Cyber Crimes

A brazen gang of cyber criminals, who stole $45 million from bank ATMs in 27 countries, exposes an Achilles heel in the global financial industry: prepaid debit cards.

Cyber security experts and industry analysts say the burgeoning use of prepaid debit cards for everything from gift certificates to disaster relief handouts is making it easier for hackers to withdraw large amounts of money before detection.

Prepaid cards have fewer controls on them than on regular credit and debit cards issued by banks. Each prepaid card issued is like a blank slate: anonymous, new, and lacking any credit history or individual behavior pattern against which bankers and payment processors can measure activity to look for red flags.

They are also easier to hack. Raising a withdrawal limit on a prepaid card involves hacking into a system at a third-party payment processor, a company that is generally smaller than a bank and, if based outside the United States, potentially subject to looser cyber security standards.

"It's usually prepaid debit cards. That's the card of choice in this. The bad guys know the system and they have been able to exploit it," said Joe Petro, a managing director at Promontory Financial Group, who worked for 20 years as the head of fraud prevention and investigations for Citigroup Inc.
"The vulnerability stems from third-party processors, who may not have the same level of security systems that banks are able to have," he added. Petro was speaking generally and said he did not have direct knowledge of the $45 million heist.
In a globally coordinated campaign, hackers broke into two unidentified payment processing companies that handled the prepaid debit cards for two Middle Eastern banks, U.S. prosecutors said on Thursday.

Once inside the computer networks, they increased the available balance and withdrawal limits on prepaid MasterCard debit cards issued by Bank of Muscat of Oman and National Bank of Ras Al Khaimah PSC of the United Arab Emirates.

The criminal ring's operatives then fanned out around the world and used fraudulent prepaid cards to withdraw money from thousands of ATMs. The global scope and speed of the theft was unprecedented, cyber investigators said. In the case of Bank of Muscat, $40 million was stolen in just over 10 hours.

Experts said the use of prepaid debit cards, instead of credit cards, was not accidental. Credit cards are attached to individuals whose spending habits over time give banks and credit card companies clear patterns they can use when trying to identify unusual or illicit activity.