Global Payments Breach Led To Prepaid Card Fraud
tsu doh nimh writes "Global Payments, the Atlanta-based credit card processor that disclosed a major breach of its systems last month, has said that less than 1.5 million card numbers were stolen, and that customer names and addresses weren't included in the purloined data. But security reporter Brian Krebs carries a piece today highlighting how thieves were still able to use the data to clone debit cards, which were then used in shopping sprees in and around the Las Vegas area recently."
Did I miss something here? (Score:2)
That seems somehow... Inefficient. Like breaking into Fort Knox so you can steal the copper plumbing.
Re:Did I miss something here? (Score:5, Informative)
They didn't have any pre-paid card numbers, they had actual debit cards. But, they only had limited data from them (Track 2 data) which isn't enough to clone the complete card. Instead, they bought en-masse cheap prepaid cards, which could then be re-encoded with the debit-card data (and then used to buy more expensive pre-paid cards, which were used for the actual purchases). Since Track 2 doesn't include personal information, such as addresses, names, or PINs, they couldn't just clone the card directly, hence the use of the prepaid cards.
I suspect they didn't buy off-the-shelf commercially available cards because that would look extremely suspicious, whereas pre-paid cards aren't suspicious (there is really no easy way to verify the number on the card is the same as on the stripe), and regular online purchases (customary for this kind of fraud) are impossible with no billing address/name/etc.
Re: (Score:2)
Re:Did I miss something here? (Score:5, Interesting)
even though it was stupid from the standpoint of someone who values their freedom.
The people making the purchases in Vegas and the people who "cloned" the cards were not likely the same people. Did TFA say *exactly* what was purchased using these cloned cards? For example, the people who actually used the cards, aka "the mules", were probably instructed to purchase portable high value items, including fine jewelry and watches, and then to mail those items on to fences in Russia, Eastern Europe, Asia or Africa. This also explains why Vegas was chosen because there are many high end shops selling very expensive jewelry, watches and other luxury goods in high volumes on credit so a large number of transactions is less likely to be noticed. Once the goods arrive overseas, they are resold and the profits, minus cuts for middle men, are transferred back to the technically sophisticated criminals who reside in countries where it's difficult or impossible for US law enforcement to reach them. Obviously this is less desirable than simply transferring funds electronically and directly, but the limited amount of data stolen in this case, as others have already pointed out, limited the options of these thieves.
Re: (Score:3)
According to Fuller, Higgins said the fraudsters were coming to the stores to buy low-denomination Safeway branded prepaid cards, and then encoding debit card accounts issued by USB onto the magnetic stripe on the backs of the prepaid cards. The thieves then used those cards to purchase additional prepaid cards with much higher values, which were then used to buy electronics and other high-priced goods from other retailers.
Yes, apparently you missed something.
Re: (Score:1)
I don't know. Getting a bunch of prepaid cards and then using them to get cash back at places doesn't sound like a half bad idea if you can pull it off fast enough to get some money.
Re: (Score:3)
I don't know. Getting a bunch of prepaid cards and then using them to get cash back at places doesn't sound like a half bad idea if you can pull it off fast enough to get some money.
Except for the fact that every store which sells these prepaid debit cards has video surveillance of all checkout stations and it even says on the card packaging that surveillance video will be provided to law enforcement in the event of fraud or use of the card to purchase illegal goods or services. If you're considering doing something like this, I would advise against it. If you're living in the US and you're caught, you will become the newest member of that permanent underclass which is forever cut off
Re: (Score:2)
If you use a terminal that you know has video, you waive your right not to be videoed in public. Which is a pretty tenuous right anyway. And you can hire an expert to evaluate the recording.
Or you can not clone cards and steal money from people and companies.
Re: (Score:3)
On the other hand, if you ever got caught committing a crime, for the rest of your life you seem to have to commit crimes to just get along, just as if zero tolerance and zero forgiveness were a recipe to increase crime rates.
Re: (Score:2)
There's now effectively zero forgiveness in American society for ex-criminals, reformed or not. One mistake and you're branded for life.
No wonder your prison system is so successful^Wprofitable. Criminals simply cannot afford to be rehabilitated.
Re: (Score:2)
especially in this country you can commit and be prosecuted for something you do every day:
http://www.amazon.com/Three-Felonies-Day-Target-Innocent/dp/1594032556 [amazon.com]
Couple this with the logic that "ignorance is not an excuse", and you have a perfect system right there.
