Slashdot Mirror


Global Payments Breach Led To Prepaid Card Fraud

tsu doh nimh writes "Global Payments, the Atlanta-based credit card processor that disclosed a major breach of its systems last month, has said that less than 1.5 million card numbers were stolen, and that customer names and addresses weren't included in the purloined data. But security reporter Brian Krebs carries a piece today highlighting how thieves were still able to use the data to clone debit cards, which were then used in shopping sprees in and around the Las Vegas area recently."

50 comments

  1. Did I miss something here? by pla · · Score: 1

    Wait... So someone hacks in and steals a million and a half valid prepaid card numbers - And they bother with resorting to identity theft based on the payment info used to purchase those cards?

    That seems somehow... Inefficient. Like breaking into Fort Knox so you can steal the copper plumbing.

    1. Re:Did I miss something here? by Baloroth · · Score: 4, Informative

      They didn't have any pre-paid card numbers, they had actual debit cards. But, they only had limited data from them (Track 2 data) which isn't enough to clone the complete card. Instead, they bought en masse cheap prepaid cards, which could then be re-encoded with the debit-card data (and then used to buy more expensive pre-paid cards, which were used for the actual purchases). Since Track 2 doesn't include personal information, such as addresses, names, or PINs, they couldn't just clone the card directly, hence the use of the prepaid cards.

      I suspect they didn't buy off-the-shelf commercially available cards because that would look extremely suspicious, whereas pre-paid cards aren't suspicious (there is really no easy way to verify the number on the card is the same as on the stripe), and regular online purchases (customary for this kind of fraud) are impossible with no billing address/name/etc.

      --
      "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
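
The Track 2 fields mentioned in the comment above, seen from the defender's side, as an added example that is not part of any post in this thread: a scanner that finds Track 2 strings left in application or POS logs, reports only masked fields, and redacts them. The field layout follows ISO/IEC 7813; the function names and log lines are constructed for illustration, and the PAN is the widely published Visa test number.

```python
import re

# ISO/IEC 7813 Track 2: ';' PAN '=' YYMM service-code discretionary-data '?'
# There is no cardholder-name or address field in this layout.
TRACK2_RE = re.compile(
    r";(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?"
)


def luhn_ok(pan: str) -> bool:
    """Luhn check, used to discard digit runs that only look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_track2(line: str) -> list:
    """Return masked field summaries for each Luhn-valid Track 2 hit."""
    hits = []
    for m in TRACK2_RE.finditer(line):
        pan = m.group("pan")
        if not luhn_ok(pan):
            continue
        hits.append({
            # Keep first six and last four digits only
            "masked_pan": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],
            "expiry_yymm": m.group("exp"),
            "service_code": m.group("svc"),
            "discretionary_len": len(m.group("disc")),
        })
    return hits


def redact(line: str) -> str:
    """Replace Luhn-valid Track 2 strings so they do not persist in logs."""
    def _mask(m):
        return ";[TRACK2 REDACTED]?" if luhn_ok(m.group("pan")) else m.group(0)
    return TRACK2_RE.sub(_mask, line)


def scan_lines(lines):
    """Yield (line_number, hit) for every finding in an iterable of lines."""
    return [(n, h) for n, line in enumerate(lines, 1) for h in find_track2(line)]


# Constructed sample log lines (not real card data).
SAMPLE_LOG = [
    "12:00:01 pos-7 swipe raw=;4111111111111111=30121010000000000? auth=OK",
    "12:00:02 pos-7 swipe raw=;4111111111111112=30121010000000000? auth=ERR",
    "12:00:03 pos-7 order;id=20120514 status=paid?",
]

if __name__ == "__main__":
    for n, hit in scan_lines(SAMPLE_LOG):
        print(n, hit)
    for line in SAMPLE_LOG:
        print(redact(line))
```

Only the first sample line is reported: the second fails the Luhn check and the third does not match the Track 2 layout.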
    2. Re:Did I miss something here? by Zero__Kelvin · · Score: 1

      Yes. You missed something. They bought the cheap cards solely for the magnetic strip and appearance of validity (a forged or blank card would draw attention, but one with the official logo and holographic stamp obviously wouldn't.) They then modified the mag strip data so that it had completely different information on them. They paid a small amount, and then modified the cards so that they had the account information of cardholders with significantly more value on their cards (i.e. cloned them.) It was actually pretty clever from a technological standpoint, even though it was stupid from the standpoint of someone who values their freedom.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    3. Re:Did I miss something here? by Fnord666 · · Score: 2

      According to Fuller, Higgins said the fraudsters were coming to the stores to buy low-denomination Safeway branded prepaid cards, and then encoding debit card accounts issued by USB onto the magnetic stripe on the backs of the prepaid cards. The thieves then used those cards to purchase additional prepaid cards with much higher values, which were then used to buy electronics and other high-priced goods from other retailers.

      Yes, apparently you missed something.

      --
      'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
    4. Re:Did I miss something here? by simcop2387 · · Score: 1

      I don't know. Getting a bunch of prepaid cards and then using them to get cash back at places doesn't sound like a half bad idea if you can pull it off fast enough to get some money.

    5. Re:Did I miss something here? by DanTheManMS · · Score: 1

      Wait... So someone hacks in and steals a million and a half valid prepaid card numbers [...]

      It took a few re-readings, but to my best understanding, they stole valid debit card numbers, not prepaid ones. They only had the numbers and expiration date though, so full-on identity theft would be difficult, and this article is explaining how even having only the number was enough. They bought some cheap pre-paid cards (probably with cash), re-encoded the mag stripes with valid stolen debit card numbers, and used those to buy more higher-value prepaid cards (via a signature-based transaction so no PIN needed), which they then used to buy expensive stuff. I'm just curious why you would be able to buy a pre-paid card with another pre-paid card in the first place.

      I had forgotten about the original story on this incident, but that would explain why I got a new credit card in the mail a week or two ago...

    6. Re:Did I miss something here? by Dainsanefh · · Score: 0

      They won't let you buy another prepaid debit card with credit cards or debit cards, but you can buy GIFT CARDS from debit cards. Retailers' gift cards like Best Buy, iTunes have HIGH resale value.

      --
      Twitter: @dainsanefh
    7. Re:Did I miss something here? by Anonymous Coward · · Score: 0

      Yes they will. I just did it this week.

    8. Re:Did I miss something here? by CodeBuster · · Score: 4, Interesting

      even though it was stupid from the standpoint of someone who values their freedom.

      The people making the purchases in Vegas and the people who "cloned" the cards were not likely the same people. Did TFA say *exactly* what was purchased using these cloned cards? For example, the people who actually used the cards, aka "the mules", were probably instructed to purchase portable high value items, including fine jewelry and watches, and then to mail those items on to fences in Russia, Eastern Europe, Asia or Africa. This also explains why Vegas was chosen because there are many high end shops selling very expensive jewelry, watches and other luxury goods in high volumes on credit so a large number of transactions is less likely to be noticed. Once the goods arrive overseas, they are resold and the profits, minus cuts for middle men, are transferred back to the technically sophisticated criminals who reside in countries where it's difficult or impossible for US law enforcement to reach them. Obviously this is less desirable than simply transferring funds electronically and directly, but the limited amount of data stolen in this case, as others have already pointed out, limited the options of these thieves.

    9. Re:Did I miss something here? by CodeBuster · · Score: 2

      I don't know. Getting a bunch of prepaid cards and then using them to get cash back at places doesn't sound like a half bad idea if you can pull it off fast enough to get some money.

      Except for the fact that every store which sells these prepaid debit cards has video surveillance of all checkout stations and it even says on the card packaging that surveillance video will be provided to law enforcement in the event of fraud or use of the card to purchase illegal goods or services. If you're considering doing something like this, I would advise against it. If you're living in the US and you're caught, you will become the newest member of that permanent underclass which is forever cut off from any meaningful employment or worthwhile future opportunities by virtue of being a convicted felon. There's now effectively zero forgiveness in American society for ex-criminals, reformed or not. One mistake and you're branded for life. Consider all of this carefully before deciding whether or not to commit a crime, especially a blue collar one like low-rent debit card fraud. No matter how desperate you are, it's almost certainly NOT worth it.

    10. Re:Did I miss something here? by Anonymous Coward · · Score: 0

      Except for the fact that every store which sells these prepaid debit cards has video surveillance of all checkout stations and it even says on the card packaging that surveillance video will be provided to law enforcement in the event of fraud or use of the card to purchase illegal goods or services.

      Video evidence violates the 5th Amendment. Also maybe the 6th since cameras cannot be cross-examined by defense counsel.

      (roman_mir, still lost my password)

    11. Re:Did I miss something here? by Sique · · Score: 2

      On the other hand, if you ever got caught committing a crime, for the rest of your life you seem to have to commit crimes to just get along, just as if zero tolerance and zero forgiveness were a recipe to increase crime rates.

      --
      .sig: Sique *sigh*
    12. Re:Did I miss something here? by expatriot · · Score: 1

      If you use a terminal that you know has video, you waive your right not to be videoed in public. Which is a pretty tenuous right anyway. And you can hire an expert to evaluate the recording.
      Or you can not clone cards and steal money from people and companies.

    13. Re:Did I miss something here? by L4t3r4lu5 · · Score: 1

      There's now effectively zero forgiveness in American society for ex-criminals, reformed or not. One mistake and you're branded for life.

      No wonder your prison system is so successful^Wprofitable. Criminals simply cannot afford to be rehabilitated.

      --
      Finally had enough. Come see us over at https://soylentnews.org/
    14. Re:Did I miss something here? by Anonymous Coward · · Score: 0

      "One mistake and you're branded for life"

      Thanks to the Republicans who called themselves "Christians".

      Tax credits need to be given for courageous employers who hire felons.

      Give them the same rights and benefits as war vets, as they are technically "prisoners of war" against rich Jewish bankers and their minions.

    15. Re:Did I miss something here? by ub3r+n3u7r4l1st · · Score: 1

      especially in this country you can commit and be prosecuted for something you do every day:

      http://www.amazon.com/Three-Felonies-Day-Target-Innocent/dp/1594032556

      Couple this with the logic that "ignorance is not an excuse", and you have a perfect system right there.

    16. Re:Did I miss something here? by trum4n · · Score: 1

      Your point would have been valid if you weren't Mel Gibson.

    17. Re:Did I miss something here? by gl4ss · · Score: 1

      look, given what you just said..

      you think it's that hard to find some already convicted felons to do a scam? I think not.
      if they were living in vegas regularly, then it would be stupid to use them in vegas of course, but you could drive to vegas and drive out of vegas.

      --
      world was created 5 seconds before this post as it is.
    18. Re:Did I miss something here? by tlhIngan · · Score: 1

      They bought some cheap pre-paid cards (probably with cash), re-encoded the mag stripes with valid stolen debit card numbers, and used those to buy more higher-value prepaid cards (via a signature-based transaction so no PIN needed), which they then used to buy expensive stuff. I'm just curious why you would be able to buy a pre-paid card with another pre-paid card in the first place.

      Depends on the pre-paid card. After all, if you buy a store gift card (prepaid card), you can often buy anything sold in that store with that card. So if you went into Safeway, bought a $10 gift card from them, re-encoded the stripe to be a debit card, you can then use that Safeway card to purchase a more expensive item. Safeway and other stores often sell a bunch of other prepaid cards, for stuff like cellphones, iTunes, Xbox/PSN/Wii, other online services, etc.

      The thing is - store prepaid cards cost the store some money (the money they earn in interest basically keeps the system afloat - making the cards, administration, permanent liability (many places outlaw expiring gift cards)). However, a gift card to something like iTunes makes profit. Given the amount of 20% off iTunes card deals that happen regularly (e.g., $20 for $25 iTunes card), I'd really believe the store was getting them for a 25% discount (and Apple's 5% of the remainder (remember Apple takes 30%?) pays for the card and iTunes maintenance). I would think other cards have similar deals.

      And most likely they bought those Visa prepaid cards they sell in stores - given it costs like $8 to buy 'em plus whatever you put in, I'm guessing the store gets a chunk of that $8 and maybe a percent of the preload value.

    19. Re:Did I miss something here? by Darinbob · · Score: 1

      This makes sense. They have hundreds of soldiers around the gold at Fort Knox but only one little old cleaning lady guards the copper plumbing.

  2. Nothing to see here by T+Murphy · · Score: 0

    So long as they pre-paid for the fraud, I don't see the problem here. No need to discourage honest criminals. I just wonder if they prepaid in fines only, or if they managed to find a warden willing to let them prepay their time served too.

  3. no one by nimbius · · Score: 3, Interesting

    has been caught and global payments hasn't been charged with any crime, nor have their executives or management.
    meanwhile Jeremy Hammond is being held without bail for leaking stratfor credit card numbers, and faces up to 30 years in prison if convicted.

    global payments leak:
    1,500,000
    stratfor:
    60,000

    --
    Good people go to bed earlier.
    1. Re:no one by Anonymous Coward · · Score: 0

      up to 30 years in prison if convicted? Not good enough!

    2. Re:no one by Anonymous Coward · · Score: 0

      Well, duh. One of those is a criminal breaking into systems. The other was a company that was the victim of a crime. We also don't charge people who get their houses broken into with crimes yet we do for the person breaking into another person's house.

    3. Re:no one by Anonymous Coward · · Score: 0

      The differences:

      1) Nobody would argue those executives intentionally leaked the info. Keeping the info as secure as possible while paying as little for that security as possible is in their best interests. Regulators, stockholders, courts, etc. would be on them the minute they *hypothetically tried* to leak such info. And for what? Paltry sums compared to the executives' salary and bonuses. Sure, in the name of cost cutting they may have stripped their logistical operations to the point that it was no longer secure; They may have effectively pocketed money for their cost cutting, effectively stealing from the company by leaving its infrastructure poorer than they found it. But they didn't just hand over the data. In other words, these guys used a toy lock on their vault but they didn't technically leave the vault door open.

      2) They're executives; Unless you can prove massive and intentional harm their lawyers and connections will ensure they are above the law and especially beyond anyone who could make them take anything resembling true responsibility for their actions.

    4. Re:no one by Wattos · · Score: 1

      Well, duh. One of those is a criminal breaking into systems. The other was a company that was the victim of a crime. We also don't charge people who get their houses broken into with crimes yet we do for the person breaking into another person's house.

      Your analogy is broken. In this case, it is more like blaming the bank which was robbed. You blame them not for the fact that it was robbed, but that inadequate security measures (like this) were put in place to protect your money.

      Since online transactions seemed to be their business, they should have made sure that it is next to impossible to leak the data. Most likely a lot of corners were cut to maximize profits. I have no idea what was exploited to get the data, but I am quite sure that it can be found here

    5. Re:no one by dmomo · · Score: 1

      It fails because he is saying: no one was convicted on charge A, so person X should not be punished for B.

      So, his argument is like this one: "Since nobody was hanged for the "Jack the Ripper" murders, my drunken uncle should not have to undergo a breathalyzer".

    6. Re:no one by shoehornjob · · Score: 2

      Agreed. There simply isn't enough motivation for credit card executives to change their business practices. There needs to be an extra layer of security in place to mitigate damages from fraud. The executives that let this happen need to answer for it otherwise the system will never change. I could say the same about Wall Street bankers that lose billions of dollars in hedge funds. I'm not exactly crying for the clients mind you but this mess is getting out of control.

      --
      "We are just a war away from Amerikastan. When god vs god the undoing of man." Dave Mustaine
    7. Re:no one by Anonymous Coward · · Score: 0

      Willful malice is more indictable than gross incompetence.

  4. JP Morgan stole $2 billion by Anonymous Coward · · Score: 0

    Mere pennies!

    JP Morgan lost $2 billion, using derivatives. Mostly borrowed money against small leverage from the Federal Reserve. It turns out the head of JP Morgan is also on the board of the Federal Reserve Bank of NY. Hardly anyone bats an eyelid.

    So prepaid credit cards leak and a few people steal a few bucks? Dude, you should see what Wall Street is up to!

    1. Re:JP Morgan stole $2 billion by Anonymous Coward · · Score: 0

      JPM makes $2 billion in profit every quarter. That loss certainly hurts but it's hardly an issue.

  5. you don't understand logic or morality by circletimessquare · · Score: 1

    if i leave a $100 bill on my porch, i'm an idiot

    if you come and take it, you're evil

    my mistake was lax security

    your INTENT was to take that which was clearly not yours

    time and time again, i see analysis of crimes and world events on slashdot without even the vaguest comprehension of the concept of INTENT

    is this some sort of psychological problem with aspergers types or something?

    the inability to comprehend, understand, or otherwise incorporate the concept of intent when making judgments?

    intent

    http://en.wikipedia.org/wiki/Intent_(law)

    learn it, incorporate it into your opinions, or your opinion is useless

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    1. Re:you don't understand logic or morality by ozmanjusri · · Score: 1

      if i leave a $100 bill on my porch, i'm an idiot

      If it was your $100 bill, true.

      If it was my $100 bill (X 1,500,000), then you're as evil as the thieves.

      --
      "I've got more toys than Teruhisa Kitahara."
    2. Re:you don't understand logic or morality by jafiwam · · Score: 1

      What do you expect for a bunch of Asperger's spectrum disorder dingleberries that have trouble telling the difference between people with minds and feelings and a real-doll. This type of mistake, understanding intent is part of the definition of the thing!

    3. Re:you don't understand logic or morality by Anonymous Coward · · Score: 0

      Not if he paid you back (without having to go to court)

  6. Re:you don't understand negligence by Wattos · · Score: 1

    It seems that you do not understand the issue here. This is not about you leaving your money on your porch.

    This is about relying on someone else to keep your money safe. If they leave your money on the porch, then it is negligence (http://en.wikipedia.org/wiki/Negligence)

    those who go personally or bring property where they know that they or it may come into collision with the persons or property of others have by law a duty cast upon them to use reasonable care and skill to avoid such a collision.

    And that indeed is punishable by law.

    learn it, incorporate it into your opinions, or your opinion is useless

  7. Less than 1.5 million card numbers were stolen by hcs_$reboot · · Score: 1

    Mathematically, that could be just 2 or 3

    --
    Slashdot, fix the reply notifications... You won't get away with it...
    1. Re:Less than 1.5 million card numbers were stolen by rvw · · Score: 1

      Mathematically, that could be just 2 or 3

      Logically, it would mean more than 1.4 million.

  8. WHARRGARBL by circletimessquare · · Score: 1

    you really don't get intent do you?

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    1. Re:WHARRGARBL by ozmanjusri · · Score: 3, Insightful

      you really don't get intent do you?

      And you really don't get responsibility, so you're even.

      Why don't you kiss and make up?

      --
      "I've got more toys than Teruhisa Kitahara."
    2. Re:WHARRGARBL by Anonymous Coward · · Score: 0

      What is your intent on that collision of property?

    3. Re:WHARRGARBL by Anonymous Coward · · Score: 0

      No they are not

      You don't seem to get intent either

      Yes, Global Payments are responsible (and you can be sure they will be held responsible, don't you worry...)

  9. Whoa... by Altanar · · Score: 1

    Got a call from my bank a couple days ago saying that someone had cloned my debit card and was trying to brute force my PIN number. Of course, they locked out the card after a couple false positives, but at least I know now where they got my card info from.

    1. Re:Whoa... by Altanar · · Score: 1

      False positives? Gah! Not what I meant.

    2. Re:Whoa... by noc007 · · Score: 1

      Obviously Global Payments or PCI has been slacking. They should have notified the bank that the card number has been stolen or may have been stolen. The card issuing bank would then have issued you a new card.

  10. Chips? by houghi · · Score: 1

    First I was thinking how they could know the PIN code and then I realized that US cards do not have a chip set and no PIN code.

    In Europe many stores will not accept the card if the chip does not work. If they do, many will ask for a second part of ID and/or call in to verify if the card is stolen or not.

    --
    Don't fight for your country, if your country does not fight for you.
    1. Re:Chips? by Qzukk · · Score: 1

      Debit cards have a PIN, but most of them double as a "credit" card that doesn't use the PIN but still sucks the funds direct from your bank account.

      The really interesting thing here is using plastic to buy more plastic. I could have sworn that prepaid cards had to be bought with cash around these parts, but I don't go around buying prepaid cards so I don't know.

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.