A brazen gang of cyber criminals, who stole $45 million from bank ATMs in 27 countries, exposes an Achilles heel in the global financial industry: prepaid debit cards.
Cyber security experts and industry analysts say the burgeoning use of prepaid debit cards for everything from gift certificates to disaster relief handouts is making it easier for hackers to withdraw large amounts of money before detection.
Prepaid cards have fewer controls on them than on regular credit and debit cards issued by banks. Each prepaid card issued is like a blank slate: anonymous, new, and lacking any credit history or individual behavior pattern against which bankers and payment processors can measure activity to look for red flags.
They are also easier to hack. Raising a withdrawal limit on a prepaid card involves hacking into a system at a third-party payment processor, a company that is generally smaller than a bank and, if based outside the United States, potentially subject to looser cyber security standards.
"It's usually prepaid debit cards. That's the card of choice in this. The bad guys know the system and they have been able to exploit it," said Joe Petro, a managing director at Promontory Financial Group, who worked for 20 years as the head of fraud prevention and investigations for Citigroup Inc.
"The vulnerability stems from third-party processors, who may not have the same level of security systems that banks are able to have," he added. Petro was speaking generally and said he did not have direct knowledge of the $45 million heist.
In a globally coordinated campaign, hackers broke into two unidentified payment processing companies that handled the prepaid debit cards for two Middle Eastern banks, U.S. prosecutors said on Thursday.
Once inside the computer networks, they increased the available balance and withdrawal limits on prepaid MasterCard debit cards issued by Bank of Muscat of Oman and National Bank of Ras Al Khaimah PSC of the United Arab Emirates.
The criminal ring's operatives then fanned out around the world and used fraudulent prepaid cards to withdraw money from thousands of ATMs. The global scope and speed of the theft was unprecedented, cyber investigators said. In the case of Bank of Muscat, $40 million was stolen in just over 10 hours.
Experts said the use of prepaid debit cards, instead of credit cards, was not accidental. Credit cards are attached to individuals whose spending habits over time give banks and credit card companies clear patterns they can use when trying to identify unusual or illicit activity.
A thief moving from ATM to ATM with a personal credit card would likely quickly raise alarms, because his or her behavior would look out of place compared to the credit card user's normal activity.
"The banks are using state-of-the art defenses, but the more sophisticated actors are able to breach their networks," said Shawn Henry, the former head of cyber crime investigations at the FBI, now president of professional services at security firm CrowdStrike.
While the $45 million swindle is one of the largest ever, security experts say banks deal with similar, albeit smaller, thefts regularly - they are just rarely disclosed.
By 2013, the amount of money that was placed onto reloadable prepaid cards reached about $201.9 billion from $28.6 billion in 2009, according to a report published by Mercator Advisory Group.
"Of all the types of cards that are there, prepaid cards is the fastest growing category," said Scott Valentin, analyst with FBR Capital Markets & Co.
"With cash payments slowing and an increase in mobile payment and online commerce, the importance of these cards is only going to increase," Valentin said. "With credit cards you need to be credit worthy and with debit cards you need a bank account. Prepaid cards gets you past these two issues and as a result are extremely popular."
That has raised concerns about the need for better security around prepaid cards, and the card processing companies that service them.
For more than a decade, banks have been required by U.S. law to ensure their electronic systems and those used by their outside contractors meet certain safety requirement. U.S. banks using payment processors must have a contractual agreement that states the payment processor is meeting the same security standards the bank does.
The problem, said Doug Johnson, vice president for risk management policy at the American Bankers Association in Washington, is that U.S.-based banks, don't always find it easy to ensure that what is agreed in the contract with an overseas payment processor is really being implemented.
"I fully anticipate that regulatory agencies are going to spend increased time looking at third-party providers," Johnson said.
In the case of the two Middle Eastern banks, one used a U.S.-based credit card processor, while the other used one in India. The U.S.-based company's breach shows even third-party processors close to home can make banks vulnerable.
William B. Nelson, chief executive of a nonprofit security group advising the banking industry, said the case reminded him of the RBS WorldPay breach in 2008. In that attack, intruders into the arm of Royal Bank of Scotland took data on customers, created new cards, and then raised the daily withdrawal limits. They stole $9 million in a day.
The accused Russian mastermind of the scheme was convicted but received a suspended sentence. "It's a cash-out scheme, where they've been able to find a vulnerability in the card system," said Nelson, CEO of FS-ISAC, of the current case. "They are not really hitting bank accounts."