Payment card processors hacked in $45 million fraud
- 10 May, 2013 02:28
A vast debit card fraud scheme that allegedly netted $US45 million has been linked to the hacking of credit card processors in the US and India.
Federal prosecutors in New York indicted eight men on Thursday whom they accuse of a scheme centered on raising the limit on prepaid debit cards and then withdrawing the cash from ATMs.
"In such operations, hackers manipulate account balances and in some cases security protocols to effectively eliminate any withdrawal limits on individual accounts," the indictment reads.
"As a result, even a few compromised bank account numbers can result in tremendous financial loss to the victim financial institution," it said.
Payment card processors are typically expected to comply with the Payment Card Industry Data Security Standard (PCI-DSS), a code of best practices created by the card industry designed to prevent hackers from obtaining card details.
In one example, the hackers raised the limit on 12 accounts at the Bank of Muscat, based in Oman. The account details were obtained through a U.S. credit card processor, which handles Visa and MasterCard prepaid debit cards. It was not identified in the indictment.
The account numbers were distributed to people in 24 countries, who encoded the account details onto dummy payment cards that could then be used in ATMs. Around Feb. 19, the Bank of Muscat lost $40 million in less than 24 hours as the people made withdrawals.
A single card's details was used around New York City for an astounding 2,904 withdrawals, amounting to $2.4 million, according to the indictment. The same number was used in other withdrawals worldwide for another $6.5 million.
The Indian credit card processor, which was also not identified, held the details for prepaid Visa and MasterCard debit accounts with the National Bank of Ras Al-Khaimah PSC in the United Arab Emirates.
The limits for five of those accounts were increased, and the card details send to people in 20 countries. More than 4,500 ATM withdrawals were made, causing $5 million in losses, the indictment said.
The defendants are charged in U.S. District Court for the Eastern District of New York with conspiracy to commit access device fraud, money laundering conspiracy and two counts of money laundering.
Those arrested are Jael Mejia Collado, Joan Luis Minier Lara, Evan Jose Pena, Jose Familia Reyes, Elvis Rafael Rodriguez, Emir Yasser Yeje and Chung Yu-Holguin.
An eighth defendant, Alberto Yusi Lajud-Pena, is believed to have been murdered in the Dominican Republic on April 27.
Send news tips and comments to firstname.lastname@example.org. Follow me on Twitter: @jeremy_kirk
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.
Trust issue looms large for tech companies capitalizing on personal data
5 women who've made it in IT
Five trends affecting legal CIOs
CIO Roundtable: The changing face of security
Bitcoin malware count soars as cryptocurrency value climbs
Cloud-Based Mobile Device Security Streamlines Data Protection
Read this white paper to learn why cloud-based security offers superior protection that meets today’s requirements for identifying and preventing access to malicious sites and applications while reducing management complexity and IT staff time and effort. This whitepaper discusses: • Increased use of mobile devices and the associated risks • Ways to address security challenges • Benefits of cloud-based anti-malware solutions
Managing your User Environment
Business users are accessing more data, across more devices than ever before. For IT departments, this means an increasing number of problems. This whitepaper details a number of strategies to help prevent challenges in cost, efficiency and security, now and into the future.
Whitepaper: Preventing Data Loss Takes More Than MDM
You need to secure your BYOD devices—but MDM alone isn't enough to prevent data loss. Read this whitepaper—Data Loss Prevention: When MDM Is Not Enough—to learn how to combat MDM shortcomings. See how to add cross-platform security, implement protection policies, and address risks in consumer apps.