Fraud techniques revealed in recent debit card case

On May 9, 2013, Federal prosecutors issued indictments against eight individuals for hacking and theft.  The case revealed the methods used by hackers to gain access to debit card numbers that were ultimately used to withdraw $45 million.

Hackers gained unauthorized access to credit card processing companies and conducted what hackers term ÔÇ£unlimited operationÔÇØ.┬á Unlimited operation is an attack where debit cards account balances and withdrawal limits are removed.┬á In this case, attackers performed unlimited operation on several prepaid MasterCard debit cards and then distributed the card numbers and pins to groups around the world.┬á These groups recoded gift cards and hotel entry cards with the stolen card numbers and then coordinated withdrawals from ATM machines.

I have spoken of the increase in coordination of cyber-attacks many times and this is an excellent example.  In a little over two hours on December 22, 2012, the criminals were able to withdraw $400,000 from 140 ATMs across New York City.  A series of thefts in February resulted in the theft of almost $2.4 million in 10 hours and the group is accused of stealing a total of $45 million by following this procedure for different card issuers and locations.

The banks involved in this case might have prevented the theft by monitoring for anomalous behavior such as the excessive use of a card number or the modifications required in unlimited operation attacks.  Anomalous behavior monitoring is valuable no matter where the next attack comes from and it is useful in other industries as well.

5 thoughts on “Fraud techniques revealed in recent debit card case

  1. What gets me the most about things like this is the fact that they can take so much money in such a little time. Thanks to advancements in security, authorities are able to track where the money goes much easier than in the past.

    • Constance,

      Thanks for your feedback. Make sure you check your statements frequently to look for unauthorized charges.

  2. I am surprised that the card vendors were not doing a better job of monitoring for anomalous behavior as you mentioned. This seems like a normal practice.

Leave a Reply

Your email address will not be published. Required fields are marked *