Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Global Payments Breach Led To Prepaid Card Fraud

Unknown Lamer posted more than 2 years ago | from the don't-copy-that-magstripe dept.

Security 50

tsu doh nimh writes "Global Payments, the Atlanta-based credit card processor that disclosed a major breach of its systems last month, has said that less than 1.5 million card numbers were stolen, and that customer names and addresses weren't included in the purloined data. But security reporter Brian Krebs carries a piece today highlighting how thieves were still able to use the data to clone debit cards, which were then used in shopping sprees in and around the Las Vegas area recently."

cancel ×

50 comments

Sorry! There are no comments related to the filter you selected.

Did I miss something here? (1)

pla (258480) | more than 2 years ago | (#40001827)

Wait... So someone hacks in and steals a million and a half valid prepaid card numbers - And they bother with resorting to identity theft based on the payment info used to purchase those cards?

That seems somehow... Inefficient. Like breaking into Fort Knox so you can steal the copper plumbing.

Re:Did I miss something here? (4, Informative)

Baloroth (2370816) | more than 2 years ago | (#40001961)

They didn't have any pre-paid card numbers, they had actual debit cards. But, they only had limited data from them (Track 2 data) which isn't enough to clone the complete card. Instead, they bought en-masse cheap prepaid cards, which could then be re-encoded with the debit-card data (and then used to buy more expensive pre-paid cards, which were used for the actual purchases). Since Track 2 doesn't include personal information, such as addresses, names, or PINs, they couldn't just clone the card directly, hence the use of the prepaid cards.

I suspect they didn't buy off-the-shelf commercially available cards because that would look extremely suspicious, whereas pre-paid cards aren't suspicious (there is really no easy way to verify the number on the card is the same as on the stripe), and regular online purchases (customary for this kind of fraud) are impossible with no billing address/name/etc.

Re:Did I miss something here? (1)

Zero__Kelvin (151819) | more than 2 years ago | (#40001967)

Yes. You missed something. They bought the cheap cards solely for the magnetic strip and appearance of validity (a forged or blank card would draw attention, but one with the official logo and holographic stamp obviously wouldn't.) They then modified the mag strip data so that it had completely different information on them. They paid a small amount, and then modified the cards so that they had the account information of cardholders with significantly more value on their cards (i.e. cloned them.) It was actually pretty clever from a technological standpoint, even though it was stupid from the standpoint of someone who values their freedom.

Re:Did I miss something here? (4, Interesting)

CodeBuster (516420) | more than 2 years ago | (#40002269)

even though it was stupid from the standpoint of someone who values their freedom.

The people making the purchases in Vegas and the people who "cloned" the cars were not likely the same people. Did TFA say *exactly* what was purchased using these cloned cards? For example, the people who actually used the cards, aka "the mules", were probably instructed to purchase portable high value items, including fine jewelry and watches, and then to mail those items on to fences in Russia, Eastern Europe, Asia or Africa. This also explains why Vegas was chosen because there are many high end shops selling very expensive jewelery, watches and other luxury goods in high volumes on credit so a large number of transactions is less likely to be noticed. Once the goods arrive overseas, they are resold and the profits, minus cuts for middle men, are transferred back to the technically sophisticated criminals who reside in countries where it's difficult or impossible for US law enforcement to reach them. Obviously this is less desirable then simply transferring funds electronically and directly, but the limited amount of data stolen in this case, as others have already pointed out, limited the options of these thieves.

Re:Did I miss something here? (2)

Fnord666 (889225) | more than 2 years ago | (#40001969)

According to Fuller, Higgins said the fraudsters were coming to the stores to buy low-denomination Safeway branded prepaid cards, and then encoding debit card accounts issued by USB onto the magnetic stripe on the backs of the prepaid cards. The thieves then used those cards to purchase additional prepaid cards with much higher values, which were then used to buy electronics and other high-priced goods from other retailers.

Yes, apparently you missed something.

