Catch up on stories from the past week (and beyond) at the Slashdot story archive

 


Forgot your password?
Close
typodupeerror
×
Privacy Security Businesses IT

Security Breach Exposes 40M Credit Cards 304

Posted by Zonk from the consider-the-planet-hacked dept.
The Good Reverend writes "MasterCard International announced today that a security breach at CardSystems Solutions, a third party processor of payment card data, potentially exposed more than 40 million cards. Mastercard is aware of the specific card numbers affected, and is giving its member financial institutions the numbers that may have been compromised. Unlike many of the past high profile cases this one involves a hacker rather than lost packages. CNN Money, the New York Times, Reuters, MSNBC, ZDNet, C|Net, and the Washington Post are also covering the story."
This discussion has been archived. No new comments can be posted.

Security Breach Exposes 40M Credit Cards More

Security Breach Exposes 40M Credit Cards

Comments Filter:

  • Proves that the hackers... (Score:5, Insightful)

    by bpuli ( 654182 ) on Saturday June 18, 2005 @07:48AM (#12850383) Homepage
    will always exploit the weakest link in the chain. MasterCard itself might have the best security but what about all the systems downstream? Wonder how many more of these transactions processors have been compromised and don't even know it yet.
    • will always exploit the weakest link in the chain. MasterCard itself might have the best security but what about all the systems downstream?

      Agreed. One wonders how to trust your contractees and outsourcees. It would argue for the most data-secure companies to cut out the middleman and do their own processing.

      The cynical side of me says that there lurks a propaganda campaign to be pushed here by those in favor of introducing new credit card feature, perhaps RFID or biometrics. I cannot say whether those
      • The UK has recently introduced PINs with their credit cards, and my credit card (with Dutch bank ABN-Amro) was just replaced, the new one also has a PIN with it. I haven't tried it out yet, but apparantly the ONLY way to authorize payments with it is to supply the PIN.

    • Re:Proves that the hackers... (Score:5, Funny)

      by Ian Jefferies ( 605678 ) on Saturday June 18, 2005 @08:41AM (#12850544)
      Just wait for the spam social engineering angle to kick in:

      "Just enter your credit card details into this site to see if your credit card number was one of those stolen"

      (Answer: not until 5 seconds ago)

    • Re:Proves that the hackers... (Score:5, Informative)

      by Anonymous Coward on Saturday June 18, 2005 @08:47AM (#12850571)
      Have to agree here. I work for a large mailing house company which processes client data and sends out bank statements and tax details and all sorts of other private information.

      Having a in depth security background, I can safely say that the security of this place is shocking. The guys handling this sensitive data are just kids straight out of uni. The banks etc themselves can go to great lengths to protect their clients data, but then they outsource to 3rd parties and hand over all their data to be processed.

      Posting anonymously for obvious reasons.

    • Re:Also proves that.. (Score:4, Insightful)

      by Curtman ( 556920 ) on Saturday June 18, 2005 @09:06AM (#12850649)
      Even on Slashdot hackers get a bad name. Hackers are people who love to play with technology, not cause carnage and destruction. This guy is a "criminal".
      • Yes and gay people walk around happy all day (actually, they might, but the usage of the word has changed)

        Deal with it.

        • Re:Also proves that.. (Score:3, Insightful)

          by Curtman ( 556920 )
          Yes and gay people walk around happy all day

          That would be a good analogy if only there was a culture of straight gay people that was upset about being associated with homosexuals.
          • Yes and gay people walk around happy all day

            That would be a good analogy if only there was a culture of straight gay people that was upset about being associated with homosexuals.

            The issue is that the word "gay" was hijacked by a group of people who don't want to be called (are ashamed of????) what they are: homosexual.

            Homosexual isn't an evil word. Why try to obfuscate what you really are?
      • By now, most slashdot hackers should be aware of the differences between the media use of 'hacker' and the proper use of hacker. Just like being desensitized to violence on TV.

      • Re:Also proves that.. (Score:3, Insightful)

        by raehl ( 609729 )
        Hackers are people who love to play with technology, not cause carnage and destruction. This guy is a "criminal".

        Hackers are people who love to play with technology, who *MAY* also like to cause carnage and destruction.

        White or black, a hack is a hack.
    • (I work in the payment processing industry, but other than the article I don't know any more about this incident than you guys do.)