Re: (Score:1)
Re: (Score:2)
look, given what you just said..
you think it's that hard to find some already convicted felons to do scam? I think not.
if they were living in vegas regularly, then it would be stupid to use them in vegas of course, but you could drive to vegas and drive out of vegas.
Re: (Score:2)
Wait... So someone hacks in and steals a million and a half valid prepaid card numbers [...]
It took a few re-readings, but to my best understanding, they stole valid debit card numbers, not prepaid ones. They only had the numbers and expiration date though, so full-on identity theft would be difficult, and this article is explaining how even having only the number was enough. They bought some cheap pre-paid cards (probably with cash), re-encoded the mag stripes with valid stolen debit card numbers, and used those to buy more higher-value prepaid cards (via a signature-based transaction so no PIN
Re: (Score:2)
Depends on the pre-paid card. After all, if you buy a store gift card (prepaid card), you can often buy anything sold in that
Re: (Score:2)
This makes sense. They have hundreds of soldiers around the gold at Fort Knox but only one little old cleaning lady guards the copper plumbing.
Nothing to see here (Score:1)
Comment removed (Score:4, Interesting)
Re: (Score:2)
Well, duh. One of those is a criminal breaking into systems. The other was a company that was the victim of a crime. We also don't charge people who get their houses broken into with crimes yet we do for the person breaking into another person's house.
Your analogy is broken. In this case, it is more like blaming the bank which was robbed. You blame them not for the fact that it was robbed, but that inadequate security measures (like this [goodmeme.net]) were put in place to protect your money.
Since online transactions seemed to be their business, they should have made sure that it is next to impossible to leak the data. Most likely a lot of corners were cut to maximize profits. I have no idea what was exploited to get the data, but I am quite sure that it can be found
you don't understand logic or morality (Score:2)
if i leave a $100 bill on my porch, i'm an idiot
if you come and take it, you're evil
my mistake was lax security
your INTENT was to take that which was clearly not yours
time and time again, i see analysis of crimes and world events on slashdot without even the vaguest comprehension of the concept of INTENT
is this some sort of psychological problem with aspergers types or something?
the inability to comprehend, understand, or otherwise incorporate the concept of intent when making judgments?
intent
http://en.wikiped [wikipedia.org]
Re:you don't understand negligence (Score:2)
It seems that you do not understand the issue here. This is not about you leaving your money on your porch.
This is about relying on someone else to keep your money safe. If they leave your money on the porch, then it is negligence (http://en.wikipedia.org/wiki/Negligence)
those who go personally or bring property where they know that they or it may come into collision with the persons or property of others have by law a duty cast upon them to use reasonable care and skill to avoid such a collision.
And that indeed is punishable by law.
learn it, incorporate it into your opinions, or your opinion is useless
WHARRGARBL (Score:2)
you really don't get intent do you?
Re:WHARRGARBL (Score:4, Insightful)
you really don't get intent do you?
And you really don't get responsibility, so you're even.
Why don't you kiss and make up?
Re: (Score:2)
if i leave a $100 bill on my porch, i'm an idiot
If it was your $100 bill, true.
If it was my $100 bill (X 1,500,000), then you're as evil as the thieves.
Re: (Score:2)
Re: (Score:2)
It fails because he is saying: no one was convicted on charge A, so person X should not be punished for B.
So, his argument is like this one: "Since nobody was hanged for the "Jack the Ripper" murders, my drunken uncle should not have to undergo a breathalyzer".
Re: (Score:3)
Less than 1.5 million card numbers were stolen (Score:2)
Re: (Score:2)
Mathematically, that could be just 2 or 3
Logically, it would mean more than 1.4 million.
Whoa... (Score:2)
Re: (Score:2)
Re: (Score:2)
Obviously Global Payments or PCI has been slacking. They should have notified the bank that the card number has been stolen or may have been stolen. The card issuing bank would then have issued you a new card.
Re: (Score:2)
Re: (Score:2)
Debit cards have a PIN, but most of them double as a "credit" card that doesn't use the PIN but still sucks the funds direct from your bank account.
The really interesting thing here is using plastic to buy more plastic. I could have sworn that prepaid cards had to be bought with cash around these parts, but I don't go around buying prepaid cards so I don't know.