Re:Did I miss something here? (1)

simcop2387 (703011) | more than 2 years ago | (#40001977)

I don't know. Getting a bunch of prepaid cards and then using them to get cash back at places doesn't sound like a half bad idea if you can pull it off fast enough to get some money.

Re:Did I miss something here? (2)

CodeBuster (516420) | more than 2 years ago | (#40002339)

I don't know. Getting a bunch of prepaid cards and then using them to get cash back at places doesn't sound like a half bad idea if you can pull it off fast enough to get some money.

Except for the fact that every store which sells these prepaid debit cards has video surveillance of all checkout stations and it even says on the card packaging that surveillance video will be provided to law enforcement in the event of fraud or use of the card to purchase illegal goods or services. If you're considering doing something like this, I would advise against it. If you're living in the US and you're caught, you will become the newest member of that permanent underclass which is forever cut off from any meaningful employment or worthwhile future opportunities by virtue of being a convicted felon. There's now effectively zero forgiveness in American society for ex-criminals, reformed or not. One mistake and you're branded for life. Consider all of this carefully before deciding whether or not to commit a crime, especially a blue collar one like low-rent debit card fraud. No matter how desperate you are, it's almost certainly NOT worth it.

Re:Did I miss something here? (0)

Anonymous Coward | more than 2 years ago | (#40002991)

Except for the fact that every store which sells these prepaid debit cards has video surveillance of all checkout stations and it even says on the card packaging that surveillance video will be provided to law enforcement in the event of fraud or use of the card to purchase illegal goods or services.

Video evidence violate's the 5th ammendment. Also maybe the 6th since camera's cannot be crossexamined by defense council.

(roman_mir, still lost my password)

Re:Did I miss something here? (1)

expatriot (903070) | more than 2 years ago | (#40003279)

If you use a terminal that you know has video, you waive your right not to be videoed in public. Which is a pretty tenuous right anyway. And you can hire an expert to evaluate the recording.
  Or you can not clone cards and steal money from people and companies.

Re:Did I miss something here? (2)

Sique (173459) | more than 2 years ago | (#40003001)

On the other hand, if you ever got caught commiting a crime, for the rest of your life you seem to have to commit crimes to just get along, just as if zero tolerance and zero forgiveness were a recipe to increase crime rates.

Re:Did I miss something here? (1)

L4t3r4lu5 (1216702) | more than 2 years ago | (#40003487)

There's now effectively zero forgiveness in American society for ex-criminals, reformed or not. One mistake and you're branded for life.

No wonder your prison system is so successful^Wprofitable. Criminals simply cannot afford be rehabilitated.

Re:Did I miss something here? (1)

ub3r n3u7r4l1st (1388939) | more than 2 years ago | (#40003581)

especially in this country you can commit and prosecuted for something you do every day:

http://www.amazon.com/Three-Felonies-Day-Target-Innocent/dp/1594032556 [amazon.com]

Couple this with the logic that "ignorance is not an excuse", and you have a perfect system right there.

Re:Did I miss something here? (0)

Anonymous Coward | more than 2 years ago | (#40003573)

"One mistake and you're branded for life"

Thanks to the Republicans who called themselves "Christians".

Tax credits need to be given for courageous employer who hire felons.

Give them the same right and benefits as war vets, as they are technically "prisoner of war" against rich Jewish bankers and their minions.

Re:Did I miss something here? (1)

trum4n (982031) | more than 2 years ago | (#40004203)

You're point would have been valid if you wern't Mel Gibson.

Re:Did I miss something here? (1)

gl4ss (559668) | more than 2 years ago | (#40006177)

look, given what you just said..

you think it's that hard to find some already convicted felons to do scam? I think not.
if they were living in vegas regularly, then it would be stupid to use them in vegas of course, but you could drive to vegas and drive out of vegas.

Re:Did I miss something here? (1)

DanTheManMS (1039636) | more than 2 years ago | (#40002005)

Wait... So someone hacks in and steals a million and a half valid prepaid card numbers [...]

