$45M Hack Holds Lessons to Prevent Prepaid Card Fraud

Hackers have developed sophisticated schemes to funnel money from banks and payment processors into their own pockets. The more processors know about these tactics, the better they can prevent such heists in the future.

Earlier this year, U.S. prosecutors unveiled a coordinated “Ocean’s Eleven”-type scheme in which hackers stole $45 million. They hacked into two processors of prepaid card accounts and compromised 17 accounts from two banks. “These cybercriminals increased the account balances and removed withdrawal limits for these accounts, essentially creating prepaid cards with infinite value. They then transmitted the card account numbers to groups of ‘cashers’ around the world through carder forums, emails or chat sessions. Then, at a specified time, they disseminated the PIN for each of these accounts to the ‘casher’ groups, who then made the ATM withdrawals within a 24 hour period,” Bank Systems & Technology reported this week.

The hackers gained access to the databases that stored account-level information, along with authorization rules such as daily limits. Bank Systems & Technology surmises that the hackers could have accomplished this by downloading malware onto the processors’ systems, or they could have obtained legitimate cards from the banks involved. They would then have distributed the magnetic stripe information and the PIN to the carder groups to manufacture duplicate cards. It is also possible that the hacker groups collected magnetic stripe information associated with legitimate customers, since they had access to the customer databases. Or they could have changed the authorization rules in the system so that the card parameters of the stolen accounts were not validated at the time of the transaction, leaving only the account number and the PIN needed to complete it. If the latter is true, then chip cards are vulnerable as well.

“For the hackers have modified the logic in the issuers’ authorization system, which now allows any card with a magnetic stripe to go through. The presence of a magnetic stripe on any chip card to allow for fallback transactions makes issuers of chip cards vulnerable to this type of attack,” Bank Systems & Technology reported.

Examining each of these possible causes helps retailers, banks, and others step up their security measures in the future. To prevent sophisticated hacks like this one, Bank Systems & Technology recommends:
  1. Authentication controls for employees with access to sensitive information are essential to preventing an intrusion. At a minimum, two-factor authentication is necessary to keep sophisticated malware from compromising employee login credentials.
  2. Real-time alerts must be raised when there is an intrusion, to prevent takeover of employee accounts even when two-factor authentication is in place. “Risk-based scoring is capable of evaluating each login attempt based on a multitude of parameters, such as geographic location, IP address, time of day, and device profile to determine the riskiness of a login attempt,” Bank Systems & Technology recommends.
  3. Organizations must integrate disparate databases or mainframe files, along with customer account-level and transactional data, with unstructured web session logs, emails and network data to monitor abnormal activity effectively. “It is imperative that fraud groups not focus their fraud detection only on customer account level or transactional activity, but do a comprehensive analysis, including employee activity, internal and external network activity on a real-time or near-real-time basis,” Bank Systems & Technology wrote.
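
The correlation the third recommendation calls for, sketched as an added example that is not from the article or from Bank Systems & Technology: it joins employee-side audit events (limit removals, balance increases) with ATM withdrawals and flags prepaid accounts that are cashed out within 24 hours of a rule change. The record layouts, account and operator names, and both thresholds are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)   # cash-out window described in the article
RULE_CHANGES = {"limit_removed", "balance_increase"}
MAX_COUNTRIES = 2              # assumed threshold per prepaid account
MAX_WITHDRAWALS = 5            # assumed threshold inside one window

# Constructed sample records (hypothetical layouts, not incident data).
ADMIN_EVENTS = [  # (time, account, action, operator)
    ("2000-01-01T01:00", "PREPAID-001", "limit_removed", "ops-user-7"),
    ("2000-01-01T01:05", "PREPAID-001", "balance_increase", "ops-user-7"),
    ("2000-01-01T09:00", "PREPAID-002", "balance_increase", "ops-user-3"),
]
ATM_EVENTS = [  # (time, account, country, amount)
    ("2000-01-01T12:00", "PREPAID-001", "US", 800),
    ("2000-01-01T12:03", "PREPAID-001", "JP", 800),
    ("2000-01-01T12:04", "PREPAID-001", "DE", 800),
    ("2000-01-01T12:10", "PREPAID-001", "US", 800),
    ("2000-01-01T15:00", "PREPAID-002", "US", 200),  # ordinary reload, then use
    ("2000-01-03T12:00", "PREPAID-003", "CA", 100),  # no rule change on file
]

def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M")

def flag_cashouts(admin_events, atm_events):
    """Flag accounts whose ATM use in the 24h after a rule change is abnormal."""
    changes = defaultdict(list)
    for ts, account, action, operator in admin_events:
        if action in RULE_CHANGES:
            changes[account].append((parse_ts(ts), operator))
    hits = {}
    for ts, account, country, amount in atm_events:
        when = parse_ts(ts)
        ops = {op for at, op in changes[account] if at <= when <= at + WINDOW}
        if not ops:
            continue  # withdrawal was not preceded by a rule change
        hit = hits.setdefault(account, {"withdrawals": 0, "total": 0,
                                        "countries": set(), "changed_by": set()})
        hit["withdrawals"] += 1
        hit["total"] += amount
        hit["countries"].add(country)
        hit["changed_by"] |= ops  # employee accounts to review first
    return {a: {k: sorted(v) if isinstance(v, set) else v for k, v in h.items()}
            for a, h in hits.items()
            if h["withdrawals"] > MAX_WITHDRAWALS or len(h["countries"]) > MAX_COUNTRIES}

if __name__ == "__main__":
    print(flag_cashouts(ADMIN_EVENTS, ATM_EVENTS))
```

The `changed_by` field ties each flagged account back to the operator login that altered it, which is where the employee-activity review from the first two recommendations would start.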