Fraudsters are increasingly turning to prepaid cards for the movement of money to perpetrate fraud, says payments fraud expert Tom Wills.
Today, human money-movers known as mules are being replaced with prepaid cards, he says. Plastic is less risky and less expensive, says Wills, director of Ontrack Advisory, a consulting firm focused on payments innovation.
"Money mules are a key link in this overall fraud chain," Wills explains in an interview with Information Security Media Group [transcript below]. "For the crime bosses, money mules are people, so they're messy and they're hard to manage. The banks have monitoring systems that detect patterns and anomalies. Once those detection systems kick in, then new mules have to be recruited."
Money mules have a short shelf life; prepaid cards do not, Wills says. "Prepaid cards are inanimate objects, so they're much more useful to criminals," he says.
Using compromised online banking accounts, fraudsters can quickly and easily buy a prepaid card under a stolen account, load it with cash and then launder funds through it, Wills says.
During this interview, Wills also discusses:
- What banks can do to mitigate prepaid fraud risks;
- How stronger authentication practices could reduce prepaid fraud; and
- Why security experts should be involved in prepaid card production.
For more than three decades, Wills has worked with companies such as Visa, VeriFone, Intuit, Wells Fargo and Bank of America, as well as startups, to enhance security and compliance. He is a frequent speaker and media commentator on the topics of mobile, identity and security.
Fighting Prepaid Fraud
TRACY KITTEN: How have prepaid card risks escalated in the last year?
TOM WILLS: There's always been a high level of fraud and money laundering associated with prepaid cards, ever since they were first issued in the 1990s. But the really big thing that's happened in the past year is that criminal hackers have started to exploit prepaid card systems; not just the cards themselves, but, equally as much, the back-office systems that banks use to manage their prepaid card products as a way to facilitate online banking fraud. The other thing that's happening is that we're starting to see exploitation of reloadable prepaid cards, because in the past it's been mainly perpetrated on non-reloadable cards, so two fairly big developments here. We've seen this in four different high-profile data breach cases that have happened, starting with the most recent one, which happened at Chase. Also, we had the breach that took place in late 2012 that targeted the prepaid card processors for two banks in the Middle East. ... These were the processors, not the issuing banks themselves, which resulted in a $45 million ATM fraud that was coordinated across several countries and took place in the space of a few hours, which I believe there were some arrests on recently. That was targeting prepaid systems. The RBS WorldPay breach that took place in 2008 was really a precursor to all this. The other one is the FIS breach in 2011, which I believe led to about a $15 million fraud.
KITTEN: Why was the attack of FIS's prepaid card system so damaging to so many of its processors' bank and credit union customers?
WILLS: As mentioned, the FIS breach happened at a processor with a card management platform; this back-office system used to manage prepaid cards had been outsourced to FIS by a number of prepaid card issuers, and, therefore, not only one issuer was affected, multiple issuers were. That led to a significant amount of fraud that was damaging for those issuers' reputations, and that's why it was such a big deal.
Prepaid Card Risks
KITTEN: Can you explain how some of these risks are emerging and why they're so damaging?
WILLS: Let me start by explaining the two basic types of prepaid cards and how they work, and then my explanation about the attacks will be much more understandable. There are two basic types of prepaid cards: reloadable and non-reloadable. Let me start with non-reloadable, because those are the types of cards that we have traditionally seen a lot of money laundering activity and fraud on. Non-reloadable cards are your gift cards, the mobile top-up cards, things like iTunes and Macy's cards, the things that you see on the racks of a checkout at stores. Usually, they're in small denominations of $25, $50 or $100, and the key thing about these non-reloadable cards is that they can only be used until the balance is depleted. There is no due diligence on the customer, so they can be purchased with cash and therefore are anonymous cards; that makes them perfect for money laundering, and they've been used extensively for that for some years. Then there is the reloadable type of card where the balance can be drawn down, but topped off at any time as well, as long as the account is open. These reloadable cards do have "Know Your Customer" requirements, so the customer has to register their ID. It's much like opening a credit card or bank account, and they can be reloaded from multiple sources online or sometimes from ATMs. They can also be used at ATMs, so they work just like a credit or debit card, except that the balance draws down when you use it.