      That makes me wonder: how does the security of different payment processors correlate with their processing rates and operational cost? It seems to me, as a First National employee, that our fancy well-designed computer systems, our multiple security-related departments, etc., increase our cost of doing business, so we get beat on price by a lot of other processors. We're no
    • It's about time for the financial services industry to step up and take responsibility for designing a payment infrastructure that can accomodate the current threat environment. A sixteen-digit reuseable number can't provide adequate security, even when coupled with real-time billing address and CVV2 tests. Payments need to be authorized individually by the accountholders, and these authorizations need to be tied to a specific date, time, merchant, and amount (or in the case of recurring payments, a time sp

  • A bit over 1/4 were mastercard branded... (Score:3, Insightful)

    by the packrat ( 721656 ) on Saturday June 18, 2005 @07:51AM (#12850394) Homepage

    But that leaves a little under 3/4 who aren't mastercard branded. If it was a typical third-party payments system then it is likely that they handled other types of credit cards, just that those companies havent commented yet.

    So when is the other shoe going to fall?

    • Re: A bit over 1/4 were mastercard branded... (Score:5, Insightful)

      by Black Parrot ( 19622 ) on Saturday June 18, 2005 @08:01AM (#12850416)


      > But that leaves a little under 3/4 who aren't mastercard branded. If it was a typical third-party payments system then it is likely that they handled other types of credit cards, just that those companies havent commented yet. So when is the other shoe going to fall?

      The news has been reporting for the last 14 hours (at least) that the four major credit cards are all affected.

      Also, this has been known since May 22, but everyone was keeping it quiet.

      If there's another shoe, it's going to be that the breach was even larger than reported, or that they got more information than we're being told.

      • It may have been known abt since 5/22, sure. But how long was this "script" running undetected on CardSystems' equipment?

        Two possibilities spring to mind immediately (and of course others are possible as well):

        1. An insider did this.
        2. Unpatched boxes were subverted and this really is a break-in.

        Either way, these folks had unauthorized, undetected code running and snarfing up some of their most critical data. That isn't good for the company image. Moreover, we *know* that the snarfed data made its way

  • RTFA PEOPLE (Score:3, Informative)

    by Anonymous Coward on Saturday June 18, 2005 @07:52AM (#12850396)
    About 25 MILLION of the 40 WAS NOT a MasterCard, so there are a WHOLE bunch of credit card providers who like leaving you in the dark here people.
  • And in other news, the WidgetCard from the WidgetCard corporation, breaking tradition from the main Credit Card corporations, are proud to announce that they have not lost any cardholder's data. This is an especially newsworthy event due to its rareness.

    More news at five.

  • US numbers only? (Score:2, Interesting)

    by mr_tap ( 693311 )
    I wonder if it was only US CC numbers or if we all have to worry?

    • Re:US numbers only? (Score:5, Informative)

      by Curtman ( 556920 ) on Saturday June 18, 2005 @09:24AM (#12850746)
      I think we all have to worry anyway. This kind of shit happens all the time [www.cbc.ca]. They're going to find the people responsible for these, and the corporations that allow it to happen will get off with only a bit of bad publicity. That's the real tragedy. There ought to be a law that if you are going to retain someone's personal information then you are responsible for keeping it safe. Same as I'm responsible for keeping my PIN number safe.
    • No it wasn't just US cards.

      This is a 3rd party processor that I expect processes payments from someplace like retail stores. Anyone that used any credit card at those merchants may have had their card recorded.

  • Lesse (Score:4, Funny)

    by yotto ( 590067 ) on Saturday June 18, 2005 @07:52AM (#12850400) Homepage
    Interest rate: 20%
    Annual Fee: $40
    Randomly being declined because the machine is on the fritz: $1-$1000 purchase down the drain.
    Being the target of fraud through no fault of your own: Priceless.

    • There are some numbers hackers can't steal. (Score:5, Funny)

      by game kid ( 805301 ) on Saturday June 18, 2005 @09:03AM (#12850628) Homepage

      there are some numbers hackers can't steal

      for everything else there's MasterCard

      (Accepted all over, even if it's not yours.)

    • Re:Lesse (Score:2, Insightful)

      by StupidKatz ( 467476 )
      I fail to see why this is made out to be such a big deal by the consumers. Have any of you read the service agreement/contract for any of the major credit cards? Do you know what you are liable for in the event of a fraudulent/unauthorized charge? If you did, you'd probably be unable to care less about stories like this.

