Security Breach Exposes 40M Credit Cards
The Good Reverend writes "MasterCard International announced today that a security breach at CardSystems Solutions, a third party processor of payment card data, potentially exposed more than 40 million cards. MasterCard is aware of the specific card numbers affected, and is giving its member financial institutions the numbers that may have been compromised. Unlike many of the past high-profile cases this one involves a hacker rather than lost packages. CNN Money, the New York Times, Reuters, MSNBC, ZDNet, C|Net, and the Washington Post are also covering the story."
Proves that the hackers... (Score:5, Insightful)
A bit over 1/4 were MasterCard branded... (Score:3, Insightful)
But that leaves a little under 3/4 who aren't MasterCard branded. If it was a typical third-party payments system then it is likely that they handled other types of credit cards, just that those companies haven't commented yet.
So when is the other shoe going to fall?
The card number / expiry-date system is stupid (Score:4, Insightful)
Re: A bit over 1/4 were MasterCard branded... (Score:5, Insightful)
> But that leaves a little under 3/4 who aren't MasterCard branded. If it was a typical third-party payments system then it is likely that they handled other types of credit cards, just that those companies haven't commented yet. So when is the other shoe going to fall?
The news has been reporting for the last 14 hours (at least) that the four major credit cards are all affected.
Also, this has been known since May 22, but everyone was keeping it quiet.
If there's another shoe, it's going to be that the breach was even larger than reported, or that they got more information than we're being told.
Re:being a site full of geeks (Score:5, Insightful)
And one more: Processors should have mandatory insurance against this event. Then the insurance company would check their security with a keen eye....
Re: Not just mastercard -- VISA, etc. (Score:3, Insightful)
> Apparently the breach was detected by the company handling the cards (CardSystems Solutions, Inc.) on May 22
One source I read said it was detected by the credit card companies when they noticed an upturn in the number of fraudulent transactions being reported to them by banks, and only then traced back to the clearinghouse.
> VISA spokespeople claim that they did not announce it sooner because there was an ongoing FBI investigation.
Yeah, supposedly there was an agreement to silence (for good reasons or bad), and the other participants are surprised (and probably outraged) that M/C broke the news.
And while the "FBI investigating" story is at least a semi-plausible reason for silence, I suspect the real motivation was "OMFG, let's stall as long as we can and hope Jesus comes back before word gets out". As mentioned in other threads, there are estimates that it will cost a billion dollars to replace all those cards.
Also, IIRC, in the past these exposures have always turned out to be much larger than first reported.
The only way (Score:5, Insightful)
Re:Also proves that.. (Score:4, Insightful)
ABN-AMRO uses such a system (Score:3, Insightful)
It has no connection to your computer, so no incompatibilities for Mac/Linux users and no chances of spyware/keyloggers making off with valuable passwords. You identify with what you know and what you have. The processor only has to know the public part of the keypair (the private one is on your card, probably 'encrypted' with your pin). If such a processor is breached, they will not get any info on the card.
Re:Also proves that.. (Score:2, Insightful)
Deal with it.
imagine a similar disaster (Score:5, Insightful)
Re:Also proves that.. (Score:3, Insightful)
That would be a good analogy if only there was a culture of straight gay people that was upset about being associated with homosexuals.
Microsoft security problem? (Score:1, Insightful)
Re:What I would like to see (Score:3, Insightful)
Of course, the CC companies DON'T CARE if you are trying to get some free stuff. They will happily issue chargebacks and give you your money back. The only person hurt here is the merchant, who loses the amount of the sale, a transaction fee of a few percent of the sale price in both directions (one for the sale, one for the chargeback), and a chargeback fee of at least $35 per item being forcefully refunded.
So as you can see, it is the merchants that people are abusing, not the CC companies. The CC companies pocket the chargeback fee as well as double the transaction fees, without having to pay out a cent to the merchant. The customer gets their free item and all of their money back, and the merchant is out one item and probably $40 or more, depending on that item's cost.
I'm not suggesting that people should withhold from reporting fraudulent use of their cards, but it is easy for people to get away with stealing from merchants, and neither the thieves taking the CC numbers, nor the people abusing the situation and getting free stuff are hurting the CC companies at all.
Re:Lesse (Score:2, Insightful)
The basic liability for consumers under MasterCard and Visa is $50 (probably per incident). Now, that could be a problem, except for the fact that MC and Visa waive that liability. So, what are your responsibilities when it comes to reporting fraud? Simple: you report the unauthorized charge to your bank, usually via the 800 number on the back of the card, within 24 (or possibly 48) hours after discovering the fraudulent activity. This means that if you don't open your bill for two months, and so discover the charge six weeks after it happened, you can call in the next day and have ZERO liability. The best part is, since it was a credit card, it's not YOUR money that is lost - unlike a debit card. Hint hint: always use a credit card to buy stuff, not debit or ATM cards.
The real losers here are the merchants, who get stuck with the ~4% per transaction fee and often have to eat the cost of the fraudulent purchase. OTOH, how many merchants can afford NOT to honor the major credit cards?
Re:I think that we'll see more of this (Score:3, Insightful)
When a fraudulent charge is made, you call them. They call the merchant and say, "Sorry bud, you just got pwned."
The merchants take the hit. So credit card companies could really care less.
~X~
Re:Also proves that.. (Score:3, Insightful)
Hackers are people who love to play with technology, who *MAY* also like to cause carnage and destruction.
White or black, a hack is a hack.