Fraudsters are increasingly turning to prepaid cards for the movement of money to perpetrate fraud, says payments fraud expert Tom Wills.

Today, human money-movers known as mules are being replaced with prepaid cards, he says. Plastic is less risky and less expensive, says Wills, director of Ontrack Advisory, a consulting firm focused on payments innovation.

"Money mules are a key link in this overall fraud chain," Wills explains in an interview with Information Security Media Group [transcript below]. "For the crime bosses, money mules are people, so they're messy and they're hard to manage. The banks have monitoring systems that detect patterns and anomalies. Once those detection systems kick in, then new mules have to be recruited."

Money mules have a short shelf life; prepaid cards do not, Wills says. "Prepaid cards are inanimate objects, so they're much more useful to criminals," he says.

Using compromised online banking accounts, fraudsters can quickly and easily buy a prepaid card under a stolen account, load it with cash and then launder funds through it, Wills says.

During this interview, Wills also discusses:

What banks can do to mitigate prepaid fraud risks; How stronger authentication practices could reduce prepaid fraud; and Why security experts should be involved in prepaid card production.

For more than three decades, Wills has worked with companies such as Visa, VeriFone, Intuit, Wells Fargo and Bank of America, as well as startups, to enhance security and compliance. He is a frequent speaker and media commentator on the topics of mobile, identity and security.

Fighting Prepaid Fraud

TRACY KITTEN: How have prepaid card risks escalated in the last year?

TOM WILLS: There's always been a high level of fraud and money laundering associated with prepaid cards, ever since they were first issued in the 1990s. But the really big thing that's happened in the past year is that criminal hackers have started to exploit prepaid card systems; not just the cards themselves, but, equally as much, the back-office systems that banks use to manage their prepaid card products as a way to facilitate online banking fraud. The other thing that's happening is that we're starting to see exploitation of reloadable prepaid cards, because in the past it's been mainly perpetrated on non-reloadable cards, so two fairly big developments here. We've seen this in four different high-profile data breach cases that have happened, starting with the most recent one, which happened at Chase. Also, we had the breach that took place in late 2012 that targeted the prepaid card processors for two banks in the Middle East. ... These were the processors, not the issuing banks themselves, which resulted in a $45 million ATM fraud that was coordinated across several countries and took place in the space of a few hours, which I believe there were some arrests on recently. That was targeting prepaid systems. The RBS WorldPay breach that took place in 2008 was really a precursor to all this. The other one is the FIS breach in 2011, which I believe led to about a $15 million fraud.

FIS Attack

KITTEN: Why was the attack of FIS's prepaid card system so damaging to so many of its processors' bank and credit union customers?

WILLS: As mentioned, the FIS breach happened at a processor with a card management platform; this back-office system used to manage prepaid cards had been outsourced to FIS by a number of prepaid card issuers, and, therefore, not only one issuer was affected, multiple issuers were. That led to a significant amount of fraud that was damaging for those issuers' reputations, and that's why it was such a big deal.

Prepaid Card Risks

KITTEN: Can you explain how some of these risks are emerging and why they're so damaging?