      The basic liability for consumers under MasterCard and Visa is $50 (probably per incident). Now, that could be a problem, except for the fact that MC and Visa waive that liability. So, what
  • I've always wondered why credit card companies don't simply cancel and re-issue cards when somthing like this happens. I read in the MSNBC article that it costs $10.00 per card to do that, which means this particular incident would cost the credit card companies about $400,000,000.00 to reissue cards. That is a ton of money!


    • > I read in the MSNBC article that it costs $10.00 per card to do that, which means this particular incident would cost the credit card companies about $400,000,000.00 to reissue cards. That is a ton of money!

      One story I read on this said that it would cost banks a billion dollars to replace the cards, which is why people weren't being sent new cards already. (They've known about this for several weeks now.)

    • Compare that to the $0 dollars they have to pay on fraudulent charges (merchant has to cover it).

      I don't think they'll be rushing to reissue cards.

      ~X~

  • What I would like to see (Score:5, Interesting)

    by Timesprout ( 579035 ) on Saturday June 18, 2005 @07:57AM (#12850410)
    since people here (Ireland) and the UK are basically being encouraged to rack up debt is some one to crack Mastercard/Visa and wipe out all the amounts owed on credit cards. Might encourage the financial institution to be a little less carefree with their lending policies.
    • I wonder if some unscrupulous people will do this on a smaller scale. Most credit card companies have fraud protection. Usually in cases where an individual's card is stolen the companies refund the person whose card was stolen and then try to track down whoever stole the card. However, with 40 million of these stolen, it is going to be very hard for the companies to figure out who really was victimized and who is trying to get some free stuff.
      Well, consideringi the way CC companies abuse interest rates

      • Of course, the CC companies DON'T CARE if you are trying to get some free stuff. They will happily issue chargebacks and give you your money back. The only person hurt here is the merchant, who loses the amount of the sale, a transaction fee of a few percent of the sale price in both directions (one for the sale, one for the chargeback), and a chargeback fee of at least $35 per item being forcefully refunded.

        So as you can see, it is the merchants that people are abusing, not the CC companies. The CC co
    • On the other hand, we could always ask the "responsible" adults who take out these credit cards to actually take responsibility for once and only take out and use credit they can afford to pay back?

      My father has many many credit cards which give him potential credit facilities to the tune of over twice his annual salary. His credit file is near perfect with the exception of a few late payments to cards (by a few days) and he has certainly never taken on more credit than he can afford.

      Yes, maybe credit card

      • I agree with your common sense post.

        Just thought I'd add that your father's credit might be better than he thinks. You don't appear to be in the U.S., but the big credit reporting agencies in the U.S. don't even have a record of "a few days late". Typically, one must be 30+ days, 60+ days, 90+ days or 120+ days late on a payment for it to fall into one of the negative slots that affect one's credit.

        Of course, that doesn't stop the credit card company from penalizing you for being a few days late with
      • It's a double-edged sword....what responsiblity should the card companies take for thier irresponsible lending practices. For goodness' sake, if you can fog a mirror, you can get credit. If fact, the way the rates are structured on credit cards, the credit card companies EXPECT to write off a percentage of the portfolio. This write-off is insignificant (in relative terms) to the profit they make on the poor saps out there paying 21+% on their accounts. The overnight rate on this money is what, 4%? And

      • Re:What I would like to see (Score:4, Interesting)

        by timeOday ( 582209 ) on Saturday June 18, 2005 @09:46AM (#12850861)
        On the other hand, we could always ask the "responsible" adults who take out these credit cards to actually take responsibility for once and only take out and use credit they can afford to pay back?
        It's counterintuitive, but I don't think this is what the creditors want, really.

        Yes, they would like everybody to be in debt up to their eyeballs and still get 100% repayment, but the simple fact is some percentage of people who borrow to the max will have a period of unemployment, or divorce, or health problems, or simply get discouraged and choose to flake out.

        Getting closer to 100% repayment would require significantly lower levels of personal debt and higher savings. It works out better for creditors, and perhaps even for the GDP of nations, to keep individuals highly motivated - on the edge of financial disaster. The ocassional losses are more than compensated by high balances at high interest.