It took a few re-readings, but to my best understanding, they stole valid debit card numbers, not prepaid ones. They only had the numbers and expiration date though, so full-on identity theft would be difficult, and this article is explaining how even having only the number was enough. They bought some cheap pre-paid cards (probably with cash), re-encoded the mag stripes with valid stolen debit card numbers, and used those to buy more higher-value prepaid cards (via a signature-based transaction so no PIN needed), which they then used to buy expensive stuff. I'm just curious why you would be able to buy a pre-paid card with another pre-paid card in the first place.

I had forgotten about the original story on this incident, but that would explain why I got a new credit card in the mail a week or two ago...

Re:Did I miss something here? (1)

Dainsanefh (2009638) | more than 2 years ago | (#40002109)

They won't let you buy another prepaid debit card with credit cards or debit cards, but you can buy GIFT CARDS from debit cards. Retailers gift cards like Best Buy , iTunes have HIGH resell value.

Re:Did I miss something here? (0)

Anonymous Coward | more than 2 years ago | (#40002225)

Yes they will. I just did it this week.

Re:Did I miss something here? (1)

tlhIngan (30335) | more than 2 years ago | (#40006401)

They bought some cheap pre-paid cards (probably with cash), re-encoded the mag stripes with valid stolen debit card numbers, and used those to buy more higher-value prepaid cards (via a signature-based transaction so no PIN needed), which they then used to buy expensive stuff. I'm just curious why you would be able to buy a pre-paid card with another pre-paid card in the first place.

Depends on the pre-paid card. After all, if you buy a store gift card (prepaid card), you can often buy anything sold in that store with that card. So if you went into Safeway, bought a $10 gift card from them, re-encoded the stripe to be a debit card, you can then use that Safeway card to purchase a more expensive item. Safeway and other stores often sell a bunch of other prepaid cards, for stuff like cellphones, iTunes, Xbox/PSN/Wii, other online services, etc.

The thing is - store prepaid cards cost the store some money (the money they earn in interest basically keeps the system afloat - making the cards, administration, permanent liability (many places outlaw expiring gift cards)). However, a gift card to something like iTunes makes profit. Given the amount of 20% off iTunes card deals that happen regularly (e.g., $20 for $25 iTunes card), I'd really believe the store was getting them for a 25% discount (and Apple's 5% of the remainder (remember Apple takes 30%?) pays for the card and iTunes maintenance). I would think other cards have similar deals.

And most likely they bought those Visa prepaid cards they sell in stores - given it costs like $8 to buy 'em plus whatever you put in, I'm guessing the store gets a chunk of that $8 and maybe a percent of the preload value.

Re:Did I miss something here? (1)

Darinbob (1142669) | more than 2 years ago | (#40008147)

This makes sense. They have hundreds of soldiers around the gold at Fort Knox but only one little old cleaning lady guards the copper plumbing.

Nothing to see here (0)

T Murphy (1054674) | more than 2 years ago | (#40001897)

So long as they pre-paid for the fraud, I don't see the problem here. No need to discourage honest criminals. I just wonder if they prepaid in fines only, or if they managed to find a warden willing to let them prepay their time served too.

no one (3, Interesting)

nimbius (983462) | more than 2 years ago | (#40001953)

has been caught and global payments hasnt been charged with any crime, nor have their executives or management.
meanwhile Jeremy Hammond is being held without bail for leaking stratfor credit card numbers, and faces up to 30 years in prison if convicted.

global payments leak:
1,500,000
stratfor:
60,000

Re:no one (0)

Anonymous Coward | more than 2 years ago | (#40002029)

up to 30 years in prison if convicted? Not good enough!

Re:no one (0)

Anonymous Coward | more than 2 years ago | (#40002149)

Well, duh. One of those is a criminal breaking into systems. The other was a company that was the victim of a crime. We also don't charge people who get their houses broken into with crimes yet we do for the person breaking into another person's house.

