Posted by: Arian Eigen Heald
Automatic Theft Machines, Data Breaches, PCI DSS
A story on Wired came out recently about a $9 million ripoff of RBS WorldPay. Further reading on Wired led me to articles about, variously, a cracking of an ATM network in 7-Eleven stores that linked to Citibank, iWire cash payment cards, and Direct Cash management cards.
It seems that the bad folks are cracking ATMs and cash/debit/gift cards MUCH faster than the banks and financial services people can keep up. They have gotten adept at cloning cards, cracking PINs and breaking account limits in order to drain accounts quickly with a host of people making fast runs on the system. Profits range from $750,000 to, so far, $9 million.
Banks and businesses are being ever more cagey about announcing such breaches, pointing fingers at various processors and claiming they can’t talk due to “ongoing criminal investigations.” This is the claim for the heist of $9 million that happened last November. Frankly, that excuse is getting harder and harder to swallow.
As my last post noted, we are starting to see a pattern of “repeat-offenders”: companies that are broken into more than once and don’t seem to be able (or willing) to make changes so that break-ins stop happening. Monster.com comes to mind.
Of course, as consumers, we don’t see an impact until our cards get canceled, or, God forbid, our accounts get drained. But for people being issued cash cards as a form of payroll, this can have devastating consequences. If you’re living from paycard to paycard, and one paycard gets hacked, what will you do for food, gas and other necessary things that week? It might take the card company a week or two to straighten things out – maybe more. What happens until then?
The rising cost of these data losses is being well documented. For now, banks and financial companies are eating the cost out of their profits, and collecting damages from each other. It’s not a pretty picture, and ATMs are a growing part of the mess.
This is liable to get worse before it gets better. Companies tend to be unwilling to spend money on securing data in the best of times; but in these worst of times, securing data is just not happening.
PCI – Pay Cash Instead.