What's confusing is that both types are issued by the major card brands, Visa, MasterCard and American Express. We associate fraud and money laundering with non-reloadable cards, and, in theory at least, the risk controls on reloadable cards are better. But what's really interesting is that the emerging attacks I mentioned earlier all involve reloadable cards; that's a change. These reloadable cards have a unique quality that makes them very useful to cyberfraudsters, in the fact that they can be used at ATMs, unlike these anonymous non-reloadable cards.
KITTEN: How are prepaid cards being used in card fraud schemes?
WILLS: Keeping that difference in mind, between reloadable and non-reloadable cards, there are two types of attacks that have emerged in the past 18 months to two years. The first one is where card management platforms, again those back office platforms that are being run by banks issuing prepaid cards, are being attacked. Prepaid card accounts are then being issued with counterfeit cards to launder money, and this is known as an unlimited operation because it involves taking the limits off the prepaid card account. So how does it work? The hackers manage to break into the card management platform itself. They do several things once they've broken in: they steal card numbers and change credit balances on the accounts so they are inflated. If the balance is $1,000 and it's up to $5,000, they remove spending limits on these cards. Typically, reloadable prepaid cards have a daily or weekly spending limits, and those are taken out by the hackers. They also somehow get hold of the PINs on those cards. Then, they take that card data they've stolen off the platform and encode it onto a handful of plastic cards. Then, as quickly as possible, they rush out to ATMs and withdraw the funds from those cards, which have very high limits on them having been removed.
After that, the cash gets laundered by buying cars, luxury items and so on. Looking at those types of attacks, they are almost certainly insider attacks because of the detailed knowledge of the card management platform that the hackers have to have in order to conduct this. Just speculation here, but the attacks are probably APTs, advanced persistent threats, which are taking place over several months and not detected right away. The hackers in the Bank of Iman case [in the Middle East], they actually stayed connected to the card management platform in real-time while the money was being withdrawn from the ATMs, and they watched what was going on as a way to sort of keep an eye out on their cash-out help that they were using in different countries.
The second kind of attack that's emerged is where money mules are being hired to launder the proceeds of these online banking attacks. These money mules, we've seen them for several years now, are recruited by work-at-home schemes and so on. Often they don't know that they're money mules - that they're actually participating in money laundering. This function is being replaced by prepaid cards. ... Money mules are a key link in this overall fraud chain. For the crime bosses, money mules are people, so they're messy and they're hard to manage. They go rogue on the fraudster sometimes, they make mistakes. The banks do have monitoring systems that detect patterns and anomalies. So once those detection systems kick in, then new mules have to be recruited. You have a short shelf life, if you will. On the other hand, prepaid cards are inanimate objects, so they're much more useful to criminals. The way it works is that these prepaid cards are attached to an online banking account that has been breached. As part of breaching the online banking account, identity theft has occurred, which allows the fraudsters to obtain a prepaid card in the name of the victim, and they simply get prepaid cards, load them up with cash, and use them to launder the funds rather than hiring human help for that.
KITTEN: Can you explain why prepaid card fraud is growing?
WILLS: It's not growing so much as it's changing. As I described earlier, you have these new attack modes that have happened, the "traditional type" of prepaid fraud and money laundering continues basically as is. It's changing simply because the banking fraud groups are extremely creative and, as they always do, they found a weak link in the chain of security that they can exploit.
Outsourcing Prepaid Portfolios
KITTEN: What are the third-party risks? Are most prepaid portfolios outsourced?
WILLS: I think that it's probably about 50/50 in the world. I couldn't quote you an exact number of how many are outsourced or not. Typically, portfolios with smaller financial institutions are outsourced, and they're run in-house by larger ones; but there are some large financial institutions that are outsourcing them as well. Banks are generally pretty good compared to other industries at enterprise information security, which is what we're talking about when we talk about securing that card management platform. But they're not always as up to speed as in securing the hyper-extended enterprise; that is not just the data center but the networks and data centers of partners who were connected to them, and that would of course include prepaid card management service providers if that function is outsourced. So when a service provider is connected to the financial institution, they may not have done as thorough due diligence on the partner's networks as their own, and therein lies the main risk.
