In December 2008, prepaid card issuer and processor RBS WorldPay Inc. disclosed a security breach in its U.S., open-loop gift and payroll card system. The breach resulted in an ATM scam that netted fraudsters $9 million. While RBS said the damage was contained and the company had taken steps to strengthen the safeguards to its systems, the breach and its aftermath should serve as a wake-up call to the prepaid card industry.
In a report entitled Prepaid Fraud and Risk: Between Cash and a Hard Place, David Fish, Principal Analyst at Mercator Advisory Group, outlined steps the industry should take to secure systems and outthink the hackers.
According to Fish, the same basic principles that govern credit and debit card fraud management systems also apply to prepaid card systems. All systems have authorization and clearing functions. Card issuers and program managers set authorization policies. Processors that manage risk tolerances and authorization streams approve or decline transactions based on the policies already set up.
"But there are caveats that come with prepaid like load transactions that the systems need to be aware of and take into account," Fish said. "There is an additional section on the policy on loads. So that's how prepaid is unique in authorization."
Fish said that prepaid fraud systems need to check the "value and velocity" of transactions, both when value is subtracted from cards when they are used and when value is added to cards through loads and reloads.
"The transactional monitoring piece has to be modified to accommodate for the uniqueness of prepaid," he said. "It has load transactions. It has activation transactions. It's not just usage. So the parameters of an issuer's or program manager's fraud system or a processor's fraud system do need to be modified in such a way that that uniqueness is taken into account."
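The "value and velocity" checks Fish describes, covering loads and activations as well as usage, can be sketched as a per-card sliding-window policy. This is an added example, not code from the Mercator report or from any processor; the class name, card tokens, windows and thresholds are illustrative assumptions.

```python
from collections import defaultdict, deque

# Illustrative policy (assumed thresholds): per transaction type, the window in
# seconds, the max number of events and the max total value (cents) per card.
POLICY = {
    "activation": (86400, 1, 0),
    "load":       (86400, 3, 100_000),
    "usage":      (3600,  5, 50_000),
}

class PrepaidMonitor:
    def __init__(self, policy=POLICY):
        self.policy = policy
        self.seen = defaultdict(deque)  # (card, kind) -> deque of (ts, cents)

    def authorize(self, ts, card, kind, cents):
        """Return 'approve' or a decline reason; only approvals are recorded."""
        if kind not in self.policy:
            return "decline: unknown transaction type"
        window_s, max_count, max_value = self.policy[kind]
        events = self.seen[(card, kind)]
        while events and events[0][0] <= ts - window_s:   # expire old events
            events.popleft()
        if len(events) + 1 > max_count:
            return f"decline: {kind} velocity"
        if sum(c for _, c in events) + cents > max_value:
            return f"decline: {kind} value"
        events.append((ts, cents))
        return "approve"

# Constructed sample stream: (epoch seconds, card token, type, amount in cents).
SAMPLE = [
    (0,    "card-A", "activation", 0),
    (10,   "card-A", "load",  40_000),
    (20,   "card-A", "load",  40_000),
    (30,   "card-A", "load",  40_000),   # third load pushes value over the cap
    (40,   "card-A", "activation", 0),   # second activation inside the window
    (100,  "card-B", "usage",  1_000),
    (101,  "card-B", "usage",  1_000),
    (102,  "card-B", "usage",  1_000),
    (103,  "card-B", "usage",  1_000),
    (104,  "card-B", "usage",  1_000),
    (105,  "card-B", "usage",  1_000),   # sixth use in an hour
    (3705, "card-B", "usage", 45_000),   # earlier uses have expired
]

def run_sample():
    monitor = PrepaidMonitor()
    return [monitor.authorize(*txn) for txn in SAMPLE]

if __name__ == "__main__":
    for txn, verdict in zip(SAMPLE, run_sample()):
        print(txn, "->", verdict)
```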
Additionally, Fish believes the prepaid card industry must do a better job of communicating between companies and systems. "The degree of cross-industry coordination to combat fraud and money laundering needs to accelerate," he said. "While it's not a new idea in the slightest, the demand for collaborative, systemic fraud controls has really never been greater."
Fish noted that consortia and trade associations, such as the Network Branded Prepaid Card Association and the Center for Financial Services Innovation, have been active in fostering dialogue between prepaid constituencies.
"So it's not like there's a total lack of any sort of consortium on the prepaid side," he said. "What I'm saying is that the businesses themselves need to be linked in such a way that risk management can happen across the industry."
Not only should industry players adopt industrywide security standards, but the systems themselves "should also talk to each other in such a way that the entire payments ecosystem is made more secure," Fish said.
Fish gave the RBS breach as an example. "The crooks were able to hack into the platform and adjust the card parameters so that the mules could go to the ATMs and withdraw $9 million," he said. "That scam was made possible not only by the hackers' manipulation of RBS Worldpay, but there's nothing in the ATMs to say nope, that's not right and stop that transaction."
Mercator's fraud report goes into detail on fraud perpetrated using general purpose reloadable (GPR) cards. GPRs have greater fraud potential than closed-loop gift cards, for example, because they have "longer account lifecycles and increased volume and liquidity driven by reload schemes," according to the report.
The breach at RBS involved the theft of data from GPR cards. RBS said 1.5 million open-loop gift and payroll card numbers were compromised in the breach. Only 100 of the card numbers - all from payroll accounts - were allegedly used in the ATM scam.
"That level of sophistication and that type of attack is where the fraud community seems to be moving," Fish said.
The RBS breach and its aftermath - three law firms filed a class action lawsuit against RBS and the processor was stripped of its Payment Card Industry Data Security Standard compliance certification - represent "every payment company's worst nightmare," Fish added. "I think in order to rest a bit better at night, these players are going to need to cooperate."
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.