Sunday, May 12, 2013

$45 Million Heist with Prepaid Card Duplication

I had been following the entire development on the big heist that was cracked by the US law enforcement.  The news in itself as lead to an interesting assessment for me on the way the Data Theft and duplication was carried out at mass scale.  I read various articles written across multiple news sites and went through even the comments that were made by various set of readers.  Some were pretty interesting and others were made out of hate for India and Indian service Providers as there were two card processors from India whose systems were breached.  The world as it sees may see it as a lapse of security measure implemented by the two payment processors from India, but then why shouldn't they look at the lapse of overall Risk Management System at the Banks as well as the Card network System in general??

There were articles and comments that pointed on the Core Banking Software in use, but then both the writer of the article as well as the comments need to understand that Core Banking Application has nothing to do with the Payment Cards that were compromised in this case. Before we point out the responsibility at the Core Banking Application or System or the People at the three types of organizations involved, we need to actually understand the modus operandi of the Gang Spread Across 27 Countries and specific Target being made at two Banks in Middle East.  Making a general Comment otherwise would simply be because you hate someone or because you have no knowledge either of the Baking System or the Pre-paid Card System for that purpose...Also, those trying to relate the software to this heist must first understand the it doesn't have any relation to the pre-paid cards, that is a different system that interacts with CORE BANKING Application....

One interesting point that I noted in the entire set of developments is the Lack of Controls around the Payment Cards that were compromised.  Why is it that the Banks when deploy enough controls on the Debit and Credit cards, they miss to deploy controls around the pre-paid cards that are mostly used as "Travel Currency Cards" or "Gift Cards" in most cases?  I am still perturbed as to how and why the Banks let the Payment Processors manage the Data on their local database without enforcing right set of controls required? Some additional questions that crept up to my mind - 
  1. Didn't the Payment Processor deploy layered security to ensure that the Database is in the most secured zone?
  2. Weren't Host base IDS/IPS systems deployed?
  3. Weren't transaction monitoring and logging systems deployed to create alert for fraudulent withdrawals?
  4. Weren't alerting system put in place for changes in database?
  5. Why would Visa and MasterCard let huge withdrawals go through multiple ATMs and that too from the same cards? Why were the patterns not monitored at their end?
  6. Why didn't the Banks whose ATMs were used ever sounded an alarm in the Banking Community about the huge transactions? Were they enjoying withdrawals from their ATMs and raising bills to the target Banks??
There are many such questions that need to be answered and probably we might never get an answer to these questions...for we would just read the development and arrests...What happens at the Banks, what happens at Visa and MasterCard and other organizations involved would never come to light...but, then its our Money and we must know if it is safeguarded...

Related Post - $45 Million Heist with Prepaid Card Duplication: Lessons Learned

1 comment:

  1. We need to create a public awareness system.
    I fully doubt that very few know how actually the credit/ debit card system functions.Which are the agencies that issue these card. Which are the banks/ service centers working at the back end facilitating these transactions.

    U have asked here that Why didn't the Banks whose ATMs were used ever sounded an alarm in the Banking Community about the huge transactions? Were they enjoying withdrawals from their ATMs and raising bills to the target Banks??. Its simple. These banks r only interested in business, and don't care about any frauds as long as their money is recovered.
    There have been cases where procedures have been circumvented to favour the recipients.