Global Payments Breach Led To Prepaid Card Fraud

tsu doh nimh writes "Global Payments, the Atlanta-based credit card processor that disclosed a major breach of its systems last month, has said that less than 1.5 million card numbers were stolen, and that customer names and addresses weren't included in the purloined data. But security reporter Brian Krebs carries a piece today highlighting how thieves were still able to use the data to clone debit cards, which were then used in shopping sprees in and around the Las Vegas area recently."

Re:Did I miss something here?

[Baloroth]

They didn't have any pre-paid card numbers, they had actual debit cards. But, they only had limited data from them (Track 2 data) which isn't enough to clone the complete card. Instead, they bought en-masse cheap prepaid cards, which could then be re-encoded with the debit-card data (and then used to buy more expensive pre-paid cards, which were used for the actual purchases). Since Track 2 doesn't include personal information, such as addresses, names, or PINs, they couldn't just clone the card directly, hence the use of the prepaid cards.

I suspect they didn't buy off-the-shelf commercially available cards because that would look extremely suspicious, whereas pre-paid cards aren't suspicious (there is really no easy way to verify the number on the card is the same as on the stripe), and regular online purchases (customary for this kind of fraud) are impossible with no billing address/name/etc.

Re:Did I miss something here?

[CodeBuster]

even though it was stupid from the standpoint of someone who values their freedom.

The people making the purchases in Vegas and the people who "cloned" the cars were not likely the same people. Did TFA say *exactly* what was purchased using these cloned cards? For example, the people who actually used the cards, aka "the mules", were probably instructed to purchase portable high value items, including fine jewelry and watches, and then to mail those items on to fences in Russia, Eastern Europe, Asia or Africa. This also explains why Vegas was chosen because there are many high end shops selling very expensive jewelery, watches and other luxury goods in high volumes on credit so a large number of transactions is less likely to be noticed. Once the goods arrive overseas, they are resold and the profits, minus cuts for middle men, are transferred back to the technically sophisticated criminals who reside in countries where it's difficult or impossible for US law enforcement to reach them. Obviously this is less desirable then simply transferring funds electronically and directly, but the limited amount of data stolen in this case, as others have already pointed out, limited the options of these thieves.