Sunday, May 12, 2013

$45 Million Heist with Prepaid Card Duplication: Lessons Learned

In my previous post "$45 Million Heist with Prepaid Card Duplication", I had highlighted the questions that creep into our minds as general readers or followers of the news.  Those questions are basically the ones that need to be dealt with or answered for a meaningful conclusion of the investigation.

However, from the Risk Management perspective and that of ongoing compliance enforcement, there are a few critical lessons to be learned if the GRC world watches this incident through that lens.

It was really remarkable to learn how these scammers came together and organized a scam wide enough to cover 27 countries, as reported.  Here is the first lesson learned - 
  • Organize your defences and resources so that Risks are covered at all times. This can be achieved only when you have a sound Risk Management Framework that documents all the identified Risks and monitors them on an ongoing basis
Banks operating ATMs across the reported 27 countries failed to identify the unusually large volume of withdrawals from their machines. Here is the second lesson learned - 
  • Banks need to put in place a governing policy to monitor cash withdrawals from their ATMs. They need to closely review the cash withdrawal pattern across the ATMs they own (volume, velocity and amounts per card and per machine, compared against the normal baseline). This would help raise the red flag faster
Payment Processors failed to maintain security measures at par with those required of Banking Organizations. Here is the third lesson learned - 
  • Payment Processors must deploy layered security: the card databases must always be hosted in the most secure network zone, and should preferably be protected by host-based IPS and database activity monitoring that raise alarms on anomalous behaviour, including unexpected reads of card records or changes to card limits
Card Networks failed to raise the alarm too, and instead delisted the payment processor that was breached.  This is certainly an act of washing one's own hands of the responsibility. Fourth lesson learned here - 
  • Card Networks need to enforce the limits once they are defined. Meaning, once a Payment Processor or Bank has defined the transaction limit on a given Pre-Paid Card, that limit needs to be populated to the Card Network as a one-time, one-way update.  Generally a Pre-Paid Card user is not concerned with the limits set on the card, as they use such cards for a limited set of transactions only.  So if the Payment Processor or Bank later sends a changed transaction limit, the Card Network should override it with the limit it already holds and flag the discrepancy....(this may seem insensible to many, but it would help avoid such heists in future, since a processor whose records have been tampered with can no longer lift the limits on its own)
The entire Banking System across the reported 27 countries failed to detect the heist and report it. Here is the fifth lesson learned - 
  • The Banking system across the world would need to develop a Governance mechanism to share daily charge-back reports and highlight the cases that appear alarming. This would help the targeted banks react faster and help avoid such mass-scale heists
A few other lessons learned - 
  1. Payment Processors and Banks must ensure that they have transaction monitoring systems deployed specifically for Pre-Paid Cards, because as the controls on Debit and Credit Cards tighten, scammers will shift their focus to the less-protected cards
  2. Payment Processors and Banks must develop systems that make the Risk Management Function responsible for reviewing the anomalous behaviour noted by the transaction monitoring systems and reported in the charge-back reports
  3. Information Security mechanisms must be strengthened across all the Payment Processors and across the Payment Networks to help thwart such attempts in future
  4. Though Pre-Paid Cards are not tied to a named cardholder and hence are not treated at par with the other Bank Cards, it is critical that Data Protection Regulations cover these cards too. The PCI Council must also ensure that comprehensive steps are taken to this effect and that Pre-Paid Card data is explicitly brought under the scanner of PCI-DSS. They should also ensure that the applications used for the purpose are brought under the scanner of PA-DSS.
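The second and fourth lessons above, and the first of the "other lessons", describe controls that can be sketched in code: a limit of record held at the card network that is populated once and never raised by a later processor-side value, and per-card monitoring of ATM withdrawal patterns. The following is an added example written for this post, not code from the original post or from any bank, processor or card network; the card references, amounts, thresholds and the ATM withdrawal records are all constructed for illustration.

```python
"""Added example (not from the original post): toy authorization plus
withdrawal-pattern monitoring over constructed prepaid-card ATM requests.
All card identifiers, amounts and thresholds are constructed."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Withdrawal:
    card: str            # tokenized card reference (constructed)
    ts: datetime         # UTC timestamp of the ATM request
    amount: int          # whole currency units
    atm_country: str     # country of the ATM
    asserted_limit: int  # daily limit the processor/issuer puts in the auth message


class NetworkLimitStore:
    """Limit of record at the card network: one-time, one-way population."""

    def __init__(self):
        self._limits = {}

    def register(self, card, limit):
        """First value wins; later attempts (e.g. from a tampered processor DB) are refused."""
        if card in self._limits:
            return False
        self._limits[card] = limit
        return True

    def get(self, card):
        return self._limits.get(card)


class WithdrawalMonitor:
    """Per-card daily cap plus velocity and multi-country checks (thresholds are assumptions)."""

    def __init__(self, store, max_per_window=5, window=timedelta(minutes=30), max_countries=2):
        self.store = store
        self.max_per_window = max_per_window
        self.window = window
        self.max_countries = max_countries
        self.daily_total = defaultdict(int)  # (card, date) -> amount approved so far
        self.recent = defaultdict(deque)     # card -> deque of (ts, country) inside the window

    def authorize(self, w):
        """Return (approved, alerts) for one withdrawal; call in timestamp order."""
        alerts = []
        limit = self.store.get(w.card)
        if limit is None:
            # Card the network has never seen: accept the processor's value once.
            limit = w.asserted_limit
            self.store.register(w.card, limit)
        elif w.asserted_limit != limit:
            # The network keeps its own limit and flags the disagreement.
            alerts.append(f"LIMIT-MISMATCH {w.card}: processor asserts {w.asserted_limit}, network holds {limit}")

        key = (w.card, w.ts.date())
        if self.daily_total[key] + w.amount > limit:
            return False, alerts  # declined against the network-held limit
        self.daily_total[key] += w.amount

        q = self.recent[w.card]
        q.append((w.ts, w.atm_country))
        while w.ts - q[0][0] > self.window:  # drop entries that fell out of the window
            q.popleft()
        if len(q) > self.max_per_window:
            alerts.append(f"VELOCITY {w.card}: {len(q)} withdrawals within {self.window}")
        countries = {c for _, c in q}
        if len(countries) > self.max_countries:
            alerts.append(f"GEO {w.card}: ATMs in {sorted(countries)} within {self.window}")
        return True, alerts


def run(withdrawals, monitor):
    """Feed withdrawals through the monitor in timestamp order; return (card, approved, alerts) triples."""
    return [(w.card, *monitor.authorize(w)) for w in sorted(withdrawals, key=lambda x: x.ts)]


def build_sample():
    """Constructed data: an honest card, a card whose processor-side limit was
    raised after issuance, and an unregistered card cashed out across countries."""
    store = NetworkLimitStore()
    store.register("card-A", 500)  # issuer populated the limit at issuance
    store.register("card-B", 500)
    t0 = datetime(2013, 5, 5, 2, 0)

    def at(minutes):
        return t0 + timedelta(minutes=minutes)

    ws = [
        Withdrawal("card-A", at(0), 200, "US", 500),
        Withdrawal("card-A", at(40), 100, "US", 500),
        Withdrawal("card-B", at(1), 400, "JP", 500),
        Withdrawal("card-B", at(3), 400, "JP", 1_000_000),  # processor DB altered: limit effectively removed
        Withdrawal("card-B", at(6), 400, "JP", 1_000_000),
    ]
    for k, country in enumerate(["US", "US", "JP", "JP", "GB", "GB"]):
        ws.append(Withdrawal("card-C", at(10 + 3 * k), 2000, country, 1_000_000))
    return store, ws


if __name__ == "__main__":
    store, ws = build_sample()
    for card, approved, alerts in run(ws, WithdrawalMonitor(store)):
        print(card, "APPROVED" if approved else "DECLINED", *alerts)
```

With the constructed sample, card-A is approved twice with no alerts; card-B's first withdrawal is approved, and its next two are declined against the network-held limit of 500 with a LIMIT-MISMATCH alert each time, even though the processor now asserts a limit of 1,000,000. card-C was never registered with the network, so the network accepts the processor's value and the daily cap never bites; it is the velocity and multi-country rules that raise alerts on its last withdrawals. That is the point of layering: the network-held limit stops the tampered-limit case outright, and pattern monitoring still catches cards the first control cannot cover.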
------------------------------------------------------------------------------------------------------------