        Creditors like to take on this victim complex whenever somebody fails to repay. But in fact, all investments have risk, including loaning money to people through credit cards. That level of risk is already reflected in the high interest rates that borrowers pay on the cards. Why do companies offer these risky "payday loans"? Because the usurious interest rates and penalty fees more than make up for the losses.

        Creditors also like to blame deadbeats for placing an extra burden on the rest of us good, hardworking and honest citizens. But this too is mostly false, since people are placed in different pools depending on their payment history. Those with significant credit history blemishes are already paying sky-high interest rates - a sort of security against the credit, which they will never get back even if they are perfect borrowers for the rest of their lives.

        And in case you're wondering, no, I don't have bad credit. But I do have only so much pity for the credit card companies, with their crocodile tears, as they demand bankruptcy reform (favorable to themselves, of course) while socking away truckloads of profit. If our law were really putting creditors in an unfair disadvantage, credit would be hard to get, and that would be a problem. Instead, payday loan outfits are sprouting on every corner like mushrooms, and college students with no income can get as many credit cards as they like. That doesn't sound like an under-profitable industry to me.

    • Credit, like electricity, is provided to people to use as a tool. One can use that tool responsibly. For instance:

      1. Don't buy things you can't afford
      2. Don't stick your finger in a light socket

      Or one can use such tools irresponsibly and think that consequences don't apply to them.

      I wonder which type of person you are?

    • While I think society's general attitude towards borrowing (and putting problems off until later, in general) is terrible, and the media's encouragement of this (it seems every time lending goes down, they panic about the economy is slowing), I've got to agree with the people that talk about personal responsibility.
  • everyone here will be proposing a technical solution

    but let me posit my own nontechnical solution: the processor must pay for a replacement card for every single victim

    • Re:being a site full of geeks (Score:5, Insightful)

      by gweihir ( 88907 ) on Saturday June 18, 2005 @08:03AM (#12850421)
      the processor must pay for a replacement card for every single victim

      An one more: Processors should have mandatory insurance against this event. Then the insurance company would check their security with a keen eye....
      • That's a fabulous idea, except currently they have no liability that would necessitate insurance! Fake charges are pushed back on retailers.

        Considering the credit card companies are paragons of individual responsibility and have no qualms about charging a $40 late fee for a payment 1 day late, what should their liability be for this sort of collosal screw-up?

    • Being that this is a credit card company, most likely they will do this already. Of course, they probably won't do it until the person with the number requests a new card, but all it takes is a phone call to get one.

      Since pretty much all credit card companies are under contract to research fraud on someone's card and not charge their customer for fradulent charges, it's FAR, FAR cheaper for them to send out a new card and cancel the old number than it is for them to wait and get stuck covering those frau

    • Or at least receiving a fine from each of the credit card companies that were breached - the various agreements companies sign do include fines (that could apply to either party) for various performance and compliance failures. Also, I suppose the banks could sue if they felt so inclined, which would probably end up in some sort of settlement.

      Dunno if there are potential government fines or not.

  • The card number / expiry-date system is stupid (Score:4, Insightful)

    by mukund ( 163654 ) on Saturday June 18, 2005 @07:57AM (#12850412) Homepage
    Banks and financial institutions need to start using public-key encryption to authenticate a user rather than a card number and expiry date. Many visa/master cards already come as smart cards these days and it should be easy to upgrade them to operate as a JavaCard for example. Couple this with a USB card reader issued by the bank. A website can then ask for a signed payment (to be signed in a chip inside the card) valid for a short time period and only usable once in the transaction only. You verify it by looking at the reader, or a display on the card itself and reading the name of the store you're making the payment for, and press a button on the card or on the reader to grant/deny it. In this way, no external software outside the card is involved with granting money which can be tampered with. The signature takes place in the card. No credit card numbers stored. Payment made. Everyone's happy.
    • Don't forget the super-duper-high-security last three digits on the back of the card!

      I'm sure it's no problem at all that many online vendors ask for those last three digits and then store them alongside your credit card number and expiration date. Security problem solved. Done, and done.
    • My bank over here in holland uses a similar system to authenticate it's online banking. You have your card (with a chip on it) you know your PIN (very weak password IMHO) and you get a standalon reader that you have to put your card in, punch in your pin and a 8 digit number generated by them. It generates a 6 digit code that you have to enter in the webpage.
      It has no connection to your computer, so no inpompabilities for mac/linux users and no chances of spyware/keyloggers making off with valuable password

    • Agreed. There are numerous known techniques that credit card companies could use that would prevent this type of theft and fraud.

