Forgot your password?
typodupeerror
Security IT

Global Payments Breach Led To Prepaid Card Fraud 50

Posted by Unknown Lamer
from the don't-copy-that-magstripe dept.
tsu doh nimh writes "Global Payments, the Atlanta-based credit card processor that disclosed a major breach of its systems last month, has said that less than 1.5 million card numbers were stolen, and that customer names and addresses weren't included in the purloined data. But security reporter Brian Krebs carries a piece today highlighting how thieves were still able to use the data to clone debit cards, which were then used in shopping sprees in and around the Las Vegas area recently."
This discussion has been archived. No new comments can be posted.

Global Payments Breach Led To Prepaid Card Fraud

Comments Filter:
  • Wait... So someone hacks in and steals a million and a half valid prepaid card numbers - And they bother with resorting to identity theft based on the payment info used to purchase those cards?

    That seems somehow... Inefficient. Like breaking into Fort Knox so you can steal the copper plumbing.
    • by Baloroth (2370816) on Monday May 14, 2012 @10:51PM (#40001961)

      They didn't have any pre-paid card numbers, they had actual debit cards. But, they only had limited data from them (Track 2 data) which isn't enough to clone the complete card. Instead, they bought en-masse cheap prepaid cards, which could then be re-encoded with the debit-card data (and then used to buy more expensive pre-paid cards, which were used for the actual purchases). Since Track 2 doesn't include personal information, such as addresses, names, or PINs, they couldn't just clone the card directly, hence the use of the prepaid cards.

      I suspect they didn't buy off-the-shelf commercially available cards because that would look extremely suspicious, whereas pre-paid cards aren't suspicious (there is really no easy way to verify the number on the card is the same as on the stripe), and regular online purchases (customary for this kind of fraud) are impossible with no billing address/name/etc.

    • Yes. You missed something. They bought the cheap cards solely for the magnetic strip and appearance of validity (a forged or blank card would draw attention, but one with the official logo and holographic stamp obviously wouldn't.) They then modified the mag strip data so that it had completely different information on them. They paid a small amount, and then modified the cards so that they had the account information of cardholders with significantly more value on their cards (i.e. cloned them.) It was
      • by CodeBuster (516420) on Tuesday May 15, 2012 @12:05AM (#40002269)

        even though it was stupid from the standpoint of someone who values their freedom.

        The people making the purchases in Vegas and the people who "cloned" the cars were not likely the same people. Did TFA say *exactly* what was purchased using these cloned cards? For example, the people who actually used the cards, aka "the mules", were probably instructed to purchase portable high value items, including fine jewelry and watches, and then to mail those items on to fences in Russia, Eastern Europe, Asia or Africa. This also explains why Vegas was chosen because there are many high end shops selling very expensive jewelery, watches and other luxury goods in high volumes on credit so a large number of transactions is less likely to be noticed. Once the goods arrive overseas, they are resold and the profits, minus cuts for middle men, are transferred back to the technically sophisticated criminals who reside in countries where it's difficult or impossible for US law enforcement to reach them. Obviously this is less desirable then simply transferring funds electronically and directly, but the limited amount of data stolen in this case, as others have already pointed out, limited the options of these thieves.

    • by Fnord666 (889225)

      According to Fuller, Higgins said the fraudsters were coming to the stores to buy low-denomination Safeway branded prepaid cards, and then encoding debit card accounts issued by USB onto the magnetic stripe on the backs of the prepaid cards. The thieves then used those cards to purchase additional prepaid cards with much higher values, which were then used to buy electronics and other high-priced goods from other retailers.

      Yes, apparently you missed something.

    • I don't know. Getting a bunch of prepaid cards and then using them to get cash back at places doesn't sound like a half bad idea if you can pull it off fast enough to get some money.

      • I don't know. Getting a bunch of prepaid cards and then using them to get cash back at places doesn't sound like a half bad idea if you can pull it off fast enough to get some money.

