A few weeks ago, a story broke about arrests made related to a series of incredible ATM heists. A group of criminals struck twice, in over 25 countries and took in over $45 million. The thefts were incredible, not only because they took in so much money, but also because of how well-executed they were, with the thieves striking quickly and efficiently, in so many cities across the globe. How were they able to do this?
They began with prepaid debit cards. Computer hackers hacked into the systems of two prepaid debit card processors and stole debit card numbers. The first time they stole five prepaid debit card numbers from a processor in India and the second time they stole twelve account numbers from a United States based processor. After stealing the numbers, they raised the limits on the debit cards, or removed them completely. This was possible, in part, because prepaid debit cards start out as a blank slate, unconnected to an individual’s account. The limits are set by the amount of cash paid into the account. This information is what was manipulated by the hackers. The hackers then sent the card information to their team members who were scattered around in over 25 countries around the world.
In the same way that a hotel programs a key card for a guest’s room, these criminals programmed the magnetic strips on blank cards, using a machine known as a skimmer, and cloned the prepaid debit cards. In fact, even hotel key cards can be used to clone debit or credit cards, as the technology used to create bank cards is the same technology used to make hotel room cards – not very comforting, is it? Finally, armed with cloned prepaid seemingly limitless debit cards, teams went out onto the streets and withdrew cash. A lot of cash. During the first heist, using five prepaid numbers, the thieves withdrew $5 million from ATMs in 20 countries. During the second heist, using twelve prepaid accounts, the thieves withdrew $40 million from ATMs in 26 countries in under 10 hours. This is not the first time that this has occurred – theft using prepaid debit card information has happened several times – but this is the grandest scale to date. In a highly coordinated and organized action, the teams of people went from ATM to ATM, swiftly withdrawing funds. They knew which ATMs had the highest maximum withdrawal limits and they knew the most efficient routes to take in order to maximize their intake in the least amount of time. The New York Times reported that from the ATM cameras, one can see a crew member’s backpack getting heavier and heavier, as he went from one machine to the next. There is something to be said for the criminal network; reporting on the shutdown of Liberty Reserve stated that the ATM thieves laundered some of their ill-gotten gains through the shady currency exchange business. When MasterCard, noticed that something was amiss with their prepaid debit cards, they contacted the Secret Service who, among other things, investigates various financial crimes.
The thieves likely targeted prepaid debit cards because of several weaknesses that they were able to exploit. Regular debit cards are connected to a person’s checking account meaning, generally, that a thief is limited to stealing the victim’s checking account balance and not much more than that. A credit card, though a thief can try to go to town with it, is connected to individuals who will notice pretty quickly if a lot of money is taken out of their account. Also, because credit cards come with the history of the user, credit card companies tend to flag them if they notice behavior that is out of the ordinary. The prepaid debit card is a different animal. Prepaid debit cards are a very convenient way for people, who do not wish or are unable to use bank accounts, to go cashless. For a small fee, cash is simply loaded onto a card that will then work as a regular debit card, until the money pre-loaded onto the card is used up. Because it is not connected to a person’s account or spending history, if this card is manipulated, it will take a while before anyone notices that something is amiss.
Because of the nature of the prepaid debit card – that it is not connected to an individual’s account – the thieves needed to steal only a few numbers and raise the limits on a few cards to very high levels. Because only a few were taken, again, it decreased the risk of the theft being immediately noticed. When credit or regular debit cards are stolen, thieves tend to have to steal great numbers of them if they want to make a lot of money out of them. Once a lot of cards are stolen, the chances that someone will notice go up a lot.
As I mentioned before, debit and credit card technology itself is not secure. The magnetic strip technology used on credit and debit cards in the US, is the same technology used to program hotel room keys. The technology has not changed in decades and the machines used to clone credit and debit cards can be bought for $25. The US is the only nation in the G-20 that still uses this magnetic strip technology. The other members use newer chip technology that is more secure.
There are several benefits to the prepaid debit card, some of which are:
- They can be cheaper for some than having to pay all the fees involved in having a bank account;
- Despite the skimming and cloning risk, they tend to be safer than holding large amounts of cash;
- They are good for travel, especially since traveler’s checks are no longer as widely accepted as they used to be and debit cards can be used wherever credit cards are accepted;
- They are great gift cards as they are not limited to a particular vendor.
One challenge for the issuers and processors of these prepaid debit cards is to make them more secure so that they do not end up losing more and more money to heists such as these ones. Though US banks may believe that newer card technology is too expensive, as thieves steal more and more, they may decide that the benefits of the technology outweigh its costs. There is also the challenge of protecting the banks and processors against hackers. There have been arrests of the team members who made the ATM withdrawals, and one has even been found shot dead, however the hackers are still at large. They are probably the most dangerous, for without them the prepaid debit account information could not have been stolen and manipulated. That is an ongoing battle that financial institutions and law enforcement fight; as our systems become more sophisticated, so too do cyber criminals.