Re:no one (1)

Wattos (2268108) | more than 2 years ago | (#40002255)

Well, duh. One of those is a criminal breaking into systems. The other was a company that was the victim of a crime. We also don't charge people who get their houses broken into with crimes yet we do for the person breaking into another person's house.

Your analogy is broken. In this case, it is more like blaming the bank which was robbed. You blame them not for the fact that is was robbed, but that inadequate security measures (like this [goodmeme.net] ) were put in place to protect your money.

Since online transactions seemed to be their business, they should have made sure that it is next to impossible to leak the data. Most lilkely a lot of corners were cut to maximize profits. I have no idea what was exploited to get the data, but I am quite sure that it can be found here [mitre.org]

you don't understand logic or morality (1)

circletimessquare (444983) | more than 2 years ago | (#40002291)

if i leave a $100 bill on my porch, i'm an idiot

if you come and take it, you're evil

my mistake was lax security

your INTENT was to take that which was clearly not yours

time and time again, i see analysis of crimes and world events on slashdot without even the vaguest comprehension of the concept of INTENT

is this some sort psychological problem with aspergers types or something?

the inability to comprehend, understand, or otherwise incorporate the concept of intent when making judgments?

intent

http://en.wikipedia.org/wiki/Intent_(law) [wikipedia.org]

learn it, incorporate it into your opinions, or your opinion is useless

Re:you don't understand negligence (1)

Wattos (2268108) | more than 2 years ago | (#40002343)

It seems that you do not understand the issue here. This is not about you leaving your money on your porch.

This is about relying on someone else to keep your money safe. If they leave your money on the porch, then it is negligence (http://en.wikipedia.org/wiki/Negligence)

those who go personally or bring property where they know that they or it may come into collision with the persons or property of others have by law a duty cast upon them to use reasonable care and skill to avoid such a collision.

And that indeed is punishable by law.

learn it, incorporate it into your opinions, or your opinion is useless

WHARRGARBL (1)

circletimessquare (444983) | more than 2 years ago | (#40002501)

you really don't get intent do you?

Re:WHARRGARBL (3, Insightful)

ozmanjusri (601766) | more than 2 years ago | (#40002553)

you really don't get intent do you?

And you really don't get responsibility, so you're even.

Why don't you kiss and make up?

Re:WHARRGARBL (0)

Anonymous Coward | more than 2 years ago | (#40006983)

What is your intent on that collision of property?

Re:WHARRGARBL (0)

Anonymous Coward | more than 2 years ago | (#40011227)

No they are not

You don't seem to get intent either

Yes, global payment are responsible (and you can be sure they will be held responsible, don't you worry...)

Re:you don't understand logic or morality (1)

ozmanjusri (601766) | more than 2 years ago | (#40002549)

if i leave a $100 bill on my porch, i'm an idiot

If it was your $100 bill, true.

If it was my $100 bill (X 1,500,000), then you're as evil as the thieves.

Re:you don't understand logic or morality (0)

Anonymous Coward | more than 2 years ago | (#40053799)

Not if he paid you back (without having to go to court)

Re:you don't understand logic or morality (1)

jafiwam (310805) | more than 2 years ago | (#40003947)

What do you expect for a bunch of Asperger's spectrum disorder dingleberries that have trouble telling the difference between people with minds and feelings and a real-doll. This type of mistake, understanding intent is part of the definition of the thing!

Re:no one (1)

dmomo (256005) | more than 2 years ago | (#40002559)

It fails because he is saying: no one was was convicted on charge A, so person X should not be punished for B.

So, his argument is like this one: "Since nobody was hanged for the "Jack the Ripper" murders, my drunken uncle should not have to undergo a breathalyzer".

JP Morgan stole $2 billion (0)

Anonymous Coward | more than 2 years ago | (#40002177)

Mere pennies!

