VISA, MasterCard Warn of 'Massive' Breach At Credit Card Processor
concealment writes with news that VISA and MasterCard have been warning banks of an incident at a U.S. card processor that may have compromised as many as 10 million credit card numbers. From the article:
"Neither VISA nor MasterCard have said which U.S.-based processor was the source of the breach. But affected banks are now starting to analyze transaction data on the compromised cards, in hopes of finding a common point of purchase. Sources at two different major financial institutions said the transactions that most of the cards they analyzed seem to have in common are that they were used in parking garages in and around the New York City area."
According to the Wall Street Journal, the breached company is Global Payments Inc.
Really, no fucking article? (Score:5, Informative)
And slashdot gets increasingly pathetic. Well, if anyone cares to RTFA:
http://online.wsj.com/article/SB10001424052702303816504577313411294908868.html [wsj.com]
Not a whole lot of info from any source, Krebs seems to be the best though:
http://krebsonsecurity.com/2012/03/mastercard-visa-warn-of-processor-breach/#more-14393 [krebsonsecurity.com]
Re:No Source? (Score:5, Informative)
Krebs is all over it:
http://krebsonsecurity.com/2012/03/mastercard-visa-warn-of-processor-breach/
Sketchy source is sketchy (Score:4, Informative)
That said, a window of 21 Jan to 25 Feb...that's quite a big window...
Re:No Source? (Score:5, Informative)
One of these perhaps
https://www.networkworld.com/news/2012/033012-visa-mastercard-breach-257824.html [networkworld.com]
http://www.cnbc.com/id/46904168 [cnbc.com]
https://www.google.com/news?ned=us&q=VISA%2C%20MasterCard%20Breach&btnG=Search+News [google.com]
Credit Card Fraud generates profits for banks (Score:3, Informative)
because each time there is a chargeback, the bank will take back the money from the merchant + $25 per transaction as a penalty. They have no incentive to make the system more secure.
Re:Credit Card Fraud generates profits for banks (Score:2, Informative)
$25 is overstating it (at least in my experience) but yeah, you don't get the % back you had to pay to take the transaction in the first place, and if you get too many you get dropped by the processor or penalized with a higher % charge.
Keep in mind that the banks don't want merchants doing any kind of ID checks or anything that makes it harder to use the card (how could they have ads where the guy who pulls out his checkbook causes the whole line of people to crash into each other?)
Re:Thankfully! (Score:5, Informative)
What do you expect when the parties that can best improve security (banks, VISA, Mastercard) have made sure that merchants (who can do very little about security) carry most of the liability from security failures?
Banks, VISA, and Mastercard make tons of money from transaction fees, so they want to make transactions as easy as possible. They don't have to pay much for security breaches, so they are willing to sacrifice security for more transactions and more fees.
If a buyer goes into a store with a stolen card, there is practically nothing a merchant can do to detect the fraud and stop the buyer from walking out the door with merchandise. Who pays for the fraud? The merchant.
Until banks are on the hook for this fraud, nothing will change.
Re:No Source? (Score:3, Informative)
You aren't on the hook for the fraudulent charges.
Unless they can prove you actually made them, they have to pay for the charges.
If it's all on them, why do they need to give you a detailed breakdown?
Re:No Source? (Score:4, Informative)
From the link, Global Pay seems to be the processor, and it appears that only 26,094 VISA cards were affected. It did not mention how many MasterCard cards were affected. While that is a lot, it is nowhere near the 10 million speculated.
Re:Thankfully! (Score:3, Informative)
Never mind that the merchant can utter the words "can I see your ID?" and then, in one brilliant move, authenticate AND authorize the user of said card...
Actually, Visa prohibits merchants from asking to see your ID. Lots of stores do it anyway, but it's a breach of their Terms of Service.
Re:Thankfully! (Score:2, Informative)
Merchants are not allowed to refuse credit card purchases because of ID. For example my wife can use my credit card, even though my name is on it. Visa wants to make sure that purchasing is as easy and frictionless as possible. The amount lost to fraud is minuscule compared to the profits made.
Re:No Source? (Score:2, Informative)
So feel free to throw the baby out with the bath water, but it might be just as likely that the retailer you want to disown actually helped the credit card company identify the fraudulent transaction before it appeared on your credit card statement.
As an online merchant, I can tell you from experience that this is highly unlikely. When fraud was committed through my site, I used to proactively contact card issuers to let them know that their customer's card details had been stolen and were being used to commit fraud. Just about every one of them was dumbfounded by a merchant calling them to report fraud. There had even been a couple of cardholders that called to inquire about the transaction on their card, and every one I asked said that their card issuer had not contacted them about the fraud. It eventually became apparent that reporting the fraud to the issuers was a completely pointless waste of time.