Wednesday, April 24, 2024

ATM Heists and Global Payments Hack Demonstrate Havoc from Processor Breaches

 

Three recent breaches at payment card processors show just how much damage such breaches can do, and provide reminders about how hacked companies do their best to say as little as they can about them publicly.

Federal authorities say the latest two breaches, which garnered worldwide headlines in recent days, resulted in $45 million in fraudulent ATM withdrawals in 26 countries through the use of stolen prepaid card data. The third is the breach that merchant acquirer Global Payments Inc. reported last year, which Javelin Strategy & Research estimates, in a recent report, may have led to 428,000 incidents of fraud generating $708 million in losses.

The U.S. Attorney’s office in Brooklyn, N.Y., on Thursday announced the unsealing of indictments against seven people, all of Yonkers, N.Y., and their leader, who reportedly was murdered April 27 in the Dominican Republic. Prosecutors say the defendants were part of a worldwide fraud ring that broke into the computer systems of two unidentified processors—one based in the U.S. and the other in India—and stole data about prepaid cards issued by two Middle Eastern banks. All of the living U.S. defendants have been arrested on fraud-related charges.

The hackers raised the reported balances on the cards and eliminated their cash-withdrawal limits. Then they distributed the manipulated data to trusted associates around the world who encoded the information on magnetic-stripe cards, including PINs, and went to ATMs to make thousands of illicit cash withdrawals in two attacks that authorities are calling “Unlimited Operation.”

Reuters identified the Indian processor as ElectraCard Services and the other as EnStage, which, while incorporated in Cupertino, Calif., has its operations facility in Bangalore, India. ElectraCard’s chief executive later said there had been a breach that resulted in prepaid card limits being raised, but he claimed no card data actually had been stolen from his company.

The first attack, on Dec. 22, involved prepaid MasterCard cards issued by the National Bank of Ras Al-Khaimah PSC, or RakBank, which is based in the United Arab Emirates, and processed by ElectraCard. Using cards encoded with the stolen RakBank data, thieves made more than 4,500 withdrawals in about 20 countries resulting in about $5 million in losses. In the New York City area, the ring members allegedly conducted 750 fraudulent transactions in just two hours and 25 minutes at 140 ATM locations and took nearly $383,000.

A second, larger attack involving prepaid MasterCard cards issued by Bank of Muscat in Oman and reportedly processed by EnStage happened Feb. 19-20. Over the course of 10 hours, cells in 24 countries made about 36,000 ATM withdrawals using Bank of Muscat’s card data to steal $40 million. The New York defendants allegedly withdrew $2.4 million in almost 3,000 transactions during that attack.

A spokesperson for the U.S. Attorney’s office in Brooklyn did not return a Digital Transactions News call seeking more information about the processors.

While prepaid cards often draw fire for their fees, regulators sometimes unfairly criticize them as tools for fraud when a processor breach shows balance and withdrawal limits were manipulated, says Ben Jackson, a senior analyst at Maynard, Mass.-based Mercator Advisory Group Inc. who studies the prepaid industry. “What happened here was not a prepaid hacking, it was a processor hacking,” Jackson says. “They [the hackers] were able to break in and change things that have nothing to do with the product. They could have hacked credit cards, they could have hacked debit cards.”

Meanwhile, Javelin’s new analysis doesn’t break any new ground on how Global Payments’ breach happened, but instead makes estimates of the breach’s impact based on findings from its other research, particularly its annual identity-fraud study.

The analysis also criticizes the company for the tight control it kept on information about the breach after reporting it in March 2012. While Global said it voluntarily disclosed the breach, Al Pascual, Javelin’s industry analyst for security, risk and fraud, says the processor was forced to make the disclosure because word of the breach was spreading rapidly through the payments industry.

“Transparency is the last word that anyone would use to describe this massive breach, and for good reason,” Pascual wrote on the research firm’s blog. “While MasterCard and Visa alerted issuers of the processor breach, asserting that it began in 2011 and involved the potential compromise of 10 million payment cards, official details of the event have been heavily obfuscated—it’s as though George Orwell had coached their PR firm.”

Atlanta-based Global declined to comment on the Javelin report. The company earlier said data about no more than 1.5 million card accounts stored in one of its North American processing systems were exposed, in addition to some personal information about applicants for merchant accounts.

Pascual tells Digital Transactions News that, based on what Global said in the breach’s aftermath, the exposed data probably either were unencrypted or poorly encrypted, though he says he can’t prove that. “It’s basically gleaning from what we know of it,” he says. “I wouldn’t imagine they would have made such a stink about it if their data were encrypted. Or, it could have been that the encryption was very weak.”

The breach raises questions about how well Global’s Qualified Security Assessor, or QSA, did in checking the company’s security system for compliance with the Payment Card Industry data-security standard (PCI), Pascual says. Merchants and processors that handle general-purpose payment cards are supposed to annually validate compliance with PCI.

If the data weren’t encrypted, “I’d be concerned with that,” Pascual says. “Did their QSA overlook it? It would be good if they were a little more transparent about the issue.” Global has not disclosed the identity of its QSA at the time of the breach.

Based on findings from its previous studies and assuming 1.5 million card numbers actually were exposed, Javelin estimates fraudsters eventually used 28% of them, or 428,000. Javelin estimates fraud totaled $708 million, an average of $1,654 per card.

 
