Since a group of hackers broke into a processor and pulled $45 million out of ATMs using prepaid cards, the media has been atwitter about how prepaid cards are a tool for criminals and maniacs as they misunderstand what happened. Reuters, in an article entitled “Prepaid debit cards: a weak link in bank security” makes the following assertions:
Each prepaid card issued is like a blank slate: anonymous, new, and lacking any credit history or individual behavior pattern against which bankers and payment processors can measure activity to look for red flags.
They are also easier to hack. Raising a withdrawal limit on a prepaid card involves hacking into a system at a third-party payment processor, a company that is generally smaller than a bank and, if based outside the United States, potentially subject to looser cyber security standards.
All of these assertions reflect a lack of understanding about prepaid cards and how they work. While prepaid cards do not check credit history, they do verify identity. Prepaid card program managers do have transaction history and watch for signs of fraudulent behavior such as unusual transaction locations and velocities.
What the hack shows is not that prepaid is a vulnerability, but that prepaid has controls in place to prevent fraud and money laundering. Many of these limits seem to have been circumvented by hacking the processors which set them, something that could have also left credit cards and debit cards vulnerable. After all, these criminals did get caught in large part because they left an electronic trail that was traceable through the card use.
