After observing a noticeable increase in sophisticated attacks targeting payment processors of prepaid debit accounts, in which criminals are able to manipulate account balances and/or fraud prevention controls, the United States Secret Service released an Industry Advisory on March 15, 2013. The Advisory outlines several “macro” and “prepaid platform specific” strategies that payment processors should adopt to mitigate the risk of such attacks occurring on their systems.
The Advisory notes that the goal of such attacks is to “obtain administrative access to the database systems” related to the accounts so the attackers can increase account balances and alter certain fraud and loss prevention controls to prevent account alerts from triggering. After successfully altering the database systems, the attackers proceed to conduct simultaneous ATM withdrawals from the same accounts in multiple countries.
To mitigate the risk of such attacks, the Secret Service recommends that payment processors take several steps related to prepaid debit account platforms, including: requiring two-factor authentication for remote access to the database systems; disabling or deleting administrative testing accounts when they are no longer in use; protecting account information by limiting how PIN reset requests are sent to account holders; and employing aggressive fraud detection measures. On a more global level, the Secret Service recommends that payment processors review how their network security and fraud/loss prevention groups communicate with each other, so that the companies can create and implement strategies to detect attacks quickly.
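The attack pattern the Advisory describes leaves two correlated traces in a processor's own data: a balance or limit raised (or alerting switched off) on an account, followed shortly by ATM withdrawals on that account from several countries at once. The following is an added example, not code from the Advisory or from the authors of this post, showing how a fraud/loss prevention team could screen for both signals in a batch pass over event records. The record layout, field names (`balance`, `daily_limit`, `alerts_enabled`), thresholds and the sample events are all assumptions constructed for illustration.

```python
"""
Added example (not from the Secret Service Advisory or this post): screen
prepaid-card event records for the two signals the Advisory describes,
namely (1) an account whose balance/limit was raised or whose alerts were
disabled shortly before it was cashed out, and (2) ATM withdrawals on one
account from several countries inside a short window.  Field names,
thresholds and sample data are constructed assumptions, not a real schema.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Withdrawal:
    account: str
    at: datetime
    country: str      # assumed: ISO 3166 alpha-2 code of the ATM's country
    amount: float


@dataclass(frozen=True)
class ControlChange:
    account: str
    at: datetime
    field: str        # assumed names: "balance", "daily_limit", "alerts_enabled"
    old: object
    new: object


def multi_country_bursts(withdrawals, window=timedelta(minutes=30), min_countries=2):
    """Return {account: set(countries)} for accounts withdrawn from in at least
    `min_countries` countries within any sliding window of length `window`."""
    by_acct = defaultdict(list)
    for w in withdrawals:
        by_acct[w.account].append(w)
    hits = {}
    for acct, ws in by_acct.items():
        ws.sort(key=lambda w: w.at)
        lo = 0
        for hi in range(len(ws)):
            # advance the window start until it spans at most `window`
            while ws[hi].at - ws[lo].at > window:
                lo += 1
            countries = {w.country for w in ws[lo:hi + 1]}
            if len(countries) >= min_countries:
                hits[acct] = hits.get(acct, set()) | countries
    return hits


def suspicious_control_changes(changes, withdrawals, lookback=timedelta(hours=24)):
    """Return {account: [notes]} for balance/limit increases or alert
    disabling that were followed by a withdrawal within `lookback`."""
    wd_times = defaultdict(list)
    for w in withdrawals:
        wd_times[w.account].append(w.at)
    hits = defaultdict(list)
    for c in changes:
        raised = c.field in ("balance", "daily_limit") and c.new > c.old
        muted = c.field == "alerts_enabled" and c.old and not c.new
        if not (raised or muted):
            continue
        if any(c.at < t <= c.at + lookback for t in wd_times[c.account]):
            hits[c.account].append(f"{c.field}: {c.old} -> {c.new} before cash-out")
    return dict(hits)


def flag_accounts(withdrawals, changes):
    """Combine both detectors into {account: [reasons]}."""
    reasons = defaultdict(list)
    for acct, countries in multi_country_bursts(withdrawals).items():
        reasons[acct].append(
            "ATM withdrawals from " + ", ".join(sorted(countries)) + " within 30 minutes")
    for acct, notes in suspicious_control_changes(changes, withdrawals).items():
        reasons[acct].extend(notes)
    return dict(reasons)


# Constructed sample events.  ACC-1 mimics the Advisory's pattern; ACC-2 is a
# traveller with withdrawals days apart; ACC-3 had a modest limit change weeks
# before an ordinary domestic withdrawal.
T = datetime(2013, 3, 1, 1, 0)
SAMPLE_CHANGES = [
    ControlChange("ACC-1", T, "balance", 50, 1_000_000),
    ControlChange("ACC-1", T + timedelta(minutes=5), "alerts_enabled", True, False),
    ControlChange("ACC-3", T - timedelta(days=30), "daily_limit", 500, 600),
]
SAMPLE_WITHDRAWALS = [
    Withdrawal("ACC-1", T + timedelta(hours=2), "US", 2000),
    Withdrawal("ACC-1", T + timedelta(hours=2, minutes=3), "GB", 2000),
    Withdrawal("ACC-1", T + timedelta(hours=2, minutes=7), "JP", 2000),
    Withdrawal("ACC-1", T + timedelta(hours=2, minutes=9), "RU", 2000),
    Withdrawal("ACC-2", T, "US", 100),
    Withdrawal("ACC-2", T + timedelta(days=2), "FR", 100),
    Withdrawal("ACC-3", T + timedelta(days=4), "US", 300),
]

if __name__ == "__main__":
    for acct, why in flag_accounts(SAMPLE_WITHDRAWALS, SAMPLE_CHANGES).items():
        print(acct, "->", "; ".join(why))
```

Only ACC-1 is flagged: it carries both the raised balance and the disabled alerts within 24 hours of its withdrawals, and its four withdrawals span four countries in nine minutes. ACC-2's two countries fall outside the 30-minute window and ACC-3's limit change is weeks old, so neither triggers. In practice the control-change detector is the more valuable of the two, because it fires before the cash-out begins; the Advisory's point about the fraud and network security groups communicating is precisely that a change like this should reach the people who can block the account before the ATM withdrawals start.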
The complete Secret Service Industry Advisory can be found here.
Written by Kimberly Peretti, Partner, Security Incident Management & Response Team, and Lou Dennig, Associate, Litigation | Alston & Bird LLP