Prepaid debit cards: a weak link in bank security

Pinterest LinkedIn Tumblr


A brazen gang of cyber criminals, who stole $45 million from bank ATMs in 27 countries, exposes an Achilles heel in the global financial industry: prepaid debit cards.

Cyber security experts and industry analysts say the burgeoning use of prepaid debit cards for everything from gift certificates to disaster relief handouts is making it easier for hackers to withdraw large amounts of money before detection.

Prepaid cards have fewer controls on them than on regular credit and debit cards issued by banks. Each prepaid card issued is like a blank slate: anonymous, new, and lacking any credit history or individual behavior pattern against which bankers and payment processors can measure activity to look for red flags.

They are also easier to hack. Raising a withdrawal limit on a prepaid card involves hacking into a system at a third-party payment processor, a company that is generally smaller than a bank and, if based outside the United States, potentially subject to looser cyber security standards.

“It’s usually prepaid debit cards. That’s the card of choice in this. The bad guys know the system and they have been able to exploit it,” said Joe Petro, a managing director at Promontory Financial Group, who worked for 20 years as the head of fraud prevention and investigations for Citigroup Inc.

“The vulnerability stems from third-party processors, who may not have the same level of security systems that banks are able to have,” he added. Petro was speaking generally and said he did not have direct knowledge of the $45 million heist.

In a globally coordinated campaign, hackers broke into two unidentified payment processing companies that handled the prepaid debit cards for two Middle Eastern banks, U.S. prosecutors said on Thursday.

Once inside the computer networks, they increased the available balance and withdrawal limits on prepaid MasterCard debit cards issued by Bank of Muscat of Oman and National Bank of Ras Al Khaimah PSC of the United Arab Emirates.
– See more at:

Write A Comment