      Corporations manage to exchange lots of data without it being routinely stolen: internal cost analysis, detailed product analysis, planned bids on oil rights, plans on how much they will pay for another company, real estate investment plans, trade secrets on how their products are built.

      The very simple solution to making businesses treat personal data as valuable is to make

    • Well, not really stupid, just outdated.

      The system you're describing is called Finread [finread.com].

      Finread is more secure than previous solutions because its smart card reader is "smart". It has a pinpad, a screen, a Hardware Security Module and a smart card reader. It is designed to work with EMV smart cards (a public-key scheme). You put your card in the reader, the screen displays the amount and the recipient, you type your secret pin on the pinpad and voila, payment's made.

      Since the reader "smart", the remote pay
  • Jeez, even the mainstream newschannels have been reporting this since at least 9am local time (6 hours ago) and creditcards are hardly even used over here.

    Seriously, news like this is important and should be spread as quickly as possible. It's a sad day when major international tech-related sites of slashdot's size take this long to report these things.
    • i look at about 5 news sites (drudge, abcnews, newsmax, cnn, foxnews).

      this was an interesting event as i saw this first about a day/day-and-a-half ago on one site. sometimes a news item will maybe hit 2 or three of these sites. one by one, this became a major news item on all five.

      this is starting to capture peoples attention.

      eric
    • That's because a lot of the times articles on these are submitted to the slashdot editors but they reject them for one reason or another (too much other news, editor doesn't think it is interesting, etc.) I know I submitted this yesterday but my submission was rejected, but now someone else resubmitted another day and it was accepted. It's just the way the system works.
      • Sometimes I think slashdot saves the jucier stories for busier times of the day/week. It's no fun to join a discussion that fissled out 4 hours ago. The news sites don't have this problem.
        • Sometimes I think slashdot saves the jucier stories for busier times of the day/week. It's no fun to join a discussion that fissled out 4 hours ago. The news sites don't have this problem.

          Timing, unfortunately, has become a major component of the news release cycle. Here's how news timing works:

          1. If a pretty white woman goes missing, (or is dying) it's instant news all the time on the U.S. cable news channels. The news channels will instantly increase the cost of advertising on a sliding scale based on

    • /. is for the discussion, if you want up to date news read the news sites. its the same with people who use slashdot for security holes in software, go read a security site.

  • Let's slashdot the economy! (Score:4, Funny)

    by Black Parrot ( 19622 ) on Saturday June 18, 2005 @08:03AM (#12850424)


    To ensure that no one places any fraudulent charges on our credit cards, let's all run out to our favorite toy stores and run up our cards to their limits.

  • From what I recall, debit card transactions don't give you the same protection as credit card transactions, even though they're both 'mastercard' or 'visa' branded and have identical looking numbers.

    • Yes, that is true from a legal point of view (AFAIK). However, most banks - in US at least - will provide the same type of protection. The downside is, in some instances, you don't get the money back until the dispute is resolved in your favor, which can take a couple of months. With a CC, you simply don't pay that portion of the bill. That is why I use my Debit/ATM card only for cash withdrawals at ATMs. I'm also seriously thinking of giving it up and getting an ATM only card.
      • Debit cards are governed by Reg E, not by Visa or Mastercard. You have low liabilities on the fraudulent debit card transactions (like any other electronic transactions) on your deposit account if you report the transactions to the bank in a timely manner!

        Credit cards are governed by the rules that Visa and Mastercard make - and have a little bit less liability resting on the cardholder.

        The big difference (and the thing that kind of sucks) is that if you have a fraudulent debit card transaction - it'

  • My Card? (Score:5, Funny)

    by valjean78 ( 92139 ) on Saturday June 18, 2005 @08:04AM (#12850429) Homepage
    Is there a form somewhere that I can enter my credit card information to check if my cc number has been comprimised? :p

    • Re:My Card? (Score:5, Funny)

      by arose ( 644256 ) on Saturday June 18, 2005 @08:10AM (#12850450)
      I'm setting one up right now... :-P
    • Is there a form somewhere that I can enter my credit card information to check if my cc number has been comprimised?

