the St. Joseph's County Police Department in Indiana, where a large number of affected consumers reported being victimised by fraudulent overseas ATM transactions.
James Seitz, a vice president with 1st Source, Thursday said it is "reasonable" to assume that the fraudulent transactions are linked to an intrusion into one of the banks servers on May 12.
The breached server contained debit card transaction data belonging to 1st Source's customers as well as those from other financial institutions who used 1st Source ATMs. Seitz confirmed that the information in that server was stolen by hackers, but he refused to say how many records were stolen or how many individuals may have been affected.
After the breach was discovered, the bank immediately "shut down" all of its own cards that were compromised, Seitz said. He refused to disclose how many cards 1st Source blocked and reissued.
The bank also compiled a list of all the other cards that were on the affected system and informed the major credit card companies about the breach, he said.
According to Seitz, much of the fraudulent transactions being reported appear to have taken place over the weekend. Since then, the transactions have "slowed down significantly" he said. Most of the withdrawals were for amounts of US$200 or $300 or whatever the daily limits for each card might be.
The incident highlights the international nature of cybercrime and the global market for stolen credit card and bank data. A report released Wednesday by security vendor Finjan noted that the underground market is flooded with stolen credit card and debit card data, leading to its easy availability and to commodity pricing. According to Finjan, stolen credit card and debit card data, which retailed for $100 per card a few months ago, these days costs just about $20 per card and can often be purchased after little more than a Google search