Global Payments Breach Led To Prepaid Card Fraud

tsu doh nimh writes "Global Payments, the Atlanta-based credit card processor that disclosed a major breach of its systems last month, has said that less than 1.5 million card numbers were stolen, and that customer names and addresses weren't included in the purloined data. But security reporter Brian Krebs carries a piece today highlighting how thieves were still able to use the data to clone debit cards, which were then used in shopping sprees in and around the Las Vegas area recently."

no one

[nimbius]

has been caught and global payments hasnt been charged with any crime, nor have their executives or management.
meanwhile Jeremy Hammond is being held without bail for leaking stratfor credit card numbers, and faces up to 30 years in prison if convicted.

global payments leak:
1,500,000
stratfor:
60,000

Re:no one

[shoehornjob]

Agreed. There simply isn't enough motivation for credit card executives to change their business practices. There needs to be an extra layer of security in place to mitigate damages from fraud. The executives that let this happen need to answer for it otherwise the system will never change. I could say the same about Wall Street bankers that lose billions of dollars in hedge funds. I'm not exactly crying for the clients mind you but this mess is getting out of control.

Re:Did I miss something here?

[Baloroth]

They didn't have any pre-paid card numbers, they had actual debit cards. But, they only had limited data from them (Track 2 data) which isn't enough to clone the complete card. Instead, they bought en-masse cheap prepaid cards, which could then be re-encoded with the debit-card data (and then used to buy more expensive pre-paid cards, which were used for the actual purchases). Since Track 2 doesn't include personal information, such as addresses, names, or PINs, they couldn't just clone the card directly, hence the use of the prepaid cards.

I suspect they didn't buy off-the-shelf commercially available cards because that would look extremely suspicious, whereas pre-paid cards aren't suspicious (there is really no easy way to verify the number on the card is the same as on the stripe), and regular online purchases (customary for this kind of fraud) are impossible with no billing address/name/etc.

Re:Did I miss something here?

[Fnord666]

According to Fuller, Higgins said the fraudsters were coming to the stores to buy low-denomination Safeway branded prepaid cards, and then encoding debit card accounts issued by USB onto the magnetic stripe on the backs of the prepaid cards. The thieves then used those cards to purchase additional prepaid cards with much higher values, which were then used to buy electronics and other high-priced goods from other retailers.

Yes, apparently you missed something.

Re:Did I miss something here?

[CodeBuster]

even though it was stupid from the standpoint of someone who values their freedom.

The people making the purchases in Vegas and the people who "cloned" the cars were not likely the same people. Did TFA say *exactly* what was purchased using these cloned cards? For example, the people who actually used the cards, aka "the mules", were probably instructed to purchase portable high value items, including fine jewelry and watches, and then to mail those items on to fences in Russia, Eastern Europe, Asia or Africa. This also explains why Vegas was chosen because there are many high end shops selling very expensive jewelery, watches and other luxury goods in high volumes on credit so a large number of transactions is less likely to be noticed. Once the goods arrive overseas, they are resold and the profits, minus cuts for middle men, are transferred back to the technically sophisticated criminals who reside in countries where it's difficult or impossible for US law enforcement to reach them. Obviously this is less desirable then simply transferring funds electronically and directly, but the limited amount of data stolen in this case, as others have already pointed out, limited the options of these thieves.

Re:Did I miss something here?

[CodeBuster]

I don't know. Getting a bunch of prepaid cards and then using them to get cash back at places doesn't sound like a half bad idea if you can pull it off fast enough to get some money.

Except for the fact that every store which sells these prepaid debit cards has video surveillance of all checkout stations and it even says on the card packaging that surveillance video will be provided to law enforcement in the event of fraud or use of the card to purchase illegal goods or services. If you're considering doing something like this, I would advise against it. If you're living in the US and you're caught, you will become the newest member of that permanent underclass which is forever cut off from any meaningful employment or worthwhile future opportunities by virtue of being a convicted felon. There's now effectively zero forgiveness in American society for ex-criminals, reformed or not. One mistake and you're branded for life. Consider all of this carefully before deciding whether or not to commit a crime, especially a blue collar one like low-rent debit card fraud. No matter how desperate you are, it's almost certainly NOT worth it.

Re:WHARRGARBL

[ozmanjusri]

you really don't get intent do you?

And you really don't get responsibility, so you're even.

Why don't you kiss and make up?

Re:Did I miss something here?

[Sique]

On the other hand, if you ever got caught commiting a crime, for the rest of your life you seem to have to commit crimes to just get along, just as if zero tolerance and zero forgiveness were a recipe to increase crime rates.