Secret Service warns of rising prepaid fraud
In March 2013, the United States Secret Service issued a warning to the prepaid card industry that fraudsters are increasingly targeting the back-end computer systems of prepaid card processors. The agency said that, using a variety of remote attacks, hackers gain entry to networks with the ultimate goal of obtaining administrative access to prepaid accounts.
"In a successful event, the attackers are able to manipulate some combination of the balances of the target accounts and the fraud/loss prevention controls utilized by the processor," the Secret Service said. "Subsequently, unauthorized ATM withdrawals are conducted simultaneously in multiple countries throughout the world. In most instances these withdrawals are monitored in real time by the individuals conducting the operation."
Among the enterprise-wide strategies the agency advised processors to employ to thwart network breaches:
- Integrate information security best practices into all levels of organizational planning
- Ensure information technology concerns are addressed when planning mergers, acquisitions or sales
- Formalize and deploy strategies that take into account the relationship between network security and fraud loss prevention
For individual prepaid card processing platforms within networks, the Secret Service suggested that processors:
- Utilize multiple alert methods to notify network administrators of changes to rules and restrictions on prepaid databases
- Require two-factor authentication security protocols for employees to gain remote access to databases
- Use duplicative controls for the collection, preservation and validation of database logs and immediately address inconsistencies in logs
Among the fraud detection methods that processors should employ, the agency cited:
- Alerts on accounts where three transactions using the accounts are conducted at separate ATMs in under two minutes
- Alerts on accounts where ATM transactions are conducted with the accounts via two separate countries within five minutes
- Alerts on accounts where five balance inquiries are conducted on the accounts within three hours
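The three alert rules above can be expressed as per-account sliding windows over a time-ordered transaction feed. The following is an added example, not code from the advisory or from any processor; the event schema, rule names and sample events are constructed assumptions, and balance inquiries are treated as a separate event type from ATM transactions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds taken from the three alert rules listed above.
ATM_COUNT, ATM_WINDOW = 3, timedelta(minutes=2)   # separate ATMs, under 2 minutes
GEO_WINDOW = timedelta(minutes=5)                 # two countries within 5 minutes
INQ_COUNT, INQ_WINDOW = 5, timedelta(hours=3)     # balance inquiries within 3 hours

def detect(events):
    """Scan time-ordered events; return a list of (timestamp, account, rule) alerts."""
    # Assumed schema: dict with ts, account, type, atm_id, country.
    txns = defaultdict(deque)  # account -> recent (ts, atm_id, country)
    inqs = defaultdict(deque)  # account -> recent inquiry timestamps
    alerts = []
    for e in events:
        acct, ts = e["account"], e["ts"]
        if e["type"] == "balance_inquiry":
            q = inqs[acct]
            q.append(ts)
            while ts - q[0] > INQ_WINDOW:      # drop inquiries older than 3 hours
                q.popleft()
            if len(q) >= INQ_COUNT:
                alerts.append((ts, acct, "inquiry_burst"))
            continue
        q = txns[acct]                         # any other type counts as an ATM transaction
        q.append((ts, e["atm_id"], e["country"]))
        while ts - q[0][0] > GEO_WINDOW:       # retain the longer (5 minute) window
            q.popleft()
        if len({c for _, _, c in q}) >= 2:
            alerts.append((ts, acct, "multi_country"))
        if len({a for t, a, _ in q if ts - t < ATM_WINDOW}) >= ATM_COUNT:
            alerts.append((ts, acct, "atm_burst"))
    return alerts

def ev(hms, account, kind, atm_id=None, country=None):
    """Build one constructed sample event on an arbitrary date."""
    ts = datetime.strptime("2013-03-01 " + hms, "%Y-%m-%d %H:%M:%S")
    return {"ts": ts, "account": account, "type": kind, "atm_id": atm_id, "country": country}

# Constructed sample feed, sorted by time.
SAMPLE = [
    ev("10:00:00", "A1", "withdrawal", "atm-1", "US"),
    ev("10:00:40", "A1", "withdrawal", "atm-2", "US"),
    ev("10:01:30", "A1", "withdrawal", "atm-3", "US"),   # third separate ATM in 90 s
    ev("10:04:00", "A1", "withdrawal", "atm-9", "JP"),   # second country within 5 min
    ev("10:10:00", "B2", "withdrawal", "atm-1", "US"),   # single withdrawal, no alert
] + [ev(f"11:{m:02d}:00", "C3", "balance_inquiry") for m in range(0, 50, 10)]
```

Calling `detect(SAMPLE)` returns one alert per rule; in production the same windows would need to tolerate out-of-order events and suppress repeat alerts for the same account.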
The Secret Service's industry advisory can be accessed at www.alston.com/files/docs/Industry-Advisory-Payment-Processers.pdf, courtesy of Alston & Bird LLP.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.