      Sure, if you post your name, card number, and expiration date to slashdot, an automatic check will be run, and the results will be displayed.

      If you receive the message "Comment Submitted. There will be a delay before the comment becomes part of the static page.", then this means you have been comprimised (sic). It's a perfectly fool-proof system, I primise.


    • > Is there a form somewhere that I can enter my credit card information to check if my cc number has been comprimised? :p

      I see that you :p'd it, but one of my first thoughts was that someone could probably set up a phishing page for "enter your card number, name, and social security number (for verification purposes only, of course), and our database will tell you whether your card number was harvested".

    • Yeah.
      They should post a huge list on their websites with all numbers that arent compromised. Just so you can be sure...
    • Is there a form somewhere that I can enter my credit card information to check if my cc number has been comprimised?

      Sure is! Just go to www.giveawaymyccnumber.com
    • Is there a form somewhere that I can enter my credit card information to check if my cc number has been comprimised?

      Yes, just click here [we0wnyu.cmo], enter your credit card number, PIN, and mother's maiden name (or other passphrase), CVI# if applicable, and they will confirm that your card has fallen into the hands of identity theives.

      Good luck.

  • This is simply the price of outsourcing. (Score:5, Interesting)

    by 0xdeaddead ( 797696 ) on Saturday June 18, 2005 @08:06AM (#12850437) Homepage Journal
    See in the banking industry we run these "penetration scans" all the time, that are TOTALY WORTHLESS. I cannot emphasize this enough, that running the weakest setup possbile will pass their "tests" with flying colours. The people doing these tests (Some certified security specialists!) Think that firewalls are magical devices that know how to stop the pesky hackers. Bottom line is that people are involved, they are out of their element, and simply placeholders. Management in general needs to get out of this "placerholder" mentality when it comes to jobs, and just fire people that are not doing their jobs.

    Ok enough ranting, but trust me, in the late 90s banks were trying to outsource as many things as possible from customer service, to invoicing, bills, credit collections, applications and so on. As you can see when the "Credit card company" becomes nothing more than a brand, and a board of execs, everything is out of their control, not to mention every peice of the old credit empire is open for attack.....

    If anything the question is why did it take so long to find them?!

    • See in the banking industry we run these "penetration scans" all the time, that are TOTALY WORTHLESS.
      What!? I thought they paid Robert Redford good money for high-end penetration testing employing exotic technical and social engineering attacks with a crack team including minorities and handicapped individuals.
  • Could someone be so kind to check if my credit card number was exposed?
    My cc number is 5122-5655-1459-0444.
    Reverse code: 444

    If it was exposed I want to cancel it so the hacker cant use it.

    Thanks. ;-)

  • Weakest link (Score:5, Interesting)

    by hellfire ( 86129 ) <deviladv@gmTOKYOail.com minus city> on Saturday June 18, 2005 @08:26AM (#12850497) Homepage
    It's not surprising someone other than MasterCard actually had a list of card numbers stolen. I have customers all the time tell me how they don't like what they feel are draconian measures to protect the credit card numbers people have in their own systems. What they fail to understand is that Visa and Mastercard require us to do this, and the protections we have are customer service.

    But they still complain, because their customers and they themselves don't ever notice. Hell at one point I was told by a demanding customer to remove the protections because he said "I'll risk it." I was tempted to show him how insecure he was by remotely accessing his system, getting his list of customer phone numbers, and telling all his customers that he was careless with credit card numbers and their numbers could have easily been stolen from his system.

    People are pretty careless about credit card security. It's usually in the name of convenience and visible customer service. Credit card security is invisible service. Being able to purchase something conveniently flies right in the face of having security which just might prevent you from selling something to someone, so some people don't care, as long as they are selling. Owners care once they find out that they'll be issued chargebacks, but individual salesreps will write down every credit card number on a piece of paper if it means making money for them personally.

    Visa and Mastercard have the right idea, and in the press release I like how they said that they gave cardsystems a "limited amount of time" to basically get their act together so this doesn't happen again. Education and enforcement of regulations... nice to see an organization, especially one that is a corporation, actually give a damn.

