A vast debit card fraud scheme that allegedly netted $US45 million has been linked to the hacking of credit card processors in the US and India.
Federal prosecutors in New York indicted eight men on Thursday whom they accuse of a scheme centered on raising the limit on prepaid debit cards and then withdrawing the cash from ATMs.
"In such operations, hackers manipulate account balances and in some cases security protocols to effectively eliminate any withdrawal limits on individual accounts," the indictment reads.
"As a result, even a few compromised bank account numbers can result in tremendous financial loss to the victim financial institution," it said.
Payment card processors are typically expected to comply with the Payment Card Industry Data Security Standard (PCI-DSS), a code of best practices created by the card industry designed to prevent hackers from obtaining card details.
In one example, the hackers raised the limit on 12 accounts at the Bank of Muscat, based in Oman. The account details were obtained through a U.S. credit card processor, which handles Visa and MasterCard prepaid debit cards. It was not identified in the indictment.
The account numbers were distributed to people in 24 countries, who encoded the account details onto dummy payment cards that could then be used in ATMs. Around Feb. 19, the Bank of Muscat lost $40 million in less than 24 hours as the people made withdrawals.
A single card's details was used around New York City for an astounding 2,904 withdrawals, amounting to $2.4 million, according to the indictment. The same number was used in other withdrawals worldwide for another $6.5 million.
The Indian credit card processor, which was also not identified, held the details for prepaid Visa and MasterCard debit accounts with the National Bank of Ras Al-Khaimah PSC in the United Arab Emirates.
The limits for five of those accounts were increased, and the card details send to people in 20 countries. More than 4,500 ATM withdrawals were made, causing $5 million in losses, the indictment said.
The defendants are charged in U.S. District Court for the Eastern District of New York with conspiracy to commit access device fraud, money laundering conspiracy and two counts of money laundering.
Those arrested are Jael Mejia Collado, Joan Luis Minier Lara, Evan Jose Pena, Jose Familia Reyes, Elvis Rafael Rodriguez, Emir Yasser Yeje and Chung Yu-Holguin.
An eighth defendant, Alberto Yusi Lajud-Pena, is believed to have been murdered in the Dominican Republic on April 27.
Send news tips and comments to firstname.lastname@example.org. Follow me on Twitter: @jeremy_kirk
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.