Why Prepaid Cards Appeal to Hackers
Prepaid cards have been at the heart of several data breaches in recent years because their traits make them more appealing to fraudsters.
But overall, prepaid cards are as safe as any other payment instrument available to consumers, industry experts say.
Last week's arrests in a $45 million ATM cash-out scheme involved prepaid card accounts handled by two processors later identified as enStage and ElectraCard. A breach at Fidelity National Information Services in 2011 and one at WorldPay in 2009 also involved prepaid cards.
"The difference with prepaid cards [from other payment cards] is they can be bought anonymously, and are not necessarily registered with a bank," says Madeline K. Aufseeser, senior analyst with Boston-based Aite Group.
A consumer can buy a prepaid card, load money onto it and then use it for a short period of time to take money from it, all before being required to register the card, Aufseeser says.
"So, it's not the card itself, but the way it can be used as a tool to get money," she says.
The recent incident involved withdrawals from ATMs in as many as 27 countries, but according to the Brooklyn Federal Court indictment, the scheme involved only 12 prepaid card accounts at one bank and one account at the other bank.
Each country has different guidelines for prepaid accounts, and the banks targeted in this particular incident were from Oman and the United Arab Emirates.
In the U.S., banks set limits on the amount of money a prepaid account can hold, as well as how many withdrawals a customer can make per day at an ATM based on the customer's credit rating and past history with the bank, Aufseeser says.
In the most recent incident, hackers are suspected of accessing the processors' databases to eliminate those limitations on the compromised accounts. The individuals arrested are accused of cashing out the compromised accounts.
Because prepaid accounts are more popular with consumers, the cards represent a "new player" in the payments field, says Aleia Van Dyke, a payments analyst for Javelin Strategy and Research.
As such, security "growing pains" with prepaid cards will exist, Van Dyke says. "There are numerous cards out there that may not have the safeguards of others."
However, fraudsters still pay more attention to credit and debit cards, she says.
"Current fraud reports show that prepaid cards still trail behind the fraud rates of debit and credit cards because there are not as many prepaid cards issued, and credit cards have higher limits on money available," Van Dyke says.
With strong network security in place, prepaid card accounts should not be any more vulnerable than any other account, says Mark Putman, senior vice president for First Data Prepaid Solutions, in an e-mail.
"Processors for prepaid versus debit or credit quite often are the same, so being prepaid really should not drive more risk at a processor level," Putman says. "Security and controls in place are equally relevant."
Elavon, a payment processor owned by U.S. Bancorp, invests more than $1 million a year in security, CEO Simon Haslam told PaymentsSource in a recent interview.
The "main take-away" from the multiple data breaches over the years is that processors should not consider themselves impervious even if they meet the rules for compliance with the Payment Card Industry data security standard, says Ted Eull, vice president of technology for Oak Park, Ill.-based data security vendor Via Forensics.
After disclosing a breach in 2009, "the Heartland CEO said that PCI is a minimum standard and not entirely sufficient on its own," Eull says.
Processors or other entities handling sensitive data should hire security experts to "try to break into their databases and find the weaknesses in security, before the guys who want to steal money do it," Eull adds.
Fidelity National Information Services, which disclosed a prepaid card data breach in 2011, declined to comment about the arrests last week. It also would not elaborate on how the company addressed security in the aftermath of its own breach.