Last month, the prepaid industry learned of a massive $45 million fraud perpetrated by a ring of hackers and accomplices scattered across the globe. The criminals in this case hacked into a foreign payment processor and proceeded to manipulate account balances and threshold settings on 12 prepaid card accounts. By doing so, the account balances skyrocketed and any safeguards that would have prevented excessive transactions on the accounts were eliminated.
The Cash Crew Goes to Work
The details of the 12 accounts were then distributed to accomplices around the world who proceeded to encode dummy ATM cards with the compromised prepaid account details. These accomplices, later to be known as the ‘cash crew,’ then used the encoded cards at ATM after ATM, withdrawing millions of dollars from the prepaid accounts all within a short period of time. In New York City alone this fraud accounted for nearly 3,000 ATM withdrawals in a single night totaling close to $2.5 million.
All Hands on Deck
When I first became aware of this fraud, I immediately wondered why nobody noticed unusual activity occurring on the accounts. After all, you’d think that thousands of ATM withdrawals on a single account would raise a few eyebrows somewhere. Then it dawned on me that perhaps the reason nobody noticed the strange activity was because only one entity was monitoring these accounts– the very entity that was compromised in the first place.
This scenario illustrates the importance of utilizing multi-layer transaction monitoring processes whereby multiple entities monitor the same set of data. With prepaid programs, there are generally multiple entities already involved: the issuer, or financial institution funding the cards, the processor, and perhaps even a program manager, such as GiftCards.com, that would oversee the prepaid program on behalf of the issuer. With access to card details, each entity should have an independent transaction monitoring process that alerts the organization to suspicious activity.
Divide and Conquer
In the present case, hackers were able to deactivate security settings with the processor, however, the issuer should have had an independent transaction monitoring program that collects and analyzes transactional data received from the processor. Surely this program would contain ATM velocity thresholds that, if tripped, would alert the organization of a potential compromise. And since the hackers limited their breach to just the processor, the data received by the issuer should be clean.
You’re In Good Hands at GiftCards.com
Aside from being the best gift card site in the world, GiftCards.com prides itself on proactive awareness of fraud, money laundering and security-related threats. As such, the activity of each and every gift card sold at GiftCards.com is independently monitored to ensure that instances like the one mentioned above do not occur with our products. In the end, independent transaction monitoring, though seemingly redundant, is a necessary safeguard in the proactive fight against fraud.