Prepaid debit cards are quickly growing in popularity among consumers, but the global conspiracy that stole $45 million from two Middle Eastern banks shows that they’re also attracting attention from another element: criminals.
Federal prosecutors in New York announced charges Thursday against eight defendants accused of participating in a “massive 21st century bank heist” that spanned at least 26 countries.
According to the indictment, the scheme worked like this: Hackers gained entry into databases of prepaid debit cards from a card-processing company and increased the account balances and removed withdrawal limits on several accounts. Then, teams of fraudsters installed magnetic stripes on cards to reflect that account information. Finally, thieves used the doctored cards at ATMs to withdraw millions in cash over several hours.
The criminals used the scheme twice, according to the indictment: once in December, then again in February. In a 10-hour period on Feb. 19 and 20, the thieves made off with $40 million by withdrawing cash in 36,000 ATM transactions in 24 countries.
There’s no evidence that any consumer suffered financial harm. The banks — Rakbank in the United Arab Emirates and Bank of Muscat in Oman — are likely to eat any losses, along with the unnamed Indian and U.S. credit-card processors.
But experts and consumer advocates said the heist highlights the need for consumers to be vigilant in protecting and verifying their financial information, especially on prepaid cards. Often, consumers fail to check their account activity on prepaid cards the same way they might on credit cards or checking accounts.
“Consumers need to just be smart, and if something looks strange, report it to the bank,” says Ruth Susswein, deputy director of national priorities with Consumer Action. “Be aware of your accounts.”
Prepaid cards generally have fewer legal protections against fraud, Susswein says, but in practice, most issuers will reimburse cardholders if a card is used illegally — especially if the user promptly reports suspicious activity. Federal regulators are considering adding new anti-fraud protections on prepaid cards.
Doug Johnson, vice president of risk management policy with the American Bankers Association, says the heist highlights the interconnected nature of finance, in which several companies — often including retailers, processors and financial institutions — have access to account information. Although consumers cannot control that, they can choose what products to use, and he says U.S. banks have generally done a good job at keeping consumer information secure, compared with other issuers, such as retailers.
“When thinking about prepaid cards, it’s beneficial to think about who is issuing it,” he says. “With a bank, you can have a higher degree of confidence that your data will be protected so you won’t have to go through the inconvenience of reporting unauthorized transactions and so on.”
The ease of use of prepaid cards also attracts criminals, but law enforcement might soon have new tools. The Department of Homeland Security said in 2012 that it was considering rules that would crack down on the use of cards in money laundering and even terrorism.
U.S. consumers are expected to load $117 billion onto prepaid cards this year, more than double the figure from 2011, according to Mercator Advisory Group. That amount is rising as more people see prepaid cards as a financially responsible budgeting tool.
Ben Jackson, a senior analyst with Mercator who studies prepaid cards, says some features of prepaid cards make them unattractive to thieves, such as limits on the amounts you can load and spend, as well as electronic records of transactions. Still, with the dramatic growth in prepaid cards, it’s not surprising that thieves are flocking to them, he says.
“Every time some new payment mechanism comes out, criminals are going to find a way to use it,” he says. “A famous bank robber once said, ‘Why do I rob banks? Because that’s where the money is.’ Why do criminals use prepaid cards? Because there’s money there.”