        Except for the fact that every store which sells these prepaid debit cards has video surveillance of all checkout stations and it even says on the card packaging that surveillance video will be provided to law enforcement in the event of fraud or use of the card to purchase illegal goods or services. If you're considering doing something like this, I would advise against it. If you're living in the US and you're caught, you will become the newest member of that permanent underclass which is forever cut off

        • by Sique (173459)

          On the other hand, if you ever got caught commiting a crime, for the rest of your life you seem to have to commit crimes to just get along, just as if zero tolerance and zero forgiveness were a recipe to increase crime rates.

        • There's now effectively zero forgiveness in American society for ex-criminals, reformed or not. One mistake and you're branded for life.

          No wonder your prison system is so successful^Wprofitable. Criminals simply cannot afford be rehabilitated.

        • by gl4ss (559668)

          look, given what you just said..

          you think it's that hard to find some already convicted felons to do scam? I think not.
          if they were living in vegas regularly, then it would be stupid to use them in vegas of course, but you could drive to vegas and drive out of vegas.

    • Wait... So someone hacks in and steals a million and a half valid prepaid card numbers [...]

      It took a few re-readings, but to my best understanding, they stole valid debit card numbers, not prepaid ones. They only had the numbers and expiration date though, so full-on identity theft would be difficult, and this article is explaining how even having only the number was enough. They bought some cheap pre-paid cards (probably with cash), re-encoded the mag stripes with valid stolen debit card numbers, and used those to buy more higher-value prepaid cards (via a signature-based transaction so no PIN

      • by tlhIngan (30335)

        They bought some cheap pre-paid cards (probably with cash), re-encoded the mag stripes with valid stolen debit card numbers, and used those to buy more higher-value prepaid cards (via a signature-based transaction so no PIN needed), which they then used to buy expensive stuff. I'm just curious why you would be able to buy a pre-paid card with another pre-paid card in the first place.

        Depends on the pre-paid card. After all, if you buy a store gift card (prepaid card), you can often buy anything sold in that

    • by Darinbob (1142669)

      This makes sense. They have hundreds of soldiers around the gold at Fort Knox but only one little old cleaning lady guards the copper plumbing.

  • So long as they pre-paid for the fraud, I don't see the problem here. No need to discourage honest criminals. I just wonder if they prepaid in fines only, or if they managed to find a warden willing to let them prepay their time served too.
  • no one (Score:4, Interesting)

    by nimbius (983462) on Monday May 14, 2012 @10:50PM (#40001953) Homepage
    has been caught and global payments hasnt been charged with any crime, nor have their executives or management.
    meanwhile Jeremy Hammond is being held without bail for leaking stratfor credit card numbers, and faces up to 30 years in prison if convicted.

    global payments leak:
    1,500,000
    stratfor:
    60,000
    • Agreed. There simply isn't enough motivation for credit card executives to change their business practices. There needs to be an extra layer of security in place to mitigate damages from fraud. The executives that let this happen need to answer for it otherwise the system will never change. I could say the same about Wall Street bankers that lose billions of dollars in hedge funds. I'm not exactly crying for the clients mind you but this mess is getting out of control.
  • Mathematically, that could be just 2 or 3
    • by rvw (755107)

      Mathematically, that could be just 2 or 3

      Logically, it would mean more than 1.4 million.

  • Got a call from my bank a couple days ago saying that someone had cloned my debit card and was trying to brute force my pin number. Of course, they locked out the card after a couple false positives, but at least I know now where they got my card info from.
    • by Altanar (56809)
      False positives? Gah! Not what I meant.
    • by noc007 (633443)

      Obviously Global Payments or PCI has been slacking. They should have notified the bank that the card number has been stolen or may have been stolen. The card issuing bank would then have issued you a new card.

  • by houghi (78078)

    First I was thinking how they could know the PIN code and then I realized that US cards do not have a chip set and no pin code.

    In Europe many stores will not accept the card if the chip does not work. If they do, many will ask for a second part of ID and/or call in to verify if the card is stolen or not.

    • by Qzukk (229616)

      Debit cards have a PIN, but most of them double as a "credit" card that doesn't use the PIN but still sucks the funds direct from your bank account.

      The really interesting thing here is using plastic to buy more plastic. I could have sworn that prepaid cards had to be bought with cash around these parts, but I don't go around buying prepaid cards so I don't know.

A consultant is a person who borrows your watch, tells you what time it is, pockets the watch, and sends you a bill for it.

Working...