  • Reset the Debt (Score:2, Interesting)

    by jvmatthe ( 116058 )
    Remember how a notable movie (based on a notable novel) a few years ago had, as part of its plot, a plan to reset the credit card debt of the world? With the rate of security breaches we've seen, I have to wonder if the system won't lead to such a problem on its own, not through someone wanting to reset the debt but rather from a massive case of distributed fraud as the result of these kinds of security breaches.

    I mean, what do you do when something like 40 million transactions could be legit ... or could

  • The only way (Score:5, Insightful)

    by BCW2 ( 168187 ) on Saturday June 18, 2005 @08:35AM (#12850527) Journal
    To end this kind of thing is to make the companies handling records financialy responsible for any problems. Triple the amount in damages to each misused account. They won't do anything until it affect the P&L severely. It's the only thing big corporations understand.
    • Won't work unless there is some perimeter of "privacy defense". I think we need to change the law around to say that our personal data, including such things as credit card information, belong to us, and theft of such information is the same as any other kind of theft and should be prosecuted directly. That should also include retention of personal information after the transaction is completed. The information should be stored on *MY* hardware, and if you need to see it again, you tell me why, ask for my p
  • Unlike many of the past high profile cases this one involves a hacker rather than lost packages.

    Wouldn't that be a 'cracker' not a hacker?

  • they'll have fun trying to use it... there's zero credit left at the moment... if they like, they could always put some back on it first...
    • they'll have fun trying to use it... there's zero credit left at the moment... if they like, they could always put some back on it first...

      Actually, that's fairly common... let's say I get your card and it's got a five grand limit on it but only a grand is left...

      I can take my thousand bucks and run OR I can pay off four grand, call the credit company, and get "my" limit increased (FYI on a full payoff most companies will gladly increase your limit)... then instead of a grand I've got six grand (assuming

  • Good thing I have online banking! (Score:3, Interesting)

    by MtViewGuy ( 197597 ) on Saturday June 18, 2005 @08:51AM (#12850580)
    That way, I can closely monitor all my bank's account activity to make sure somebody isn't trying to hack into my accounts to steal my money. That was how I was able to find out somebody did an inside job identity theft of my checking account and they stomped out that fraud (and got the "perp" pretty quickly).

    However, before you do online banking, I would recommend you have both antivirus and firewall programs active and run anti-spyware programs at least once a day to keep out keystroke loggers.

    • However, before you do online banking, I would recommend you have both antivirus and firewall programs active and run anti-spyware programs at least once a day to keep out keystroke loggers.

      Or you could use an OS that's secure enough that you don't have to worry about software installed with your permission.

      Seriously, if you're too cheap to buy a Mac Mini, you can at least burn a Linux Live CD. Using that, every time you reset your computer all unauthorized software is removed, 100% guaranteed.

  • It's worth mentioning that they're hiring people with VMS and WindowsNT experience. Small wonder the malicious code got in there.
  • from Mastercard's Newsroom | Global Press Releases "Upon receiving notice from MasterCard, banks are able to take the appropriate steps to protect their cardholders from potential fraud. No highly sensitive information, such as social security numbers or dates of birth or the like, are stored on MasterCard cards. "
    No idea how Mastercard could think that account details aren't classed as highly sensitive information - perhaps this is the reason for the lax security!

  • imagine a similar disaster (Score:5, Insightful)

    by e**(i pi)-1 ( 462311 ) on Saturday June 18, 2005 @09:24AM (#12850744) Homepage Journal
    Now imagine a headline in 10 years: "120 Million biometric data stolen" It seems that the technical challenges to keep data secure has sunk [theregister.co.uk] in [theregister.co.uk] already [bbc.co.uk]. This credit card data breach could support these concerns.
  • That if a company loses personal information, then that company is libal for $1000 fine per person affected, plus any additional fees, fines, moneys to pay to correct the problem(s).
  • I was in the public sector for a while. People always would look at me for poo-pooing direct deposit. Little did they know that the bank involved had them running the data over on a weekly basis on a floppy disk. The program to generate that disk was the biggest chunk of crap I've seen in my software days (from my coding and all the 2 bit shareware I've seen) Scary stuff.

    Now I'm in a bigger corp, that not only demands that you are direct deposit, but is not trying to get you to give up the paper copy they

Slashdot Top Deals

Ummm, well, OK. The network's the network, the computer's the computer. Sorry for the confusion. -- Sun Microsystems

Close