KITTEN: Why was the prepaid portfolio more vulnerable than other card portfolios?
WILLS: We talked about the risk of outsourcing, however, it all really comes down to the quality of security of whoever is hosting the card management platform, whether that be an outsourced service provider or whether it be in-house. Whoever is hosting it, it comes down to the quality of the security that the organization is practicing. I can't comment on those individually in the different breaches that we've been talking about, but what I can say is that it's likely they were vulnerable to all the kinds of threats that have been front and center in enterprise information security the whole profession has been discussing in the last year. So advanced persistent threats, insider threats, and things of that nature.
KITTEN: What other internal risks do prepaid portfolios face?
WILLS: The main thing that we haven't already covered is insider threat, and that's always something that needs to be considered. Unfortunately, it often fails to be, even though we've been seeing it carried out and talking about how serious it is for years now. It fails to be considered thoroughly in a risk assessment and at a security program. Something between 50 and 80 percent of all information security and threats involve insider cooperation of some type.
KITTEN: How are these prepaid fraud risks affecting other banking channels?
WILLS: Maybe a better way of asking that may be, "How are other banking channels affecting prepaid fraud?" because, as we've seen, criminals have sort of co-opted prepaid card systems into their whole online banking fraud ecosystem. We've seen them starting to figure out there's some weak links in the prepaid card systems that they can exploit. We have this replacement of money mules that's going on by using prepaid cards, by taking advantage of the fact that they're anonymous and can be attached very easily to the accounts of someone who's already been victimized by online banking fraud; the other type where someone actually breaks into the card management platform itself and then manipulates the card limits and so on. Those have been basically added on as tools for online banking fraud.
KITTEN: What lessons should banking institutions take as they look out to 2014 and beyond?
WILLS: One is to secure card management platforms better, and that's really an enterprise information security exercise. The second would be to secure online banking better and third, to secure prepaid cards themselves better. To secure the card management platforms better, that's basically good old enterprise information security. The attacks that we have been talking about today exploited weaknesses in the card management platform, likely using APTs and things of that nature. So like any enterprise, even with APTs, the operators of these platforms could benefit by improving detection and response capabilities, by conducting penetration testing, and using data mining and predictive analytics tools, establishing an incident management program, and controlling for insider threats. I can't speak to the specific players here, but I can speak generally in terms of what types of things can be done. In addition to that, all that standard "mom and apple pie" advice about running a robust cybersecurity program, do your risk assessments, practice good Web application security, and harden your service site systems against default passwords.
As far as securing online banking better, nothing new here either. It's everything the experts have been saying; the proof authentication, the proof fraud detection educates the customers, things of that nature. I won't get into the detail of those recommendations, but the source of the prepaid attacks that I'm describing are still rooted in good old-fashioned identity theft, if I can call it that, via social engineering and phishing. I believe that at the end of 2013, we're in a situation where the fraudsters do have the upper hand over the industry, unfortunately. So there's still a lot more work to be done there.
Finally, what can we do to actually better secure the prepaid cards themselves? Prepaid cards are a product. As a product category, they're actually hot right now because they're the fastest-growing segment of payment cards, when you compare them to debit cards. They've been received very well in the marketplace, and there are a lot of different flavors of these products, different features and functions on them. There's a lot of competition going on between issuers of these cards to try and grab market share. They are enthusiastic to launch their products as quickly as they can, and the problem with that is they're being done without a full risk assessment at the product level.
Security risks are sometimes getting skipped over and only addressed after there's been a security breach of some kind. The recommendation there would simply be to put more due care into the development and management of these products and have security experts involved in the product design from the get-go, so that security is baked into the system; it's in the DNA of the product and not added more expensively later on as an afterthought. The industry has been reluctant to do that for competitive and convenience reasons, which are somewhat understandable. But given that these attacks are really on the upswing, now would be a great time to revisit that approach and bake in some more security into those products.