JP Morgan lost $2 billion, using derivatives. Mostly borrow money against small leverage from the Federal Reserve. It turns out the head of JP Morgan is also on the board of the Federal Reserve Bank of NY. Hardly anyone bats an eyelid.

So prepaid credit cards leak and a few people steal a few bucks? Dude, you should see what Wallstreet is up to!

Re:JP Morgan stole $2 billion (0)

Anonymous Coward | more than 2 years ago | (#40003649)

JPM makes $2 billion in profit every quarter. That loss certainly hurts but it's hardly an issue.

Re:no one (0)

Anonymous Coward | more than 2 years ago | (#40002199)

The differences:

1) Nobody would argue those executives intentionally leaked the info. Keeping the info as secure as possible while paying as little for that security as possible is in their best interests. Regulators, stockholders, courts, etc. would be on them the minute they *hypothetically tried* to leak such info. And for what? Paltry sums compared to the executives' salary and bonuses. Sure, in the name of cost cutting they may have stripped their logistical operations to the point that it was no longer secure; They may have effectively pocketted money for their cost cutting, effectively stealing from the company by leaving its infrastructure poorer than they found it. But they didn't just hand over the data. In other words, these guys used a toy lock on their vault but they didn't technically leave the vault door open.

2) They're executives; Unless you can prove massive and intentional harm their lawyers and connections will ensure they are above the law and especially beyond anyone who could make them take anything resembling true responsibility for their actions.

Re:no one (2)

shoehornjob (1632387) | more than 2 years ago | (#40003615)

Agreed. There simply isn't enough motivation for credit card executives to change their business practices. There needs to be an extra layer of security in place to mitigate damages from fraud. The executives that let this happen need to answer for it otherwise the system will never change. I could say the same about Wall Street bankers that lose billions of dollars in hedge funds. I'm not exactly crying for the clients mind you but this mess is getting out of control.

Re:no one (0)

Anonymous Coward | more than 2 years ago | (#40006951)

Willful malice is more indictable than gross incompetence.

Less than 1.5 million card numbers were stolen (1)

hcs_$reboot (1536101) | more than 2 years ago | (#40002375)

Mathematically, that could be just 2 or 3

Re:Less than 1.5 million card numbers were stolen (1)

rvw (755107) | more than 2 years ago | (#40002929)

Mathematically, that could be just 2 or 3

Logically, it would mean more than 1.4 million.

Whoa... (1)

Altanar (56809) | more than 2 years ago | (#40003079)

Got a call from my bank a couple days ago saying that someone had cloned my debit card and was trying to brute force my pin number. Of course, they locked out the card after a couple false positives, but at least I know now where they got my card info from.

Re:Whoa... (1)

Altanar (56809) | more than 2 years ago | (#40003085)

False positives? Gah! Not what I meant.

Re:Whoa... (1)

noc007 (633443) | more than 2 years ago | (#40004315)

Obviously Global Payments or PCI has been slacking. They should have notified the bank that the card number has been stolen or may have been stolen. The card issuing bank would then have issued you a new card.

work at home (0)

Anonymous Coward | more than 2 years ago | (#40005043)

what Antonio answered I am impressed that you can earn $6779 in one month on the internet. did you read this webpage http://nutshellurl.com/54oz

Chips? (1)

houghi (78078) | more than 2 years ago | (#40007579)

First I was thinking how they could know the PIN code and then I realized that US cards do not have a chip set and no pin code.

In Europe many stores will not accept the card if the chip does not work. If they do, many will ask for a second part of ID and/or call in to verify if the card is stolen or not.

Re:Chips? (1)

Qzukk (229616) | more than 2 years ago | (#40011437)

Debit cards have a PIN, but most of them double as a "credit" card that doesn't use the PIN but still sucks the funds direct from your bank account.

The really interesting thing here is using plastic to buy more plastic. I could have sworn that prepaid cards had to be bought with cash around these parts, but I don't go around buying prepaid cards so I don't know.

Check for New Comments
Slashdot Login

Need an Account?

Forgot your password?