Slashdot Mirror


Cracker Gains Access to 2.2 Million Credit Cards

Doctor Sbaitso writes "CNN reports that a hacker bypassed the security system of a company that processes credit card transactions and gained access to approximately 2.2 million Visa and MasterCard credit cards. Fortunately, none of them seem to have been used fraudulently."

500 comments

  1. It's probably a matter of time... by billstr78 · · Score: 1

    I doubt the fact that none have been used will be true for very long. I'd better check my statement tomorrow.

    1. Re:It's probably a matter of time... by Spy+Hunter · · Score: 4, Insightful

      How on earth do they know that none of 2.2 million credit cards has been used fraudulently in the last 24 hours? Seems pretty impossible to me. I'll bet some of them have for reasons completely unrelated to this hacker anyway. How can you verify something like that on such a huge scale?

      --
      main(c,r){for(r=32;r;) printf(++c>31?c=!r--,"\n":c<r?" ":~c&r?" `":" #");}
    2. Re:It's probably a matter of time... by SystematicPsycho · · Score: 1, Insightful

      The article is pretty poor, it contains no facts and verifies nothing. It attempts to convey that it is true because of the trail of denial.

      --
      Analytic & algebraic topology of locally Euclidean meterization of infinitely differentiable Riemmanian manifold
    3. Re:It's probably a matter of time... by EvanED · · Score: 2, Insightful

      My guess is that they haven't had any reports of fraudulent use.

    4. Re:It's probably a matter of time... by Ponty · · Score: 4, Informative

      From the article, it appears that Visa is saying that none of the flagged numbers have actually been used after the specified date and time.

    5. Re:It's probably a matter of time... by Anonymous Coward · · Score: 0

      Visa Techie:

      select count(*) from credit_card_transaction where fraudulent = 'Y';

      count
      -------
      0
      (1 row)

    6. Re:It's probably a matter of time... by Read+Icculus · · Score: 1

      No reports of fraudulent use?

      It might take awhile for the 2.2 million victims to check their credit card statements.

      --
      Anti-social? My code is just platform-specific.
    7. Re:It's probably a matter of time... by Anonymous Coward · · Score: 5, Funny

      Mine was stolen, but the thief's using it less than the wife did.

      ba-dum ching!

    8. Re:It's probably a matter of time... by Anonymous Coward · · Score: 0

      Umm... there's a slight difference between a cracker and a hacker. If it was the second, you shouldn't worry about it. Unfortunately most of hackers have gone to the dark side...

    9. Re:It's probably a matter of time... by scottcha+4 · · Score: 0

      Maybe the thief promised he didn't use any of them. ;-)

      --
      Sanity is overrated...Being CRAZY is much more fun!!!
    10. Re:It's probably a matter of time... by Anonymous Coward · · Score: 0

      No time at all, really. I had to go to the Bank today to have over $500.00 worth of phoney charges reversed. So, you need to check your accounts daily, if you have used them online at all. Go back to just writing checks, no online purchases, you'll get your number stolen. Need cash when the Bank's not open? Just use the minibank (ATM). Your Bank manager will want to hear that when you do find a bad charge on your account. "Hey, I just used the ATM out front!". They'll like that, and reverse your phoney charges with no hassle. They don't like to hear that you have been purchasing stuff online, and will tell you to "not do that anymore". No more EBay, No more Amazon. One way out: Use "virtual credit card numbers" from Citi Bank. I used one of these to purchase some computer parts from Amazon, and it worked just fine. They generate one for you and it's only good one time. Just don't use your debit card (visa or mastercard) from your bank when making online purchases. Now, here's the real problem. When you send your credit card company a check, someone just steals the numbers and name and address off that in their billing center. I've been paying Chevron for nearly 40 years with personal checks, and it is a possibility that someone in their billing center gets paid $$ for information off the checks they process. My number got out somehow or another, and my Bank has to pay. Whew! Send Money Orders paid for by Cash? Or just get in the car and go there and pay in Cash? Just Cash your paycheck and go from there? Bad idea there: One of my co-workers was robbed of his paycheck/cash when he stopped in a sleazy gas station to buy a pack of cigarettes.

      All this happened, I'm not making any of it up, take heed Slashdotters.

      "old age is not for sissies" - Jack Palance

  2. CC# generators. by laymil · · Score: 5, Funny

    pfft, back in my day, we could generate as many valid credit card numbers as we wanted. of course, those usually got used fraudulently....

    1. Re:CC# generators. by Chester+K · · Score: 4, Funny

      pfft, back in my day, we could generate as many valid credit card numbers as we wanted. of course, those usually got used fraudulently....

      Pfff... I could even make them by hand, before they started cracking down on correlating expiration date to card number. Ended up having a nice interesting talk with the FBI about that a couple years later, unfortunately.

      --

      NO CARRIER
    2. Re:CC# generators. by bozojoe · · Score: 1

      since loads of people don't even use AVS I'll bet you still can "swipe" bogus cc#'s ....just do a mod10 check, and somebody's bound to win the lottery

      --
      lick the cancle button (at least thats what our Chinese QA says)
    3. Re:CC# generators. by prockcore · · Score: 3, Interesting

      Pfff... I could even make them by hand, before they started cracking down on correlating expiration date to card number.

      Up until about 4 years ago, you could use the CCtest# (4111-1111-1111-1111) to use the credit card phones in LAX and a few other major airports.

  3. What? by batboy78 · · Score: 5, Funny

    Damn white boys need to stay away from them computers!!

    1. Re:What? by Anonvmous+Coward · · Score: 1

      "Damn white boys need to stay away from them computers!! "

      I was wondering what Chef was up to these days.

    2. Re:What? by neema · · Score: 2, Informative

      Article is called "Cracker Gains Access to 2.2 Million Credit Cards".

      Cracker...

      Get it?

      Eh.

  4. Crackers by harks · · Score: 3, Funny

    I don't like the use of racial slurs like that on /.

    1. Re:Crackers by Anonymous Coward · · Score: 0

      ...and you probably use other non-words as well, like "normalcy", "nucular" and "fucktard".

      You fucktard!

    2. Re:Crackers by SN74S181 · · Score: 1, Informative

      No, it's not being used for that meaning.

      A Cracker is someone who is good at defeating copy protection in games. Back in the day crackers used to NOP over the passwords, the non-standard diskette reads, etc. and give us the game in a form that we could enjoy without encumberment.

      That's what a cracker is.

      There are, of course, people trying to change the classic meaning of the word. Kind of the same as the people trying to change the meaning of the term 'hacker.'

    3. Re:Crackers by buck_wild · · Score: 1

      Kind of like those people who tried to change the meaning of the word 'carriage' to mean 'car'?

      Bastards.

      --
      If all you have is a hammer, everything looks like a nail.
    4. Re:Crackers by Anonymous Coward · · Score: 0

      No, I don't call cars carriages, do you? A carriage is a carriage last I knew. Stupid Engrish:)

    5. Re:Crackers by Anonymous Coward · · Score: 0

      I thought it was funny. And I'm a white guy. So I hope you're kidding. Everyone needs to fucking calm down.

    6. Re:Crackers by tweakt · · Score: 1
      Why was this modded up as funny? He's not being funny, he's being serious. That previous was a troll, and not appropriate or relevant in any way.

      In fact, why was the previous post modded up in the first place?

    7. Re:Crackers by kent_eh · · Score: 1

      racial slurs like what?

      --

      ---
      "I can't complain, but sometimes still do..." Joe Walsh
    8. Re:Crackers by Anonymous Coward · · Score: 0

      Actually no he was not being serious, someone needs to get a sense of humor, try a little harder next time. Or did you miss the " Funny "

    9. Re:Crackers by Anonymous Coward · · Score: 0

      f-tard? -- how cuntly indeed!

    10. Re:Crackers by Anonymous Coward · · Score: 0

      Only a bunch of crackers would sit around arguing about this shit

  5. hmmm by Fermicirrus · · Score: 1, Funny

    I bet this "hacker" at least bought some candy with those cards...maybe like a snickers or something?

    1. Re:hmmm by PetWolverine · · Score: 2, Funny

      Or maybe he bought some cheese to go with his crackers.

      --
      I found the meaning of life the other day, but I had write-only access.
  6. Slashdot Ads by absurdhero · · Score: 3, Funny

    So THAT's why $5 was paid to Slashdot without me remembering!

  7. I think not. by Latrommi · · Score: 3, Insightful

    Fortunately, none of them seem to have been used fraudulently.

    And how exactly do they know that all 2.2 million credit card #'s haven't been used fraudulently? I'm sure that there are at least a small percent of any given set of 2.2 million credit card #'s that are used fraudulently.

    1. Re:I think not. by Anonymous Coward · · Score: 2, Funny

      And how exactly do they know that all 2.2 million credit card #'s haven't been used fraudulently? I'm sure that there are at least a small percent of any given set of 2.2 million credit card #'s that are used fraudulently.


      Perhaps the cracker was an angel and made sure all these accounts were blessed against fraud.

    2. Re:I think not. by tq_at_sju · · Score: 1

      yeah but the whole reason you have a credit card is because of fraud. If someone uses my credit card fraudulently, then i cancel the card and the charges, whereas if someone steals $200 from me then i'm screwed. It's not a big deal....

      --
      http://www.vanillaafro.com - take me seriously and I will shoot you
    3. Re:I think not. by brianvan · · Score: 2, Insightful

      No, the whole reason you have a credit card is to spend money you don't have with you at the time.

      Whether that money is going to be there when the bill arrives or not is the rub. The credit card companies love that part. The whole point for them is to trick you into spending money you won't have for a long time... hence generating billions of dollars in interest and fees from stupid consumers (like me).

    4. Re:I think not. by mosch · · Score: 2, Insightful
      actually, they'd prefer if you pay your bill. they get approximately a 2% cut of everything you spend, so if you charge $2k a month, they're making $40/mo off of you right there.

      They'd much rather have that, than the risk that you'll NEVER give back the money. Especially since the only thing they can really do if you don't pay is ask again and again if you'll please pay.

    5. Re:I think not. by Ryan+Amos · · Score: 2, Insightful

      No, they very much like it when people don't pay everything on time. 20% is much better than that 2%, which they get anyway. If you charge $2k then don't pay it back for a year, they get ~$400 (depending on your APR, most are around 15-20%.) Plus they still get the $40, and they get their money back (most people EVENTUALLY pay off their credit cards.) Most people ride a balance on their credit cards, which is where they make the REAL money. The credit card companies (among other financial institutions) have been lobbying really hard to make bankruptcy a LOT harder to get, so that they get all their money back.

    6. Re:I think not. by Anonymous Coward · · Score: 0

      good for you for wising up, but there are other reasons to use credit cards and fraud protection is one of them. Assume you want to buy stuff online. You could use a debit card, but that would lack the kind of protection you get with a credit card, and it would probably have a low daily limit on it. Money orders, checks? You'd really have to trust the recipient. Credit cards can be very helpful-- as long as you don't end up paying any interest or fees--and in emergency situations having some credit cards to fall back on might be worth paying finance charges.

    7. Re:I think not. by Zathrus · · Score: 3, Interesting

      Uh... no. People who pay their bill in full monthly (hi, I'm one) are known in the industry as "deadbeats". That small percentage they take generally just offsets their costs for providing the money and services. There's some profit involved, but not much. Most of the money goes toward covering advertising costs and bad debt (see below).

      On the other hand, they really love people who never pay in full, but still make regular payments. A bit more than the minimum payment is best, since while they bleed you for more with minimum payment, it also increases risk. But 10-20% interest is better than 2% any day of the week, especially since it's compounding interest. Gotta love paying interest on unpaid interest. At least if you're the lender that is.

      I used to work for a company that contracted with a sub-prime credit card company - they really wanted the accounts that garnered interest (the average interest on the cards was 28% - and yes, there were entire states they didn't market to because that interest rate is illegal in those states). The entire business model was trying to identify more consumers that had poor enough credit to need a card like this (did I mention the average $50 annual fee? Or the card with a $300 credit limit that had $250 in fees put on it when you signed up?) but wouldn't go delinquent -- which was a problem. The average prime lender has to write off 15%... which is why about a year ago they slashed their IT budget and my company laid off 60% of their staff. Last I heard they were going into debt collector status - buying up bad debt from other credit card companies to turn around and sell it to debt collection agencies. They're still in business last I checked, but barely.

      Oh well... better job now anyway.

    8. Re:I think not. by mosch · · Score: 1
      I'm also one of those people who pays their bills in full every month. If I'm a "deadbeat", then why does it seem that every single credit card company on the planet is fighting to get my business? Why do I never get turned down on credit applications? I mean... if your theory was true, wouldn't I have a harder time getting a line of credit than the guy who pays $800 in minimum payments every month? Wouldn't I have a lower credit rating?

      Yes, there are companies that like dealing with the dregs of the earth, but there are a lot more companies that prefer a reliable profit to the huge likelihood of default which occurs with people who don't pay their bills each month.

    9. Re:I think not. by Zathrus · · Score: 1

      why does it seem that every single credit card company on the planet is fighting to get my business

      Because your credit rating is (most likely) excellent. I did filtering on credit bureau data, and nearly all of it is done based on scores (and, no, FICO isn't the only one - there's a half dozen or so standard scores and companies can request the bureaus to build custom scores as well - for a price).

      Wouldn't I have a lower credit rating?

      No. Have you ever looked at a credit report? It doesn't say how much you've paid for the past N payments (for N>1... very often the last payment amount is reported), it merely says how often you've paid on time, how often you've been late in 30, 45, 60, etc. periods. Which is a pretty good indicator of whether or not you're going to become bad debt or keep paying.

      One of the other key bits used in scoring is debt load... if you have a single credit card with a $5000 limit and regularly keep it at $3000 in charges (even if you pay it off monthly), then it's viewed as being worse than having 10 credit cards with a $50,000 total limit and $20,000 in charges - because your debt load is over 50% of your credit available. (Ok, this particular example is a bit extreme, but a debt load of over 50% is viewed as very bad). Yes, it's silly, but not having enough credit can actually hurt your score more than having too much credit. The last thing a creditor wants to do is extend credit to someone who's already over their head -- and a lot of people don't apply for additional credit cards until their old ones are nearly at the limit already.

      The prime lenders (which is most of the cards, with interest rates under 20% and often under 10%) do like having more stable clients. They have much tighter criteria for pre-approval (the company I worked for looked for FICO scores in the 500s and low 600s -- a prime lender won't touch anyone below 650 (score tops out at 800)). But they still like having interest, because the slim transaction fees simply don't cover the costs.

      Pre-approval solicitations are pretty meaningless. Companies apply the shotgun effect - get a data pull from one of the three bureaus, do their scrubs, and submit them for solicitation. Getting a pre-approval letter doesn't even mean you can actually get the card.

      Here's a question - how often does your credit card company raise your limit? Personally, I think I've only ever had one or two increases without requesting them. I have friends that run high balances though, and they get them regularly... whenever they appear to be approaching the limit, it would get increased. Why? Because the credit issuer would much rather you run a high balance (and pay the interest) with them than open a credit line with another company. There's always a stop point, but it's soft, not hard. If you start missing payments, it gets real hard, real fast.

    10. Re:I think not. by arkanes · · Score: 1

      Statistically, the more credit they give you, the more likely you are to use it. You can look at it as the company rewarding you with more credit for being responsible with what you have, or you can look at it as an attempt to sucker you into spending more now that you have a larger limit. It depends on how cynical you are. The actual answer is probably both, depending on which executive you talk to.

    11. Re:I think not. by Creepy · · Score: 2, Interesting

      I'm a deadbeat, then (guess I need to start saying dude...).

      I agree with you on the credit limit thing - my wife had almost $33000 in debt, most on a single card (a Discover card) when I met her, and she only earned $32000/yr at that time. She was making minimal payments (yet nearly equal to my house payment) monthly and paying off very little principal.

      I was just the opposite - I've only paid one interest payment ever, and that because mail took nearly two weeks to get to the CC company because of the Halloween blizzard of 1992 (and no, they didn't let it slide because of the weather - even though I bitched about it). I got my first and only increase ever about 4 months after that - from $3000 to $4250. My brother, with the exact same card and usually a standing balance, has the maximum $50000 limit. My credit rating is outstanding (when I applied for my home equity loan, the lady said she'd never seen one that high), so they sure aren't basing it on that.

    12. Re:I think not. by mosch · · Score: 1
      As a matter of fact, I have looked at my credit report, and while it doesn't show whether or not you've paid in full, some of them do show things like 'current balance' and 'highest balance'. While it doesn't indicate that I always pay in full, the fact that I have a number of revolving charge accounts, all indicating $0 current balances and non-zero highest balances seems like a fairly strong indicator that I'm a person who pays his bills in full each month.

      As for credit card limit raises, it's a bit hard to say. I carry two American Express cards, and while AMEX doesn't tell you what your limit is, neither of them has ever denied, despite some extremely large purchases. The closest to a problem they've ever given me was them sending me a new card because of suspected fraud which actually consisted of the expenses associated with unplanned travel.

      My VISA just had its limit increased without my asking last week (which actually annoyed me, since they cancelled my old card to upgrade me from gold to platinum, something I didn't give a fuck about), and it's tended to get an increase about once a year, same as my MasterCard.

      As far as other credit goes, my car is financed at a whopping 0.0%, so there's not even a potential for interest profit unless I fail to pay them, which seems unlikely given the fact that I didn't finance that much money.

      This influx of credit, combined with the fact that as of December 2002 I had an 810 FICO score, tells me that credit card companies are perfectly happy scraping 2% of a couple grand a month, and likely prefer it to chasing around people who will likely default on their accounts if they lose their job, or have large unexpected expenses.

    13. Re:I think not. by tq_at_sju · · Score: 1

      yeah i agree, you have it for that reason too, but i definitely have a credit card also because of fraud and so that i can dispute a charge non-fraudulently too. I.e. if a store sells me a defective product and refuses to refund my money i can do a chargeback too, whereas with money i would have to go to court without the ease of a chargeback.

      --
      http://www.vanillaafro.com - take me seriously and I will shoot you
  8. Kewl by Anonymous Coward · · Score: 3, Funny

    damn kevin mitnick!

    1. Re:Kewl by Anonymous Coward · · Score: 0

      No -- you're done.

      How do I know that YOU didn't steal the numbers ... Mr. Coward!

      Oh. Wait, I am him too.

    2. Re:Kewl by Kevin+Mitnick · · Score: 0

      Sorry!

  9. Clearly by Doctor+Sbaitso · · Score: 4, Funny

    This is a great security threat for our nation! Just think of all the plastic explosives terrorists could create with 2.2 million credit cards!

    --

    ---
    Hello, Slashdot user. My name is Dr. Sbaitso. I am here to help you.
    1. Re:Clearly by TopShelf · · Score: 3, Funny

      Either that, or they plan on cornering the duck tape & plastic sheeting market...

      --
      Stop by my site where I write about ERP systems & more
    2. Re:Clearly by blurfus · · Score: 1
      Omg, clearly the terrorists have won!!!! =o)

      Excuse me, I must run off to chop off my cards....

      --
      will work for Karma
    3. Re:Clearly by Anonymous Coward · · Score: 0

      DUCT TAPE goddamit! Unless you're actually talking about the crappy brand of duct tape called "duck tape".

    4. Re:Clearly by uptownguy · · Score: 3, Interesting

      Just think of all the plastic explosives terrorists could create with 2.2 million credit cards!

      I know I'm going to be modded as a troll for this, but...

      So we know that some terrorists were devoted enough to the cause of causing chaos that they actually enrolled themselves in flight school to learn how to do what they did. Is it that much of a stretch to think that they aren't aware that it is possible to steal credit cards numbers off the Internet? And do you think that by devoting the same amount of time to googling and reading some paint-by-numbers script kiddie how-to-steal-credit-cards blog someone dedicated to doing "very bad things" couldn't find a way to pull something like this off?

      I'm not sure why everyone chose to mod the parent post as Funny. I find the prospect of Very Angry People stealing millions of credit cards quite frightening, myself...

      --


      I would have to say that explosives are the most abused technology in all of history.
    5. Re:Clearly by Master+Bait · · Score: 1

      Is this what a Good Citizen thinks about these days?

      --
      "Only in their dreams can men truly be free 'twas always thus, and always thus will be."
      --Tom Schulman
    6. Re:Clearly by uptownguy · · Score: 1

      Actually, yes, I'd hope so. Or is it out of vogue and too cool to admit things are bad and think about ways to head off real problems while still keeping your head and not buying into the hysteria?

      --


      I would have to say that explosives are the most abused technology in all of history.
    7. Re:Clearly by Anonymous Coward · · Score: 0

      OMG TERRORIST!! AHH EVERYBODY RUN!!! BE AFRAID!! (very afraid) fear for your lives they have your credit cards it's only a matter of time before they....

    8. Re:Clearly by skillet-thief · · Score: 1
      This is a great security threat for our nation! Just think of all the plastic explosives terrorists could create with 2.2 million credit cards!
      Especially when you think that credit cards themselves are plastic!

      But seriously, I believe those Al-Quaida boys do often participate in CC fraud. Don't know if it's over the net or not tho.

      --

      Congratulations! Now we are the Evil Empire

  10. Yet.... by Neck_of_the_Woods · · Score: 4, Interesting


    2.2 million...it will be interesting to see what happens when whoever did this starts to sell them in bulk. Who is going to be responsible? The Credit Card companies or the site that got hosed?

    Should prove interesting as these numbers start getting used. 2.2 is a little large of a block to just re-issue.

    --
    Neck_of_the_Woods
    #/usr/local/surf/glassy/overhead
    1. Re:Yet.... by Huusker · · Score: 2, Insightful
      Who is going to be responsible? The Credit Card companies or the site that got hosed?

      It will be the merchant who gets hosed. Those 5 million cards will be used to stiff merchants across the world. And when it comes to credit card fraud the merchant always gets the short stick.

      To add insult to injury, if a merchant gets a chargeback rate of more than 1%, Visa/MC has the right to start charging the merchant up to $10000/mo for 'research fees', that is if they don't drop the merchant entirely (and thereby put them out of business -- a not uncommon event for smaller businesses).

    2. Re:Yet.... by IvyMike · · Score: 4, Interesting

      2.2 million...it will be interesting to see what happens when whoever did this starts to sell them in bulk. Who is going to be responsible? The Credit Card companies or the site that got hosed?

      My credit card has been re-issued twice due to it being stolen en masse from a web site. The first time it was stolen from CD Universe and the second time it was, ahem, another company. In both cases, it was just an incredible pain in the ass to me.

      In the first incident, I was in Best Buy, and my card was denied because it was marked as stolen, which is a good thing, except when the people are all looking at you like you're the thief. The second incident, I had ordered gifts from a bunch of sites when I was told my card was being rejected, and I had to call each site and get them to use a different card. Not the easiest thing in the world to do for some sites.

      In any case, in both incidents, hundreds of thousands of numbers were stolen, and both victims just told the issuing companies, and most issuing companies cancelled the numbers. I suspect even though this is 10x as many cards, they'll still do the same thing. The potential liability is too great to do otherwise.

      On the other hand, this might be enough to get the companies thinking about coming up with a better, less theft-prone system.

    3. Re:Yet.... by Pastis · · Score: 1
      If we were living in a normal society I would guess the person who cracked the site would be held responsible ?!
      Sean Connery said in Rising Sun something along the lines:
      "in Occident we spend our time trying to find someone to hold responsible for the problem. In Japan, they find the cause of the problem and fix it."
    4. Re:Yet.... by Ryan+Amos · · Score: 2, Interesting

      Interesting little fact.. 2.2 million cards is .33% of outstanding cards in the US. Yes, you read that right.. one third of one percent. In the grand scheme of things, that's really not THAT many cards. I would assume that the credit card industry is a multi-trillion dollar a year business. They can afford it.

    5. Re:Yet.... by Neck_of_the_Woods · · Score: 1


      Wish I had mod points for that post. I see one problem with this, which is the person responsible for it will no doubt have anywhere near the money to pay for this if busted. That leaves someone somewhere on the hook for it. Alas, I agree that it never crossed my mind, but I think that was because I never figured that the thief would have enough to cover it.

      --
      Neck_of_the_Woods
      #/usr/local/surf/glassy/overhead
    6. Re:Yet.... by TClevenger · · Score: 1
      It will be the merchant who gets hosed.

      If the merchant doesn't bother to check ID, it's their own fault. Run the card, get the receipt, check for the buyer's name on the receipt, and ASK FOR ID to verify. Then COMPARE SIGNATURES.

      Online business? If you're not verifying CVV, you're asking for it.

    7. Re:Yet.... by ivan256 · · Score: 1

      Interesting little fact.. 2.2 million cards is .33% of outstanding cards in the US. Yes, you read that right.. one third of one percent.

      I don't know why you find that so surprising. In a country with 300 million people you'd expect there to be a significantly larger number of existing credit card numbers out there than 2.2 million. Especially considering that they're used on things like gift cards issued by Novus and on check cards.

    8. Re:Yet.... by Cruciform · · Score: 1

      I used the best anti-fraud option available to credit card users out there. I just kept the damn thing maxed out. If someone stole the number they'd just have to make a payment on it first. :) Of course the second they'd do such a silly thing I'd change my billing address to someplace else where I could still be reached and close the account. :) Not that a thief would actually pay into a card.

      The address change is handy though, if you're closing off a card and don't want any charges to follow you. Normally, if you get a new card and close off the old one the credit card company can forward new charges to the old card to your new card. It sucks, but I found out when trying to cancel a card in order to stop Sympatico for repeat fraudulent billings. As long as they provided valid information about the account, Visa said that it was considered to be pre-authorized payments. So I tested another monthly payment by changing my billing address and postal code, and lo and behold, next month that transaction didn't go through because the site info no longer matched Visa's information on me in the database. (Note, if you're going to test this with a company that legitimately bills you, do it with a company that gives you a grace period to fix your billing info or it could reflect badly on you)

  11. in the news tomorrow? by Anonymous Coward · · Score: 5, Funny

    I guess tomorrow all the online pr0n stores will be sold out of everything!

    1. Re:in the news tomorrow? by Anonymous Coward · · Score: 0

      My card was used fraudulently to purchase concert tickets that could then be sold at the door for cash. Check your account daily at your Bank's online or dial-in site to see what's being stolen, and report anything out of the ordinary to your bank manager the next morning. If you have an out-of-state credit card, check your account on their web site often, and follow that up also.

      -------------

      Don't think it won't happen to you.

  12. Thus Far by rela · · Score: 4, Funny

    You mean 'none of them seem to have been used fraudulently YET'

    1. Re:Thus Far by $$$$$exyGal · · Score: 1
      Both card companies have zero-liability policies, which protect cardholders from being held responsible for unauthorized or fraudulent charges.

      With that in mind, both Mastercard and Visa are going to do everything in their power to make sure there are no fraudulent charges made. At this point, I doubt if there'll be any fraudulent charges made. It would have been more likely that a ton of charges would have been made immediately after the numbers were stolen.

      --naked

      --
      Very popular slashdot journal for adul
    2. Re:Thus Far by rela · · Score: 2, Insightful
      With that in mind, both Mastercard and Visa are going to do everything in their power to make sure there are no fraudulent charges made. At this point, I doubt if there'll be any fraudulent charges made. It would have been more likely that a ton of charges would have been made immediately after the numbers were stolen.

      Oh, yes. It doesn't look good for them, and it looks REALLY bad for the issuing banks, if nothing is done about it. But I still think that at least some people are going to be filing disputes on bad charges because of this.

    3. Re:Thus Far by civilizedINTENSITY · · Score: 1

      Quick!
      1) MC and Visa a cluster of P4s UPS-ed to a rented store address.
      2) Deny all knowledge.
      3) Buy portable gas generator to run cluster in basement.

      "Yes, I really can imagine a beowulf cluster of these things!"

    4. Re:Thus Far by Surak · · Score: 1

      It would have been more likely that a ton of charges would have been made immediately after the numbers were stolen.

      And that probably *has* been done. It's not all that easy to verify that some cards out of 2.2 million weren't used fraudulently. I mean, hey, if *I* grabbed 2.2 million cards, I'd use a couple *really* fast before anyone found out. :-P

      *Stop* looking at me like that! :-P

    5. Re:Thus Far by Anonymous Coward · · Score: 0

      To be honest, I doubt that either would acknowledge that any was used. I am sure that they will do so with the FBI, but to the public? I doubt it. I have noticed that for the last year, the cracked boxes notifications are going away.
      I would love to know what the system was. I doubt that companies that run netscape on their main site would use IIS. So the real news is, most likely, that a non-MS box was broken into. The last Sun box broken into was either Saddam's (no updates) this year or Playboy's (bad admining) from 2 years ago.

  13. oops, missed the credibility express by nomadic · · Score: 4, Insightful

    Fortunately, none of them seem to have been used fraudulently

    Uh, yeah, because it's so easy to verify that two MILLION credit card numbers haven't been used fraudulently.

    I mean, come on, just through coincidence I'm sure some of the physical cards themselves have been stolen recently and used fraudulently.

    1. Re:oops, missed the credibility express by T-Ranger · · Score: 4, Informative
      CC companies are constantly scanning their databases for "weird" purchases. Like buying gas in NYC at the same time as buying a DVD player in SF. Companies will respond by terminating the card, or trying to phone the (rightful) owner.
      I'm sure they have pretty good metrics on what normal background fraud is. I doubt the statement means that each and every account has been hand checked, but just that that block of accounts doesn't have an abnormal rate of fraud.

      As others have pointed out it doesn't really matter for card holders, but it's like any theft from a big company. (shoplifting, insurance fraud, etc) Eventually it trickles down to the consumer...

    2. Re:oops, missed the credibility express by C0LDFusion · · Score: 2, Interesting

      CC companies are constantly scanning their databases for "weird" purchases. Like buying gas in NYC at the same time as buying a DVD player in SF.

      My dad and stepmom have a shared CC#. Last month, my dad went to San Diego on business, and she stayed home. If she went to Giant at the same time he was getting his rental car gassed up, that'd suck if they termed the card.

      --
      Only in slashdot are posts of solidarity modded at -1 Redundant, while posts of antagonism are modded as -1 Flamebait.
    3. Re:oops, missed the credibility express by MrDelSarto · · Score: 1

      Yeah, but even if you have a shared account the numbers on the cards are different, so you can see who is spending what. At least that's the way it is with my Amex card that is shared with my g/f.

    4. Re:oops, missed the credibility express by mosch · · Score: 2, Interesting

      Well, I'm betting that they checked to see if those 2.2 million cards had a statistically differing fraud rate, or statistically irregular purchasing patterns (an unusual percentage had bought some porn or something). Not a perfect system, but it'll give you an idea if somebody is trying to get $50 out of every card.

    5. Re:oops, missed the credibility express by JWSmythe · · Score: 5, Interesting

      Wells Fargo Bank cancelled my debit/Visa card with no notice.. Why? Because I purchased groceries in Los Angeles, and then there was a $300 purchase in the mid west for a plane ticket a few hours later.

      Unfortunately, the $300 ticket was to get my 13 year old step-daughter on a plane to see her dad. We didn't know til we got to the airport and Delta told us my card was stolen..

      I pulled out my card, and my ID, and showed it to them.. Didn't matter.. I called the bank. They had no record of who did it, only that it was reported as stolen.

      Took me 8 hours on the phones with the bank, airline, and every vendor I had bought from in the surrounding days to find out what happened.

      When the airline called to verify the card, the bank took the fact that I was buying a ticket for her to be fraud, and cancelled my card immediately.

      I went to the bank to get it fixed. They said they tried to contact me. They had my correct number on file (my cell), but said it was disconnected. I had them call my cell from their desk. Amazingly enough, it rang, and I answered.

      I've had banks call me before to verify transactions. I have no problem with that. But, lying about it pisses me off.

      I wonder how badly they'd handle me on a road trip. I drive from Florida to California and back on a semi-regular basis.. It takes me three days, with very little sleep. That would probably get the card cancelled too.. I'd hate to be stuck in Kent Texas with no gas and a cancelled credit card, because they thought I had traveled too far.

      I had a whole stack of returned items, and a whole lot of merchants to apologize to for the bank's error. I never received an apology from the bank.

      A month later (a week before xmas), they accidentally closed my bank account. I didn't find out til the ATM took my new card.. Their system said there was fraudulent activity. Another bank error. They put all my funds on hold til Jan 6. Good thing I have friends who would loan me money over Christmas. It really sucks to ask your friends to buy everything.. But, they all got paid back after I got my money back.

      Every bill check I had sent out previous got bounced. Wells Fargo *ALSO* charged me $25 per check for NSF, even though the funds were in the account, but were erroneously put on fraud hold by them.

      You wouldn't believe how pissed I was when I got to the bank. I was polite at first.. They continued to tell me how they were keeping my money.. So, I got louder.. They threatened to call the cops. I told them to. I *WANTED* a cop to hear them saying that they made a mistake and took my money, and wouldn't give it to me.

      The bank security were the only nice people working there. One of the guards told me how they screwed him over too, so he was completely sympathetic. He was just standing around to make sure I didn't get physically violent. No problem there, I don't get physically violent, he doesn't have to do anything but stand there. :)

      Warning! Never Use Wells Fargo Bank!

      I finally got the second set of NSF fees dropped after a few hours of screaming.. Hopefully the customers who overheard the incident had second thoughts of keeping their account at Wells Fargo.

      [Rant Mode Off]

      I'm now using a nice small bank, that doesn't have the same problems. I told them all about it when I opened my new account. They had heard similar stories before about them. I'm on a first name basis with the new bank, and they love me.

      --
      Serious? Seriousness is well above my pay grade.
    6. Re:oops, missed the credibility express by smoondog · · Score: 1

      Actually, I bet it is quite easy. Due to the good statistical data (2e6 data points), I bet that fraudulent use sticks out like a sore thumb. Asking "is this specific credit card being used illegally?" is probably harder than asking if there is a trend of fraudulent use in a group of many cards.

      -Sean
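Added example, not part of any comment in this thread: the two checks that T-Ranger, mosch and smoondog describe above, a fraud-rate comparison of the exposed block of cards against background fraud and a geographic velocity check, sketched in Python. The baseline rate, thresholds, field names and transactions are constructed assumptions, not any card network's real values.

```python
import math
from collections import defaultdict
from datetime import datetime

def poisson_upper_tail(k, lam):
    """P(X >= k) for X ~ Poisson(lam), summing the tail directly in log space."""
    if k <= 0:
        return 1.0
    total, i = 0.0, k
    while True:
        term = math.exp(-lam + i * math.log(lam) - math.lgamma(i + 1))
        total += term
        # Past the mode the terms only shrink; stop once they no longer matter.
        if i > lam and term <= total * 1e-16:
            break
        i += 1
    return min(total, 1.0)

def cohort_fraud_check(cards, fraud_reports, baseline_rate, alpha=0.001):
    """Is the fraud count in an exposed block of cards above background?

    baseline_rate is the assumed per-card probability of a fraud report in the
    observation window. With millions of cards and a tiny rate, the count is
    close to Poisson(cards * baseline_rate).
    """
    expected = cards * baseline_rate
    p_value = poisson_upper_tail(fraud_reports, expected)
    return {"expected": expected, "p_value": p_value, "abnormal": p_value < alpha}

def km_between(a, b):
    """Great-circle distance in km between two (lat, lon) points (haversine)."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def impossible_travel(txns, max_kmh=900.0, min_km=50.0):
    """Flag consecutive card-present uses of one card that imply absurd speed.

    Card-not-present purchases (phone, web) are skipped: the merchant's
    location says nothing about where the cardholder is.
    """
    by_card = defaultdict(list)
    for t in txns:
        if t["card_present"]:
            by_card[t["card"]].append(t)
    hits = []
    for card_txns in by_card.values():
        card_txns.sort(key=lambda t: t["time"])
        for prev, cur in zip(card_txns, card_txns[1:]):
            km = km_between(prev["where"], cur["where"])
            hours = (cur["time"] - prev["time"]).total_seconds() / 3600
            if km > min_km and (hours == 0 or km / hours > max_kmh):
                hits.append((prev["id"], cur["id"]))
    return hits

# Constructed sample transactions (coordinates are approximate city centres).
NYC, SF = (40.7128, -74.0060), (37.7749, -122.4194)
LA, CHICAGO = (34.05, -118.24), (41.88, -87.63)
JACKSONVILLE, KENT_TX = (30.33, -81.66), (31.07, -104.22)
SAMPLE_TXNS = [
    {"id": "t1", "card": "A", "where": NYC, "card_present": True,
     "time": datetime(2003, 1, 6, 12, 0)},          # gas in NYC
    {"id": "t2", "card": "A", "where": SF, "card_present": True,
     "time": datetime(2003, 1, 6, 12, 30)},         # DVD player in SF
    {"id": "t3", "card": "B", "where": LA, "card_present": True,
     "time": datetime(2003, 1, 6, 10, 0)},          # groceries
    {"id": "t4", "card": "B", "where": CHICAGO, "card_present": False,
     "time": datetime(2003, 1, 6, 13, 0)},          # ticket bought remotely
    {"id": "t5", "card": "C", "where": JACKSONVILLE, "card_present": True,
     "time": datetime(2003, 1, 6, 8, 0)},           # road trip, day 1
    {"id": "t6", "card": "C", "where": KENT_TX, "card_present": True,
     "time": datetime(2003, 1, 7, 8, 0)},           # road trip, day 2
]

if __name__ == "__main__":
    # Assumed background: 1 fraud report per 10,000 cards in the window.
    print(cohort_fraud_check(2_200_000, 220, 1e-4))
    print(cohort_fraud_check(2_200_000, 300, 1e-4))
    print(impossible_travel(SAMPLE_TXNS))
```

The cohort test answers the group-level question only; it cannot say that any one card is clean, and a low volume of abuse spread thinly stays inside the background noise.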

    7. Re:oops, missed the credibility express by Gyorg_Lavode · · Score: 1

      A little insight into credit card monitoring: As a college student, at the beginning of every semester, roughly 1,000 at least in transactions moves across my card in the span of 1, maybe 2 days. I can consistently rely on my credit card company to send me a letter asking them to call and verify the charges about 4 days later. The hundred/thousand dollar transactions probably represent a huge rate in spending increase outside of the normal distribution of my spending fluctuations which is probably what triggers the warning in my case.

      --
      I do security
    8. Re:oops, missed the credibility express by Anonymous Coward · · Score: 0

      What kind of moron are you or do you just enjoy getting screwed by banks? Get out a yellow pages and look under "banks" and find a new one. I recommend one that has the name "bank and trust" after its name and limits most of its activities to one county. It's a plus if its owners live in the same town as you.

    9. Re:oops, missed the credibility express by SethJohnson · · Score: 1


      Duly noted. I will not bank with Wells Fargo.

      Sounds like a lot of slacking off was going on within the company. Lying about trying to call you to verify the charges and saying your phone is disconnected is reprehensible. I hope you wrote a letter to the bank to draw their attention to the problem and the effect it had (your account moved to a competitor). Letters like that can get people fired, believe you me.
    10. Re:oops, missed the credibility express by modecx · · Score: 1

      A CC company has denied my purchase of gas whilst doing something as innocuous as traversing Wyoming. I had to dial the 1-800 number, and they set everything straight.

      It was the first time I realized they watch stuff so closely.

      --
      Constitutional rights may be respected, repealed, or modified; but they must never be ignored.
    11. Re:oops, missed the credibility express by Ian+Bicking · · Score: 1
      I had problems with Wells Fargo ATM/Visa cards as well, several years ago, not long after they acquired my bank. It took me a while to figure it out, but my parents' ATM card was sometimes withdrawing from my account. Different ATM card numbers and unassociated accounts, though my mother did happen to be listed on both accounts. It was while I was in college, so it was easy enough to spot what charges were from whom.

      While it's a different error, it's a sign that their systems must be really fucked up. It's just not the sort of thing that should happen.

    12. Re:oops, missed the credibility express by JWSmythe · · Score: 1

      Already did it.. The first time, I accepted banks can have errors.. The second time, I took it personally..

      I wasn't very far from the choices of lawsuit or showing up with gun in hand.. I'm all about using force to get my way. If I have to set a gun on someone's desk to get what's mine, it may be done. :)

      --
      Serious? Seriousness is well above my pay grade.
    13. Re:oops, missed the credibility express by Anonymous Coward · · Score: 0

      Don't get me started - Wells Fargo Bank is EVIL EVIL EVIL EVIL!!!!!

    14. Re:oops, missed the credibility express by nachoboy · · Score: 2, Interesting

      This makes me think that this wasn't just a simple human error by a $6/hr data entry clerk but in fact a serious flaw in some programming logic somewhere. Same thing happened to me in reverse. I got a new ATM card in the mail, started withdrawing money within a few days. I was using online banking so I realized by the end of the week that none of the money was coming out of my account. Called them up but they wouldn't tell me whose account my card was linked to for security reasons (despite sending the card and PIN to my address...can you spot which one is the real security risk?). In talking to the family, found out it was actually coming out of my (teenage) brother's account. They eventually straightened everything out by crediting his account but it wasn't easy. Could see a bad SQL statement causing something like this but not being detectable because it only happens within families...? The moral is find another bank.

    15. Re:oops, missed the credibility express by Mikey-San · · Score: 1

      This happened to me last year.

      Four weeks go by with me purchasing $10 or $20 on my card in total.

      Suddenly, a big-ass purchase for a digital camera and some CF memory.

      My card stopped working right after that. My bank had been paying attention to my spending habits, and saw an anomaly, so they suspended the card.

      While I was happy that they were looking out for me--and themselves, since CC fraud hurts them, too--it still bothers me that someone (or something, if it was a computer program watching along at home) was tracking my spending habits.

      Ups and downs, I suppose.

      -/-
      Mikey-San

      --
      Mikey-San
      Karma: +Eleventy billion (mostly affected by watching Celebrity Jeopardy)
    16. Re:oops, missed the credibility express by Nexx · · Score: 1

      I wonder if my .jp-issued Visa will do the same. *months* go by with me putting all of $30 on the card, total. I recently bought a suit and an overcoat. I'm now curious :)

    17. Re:oops, missed the credibility express by mirko · · Score: 1

      CC companies are constantly scanning their databases for "weird" purchases. Like buying gas in NYC at the same time as buying a DVD player in SF. Companies will respond by terminating the card, or trying to phone the (rightful) owner.
      What about online purchases?
      If they manage to find something odd in a bunch of online payments, then they are obviously abusing your privacy by profiling your consumption...

      --
      Trolling using another account since 2005.
    18. Re:oops, missed the credibility express by uptownguy · · Score: 2, Interesting

      This happened to me about a month back... not with a bank but with Netflix...

      Mod me offtopic if you want, but there is something WEIRD about it. My brother and I have totally different addresses, we haven't lived together in over 12 years now -- and that was back in WI -- and now we even live in different states. I've never had an account at Netflix, never even been on their mailing list ...and for some reason, they mailed a DVD with HIS name and account number to MY address and zip code.

      Weird.

      The only thing we have in common is our SSN being almost identical... but seeing as how I shouldn't even have been in the Netflix DB in the first place, THAT couldn't be it...

      Hmmmmm..........

      --


      I would have to say that explosives are the most abused technology in all of history.
    19. Re:oops, missed the credibility express by evilviper · · Score: 3, Interesting

      This is a very interesting story. I would recommend sticking it on a website, so that search engines will index it, and people looking up info on Wells Fargo will find it.

      Personally, when I was looking around for a bank, I checked out Wells Fargo. There were three warning signs that prevented me from using them:

      1) To enter or exit you have to go through double-doors. Presumably, this should trigger an alarm if someone has a gun, and possibly lock them in. The doors didn't work well normally, and customers had a difficult time going in and out. I asked if the glass on the doors and windows was bullet-proof... When the answer was "no", I realized their double-doors were no security at all, and merely to lull customers into a false sense of security, and possibly deter moronic bank robbers.

      2) I overheard a discussion, that one of the employees had refinanced a customer's home loan, but had simply not used the computer properly and signed the contract with the wrong percentage. The contract was signed, but the customer was going to get an unpleasant surprise quite soon.

      3) When I walked in, I glanced at a computer screen and saw the Windows NT sign-on screen... Nuff said.

      I must say, for one single ~10 minute visit, that was more than enough to have me out of there as quickly as possible.

      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    20. Re:oops, missed the credibility express by sct · · Score: 1

      Ironically, I just got a call from Discover on Sunday. It seems someone tried to use my number at an on-line store. They thought it was odd for two reasons. One, the expiration date was wrong, and second, it has been about 2 years since I have made *any* purchases with that card. They canceled the current number and are sending me a new one this week. Now I am glad I kept my phone number up to date with them when I moved... I should just cancel the darn thing.

    21. Re:oops, missed the credibility express by Anonymous Coward · · Score: 0

      Not always. Every shared account I've had has used the same numbers. What's important and different, is the name on the card.

    22. Re:oops, missed the credibility express by Anonymous Coward · · Score: 0
      While I was happy that they were looking out for me--and themselves.

      They aren't looking out for you. Just themselves. Still, I'm also happy they do it. I just wish they would block the big purchase, instead of stopping me from buying gas for my car the next day.

    23. Re:oops, missed the credibility express by Jobe_br · · Score: 1

      Your problems with Wells Fargo (as I'm sure you've realized) aren't isolated. I have a student loan through Wells Fargo (out of school now, so I'm just paying it off) and I had electronic funds transfer enabled to my checking account. I checked my Chicago Bank One account online one day to notice a debit of almost $500 to my account - from a check. I called asking about it, got a copy of the check in the mail - lo and behold, it was an EFS check from Wells Fargo with some lady's address from California, posted to my account. The mistake was clearly on Wells Fargo's part, since the routing & acct. number on the check were mine, but the name was someone else ... Bank One accepted the check on those grounds. It took over 2.5 months working with Bank One and filing fraud charges, signing papers, going to notaries and various other things, to finally get that money back ... Bank One wasn't all that great about it, either, so now I'm with a different bank entirely.

    24. Re:oops, missed the credibility express by Mikey-San · · Score: 1

      Ah, but they are looking out for me.

      Why?

      Because looking out for the customer /means/ looking out for themselves. ;-)

      Don't take my word for it. Go ask any successful business owner, local or non-local. (I know my bosses would tell you it's the truth.)

      I try to have the same attitude with my clients, 'cause a happy client is a return client.

      -/-
      Mikey-San

      --
      Mikey-San
      Karma: +Eleventy billion (mostly affected by watching Celebrity Jeopardy)
    25. Re:oops, missed the credibility express by JWSmythe · · Score: 1


      Share what you know.. The more people that share their experiences, the more people we can save from making the same mistake we did (dealing with Wells Fargo Bank)

      --
      Serious? Seriousness is well above my pay grade.
    26. Re:oops, missed the credibility express by phallstrom · · Score: 1

      It doesn't even need to be "out of area" purchases... it's happened to me twice. First time my girlfriend came back from studying abroad and I took her on a shopping spree... they wanted to know if in fact I had purchased almost a *lot* of women's clothes :)

      Second time was when I bought her wedding ring with a card I rarely use...

    27. Re:oops, missed the credibility express by Jah-Wren+Ryel · · Score: 1

      In the USA banking laws are so massively tilted in favor of the banks it is unbelievable. If the average consumer knew what their bank could do to them with impunity (essentially seize all available funds because they think you look funny and NEVER return them with NO RECOURSE - try to sue, you'll lose and any good lawyer will tell you that) there would be a whole lot more money stuffed under people's mattresses.

      Using a small bank can help, but even they can suffer from the "our clients are not our customers" attitude of a big bank. So far, the best bet I've seen is to go with a credit union - credit unions are owned by their members, so they are ultimately responsible to their members, not a bunch of rich, nameless fat cats. Not to say that a credit union can't go bad and start acting like a bank (CEFCU - construction employees federal credit union, aka Caterpillar's CU is one example of a CU that started thinking it was a bank and sticking it to their poorer members with excessive fees, as a not-so-poor member I voted with my feet and that was ~5 years ago, I don't know if they've reformed since) - but for the most part even a so-so CU will beat a good bank for service AND interest rates.

      --
      When information is power, privacy is freedom.
    28. Re:oops, missed the credibility express by Anonymous Coward · · Score: 0

      Unfortunately, this is a common theme among large banks. I won't go into how Fleet fleeced me for $400 and change, or how Bank One screwed my mother-in-law for almost $1000 in the fine print of a car loan. End result is that we are both with local or work-related credit unions now (along with other family & friends that were lucky enough not to have lost money to giant, corporate, greedy, blood-sucking, ...) oops, didn't mean to go off on a rant :)

      Bottom line is join a credit union, or at the very least a smaller, local bank.

      purgamentum init, exit purgamentum

    29. Re:oops, missed the credibility express by JWSmythe · · Score: 1


      Hmmmm.. The Slashdot Credit Union. How would that be written? /.cu :)

      --
      Serious? Seriousness is well above my pay grade.
    30. Re:oops, missed the credibility express by Perky_Goth · · Score: 1

      he... I've seen that post, maybe he posts often enough so people will always remember it... ;)

    31. Re:oops, missed the credibility express by evilviper · · Score: 1

      Are you referring to my post, or the parent to mine?

      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    32. Re:oops, missed the credibility express by Perky_Goth · · Score: 1

      I was replying to you and referring to the parent.
      Better?

    33. Re:oops, missed the credibility express by evilviper · · Score: 1

      Thanks for clarifying.

      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    34. Re:oops, missed the credibility express by two_socks · · Score: 1

      The credit card #'s are the same, but the info on the magnetic strips is different. CC companies can tell which card is used, even if they have the same account number.

      I worked in a CC company, in customer service, for 4 years. (I mention that only to say that I have experience here, and am not just using my best guess.)

      --
      I can't help it - I'm a 19D.
  14. Comment removed by account_deleted · · Score: 4, Funny

    Comment removed based on user account deletion

  15. Is there a name? by Thaidog · · Score: 2, Insightful

    That article was not written with many details... What credit group... who's the hacker?

    --

    ||| I still can't believe Parkay's not butter.

    1. Re:Is there a name? by billstr78 · · Score: 4, Funny

      I heard on TV that they have contacted the issuing banks. I am going to call tomorrow and find out if mine was hijacked, then if I can get these charges to CompUSA removed.

    2. Re:Is there a name? by The+Notorious+ASP · · Score: 1

      You've been buying from CompUSA? Sir, you've probably lost much more money from the ridiculous markups than fraudulent credit card use...

    3. Re:Is there a name? by Anonymous Coward · · Score: 0

      The names have been omitted to protect the morons so that you do business with them. Chances are it's a clearing house, so even if you get the name you'll never know if you use them. Amazon won't say 'oh ya we use them to process your order'. Having the name and going 'I don't use them' will just give you false security.

    4. Re:Is there a name? by JWSmythe · · Score: 2

      I'd really like to know which morons we're dealing with, that we shouldn't be..

      What if it wasn't Amazon, and turned out to be a regional grocery store that records all card numbers? Lots of people use debit/credit cards for groceries. Maybe "Von's" in California.. or Albertsons (national)? Or Publix or Winn Dixie (South East). I'd bet a grocery store has weaker security than a web company.

      --
      Serious? Seriousness is well above my pay grade.
    5. Re:Is there a name? by Anonymous Coward · · Score: 0

      It's ironic that this post is going to show up as written by "Anonymous Coward", because that's exactly what they (the company that lost the numbers) are.

      In fact, I'm more than a bit miffed at one of my credit card companies (Universal Card), because, possibly in connection with this case, a couple of weeks ago they called me and told me they needed to issue me a new card. Seems some web site had screwed up and leaked a bunch of credit card numbers. They did give me a new card, and in fact, they sent the new card by FedEx and even paid for Saturday delivery (not cheap if you've ever priced it), so I have a new credit card number and feel sort of safe. BUT, they refused to tell me who had compromised my card, although they did say it was a web site.

      Needless to say, I strongly encouraged them to tell me who it was that gave away my credit card due to incompetence, but they wouldn't divulge the info. The particular person I was speaking with said they themselves didn't even know, which I think may have been true. I suggested that it would be beneficial for BOTH of us for them to tell me, so that we don't have to go through the same procedure again in the near future, but that didn't work, so I gave up on finding out, for now.

      I don't have much of a point other than to agree that it sucks that they won't give out useful info, and also maybe to explain that hiding the info seems to be a very intentional thing. Which sucks.

    6. Re:Is there a name? by isorox · · Score: 2, Funny

      I am going to call tomorrow and find out if mine was hijacked

      Being a good citizen, I'll do it for you

      Everyone email their credit card details to me, seedy.ron@bobsden.com, and I'll check them against my list of stolen numbers

  16. Not yet by Vidmaster_Steve · · Score: 0, Troll

    No, I haven't done anything yet. I'm going to wait until this whole thing blows over, then... and only then... do we get a Free Ass 17" Powerbook, a Free Ass 12" Powerbook and a Free Ass dual G4 1ghz machine with two or three Free Ass 23" Cinema Displays.

    Only in America, friends... Only in America

    --
    Why is it when I hit ^R that ZSH calls me a cocksucker?
  17. How do they know? by WIAKywbfatw · · Score: 5, Insightful

    With 2.2 million credit card numbers to check, how do they know that the cards haven't been compromised?

    Sure, their owners might not have reported any fraudulent use yet (and the card issuers themselves may not have spotted any) but all it takes is for this hacker/cracker to have made one copy of the records which he then disseminated to one or more friends for a problem to occur.

    At the very least, the owners of the system that was broken into should be contacting their customers to let them know that there is a small but real risk that their cards numbers might be out there and that they should double check their statements for any unusual items.

    But, given that most companies would see something as proactive as this as marketing suicide (rather than use it to enforce the fact that they do everything to protect the security of their customers), I doubt that they will be so bold.

    --

    "Accept that some days you are the pigeon, and some days you are the statue." - David Brent, Wernham Hogg
    1. Re:How do they know? by Flamesplash · · Score: 1

      Well even if the cards are used the Credit Card company will not hold the card owner accountable, so the consumer is safe in that respect if they actually notice....

      --
      "Not knowing when the dawn will come, I open every door." - Emily Dickinson
    2. Re:How do they know? by thatguywhoiam · · Score: 4, Interesting
      With 2.2 million credit card numbers to check, how do they know that the cards haven't been compromised?

      Of course, they don't know. They won't know for a while. But the answer is Nothing Stolen, and the answer will always be Nothing Stolen.

      Credit card companies are like insurance companies, it's all about playing the odds, and statistics, and consumer behavioural models. Personally I've stopped trusting them a long time ago. While the public meme is that credit card theft is on the rise due to Internet transactions, I really wonder sometimes. As seen with other examples, the Internet is actually becoming an invaluable tool for revealing nefarious activity (patterns of activity that is) that would have been otherwise obfuscated by natural physical barriers. The media are hardly reliably objective in this sense.

      --
      If Jesus wants me it knows where to find me.
    3. Re:How do they know? by GoofyBoy · · Score: 2, Insightful

      How can you not trust a credit card company?

      Check your statement, dispute if you get anything that doesn't match your records/receipts.

      It's like saying I don't trust my grocery store. There really isn't that much trust that's needed.

      --
      The surprise isn't how often we make bad choices; the surprise is how seldom they defeat us.
    4. Re:How do they know? by Anonymous Coward · · Score: 0

      The media are hardly reliably objective in this sense.

      Are you suggesting that the media are reliably objective in some other sense???

    5. Re:How do they know? by Nexx · · Score: 1

      And the merchant who provided services to the holder of the fraudulent card will be held accountable. Still a good enough reason to cancel those cards.

    6. Re:How do they know? by Anonymous Coward · · Score: 0
      I don't agree.

      I feel I need to trust both my grocery store and credit card companies. I do and they've never given me any reason to lose that trust.

      Maybe I just don't understand what you are trying to say, but my credit card company can ruin my credit report with the click of a computer key. My grocery store can kill me very easily. But I trust the system enough that I don't seriously worry about these problems.

      For example that shrimp Sunday wasn't very fresh. I didn't trust that fish counter for sushi grade fish anyway, but now I have to consider the quality of fish for cooking. If I get poor quality again, I'm going to ask to start smelling it before I buy it. A clear sign of distrust, but something I learned to do before sushi grade fish was available.

    7. Re:How do they know? by Anonymous Coward · · Score: 0

      They are very objective when they say, "News at 10!"

  18. So.... by Anonymous Coward · · Score: 3, Interesting

    Let's say this cracker e-mails off these credit card numbers to everyone in the world (those lists of e-mail addresses are only $20, ya' know), can you imagine the offices of Visa and Mastercard?

    Actually, things probably wouldn't be that bad.

    Who in their right mind would use credit card numbers fraudulently on such a high-profile case? Surely jail time or fines would ensue, and that alone would keep most Americans from jumping to use the numbers.

    Then again, there is the chance that many Americans would use those numbers. How about a program that automatically used those numbers to make fraudulent purchases? It would take weeks or months just to sort out bills. Would Visa and Mastercard even be able to handle that amount of traffic? No, something like this could destroy these two companies; it would be almost impossible for them to handle.

    1. Re:So.... by bfree · · Score: 4, Interesting

      Well, I can imagine that if EVERYONE in the world got a list of a few million credit card numbers, you would suddenly see an awful lot of fraudulent purchases! I for one would be tempted, not to do something to get me in trouble (well they can try), but more likely a visit to my local net cafe to send some presents. Let's see:

      1. A full compendium of all O'Reilly Free software books, Debian DVD sets and an X-Box with the LinuxBios Mod installed for Bill Gates, Steve Ballmer, Scott McNeilly, Michael Dell and anyone else on those lines who took my fancy and whose address I could find. I might even send one to every elected official in my country while I'm at it!
      2. Amazon's entire porn collection (they have one I presume) for every censor on the planet.
      3. A cross sending of every spammers products I could come up with to all the other spammers.
      God only knows what else could take my fancy, and god only knows how many orders would actually be filled. Heaven forbid anyone found a well known person's card in there, say Jack Valenti, I think he would find himself making some massive (or massive numbers of) donations to Mplayer, Freenet and any projects people could find which he campaigns against.

      Do you REALLY think that people would hear on the radio about the 2.2 million credit card numbers 100 million people just received and think, "oooooooh they're gonna catch me if I touch them!"

      The far more probable outcome is that an email of about 4 Mb (2,200,000 CC# * 20 bytes @ 90% compression) sent to 100 million people (or whatever the latest net use figures are) would be stopped at most ISPs very, very, very quickly as it would be launching a large spam based DDOS against them (unless I underestimate the backbone out there). Sure it would get through to a lot of people, but unless it gets through to 10+% of hotmail or something similar, most users will have the fear you describe put into them.

      A far more interesting prospect would be if instead of plain e-mailing the list around, a virus was used to propagate the data covertly by infecting web and/or email servers. If you get a web-server, you get it to gather the list and take part in attacking more hosts and passing it onto them, you also get it to add a link to every page at the trigger time so all visitors to that site gain access to the list. If you get an e-mail server, you just need to get the data there once and explode it out to all local mailboxes at the same trigger time (as well as using the host to propagate). Then it comes down to a question of trying to balance the timings to maximise the number of boxes unchecked by the time of revelation.

      Of course is there anything to stop the crackers from just dumping the data into all the P2P networks and letting it spread from there?

      Finally I have to point out that I have no interest in obtaining these numbers (or any others, except my own :-) and I am certainly not advocating credit card fraud. Just saying that if an opportunity like you described (every email box got the list) came my way, I would be very tempted to try and enjoy myself with some humorous (to me) exploits from a safe place and that there would probably be tens or hundreds of thousands of others following suit. Damages would rack up pretty quickly.

      --

      Never underestimate the dark side of the Source

  19. Re:This is OSS at its finest. by tkny · · Score: 1

    credit cards aren't exactly open source now are they?

  20. We should be moderately safe by kruetz · · Score: 4, Interesting

    Remember, Credit Cards companies use neural networks to analyse transactions and decide whether or not they may be faulty, and the success-rate of these babies is higher than you may suspect (okay, I don't have a web-link, I read it in a pop-sci book on maths, biology and AI). So you may be short a few dollars, which isn't good (don't get me wrong), but unless you normally spend $hitload$ of money, they won't be able to buy a Ferrari or anything (mind you, if they only took a few cents from each credit card account, they COULD buy a Ferrari ...)

    --

    This sig intentionally left bla... dammit!
    Who's got the whiteout?
    1. Re:We should be moderately safe by Anonymous Coward · · Score: 1, Informative

      2,200,200 x .03 = $66,000

    2. Re:We should be moderately safe by Anonymous Coward · · Score: 0
      2,200,200 x .03 = $66,000

      ahhh, but 2,200,000 * .05 = $110,010

    3. Re:We should be moderately safe by Anonymous Coward · · Score: 0, Interesting

      2,200,200 x .03 = $66,000

      ahhh, but 2,200,000 * .05 = $110,010


      Aaah ahhh, aaaaah but if we take a to be the number of credit cards stolen and b to be the number of those credit cards with a high rate of use and c to be the amount of people in high debt on those credit cards, then

      x = (-b+SQRT(b*b-4*a*c))/2a or

      x = (-b-SQRT(b*b-4*a*c))/2a,

      which I think you'll find is a ferrari, or possibly an imaginary ferrari, depending on the number of people with a high use on their cards compared to the number of people in debt.

    4. Re:We should be moderately safe by phutureboy · · Score: 5, Informative

      Yep.

      My dad lost his card visiting relatives about 100 miles away in Virginia and didn't even realize it. When he got home he got a call from the credit card company, who said their software flagged a $600 purchase made at Home Depot in Virginia which didn't fit his profile, and asked whether he had made it. Sure enough, he checked his wallet and his card was gone. He realized he had left it sitting on top of an ATM or something. He did not have to pay for the Home Depot purchase.

      I was impressed with how well all that worked.

    5. Re:We should be moderately safe by ddent · · Score: 1

      and if you add credit card processing costs you remain in the red :)

    6. Re:We should be moderately safe by grumm3t · · Score: 1

      30k limit is not exactly "a few cents". I'm gonna have to check the statement myself.

    7. Re:We should be moderately safe by spacefight · · Score: 1

      The same goes with mobile operators. At least Orange does exactly the same thing. If you step over the usual threshold, they ring you up and ask if everything is ok. IIRC, Swisscom did the same thing but that ended in a nice story in the press where someone used his mobile abroad above common use because his wife had a heart attack. He was organising everything by phone and wamms, he was locked out of the networks... being in the big mess he didn't see the short message from his operator warning him...

    8. Re:We should be moderately safe by Anonymous Coward · · Score: 0

      Yeah. And the problem there is that I can't go buy that Ferrari (or in my case, Subaru) with my own money because the stinking, interfering bank decides that it doesn't fit my normal spending patterns. BTDT had a row with the bank on the phone from the car lot.

    9. Re:We should be moderately safe by Spunk · · Score: 1

      Though of course there are false positives.

      When I was on vacation my credit card just stopped working. After calling the credit card company several times I got an answer: making multiple phone calls in Indiana doesn't fit my pattern! I asked him if he could tell where I was calling from. Guess what, I was in Indiana. Didn't they have a record of my gas purchases along the way too? It did finally take a few more calls but we got everything straightened out. Now, I call the credit card company before any vacation. Whee.

      Still, it's better to be over-secure than less so.

    10. Re:We should be moderately safe by nolife · · Score: 1

      That is interesting. I travel around in spurts and sometimes fly to two or three non connected states in one day. I use my Visa check card for everything online and offline (except airline tickets which I do not buy myself). It's always worked and I've never had a problem. For security reasons, I'd assume that a bank would not openly discuss the conditions they use to flag a purchase but it would be an interesting read.
      I checked with my bank regarding the policy for fraudulent check card usage, it is the same as their regular CC policy which states I may be responsible for the first $50. At least with a CC you would still have your cash in the bank and could dispute the bill when you got it, the check card comes directly out of your account. That's the chance I take I guess.

      --
      Bad boys rape our young girls but Violet gives willingly.
    11. Re:We should be moderately safe by Sabalon · · Score: 1

      I dunno.

      A few years back, someone charged $500 to my card - to a phone # in california. The kicker was about a week before (being near xmas) the company called to verify a charge at a local Cracker Barrel that we go to on a regular basis.

      Go figure.

    12. Re:We should be moderately safe by Alsee · · Score: 1

      mind you, if they only took a few cents from each credit card account, they COULD buy a Ferrari

      In related news...
      Visa and Mastercard have each reported over one million customers making one cent purchases every day for the last week.

      -

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
  21. In other news.. by _marshall · · Score: 0, Troll

    Fortunately, none of them seem to have been used fraudulently.

    In other news, it seems that slashdot's favorite non tech related website had a surge of 2.2 million account signups in the span of a week.

  22. Mitnick... by jbwiv · · Score: 5, Funny

    New leaf my ass. Welcome back, Kevin ;-)

    1. Re:Mitnick... by cyb97 · · Score: 5, Funny

      I guess this explains why 'the art of deception' sold 2.2M copies so fast...

    2. Re:Mitnick... by mackman · · Score: 1

      That wasn't cool man. Thanks to your comment, he's been declared an "enemy combatant" and has already been returned to solitary confinement. Of course, I would hope that a Slashdot comment wouldn't be enough evidence to hold you without access to a lawyer... BRB, gotta get the door...


      Human Rights News

    3. Re:Mitnick... by Imperial+Tacohead · · Score: 1

      Wait, why did your computer make a clicking noise? IBM hard drive, right?

    4. Re:Mitnick... by Anonymous Coward · · Score: 0

      Nice. Yours and the parent.

      I just finished filing my corporate and personal taxes and needed that smile.

      Thanks

  23. Other news coverage. by WeThree · · Score: 1

    http://www.cnn.com/2000/TECH/computing/03/13/creditcard.steal.idg/

    --
    --------------------------------
    Not all who wander, are lost.
  24. Re:Go away, Negro. by Anonymous Coward · · Score: 0

    you know...this really isn't any more flame-bait than the parent.

    think about it.

  25. I wish mine were stolen... by grahamsz · · Score: 4, Insightful

    I like those odds - not a single fraudulent use in 2.2 million cards.

    Hell i've had 3 fraudulent transactions and only own 3 credit cards and two debit cards.

    One thing i've noticed is that my card company seem good at stopping me from spending when they think i'm fraudulent. Just put 7 currencies on your card in as many days and alarm bells seem to ring somewhere.... but catching real thieves is a little too tricky

    1. Re:I wish mine were stolen... by MacAndrew · · Score: 1

      Just put 7 currencies on your card in as many days and alarm bells seem to ring

      Who are you, Jason Bourne?? I thought I liked to travel fast and light.

      More seriously, I'm surprised they haven't typed you to avoid bothering you. I've only been contacted once, and they were dead on. What was odd was that the 2 suspect online purchases for like $20 and $15 dollars in the wee hours of a Saturday morning. I'm curious what exactly tripped the algorithm. But one true positive and no false trips, well, that's pretty impressive -- or I'm pretty predictable. :)

      They'll have a lot of phone calls to field as they freeze all those cards. I hope they nail Kev--... I mean, whoever did this.

    2. Re:I wish mine were stolen... by Ponty · · Score: 1

      Perhaps you should review your credit card policies.

    3. Re:I wish mine were stolen... by grahamsz · · Score: 1

      Who are you, Jason Bourne??

      I like to think so :)

      British pounds, american dollars, norwegian somethings, swedish krona, finnish marks, estonian marks and euros.

      The biggest problem was that the instruction to confiscate my card went to someone in (i think) estonia who didn't speak more than a few words of english. Caused me a little aggravation.

    4. Re:I wish mine were stolen... by Anonymous Coward · · Score: 0

      Geez, I've tripped a couple of warnings on far less. One was purchasing a few hundred dollars worth of something from one place and then a few hundred more from another in about six hours. They explained that one reason they called was that I also filled my gas tank during that time span. The other incident was a weekend in New York (I live in Florida).

      Both triggered a polite phone call from the bank asking if I had made a couple of suspect purchases. Being paranoid, I didn't want to tell them, but when they gave me amounts and vendors I verified them. No muss, no fuss. I would think seven currencies in a week would make screens flash at a few banks.

  26. Obligatory correction on "[ch]racker" by Anonymous Coward · · Score: 0, Funny

    The correct term is GNU/hacker and GNU/cracker. btw, let's use the term chracker from now on for clarity, please.

  27. Not used fraudulently? by Anonymous Coward · · Score: 0
    How do you verify something like that? And are they going to reissue 2.2 million credit cards to prevent the cracker from using this information two weeks from now?

    And what about the problem? How did the cracker get in? Wasn't Mitnick just allowed back on the Internet - how is his VC funding situation anyway? :-)

  28. It's all about the trust by Vidmaster_Steve · · Score: 2, Flamebait

    I used to work at an incredibly busy CompUSA back when I was putting myself through college, I worked behind the register and had to put up with any number of fucking (A)Assholes, (B)Jerks, (C)Fucklickers (D)Cunts and/or (E)Wastes of Meat every day of my miserable existence there. Every day, these pricks would come in, verbally abuse me and then give me their credit card number.

    I cannot believe the amount of trust these dickheads put into me, a lowly redshirted laser-slinger. These were people who would verbally abuse me, harass me, scream, yell, pester and generally treat me as something beneath the lump of Fluffy's late night cat puke that they caked off of the designer argyle socks that cost more than they make in a day.

    Every time one of those shits oh-so-respectfully tossed me their credit card (They'd never hand it to me, oh no... never just hand it to me) then get all indignant that I ask to check their ID, even though it says in big, block letters 'CHECK ID' on the little 'sign here' strip on the back... I'd just smile... You know the smile, the one that a pudgy Vincent D'Onofrio shot at the sergeant before putting one in his chest while I simply took their receipt and folded it in half and stuck it in a little slot on my register.

    Had I been just a little dumber or a bit ballsier, I'd be rolling in all the pre-Pentium 3 generation hardware and pre-Kazaa generation illicit software that I could have purchased on their dimes.

    Point being: Why why why do these people who are so abusive to those of us who (A)Handle Their Credit Cards and (B)Handle Their Food treat us in such a manner?

    --
    Why is it when I hit ^R that ZSH calls me a cocksucker?
    1. Re:It's all about the trust by billstr78 · · Score: 1, Flamebait

      Dude, you have some issues to work out. If you hate people that much, why not quit your job and get one that does not require you to interact with A),B),C) or D)?

      If you were a little dumber, you'd not only be dangerous, but in jail. Credit companies keep a close watch on fraudulent purchases. You would be amazed at the ability to mine data and make fast correlations between fraud claims. A couple of interviews with the clerks who sold you the pre-Pentium 3 generation hardware and pre-Kazaa generation illicit software that you would have purchased, would have ended in an arrest within a week.

      The guy who pulled this off will not see the light of day for years to come once he is caught. Credit companies are like the mob, they are one of the only organizations you really don't want to f#ck with.

    2. Re:It's all about the trust by Mike+A. · · Score: 1
      There's a reason retail has one of the highest employee turnover rates of any profession. I can't imagine that anyone works as a retail clerk for long if there's any readily available alternative. Besides, if you'd read his post closely, you'd have seen that he "used to work" at CompUSA.


      Nevertheless, you are right about the fact that credit card fraud is harder to get away with than most people appreciate.

      --
      Do I look like I speak for my employer?
    3. Re:It's all about the trust by Myuu · · Score: 1

      dude, that was one of the best posts i have read in awhile

      where are my mod points when i want them

      --

      forget it.
    4. Re:It's all about the trust by Anonymous Coward · · Score: 0

      Just sell all the damn numbers to the local organized crime syndicate for $20 a pop. Not only do you get sweet revenge but are much less likely to get caught.

    5. Re:It's all about the trust by Scumbag+Tracker · · Score: 1

      Congratulations, you've made foe #2 on my known Slashdot scumbags list.

      --
      I track known Slashdot scumbags on my foes list!
    6. Re:It's all about the trust by Anonymous Coward · · Score: 0

      come on now. everybody who ever tried before knows that the cc companies don't give a shit 99% of the time. you could order 10 computers right to your house and they probably wouldn't even call you. the cc companies are way too busy selling your buying habits to spies to track down a couple stupid kids.

    7. Re:It's all about the trust by evilviper · · Score: 1
      Sure, it's flamebait, but pretty good at that...
      Why why why do these people who are so abusive to those of us who (A)Handle Their Credit Cards and (B)Handle Their Food treat us in such a manner?

      Simple, because it will only happen twice, so the odds are on their side. The first time you put something in someone's food, or defraud the CC company, you will likely get away with it. The second time you do it, odds are firmly against you.

      Besides, as for CC fraud, what do they care??? The CC company has to pay for the fraudulent purchases, not them. It's nothing more than an occasional, small, inconvenience.
      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    8. Re:It's all about the trust by NFNNMIDATA · · Score: 1

      While perhaps unnecessarily foul, the poster has a point. I have never understood people who get irate at restaurants. I mean, come on, if someone was being a dick to you and you were making/serving their food, wouldn't you give them a little "something extra?" Heck, I have known people that would befoul food in advance just for the laugh, independent of any customer.

      Bottom line, if you act like a jerk, you are basically demanding that someone blow their nose into your food.

    9. Re:It's all about the trust by Anonymous Coward · · Score: 0

      it's your job. you work in retail. let me repeat that again. it's your job. YOU WORK IN RETAIL. get over it and get over yourself.

      Forgive us consumers for not realizing that YOU are the end-all -be-all of our shopping experience. No, we're not trying to go to the store and buy something, we are going there to specifically please you. How thoughtless of us to have forgotten.

  29. Which processor? by murphj · · Score: 4, Interesting

    Nice informative article. No mention of which credit card processor this was. It'd be nice to know if it's one that one of my clients uses. Anyone know the identity of the victim?

    --
    SONY. Because caucasians are just too damn tall.
  30. PIN numbers? by one9nine · · Score: 5, Interesting
    Can anybody explain to me why credit cards don't have PIN numbers like my ATM card does? Wouldn't this stop a tremendous amount of fraud? All someone needs is someone's card number and expiration date and they can do whatever they want.

    I do notice that sometimes, very rarely though, that sites will ask for that extra three digit code on the back of the card, to verify that you do in fact have the card in your hand. This the same concept as a PIN and I don't see why more web sites aren't doing it. It's not like they have to completely revamp their way of accepting credit cards, it should be a very simple fix.

    Makes me want to go back to barter. Do you think ThinkGeek would accept two dead chickens and a half wheel of gouda for one of those mini tanks with the camera?

    1. Re:PIN numbers? by Anonymous Coward · · Score: 0

      So, then crackers would steal the CC# and the pin, and we'd be back where we are now.

    2. Re:PIN numbers? by Zaffle · · Score: 3, Interesting

      In New Zealand, you can get a PIN number for your card, but this number is only used at EFTPOS (Electronic Funds Transfer at Point Of Sale) systems (where you swipe your card at the store). If you use the ol' fashion card imprint thingy, or if you use it online, the PIN don't mean diddly.
      As for the CSV (the num at the back of the card), a number of clearing houses use it. It's not *supposed* to be stored by the clearing house/site, but who's to say.

      PIN #'s do stop fraud occurring over the counter, but not mail-ordering, web-site. Actually, it doesn't even stop over the counter, since all you need to do is wipe your card with a magnet and demand they do your card the old way, stating it works in every other store. (Most stores will relent if you pressure them).

      --

      I use to have a funny sig, but slash cut it off, and I forgot what the punchline was.
    3. Re:PIN numbers? by Kamel+Jockey · · Score: 5, Insightful

      Can anybody explain to me why credit cards don't have PIN numbers like my ATM card does? Wouldn't this stop a tremendous amount of fraud?

      No, because the PINs would probably be stored in the same unsecure manner that the other credit card information was. This is why PINs in general and/or 3 digit auth codes will be ineffective. What's needed here is better site security, not better credit card security.

      All someone needs is someone's card number and expiration date and they can do whatever they want.

      Kinda... You can actually specify any date in the future and the transaction will validate (if you use a system like Cybercash or Authorize.Net). If however, you have a human on the other side who checks the entered credit card information against what they get from the credit card company, then that human can manually disallow the transaction.

      Unfortunately, the only real way to secure information is to store it in an encrypted form such that the key needed to decrypt the information is physically separated from the machine which contains the data. However, many websites currently use the "key under the doormat" approach to security, which in theory is no better than storing the data unencrypted and hoping that no one hacks into the system and sees it.

      --
      In case of fire, do not use elevator. Use water!
    4. Re:PIN numbers? by Anonymous Coward · · Score: 0

      I'll take a wild guess, is it because the cost of implementing pin numbers is greater than the money lost from fraud?

      But with the cost to law enforcement because of sloppy credit card security... it's the public paying a lot of that.

    5. Re:PIN numbers? by one9nine · · Score: 1
      No, because the PINs would probably be stored in the same unsecure manner that the other credit card information was.

      No, no, no, you wouldn't store the PINs, that would defeat the purpose. You would have to enter it every time like you do when you buy groceries with your ATM card. Nobody would know it unless you gave it out.

    6. Re:PIN numbers? by Stonehand · · Score: 3, Informative

      Um, he's talking about the database needed to VERIFY the PIN numbers. When the merchant runs the transaction, it needs to be checked against *something* to see if it's the right one.

      Even if you used one-way hashing, it'd still be weak, because with a typical 4-digit pin there aren't that many combinations -- so the hashes wouldn't be secure. So, since the hashes and the numbers would likely be colocated, it wouldn't add that much unless you made people use really long PINs or seriously modified credit card hardware to allow other inputs besides digits.

      --
      Only the dead have seen the end of war.
    7. Re:PIN numbers? by Kamel+Jockey · · Score: 1

      No, no, no, you wouldn't store the PINs, that would defeat the purpose. You would have to enter it every time like you do when you buy groceries with your ATM card.

      If you order something from an online site at 3am, that site will not have someone there waiting on the other end to capture the PIN. It will definitely be stored somewhere, just like the rest of the credit card information. This is why the focus must remain on site security and not the credit card transaction security. Also, most online vendors do not process credit card information in real time, they usually process each day's transactions in a single batch during off-peak hours by reading the stored credit card information. Credit card information is usually put into these batches once things like inventory and shipping is verified.

      --
      In case of fire, do not use elevator. Use water!
    8. Re:PIN numbers? by PetWolverine · · Score: 1

      Actually, almost every time I've bought anything online I've had to give either that three-digit code you mentioned or my "credit" card issuer's phone number, also on the back of the card. (Quotes because it's a debit card.)

      That makes me feel a little safer, but if that information is being stored unencrypted alongside the number and expiration date, those companies deserve to be taken out and shot.

      --
      I found the meaning of life the other day, but I had write-only access.
    9. Re:PIN numbers? by SirSlud · · Score: 1

      I refuse to believe a credit card company cannot hire programmers decent enough to build a transactional system capable of supporting real time verification, 24/7.

      Maybe they should hire some dudes who work on online advertising servers .. high load, mandatory uptime. The 3rd party site should be able to connect to the credit card company with an API or library that is audited, so that 3rd parties could not possibly be storing PINs.

      --
      "Old man yells at systemd"
    10. Re:PIN numbers? by kiolbasa · · Score: 3, Insightful

      I don't think there's any reason to store the 3 digit number in a database. It's only used during transaction approval. I can see why merchants store account numbers, to keep records of transactions and such (though it's just lazy and insecure the way they manage that data sometimes). There really is no need to add a field in their databases for the extra 3 digits, since the account number already serves its purpose, and is guaranteed to be unique.

      Of course, then the problem is not every merchant verifies the 3 digit code, so a thief doesn't even need it for some transactions. It is in the merchants' best interests to use the code, however, since the merchants foot the bill in fraud claims.

      It's still not the greatest system, but it has some potential to curb fraud. Needs refining, but it's better than nothing.

      --

      Beer wants to be free
    11. Re:PIN numbers? by c0d39uru · · Score: 1

      As far as why more websites don't ask for them, I know for a fact that if you do collect the CSC (card security code) number, and your server side code passes it to the CC processing company's server, even if the number is wrong the transaction will still be allowed. I know of at least one of the big 5 credit card processing companies that this is true for. I will not name them here. But you can probably guess who it is.

      --
      --#!
    12. Re:PIN numbers? by shird · · Score: 1

      As others have said, the sites will store this number along with the card no and expiry date - making it pretty pointless.

      Smartcards will hopefully change this situation however. Type an amount on a keypad on the card, plus the company's code number - and it can generate a number to use for withdrawing the given amount by the given company. Anyone who steals the data wouldn't be able to use it because the authentication code will only be valid for a given amount and company.

      Kinda sketchy on details I know, but you get the idea.

      --
      I.O.U One Sig.
    13. Re:PIN numbers? by Bishop · · Score: 1, Informative

      Even if such a machine were created, an attacker could trojan the entry system and capture the PINs as they were used.

    14. Re:PIN numbers? by Anonymous Coward · · Score: 1, Informative
      Think more creatively. Don't just hash the PIN - that's pretty useless since there are only 10^4 possible PINs and you can enumerate all of those (on paper even!). Hash the concatenation of the PIN and the CC number. There are lots of possible CC numbers (too many to generate) and if the PIN is generated using a completely independent process from the CC number (eg, chosen by a human), the likelihood that someone has a correct CC number along with the correct PIN approaches the likelihood that someone guessed the correct PIN for a particular CC number. In other words, if someone gets your CC number but not your PIN, they would have to make an average of (10^4)/2 guesses before getting the right PIN and that would surely be noticed.

      Problem is that this requires some sort of protocol: bank has to keep a secure central repository of PINs for each CC number issued and you need a protocol to query "is this PIN correct for this CC?" Bank would respond "yes" or "no." Needs some sort of secure channel to ensure hashes aren't intercepted mid-stream (x509 would serve nicely for this). Hopefully merchant won't store the PIN or hash, but that's too much to hope for.

      Possible, but ain't gonna happen.

    15. Re:PIN numbers? by cuban321 · · Score: 1

      That's not true. Just yesterday I placed an order on buy.com and it wouldn't allow the order to go through. Turns out that number on my CC was faded and I misread it. As soon as I put in the right number, BAM it went through. cuban

    16. Re:PIN numbers? by Anonymous Coward · · Score: 0

      Don't use a debit card on-line!!!!

      If your debit card number is stolen, YOU are liable for any and all purchases. That means you are liable for the total amount of money in your checking account.

      There is a maximum $50 liability for fraudulent credit card purchases. You do the math.

      Plus, less importantly, you will get charged debit card transaction fees. Merchants get charged for credit card transaction fees.

    17. Re:PIN numbers? by styxlord · · Score: 2, Insightful

      Yeah but there's no reason for CC#'s to be stored anywhere either. Can the CC companies please hire someone who knows how to use a hash function.

    18. Re:PIN numbers? by Anonymous Coward · · Score: 0

      These people appear to have been snooping the data real time from inside the "trusted" system. They would have gotten the CVC codes too.

    19. Re:PIN numbers? by Anonymous Coward · · Score: 0

      There is typically a $50 liability for debit card purchases (through Visa's or MasterCard's networks) but the problem is that you have to convince the bank to give you your money back while they deal with the transaction. I prefer to have the crooks play with a large bank's money rather than my own.

    20. Re:PIN numbers? by Anonymous Coward · · Score: 0

      Most small vendors use dial-up based credit verification. Imagine the cost of holding a phone line open 24x7 for each merchant.

    21. Re:PIN numbers? by Mugs · · Score: 1

      The 3 digit number on the back of the card is called the Card Verification Value 2 or Card Security Code. AMEX have a similar 4 digit code on the front of the card.

      The idea of this value is to cut down on "Cardholder Not Present" fraud i.e. mail order. In theory, if you've skimmed a card or stolen a database you won't know the CVV2 (merchants and acquiring banks are not allowed to hold the value, it's the issuing bank's risk so it's up to them what they do). In the UK, the banks are offering discounts to merchants who use it.

      PIN at POS for all card types is coming in at point of sale in the UK using EMV (i.e. smartcards). The pilot starts this spring in Northampton. The PIN will be stored on the card and kept synchronised to the online PIN. This targets counterfeit and stolen cards.

      The UK also has an address verification service for Card Not Present. It's different from the US scheme and doesn't depend on "correct" formatting of the address.

    22. Re:PIN numbers? by bigsteve@dstc · · Score: 1
      Unfortunately, the only real way to secure information is to store it in an encrypted form such that the key needed to decrypt the information is physically separated from the machine which contains the data.

      Surely, it would be better to redesign the system so that the merchant doesn't get to keep any information that could be used by a hacker.

    23. Re:PIN numbers? by Ian+Bicking · · Score: 1
      Think more creatively. Don't just hash the PIN - that's pretty useless since there are only 10^4 possible PINs and you can enumerate all of those (on paper even!). Hash the concatenation of the PIN and the CC number.
      While this would be typical for hashing, it doesn't alleviate the problem that given a credit card number there's only 10^4 hashes you have to go through to find the PIN.

      It's presumed that the attacker already has the credit card number -- the PIN is meant to increase security in this circumstance. If the PIN is stored together with the number -- even in any hashed form -- it will be easy to find by an exhaustive search of all possible PINs.
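
The point made in the comment above, as an added example that is not part of any post in this thread: with the card number known, a stored hash of card number plus PIN falls to at most 10^4 trials, while a keyed MAC only holds up when the key is not stored beside the records. The card number is a published test number, and the PIN, key and function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample values: 4111111111111111 is a widely published test
# number, not a live account; the PIN and the key are made up for this example.
TEST_PAN = "4111111111111111"
TEST_PIN = "4831"
OFFLINE_KEY = bytes(range(32))  # stands in for a key kept off the database host


def plain_hash(pan, pin):
    """hash(CC number || PIN), the scheme proposed in the thread."""
    return hashlib.sha256((pan + pin).encode()).hexdigest()


def keyed_hash(key, pan, pin):
    """HMAC over the same fields; cannot be recomputed without the key."""
    return hmac.new(key, f"{pan}|{pin}".encode(), hashlib.sha256).hexdigest()


def enumerate_pins(verifier, pan, target, digits=4):
    """Try every PIN of the given length against one stored value.

    Returns (pin, attempts) on a match and (None, attempts) otherwise.
    """
    for n in range(10 ** digits):
        guess = f"{n:0{digits}d}"
        if hmac.compare_digest(verifier(pan, guess), target):
            return guess, n + 1
    return None, 10 ** digits


def audit():
    """Compare what one stolen record reveals under each storage scheme."""
    results = {}

    # Scheme 1: unkeyed hash of PAN || PIN stored with the card number.
    record = plain_hash(TEST_PAN, TEST_PIN)
    results["plain_hash"] = enumerate_pins(plain_hash, TEST_PAN, record)

    # Scheme 2: HMAC, but the key sits on the same host as the records
    # (the "key under the doormat" case), so it is stolen with them.
    record = keyed_hash(OFFLINE_KEY, TEST_PAN, TEST_PIN)
    with_key = lambda pan, pin: keyed_hash(OFFLINE_KEY, pan, pin)
    results["hmac_key_on_same_host"] = enumerate_pins(with_key, TEST_PAN, record)

    # Scheme 3: same HMAC record, but the key is held elsewhere. Whoever
    # holds only the record has to guess the key as well as the PIN.
    wrong_key = lambda pan, pin: keyed_hash(b"\x00" * 32, pan, pin)
    results["hmac_key_held_elsewhere"] = enumerate_pins(wrong_key, TEST_PAN, record)

    return results


if __name__ == "__main__":
    for scheme, (pin, attempts) in audit().items():
        print(f"{scheme:26s} recovered={pin} after {attempts} trials")
```

Only the third scheme leaves the stored value useless on its own, which is why the check has to run at the party holding the key, where wrong guesses can be counted and the card locked.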

    24. Re:PIN numbers? by whoopass · · Score: 0

      Umm... Anyone remember those sliding machines that copied your card number onto a carbon paper slip and you wrote the amount on it and signed. You got the top copy the merchant got the other copy. Anyone?

      None of the technological solutions will solve the manual card transaction problem, which really is the beauty of a CC. It's like a check, but the merchant doesn't have to trust you, rather he needs to trust the CC company.

    25. Re:PIN numbers? by Ian+Bicking · · Score: 1
      PIN #'s do stop fraud occurring over the counter, but not mail-ordering, web-site. Actually, it doesn't even stop over the counter, since all you need to do is wipe your card with a magnet and demand they do your card the old way, stating it works in every other store. (Most stores will relent if you pressure them).
      But if you make a big fuss they're much more likely to remember you when someone comes to investigate. Plus if using a stolen card you're often under a time pressure to use the card before it is cancelled.
    26. Re:PIN numbers? by rabidcow · · Score: 1

      This would be good IF you had to verify online purchases with the PIN number through your bank's web site.

      Like this:
      - fill out the cc order form at wetakeyourmoney.com
      - you click the submit button
      - they record this information and send a request to the card company
      - at the same time, they redirect you to the card company's web authentication form, which lists unverified transactions
      - you send your PIN to your bank to verify them
      - the bank sends the money to wetakeyourmoney.com

      If someone breaks into the db at wetakeyourmoney.com, they won't have the PIN and can't validate any transactions. (if they break into the card/bank db you're screwed anyway)

      Of course, someone will try to trick you into entering your PIN into a site that looks exactly like the official one, but that's a different problem.

    27. Re:PIN numbers? by Frizzle+Fry · · Score: 1
      This the same concept as a PIN

      The number on the back is sort of the same concept as a PIN, but not quite. The difference is that if someone were to get physical access to your credit card (e.g., if someone stole your wallet), the number on the back wouldn't provide you any protection from them using it, whereas a secret PIN would.
      --
      I'd rather be lucky than good.
    28. Re:PIN numbers? by neuroticia · · Score: 1

      You actually should never use a debit card. If the number is stolen and used fraudulently you don't have the best of chances getting your money back, whereas with a credit card you just deny that the charge is valid. Giving someone your debit information is like giving them temporary access to your bank account. They basically walk away with cash. Banks don't offer much protection against this.

      -Sara

    29. Re:PIN numbers? by andbutso · · Score: 1

      PIN numbers?

      Person Identification Numbers...numbers...

    30. Re:PIN numbers? by WiPEOUT · · Score: 1

      You can actually specify any date in the future and the transaction will validate

      This may be true for poorly-designed sites, but certainly not for all sites.

      A good website will do the actual card authorisation online in realtime. This way there is no need for storage of credit cards details on Internet-connected systems. I've built such sites. It's not cheap, and certainly requires some development, but it's reliable and can be significantly more secure when properly implemented.

      Of course, it's the cheapo sites that need to store credit cards that are most likely to have poor security, so your chances of suffering from credit card fraud are much higher when shopping on the dodgy sites than on the good.

    31. Re:PIN numbers? by Nexx · · Score: 1

      It's all about cost-benefit analysis. If, by credit card company, you mean the likes of Visa, then there is no benefit; all the risks of fraudulent charges are held by the merchant.

      If, by credit card company, you mean the companies that will actually forward the CC data to the likes of Visa, then it's a little more difficult. However, doing this in batch fashion is far more economical for the CC, in terms of fees, than it is to do so in a transactional manner.

      Welcome to 2003. We still can't get it right.

    32. Re:PIN numbers? by caluml · · Score: 1

      The ideal solution would be a credit card that works like a SecureID token. The credit card number changes every 60 seconds, AND you need a pin. In fact - any venture capitalists want to start work with me on an, er, secret new project? I reckon 5-10 million should get us started. Oh, and your chances of return are slim.

    33. Re:PIN numbers? by dotgain · · Score: 0

      Umm... Anyone remember those sliding machines that copied your card number onto a carbon paper slip and you wrote the amount on it and signed. You got the top copy the merchant got the other copy. Anyone?
      Carbon is not ferrous, so it records no magnetic information. It is simply carbon paper, which stamps the name and number of the card onto the paper slip as the slider goes across. All there was left after you ripped the carbon paper off was a light piece of paper with CC's of the number, signature date and transaction amount. All except for the first are handwritten.

    34. Re:PIN numbers? by jrumney · · Score: 1
      The PIN will be stored on the card and kept synchronised to the online PIN.

      You're joking? Time to read my contract carefully and make sure the bank is taking full responsibility for the smart card being cracked by someone who is able to work on a pile of cards completely free of any chance of detection.

      As posted above, credit and debit cards have used PIN at POS in New Zealand for years (about 15 years IIRC, maybe even 20). This is old technology, and the way it is done is to encrypt the PIN in the keypad and send it directly to the bank for verification. Real-time transaction approval was reality 15 years ago in New Zealand and Australia, I cannot believe that the rest of the world is still coming up with schemes to avoid it.

    35. Re:PIN numbers? by Zaffle · · Score: 1
      But if you make a big fuss they're much more likely to remember you when someone comes to investigate. Plus if using a stolen card you're often under a time pressure to use the card before it is cancelled.

      True on the first point. However as for the 2nd, if you wipe the magnetic strip on the card, the reader won't read it, and if they imprint it they won't know till they do their banking. (Of course, I know NZ eftpos setups allow you to manually type the CC#, and therefore know if it's stolen, so the whole issue is moot).

      On a related note, there is also the industry of creating fake CC cards, where all you need is to swipe the real CC through a magnetic reader, and you can generate your own CCs, magnetic strips and all, though the capital costs of such a setup are rather high I imagine.

      --

      I use to have a funny sig, but slash cut it off, and I forgot what the punchline was.
    36. Re:PIN numbers? by cygnusx · · Score: 1

      > Can anybody explain to me why credit cards don't have PIN numbers like my ATM card does?

      Most credit cards *do* come with a PIN (at least the ones here in India do) -- but you need it only if you're withdrawing cash at an ATM, not at shops.

      Too bad our credit-card-readers aren't geared up to use the PIN as well. It would be interesting to design a card+reader combo that could be easy to use and yet be 2/3-secure using the (has, knows, is) metric.

    37. Re:PIN numbers? by mousse-man · · Score: 1

      At least in Switzerland, when I refuel, I have to type in a PIN now with my VISA card.

    38. Re:PIN numbers? by blibbleblobble · · Score: 1

      "However, many websites currently use the "key under the doormat" approach to security"

      Perhaps worse is that the public have been led to believe that "HTTPS" and a padlock icon mean that a website is secure.

      I've chatted to plenty of ecommerce website operators, and they really are clueless. People who wouldn't know what a hash was if you slapped them with one. They buy a Verisign certificate, and that's the end of that. Post a big notice on the front page saying "your transactions are protected by unbreakable security"

      People believe it.

      Read 2600's credit-card ordering page for comparison:
      We do not save your credit card information after your order is complete. We also do not share ANY of your information with anyone. If you've ordered a subscription, your name and address reside on our subscriber database which is located on a machine that is never connected to the net and which is protected by two levels of encryption that even the NSA would have trouble with. We will also NEVER send you unsolicited mail. In other words, we know a thing or two about privacy and we will do everything possible to protect yours.

      If that's what a policy should look like, why do we even let amazon and yahoo get away with their "your credit card is secure with us" lies?

    39. Re:PIN numbers? by esarjeant · · Score: 1

      Some of my local merchants are now validating credit card transactions using your zip-code.

      While certainly not bullet-proof, there are quite a few postal codes in my area and one can assume the card thief may / may not know all of them.

      Of course this doesn't do you much good if your database of CC's gets stolen. Here everything about the customer is available, and even with something like an encrypted PIN it could be fairly easily brute-forced.

      --

      Eric Sarjeant
      eric[@]sarjeant.com

    40. Re:PIN numbers? by Patersmith · · Score: 1

      Unfortunately, the only real way to secure information is to store it in an encrypted form such that the key needed to decrypt the information is physically separated from the machine which contains the data. However, many websites currently use the "key under the doormat" approach to security, which in theory is no better than storing the data unencrypted and hoping that no one hacks into the system and sees it.


      Or don't have the data to begin with. In a former life, I worked for an ISP who does some online sales for small and medium businesses. The product they were using was an off-the-shelf e-commerce product with a SQL server on the back end to store product and transaction information.

      I didn't have oversight of the project but I was asked (due to my role as unix and network admin) to modify some perl scripts that control the tax calculation. At some point, I became aware that the product, by default, was set to retain customers' names, addresses, and credit card numbers with expiry dates! I expressed my concern to the person managing the project but it was made clear that I shouldn't be concerned because it is a commercial project and is quite secure.

      A few weeks later, I was asked by the technical lead on the project to allow access through the firewall to UDP and TCP SQL ports on the ecommerce box for one of our partners. The technical lead wasn't sure about the exact addresses that should be allowed so I was directed to open the ports up to ALL external addresses. A few days after that, I did some routine security checks and found the SQL box had a blank SA password.

      Even after explaining the danger of retaining credit card numbers in a server with no System Administrator password, with SQL ports open to the entire world, it still didn't quite sink in. Apparently I was overreacting and trying to embarrass the technical project's technical lead, and trying to make her look bad.

      I don't work there anymore, thank God.

      I'm no technophobe, but I have been leery of internet credit card transactions since that experience. At the end of the day, you could be entrusting your financial information to people who are either too stupid (careless? naive?) or too apathetic to appreciate the seriousness of the decisions they are making.

    41. Re:PIN numbers? by Sly+Mongoose · · Score: 1
      No, because the PINs would probably be stored in the same unsecure manner that the other credit card information was. This is why PINs in general and/or 3 digit auth codes will be ineffective. What's needed here is better site security, not better credit card security.

      They could combine the CC# and PIN, generate a hash, and store that. When a PIN was entered for a CC, the hash could be re-generated and checked against the hash on file. If the hashes were compromised, it would not give up the PINs. Not exactly a new idea, is it?
    42. Re:PIN numbers? by smartfart · · Score: 1

      Um, the PIN (if it is indeed one) printed on the card is even more of a security lapse than some secretary's password on a post-it, stuck to her monitor.

    43. Re:PIN numbers? by sparty · · Score: 1

      Doesn't Paypal keep the CVV2 on file? (I ask because I know they ask for it but I don't recall ever having to re-enter it on a subsequent card use)

    44. Re:PIN numbers? by jafuser · · Score: 1

      I just started using the Vasco system, it's a very impressive piece of work. Smart card credit cards are already available, so why not generate a unique number? What would be even more interesting would be if such a device could generate a unique number for a particular charge at a particular merchant. Why not a system like this:
      1. You get a code number from an online merchant.
      2. You type that code and the amount to pay into a smartcard device. Optionally select if the merchant can charge this to your card more than once, every n week(s), n month(s), n year(s).
      3. You get back a code from the device.
      4. You type that code in to the merchant's website.
      5. Now the merchant has access to charge you the amount you specified and optionally at an interval which you have chosen. They can store this number in their database safely because nobody else can use it but them.
      Is this a bad idea?

      --
      Please consider making an automatic monthly recurring donation to the EFF
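
The merchant-and-amount-bound code proposed in comments 12 and 44, as an added sketch that is not part of any post and not any card scheme's real protocol: the card and the issuer share a key, the card MACs the merchant code, amount and a counter, and the issuer recomputes the code before paying. The key, merchant codes, field layout and 8-digit truncation are all assumptions, and only the single-charge case is shown.

```python
import hashlib
import hmac

# Constructed demo key; on a real card it would never leave the chip.
DEMO_CARD_KEY = bytes(range(32))


def auth_code(card_key, merchant_code, amount_cents, counter, digits=8):
    """Code the card displays for one charge at one merchant.

    merchant_code is numeric because it is typed on the card's keypad,
    which also keeps the '|' separated message unambiguous.
    """
    if not merchant_code.isdigit():
        raise ValueError("merchant code must be numeric")
    if amount_cents <= 0 or counter < 0:
        raise ValueError("amount must be positive, counter non-negative")
    msg = f"{merchant_code}|{amount_cents}|{counter}".encode()
    mac = hmac.new(card_key, msg, hashlib.sha256).digest()
    # Truncate the MAC to something a person can type into a web form.
    number = int.from_bytes(mac[:8], "big") % (10 ** digits)
    return f"{number:0{digits}d}"


class Issuer:
    """Issuer side: holds the card keys and the last counter it accepted."""

    def __init__(self, card_keys):
        self.card_keys = dict(card_keys)
        self.last_counter = {}

    def authorize(self, card_id, merchant_code, amount_cents, counter, code):
        key = self.card_keys.get(card_id)
        if key is None:
            return False
        # A counter at or below the last accepted one is a replayed code.
        if counter <= self.last_counter.get(card_id, -1):
            return False
        try:
            expected = auth_code(key, merchant_code, amount_cents, counter)
        except ValueError:
            return False
        if not hmac.compare_digest(expected, code):
            return False
        # Advance the counter only after a successful authorization.
        self.last_counter[card_id] = counter
        return True


def demo():
    """Walk one code through the checks a stolen merchant record would face."""
    issuer = Issuer({"card-A": DEMO_CARD_KEY})
    code = auth_code(DEMO_CARD_KEY, "100177", 2500, 1)
    return {
        "other_merchant": issuer.authorize("card-A", "200288", 2500, 1, code),
        "other_amount": issuer.authorize("card-A", "100177", 9900, 1, code),
        "intended_charge": issuer.authorize("card-A", "100177", 2500, 1, code),
        "replayed_code": issuer.authorize("card-A", "100177", 2500, 1, code),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:16s} accepted={accepted}")
```

A code stored in a merchant database is bound to that merchant, that amount and that counter value, so a copy of the record authorizes nothing new.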
    45. Re:PIN numbers? by Creepy · · Score: 1

      Most sites that accept PINs, including ATMs will reject any card where the user has failed to enter a valid PIN number a certain number of times. The ones that suck in the card will "eat the card" and you won't even get it back. Others will just reject the card after that point (on any machine - the card won't validate at the central office). Basically, you get to make 3-5 educated guesses... Now since you'd have 2.2 million cards to work with, you should guess about 22 cards with each pass using just dumb luck, or about 60-100 cards in your 3-5 stabs at each password.

      As for hashing a PIN number, you could even hash it into random data and give positional information for the true key as part of the hash.

    46. Re:PIN numbers? by Anonymous Coward · · Score: 0


      Coming soon. Google Verified by Visa.

  31. Re:I heard - by letxa2000 · · Score: 0, Offtopic
    Do you blame him? He needs to get the money somewhere to pay back the French since they're obviously opposing war in the hopes of seeing some debt repaid.

    If your credit card was stolen, the terrorist have already won! :)

  32. Gee, thanks CNN by bigneight · · Score: 0

    I, for one, would like to know WHICH credit card processor it was that got hacked so that I know not to use them in the future. Leave it to CNN to leave out the important stuff.

  33. To bad... by 95_gst_al · · Score: 2, Funny

    Yeah he gained access to 2.2 million cards, but to bad they are all probably overdrawn! Just about everybody I know complains that their cards are maxed out. :D I also agree, that out of 2.2 million cards, it's impossible for them to know that all of them are ok and haven't been used.

    --
    When all else fails, piss on it. At least you will feel better in some kind of way.
    1. Re:To bad... by Anonymous Coward · · Score: 0

      There is a place called "Bad"...who's going and why...ohhhh, you meant Too bad....c'mon, it's easy to learn how to use these words folks.

    2. Re:To bad... by 95_gst_al · · Score: 1

      Sorry Teacher. I will start to write my pages now.

      --
      When all else fails, piss on it. At least you will feel better in some kind of way.
    3. Re:To bad... by Anonymous Coward · · Score: 0

      Very well, but pay attention this time.

  34. this report says 5 million cards by Anonymous Coward · · Score: 4, Interesting

    this report says 5 million cards

    http://www.forbes.com/markets/newswire/2003/02/17/rtr881826.html

    1. Re:this report says 5 million cards by MeanMF · · Score: 4, Funny

      this report says 5 million cards

      Some of them were gold and platinum cards, so you have to count them more than once.

    2. Re:this report says 5 million cards by srvivn21 · · Score: 1

      Thanks for making the segue into the RIAA. I have a question:

      How were these numbers "stolen"? They are just information, just copies. If they were music files on Kazaa, they wouldn't be "stolen", they would be "duplicated without authorization". Sure, Slashdot is made up of lots of people, and some feel that music file sharing is theft, but I did a search at -1, and I didn't see a single post making this connection. Not one. What's the difference here?

      Hmmm... Offtopic? Troll? Flamebait? Insightful? Funny? Where's the moderator's dart board when you need it?

  35. I can't believe nobody has said... by Tsar · · Score: 0, Offtopic

    "Imagine a Beowulf cluster of those!"

    Still, this might leave some folks short on cache.

    1. Re:I can't believe nobody has said... by Anonymous Coward · · Score: 0

      Ouch. Punishing. Hope someone else enjoys it. :D

    2. Re:I can't believe nobody has said... by buck_wild · · Score: 1

      A beowulf cluster of WHAT, dumbass?

      Exactly how is this supposed to be funny, anyway?

      --
      If all you have is a hammer, everything looks like a nail.
    3. Re:I can't believe nobody has said... by Anonymous Coward · · Score: 0

      I think he meant a Beowulf cluster of other people's credit cards. Get it, dumbass?

    4. Re:I can't believe nobody has said... by buck_wild · · Score: 1

      Soooooo how is that supposed to be funny, dumbass?

      --
      If all you have is a hammer, everything looks like a nail.
  36. OUch by IanBevan · · Score: 4, Insightful

    Citizens Bank, a financial institution serving the Northeast, shut down the accounts of 8,800 customers whose card numbers had been accessed after being notified by MasterCard on Friday, bank spokeswoman Pamela Crawley said. All of those accounts were safe, she said.

    I'll bet those people are just *thrilled* to have their accounts locked out. How many people are going to find their card mysteriously declined when doing their weekly grocery shop then? I'm betting the bank hasn't made 8,800 phone calls to explain their position.

    Hell of a way for VISA/MC to limit their liability - just cancel their cards ??
    1. Re:OUch by eDogg · · Score: 5, Informative

      Unfortunately, I hold one of those 2.2 million cards. I was thoroughly frustrated when my card was declined Friday, Saturday then again on Sunday. What was even odder is that I could take my bank-issued card to the ATM and withdraw $100 and get a balance statement that showed positive numbers. Finally got the "scoop" from my bank today. They gave me a different story though, said MC alone had 7 million cards compromised. Ended up having to call the "fraud" department at MC, verify my vital information and have my cards re-issued. They also took the time to verify all transactions in the last 4 days to make sure none were fraudulent. On a side note, they did try calling me, but my number had been changed.

    2. Re:OUch by mosch · · Score: 1
      That wouldn't bother me so much, I carry a few cards from different issuers, so it's unlikely to happen to all of them at once.

      And it'd certainly be a hell of a lot less annoying than what AT&T Universal Card just pulled on me last week. They upgraded me to a platinum card without asking me (I didn't want or need the upgrade, the old credit limit was already more than I'll ever need). This made it so everything that was auto-billing to the old card suddenly needed to be changed. Oddly enough, I changed them to bill to American Express instead of the VISA.

      Then the most annoying part of all, when I called to activate my card, instead of just being a computerized thing, they had a person answer the phone, and that person tried to sell me additional services.

      Honestly, if the credit card companies are willing to inconvenience their customers on the incorrect theory that I care whether my cards are gold or platinum, why shouldn't they inconvenience me to keep my card safe? Hell, I'd actually be appreciative of that.

    3. Re:OUch by Anonymous Coward · · Score: 0

      When did this happen?
      One of my VISA cards was fraudulently used 10 days ago.

    4. Re:OUch by Anonymous Coward · · Score: 0

      Do you have any idea which store(s) you used which the card was taken from (which might clue us into which credit card processor had the intrusion)?

      I'd guess it's probably not your local gas station or retail store.

      If the thread doesn't get stale too much and if we got enough other reports, we could do a little correlation and figure it out ourselves.

      --LP, curious whether any gateways he uses was compromised

  37. Read the article by DrMrLordX · · Score: 0, Insightful

    If you had read the article, you'd know that the cardholders are not liable for any purchases that may be made with the stolen CC data. Visa and Mastercard have already been contacting banks to let them know which CC#s were stolen.

    It's better to troll than karma-whore. It's better to troll than do ANYTHING, in fact.

  38. Testing fraudulent use is easy I'm sure by mesach · · Score: 0

    My friend recently bought something online for his motorcycle from a place in Spain, the bill came to something like $70, not too much I personally think.

    Within 10 minutes of him hitting the submit button he got a call from someone at his CC company asking him to verify the sale. We both thought that it was very cool for them to be monitoring apparently all the sales, even the small ones.

    --
    moo.
  39. "Cracker Gains Access to 2.2 PIN NUMBERS" by tha_mink · · Score: 4, Funny

    You get the idea.

    --
    You'll have that sometimes...
    1. Re:"Cracker Gains Access to 2.2 PIN NUMBERS" by one9nine · · Score: 1
      No, "Cracker Gains Access to 2.2 million ACCOUNT NUMBERS". If he doesn't have the PINs (which one would have to enter each time when they make a purchase) then nothing could be bought with them.

      Think of it this way, if I stole your ATM card, I couldn't empty out your checking account without your PIN which, hopefully, only you know.

    2. Re:"Cracker Gains Access to 2.2 PIN NUMBERS" by SirSlud · · Score: 2, Insightful

      > Think of it this way, if I stole your ATM card, I couldn't empty out your checking acount without your PIN which, hopefully, only you know.

      I'm pretty sure the machine knows it too (however briefly as it checks with the bank's servers) ..

      However, retail websites wouldn't have to store your PIN, just authorize you briefly. That makes discovering PINs from 3rd parties impossible. You'd have to crack the credit card company, and that's the most 'logical' party to trust with the data that you need to use the account.

      I agree with the parent post .. a centrally secured PIN number repository accountable to the company that issues the card would probably prevent a lot of fraud.

      --
      "Old man yells at systemd"
    3. Re:"Cracker Gains Access to 2.2 PIN NUMBERS" by Dun+Malg · · Score: 1
      Cracker Gains Access to 2.2 PIN NUMBERS

      You get the idea.

      I don't think it works that way. With ATM cards the PIN is stored on the card using a one-way hash or some such (like unix passwords, yes?). A cracker gaining access to 2.2mil one-way checksums isn't very useable. Of course, just because *I* wouldn't store the un-encrypted PIN somewhere with the number doesn't mean the CC co's wouldn't.

      P.S. I wish people would stop saying "PIN number". What do you think the "N" in "PIN" stands for, huh? While we're at it, quit it with the "ATM machine" thing too. And if I see one more form asking for my "SSN#", I'm gonna go postal! (just one of my petty foibles)

      --
      If a job's not worth doing, it's not worth doing right.
    4. Re:"Cracker Gains Access to 2.2 PIN NUMBERS" by Anonymous Coward · · Score: 0

      no way, the pin can't be on the card even as a hash. brute force only takes 1,000,000 tries!

    5. Re:"Cracker Gains Access to 2.2 PIN NUMBERS" by punkmanandy · · Score: 1

      Every credit card number has what is called a "natural" pin number. This is a hash of the whole card number in some complicated way, probably with some key from the ATM also. If you have a different pin number, the offset from the natural pin is in the clear on the card.
      Breaking the pin is infeasible, much easier to buy something. The pin discourages you from trying to get cash, which is hard to mark as "inconsistent".

    6. Re:"Cracker Gains Access to 2.2 PIN NUMBERS" by shepd · · Score: 2, Interesting

      Too bad that isn't so secure after all. 1 in 150 of those cards can be guessed by simply testing them in ATM terminals.

      So, if it didn't require an ATM terminal... wow. We're talking microseconds here?

      " We found it astonishing that our MCI and AT&T calling cards had the PIN number stored in the magnetic stripe WITH NO ENCRYPTION! "

      Yes, there's a lot of crappy PIN security out there. Best to avoid it.

      Check if your card has crappy PIN security! Next time you swipe it through a POS debit machine at your local small store (which doesn't have a full-time linkup to the bank) enter the wrong PIN. If it tells you it's wrong without dialing out, and your bank is like mine and only supports PIN sizes between 4 and 6 digits, there's less than 1 million combinations to try. That shouldn't take a good computer more than a couple of minutes, and unless the debit machine has a demagnetizer, I don't think it can hurt your card. Of course, a smart person wouldn't take chances and would clone it first. Oh, look, now I can't enter the US. Oh well.

      I think I'm going to buy the used POS debit machine I saw at the local junkshop. Could be piles of fun. I'll charge myself a dollar on it and see what happens...

      --
      If you could be told what you can see or read, then it follows that you could be told what to say or think - BoC
    7. Re:"Cracker Gains Access to 2.2 PIN NUMBERS" by morie · · Score: 1

      I think they will have access to max. 10000 unique numbers! (given a 4-digit PIN)

      --
      Sig (appended to the end of comments I post, 54 chars)
    8. Re:"Cracker Gains Access to 2.2 PIN NUMBERS" by Kompressor · · Score: 1

      I shot the last guy who asked me to help troubleshoot his NIC card.

      :P

      --
      kmem russian roulette: Aquillar> dd if=/dev/urandom of=/dev/kmem bs=1 count=1 seek=$RANDOM
    9. Re:"Cracker Gains Access to 2.2 PIN NUMBERS" by Anonymous Coward · · Score: 0

      Christ it shits me when people use the word 'foibles'.

    10. Re:"Cracker Gains Access to 2.2 PIN NUMBERS" by flink · · Score: 1

      Hey, you gotta forgive the hoi polloi their foibles. ;-)

    11. Re:"Cracker Gains Access to 2.2 PIN NUMBERS" by arkanes · · Score: 1

      Well, there's very little reason for anyone to store the CC number for any length of time, and certainly not in an un-encrypted format, but they still do. It's a moronic policy and if the card issuers insisted on some sort of security auditing from anyone accepting credit cards, then we'd be a lot safer too. Yes, we do it here too, and yes, it's still moronic.

  40. CNN Reports: by nfotxn · · Score: 1

    CNN reported today that everyone should panic. PANIC NOW. PANIC! You're not panicking, PANIC DAMMIT! Panic Code Red. PANIC PANIC PANIC AND TUNE INTO CNN AND PANIC!

    --

    _nfotxn

  41. When will they learn? by ic3p1ck · · Score: 2, Insightful

    I think it's time the whole CC system is overhauled!

    The lack of authentication is the biggest problem with it. And no, the PVV is not good enough for authentication either, it's also printed on the card and some online stores require that number but store it with the CC# anyway.

    I'm sure the banks have a huge amount of fraud on cards and eventually these costs get passed on to the customers.

    Debit cards with PINs / Smartcards are the way to go.

    1. Re:When will they learn? by NaDrew · · Score: 3, Insightful
      Debit cards with PINs / Smartcards are the way to go.
      Um, no. Your liability if someone steals and uses your credit card and it's provably your fault: $50.
      Your liability if someone steals and uses your debit card and it's provably your fault: every cent in your checking account, every cent in your linked savings, CD, brokerage accounts, and as many overdraw fees as your bank can stick you with.
      --
      Vista:XPSP2::ME:98SE
    2. Re:When will they learn? by Anonymous Coward · · Score: 0


      >some online stores require that number but store it with the CC# anyway.

      That's the problem with online stores. There is no need to 'store' the credit card# in the online store's database in the first place.

      An online store could send the transaction details, plus the dollar amounts to the 3rd party credit card processor, get a confirm# back for the transaction (in case it needs to be cancelled) and simply not store the credit card#.
      I have worked on website where we have done just that.

      But nooo! Why not store the customer's card# so we can have something like '1-click shopping' and have our sloppy security expose our customers' card #'s to the world.

    3. Re:When will they learn? by bastion_xx · · Score: 1

      CVV/CVC2 numbers are not be physically stored by the merchant, acquirer, or any 3rd party processor. Same holds true for PIN numbers.

  42. Re:I heard - by Anonymous Coward · · Score: 0

    LOL!!!

  43. No Encryption? by PetWolverine · · Score: 2, Insightful

    Why are so many companies so foolish?

    You encrypt the number like crazy when it's traveling to your server. You protect it with all the firewalls and whatnot you can muster. You limit who has legitimate access to it. And you don't encrypt it when it's stored on the server?

    I don't get it. Passwords are stored encrypted. Why not credit cards?

    For all the time I've spent reassuring my parents that it's okay to pay for things on the Internet because the encryption is impossible to break, things like this make me really nervous. I think we need legislation requiring all company databases that store credit cards to store them encrypted.

    That way, if someone does break the encryption and get our credit card numbers, at least we can prosecute them under the DMCA!

    --
    I found the meaning of life the other day, but I had write-only access.
    1. Re:No Encryption? by Anonymous Coward · · Score: 1, Interesting
      I don't get it. Passwords are stored encrypted. Why not credit cards?


      Or how about this: Why does the webserver box have the appropriate privileges to run a query on the database for all credit card numbers? Name one situation where the credit card's website would have to query and output an entire credit card number to an outside connection. Why are the systems for public access and confidential access on the same subnet and able to directly communicate?

      Sounds like a stupid admin set-up an IIS box and had it access a database server with database administrator privileges. First, you'd have to be a moron to still be using IIS. Second, you'd have to be a total moron to not apply a security patch. Don't give me that "our administrator doesn't have time" bullshit. You do the five-alarm, red-alert security stuff first, the people who complain about lock-ups while playing solitaire can sit and spin. If the management doesn't understand that, fuck 'em. Might as well leave and go elsewhere, since you'll be canned anyway when the network is compromised.

      It's pretty apparent to me that "easy to install and configure" is tailor-made for those who are fucking lazy morons who don't do any planning before implementation.
    2. Re:No Encryption? by Anonymous Coward · · Score: 1, Interesting
      You don't get it.

      Passwords aren't stored "encrypted." They're stored using a one-way hash. When you type in your password, it's hashed and compared to the stored one-way hash. Idea being that if someone has access to the hashes, they can't (easily) get back the password and you actually need the password, not the hash, for authentication (assuming the authentication system/program hasn't been compromised, which is really necessary).

      You'll note that you always have to type in your password when you log in to your system. You'll note that when a credit card processor wants to make a transaction with a bank, they don't send a hash, but rather an account number. Therefore, they store the account number somewhere, cleartext. It wouldn't help if they stored and transmitted hashes - then someone could just steal the hashes and use them just like account numbers.

      It would be possible to set up a trust system which uses public key crypto: a concatenation of (CC number + transaction amount + name of parties involved + timestamp) is encrypted using the bank's public key and only this ciphertext is stored and transmitted to the bank. Well, that would require some sort of infrastructure where the processors, merchants and banks interchange keys, and a really fucking big clue stick to convince merchants and processors not to store any of the original information, but instead just record the hash (bye-bye one-click patent). That ain't gonna happen.

    3. Re:No Encryption? by realdpk · · Score: 1

      A lot of companies (even non-porn) offer subscription services. They could still encrypt the credit cards (and should) but they need to be able to decrypt them to send them to the processing company.

      The answer here would be for the processing company to offer their client a one-way encrypted hash of the card/exp date/cvv2 so the merchant doesn't need to keep it. It'd be tied to the merchant account number. Hell, could work for non-subscription services too. Doesn't prevent that merchant from draining the account, but at least if it gets out, it won't be of much use.
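
Added example, not part of the thread and not any processor's real API: a sketch of the merchant-bound token the two comments above argue about, where the merchant keeps only a token and a copy presented under another merchant account is refused. The `Processor` class, merchant IDs and the test card number are constructed for illustration; the CVV2 is deliberately never passed in or kept.

```python
import hashlib
import hmac
import secrets


class TokenError(Exception):
    """Raised when a card or token is rejected."""


def luhn_ok(pan: str) -> bool:
    """Standard Luhn checksum over a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class Processor:
    """Hypothetical processor: the only party that holds the card number."""

    def __init__(self) -> None:
        # A keyed HMAC, not a bare hash: card numbers are short and
        # structured, so an unkeyed hash could be reversed by enumeration.
        self.key = secrets.token_bytes(32)
        self.vault = {}  # token -> (merchant_id, pan, expiry)

    def tokenize(self, merchant_id: str, pan: str, expiry: str) -> str:
        pan = pan.replace(" ", "").replace("-", "")
        if not pan.isdigit() or not luhn_ok(pan):
            raise TokenError("invalid card number")
        msg = "\x1f".join((merchant_id, pan, expiry)).encode()
        token = hmac.new(self.key, msg, hashlib.sha256).hexdigest()
        self.vault[token] = (merchant_id, pan, expiry)
        return token

    def charge(self, merchant_id: str, token: str, cents: int) -> dict:
        entry = self.vault.get(token)
        if entry is None:
            raise TokenError("unknown token")
        owner, pan, _expiry = entry
        # The binding: a token only works for the merchant it was issued to.
        if not hmac.compare_digest(owner.encode(), merchant_id.encode()):
            raise TokenError("token was not issued to this merchant")
        return {"merchant": merchant_id, "last4": pan[-4:],
                "cents": cents, "approved": True}


def demo() -> dict:
    """Subscription merchant stores the token; a thief replays it elsewhere."""
    processor = Processor()
    test_pan = "4111 1111 1111 1111"   # constructed test number, Luhn-valid
    token = processor.tokenize("MERCHANT-A", test_pan, "12/05")
    merchant_db = {"customer-17": {"token": token, "last4": "1111"}}

    renewal = processor.charge("MERCHANT-A", token, 1995)
    try:
        processor.charge("MERCHANT-B", token, 99900)
        replay = "accepted"
    except TokenError as exc:
        replay = f"refused: {exc}"
    return {"merchant_db": merchant_db, "renewal": renewal, "replay": replay}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

As the comment above says, this does not stop the issuing merchant itself from overcharging; it only makes a copy of the merchant's database useless to anyone else.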

    4. Re:No Encryption? by caluml · · Score: 1

      I don't get it. Passwords are stored encrypted. Why not credit cards?

      I'll tell you what I don't get :)

      You advertising your rather nice large mp3 collection on Slashdot. I tested an MP3 for download, and it came down fast, and correct. Are you mad? ;)

    5. Re:No Encryption? by Anonymous Coward · · Score: 0

      Must be mad - no pr0n!

    6. Re:No Encryption? by Anonymous Coward · · Score: 0

      > the encryption is impossible to break

      You really are naive. The encryption is almost meaningless, because you have to use the unencrypted version! For example to buy something over the web, your parents type in the number on an unsecured computer (can you say virus keyboard logger? do you trust the company that wrote the browser they use?), it gets used unencrypted by the web server, it's passed unencrypted via stdin or environment variables to the CGI program, it has to be used unencrypted by the CGI program, it has to be used unencrypted by whatever CC library the company is using, it gets sent unencrypted to the bank, and if it is for a recurring charge, it has to be stored in a way the company's software can use it unencrypted. The number can only be encrypted in only a small portion in the lifecycle of a transaction. Yes, in what's the most vulnerable part, the transmitting it over a public network, it is encrypted, but for the vast majority of the rest of the time, it has to be unencrypted.

      > at least we can prosecute them under the DMCA!

      Doh! I just wasted time replying to a troll.

  44. White hat by Anonymous Coward · · Score: 0

    or black and maybe even other, it'll be interesting to see who.

  45. Re:Go away, Negro. by batboy78 · · Score: 5, Funny

    obviously the humor in the use of the word "cracker" in the article title was lost.

  46. why bother with millions, by Erris · · Score: 1

    when just one stolen credit card will buy more box cutters than you and all your friends can carry?

    --
    DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
  47. c'card fraud....who you gonna call by djupedal · · Score: 1

    "...none of them seem to have been used fraudulently."

    What, we should expect a stolen c'card ## to be used legally? ...sheeseh.

    The way things are going, I'd say my c'card info is safer in the hands of the [insert your favorite eastern bloc country name here] mafia, than with so called legitimate companies.

    I just learned that some outfit was making unauthorized charges, based on the sole fact that someone answered the phone when they supposedly called! They seem to think this amounts to a second contact, the first being some junk mail the postperson brought, and this second contact equals opt-in??!!

    I'll say it again...I'm beginning to trust crooks more than business...and don't make me agree that they're one and the same :) Let's place bets on how much longer c'cards survive, until another scheme comes along to shift the balance of buying power once again. I'm fed up with all the time I have to put in when it comes to monitoring for fraud like this.

    1. Re:c'card fraud....who you gonna call by eggnet · · Score: 1

      If someone stole your credit card number, and you used it afterwards, you would be legally using a stolen credit card number.

    2. Re:c'card fraud....who you gonna call by djupedal · · Score: 1

      Are you saying that 2 million people stole their own c'card data? joke

  48. Re:Go away, Negro. by Anonymous Coward · · Score: 0

    ...or just never there in the first place.

  49. Re:mmmm gay sex not as good as Ninnle! by Anonymous Coward · · Score: 0
    Cracker gains access to 2.2 Million Credit Cards

    /me shakes his fist in Mitnick's general direction...

  50. Doesn't surprise me one bit. by Anonymous Coward · · Score: 0

    I work at a company that contracts out some IT stuff to a bank, USBANK in fact. Let me tell you, the fact that they are not hacked on a daily basis has more to say about the generosity of hackers than about the security that large banks use. It would be trivial to get into their machines through ours (not that we do security any better) and completely wreak havoc inside their networks.

  51. one way to know. by Erris · · Score: 2, Insightful

    You could just cut them all off. Are there any places left that don't call in credit card purchases? Of course, that would leave 2.2 million credit card users high and dry and they would have to issue 2.2 million new cards. It would cost hundreds of thousands of dollars and do incalculable PR damage. So what to do?

    --
    DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
    1. Re:one way to know. by Cuthalion · · Score: 1

      It'd probably cost millions. I mean, $0.50 per credit card replaced seems quite low.

      --
      Trees can't go dancing
      So do them a big favor
      Pretend dancing stinks!
    2. Re:one way to know. by civilizedINTENSITY · · Score: 1

      "So what to do?"

      Don't they have to replace them? I mean they can't just ignore this, can they? Probability fraud * probable theft = replacement, then bullshit... They would have to replace the cards...right?

    3. Re:one way to know. by radish · · Score: 1

      Are there any places left that don't call in credit card purchases?

      We talking bricks & mortar or online here? If the former, most places don't call in charges below the "floor limit". In the UK this is usually around £50 - depending on the store and the nature of the transaction. This is simply because it takes a while to do a verify even when it is all automated. Of course all online places call in every txn, because the time is less critical.

      --

      ---- One button is the power button, the other is the Bender voice button "Bite My Shiny Metal Ass"

    4. Re:one way to know. by Cyberdyne · · Score: 3, Informative
      We talking bricks & mortar or online here? If the former, most places don't call in charges below the "floor limit". In the UK this is usually around £50 - depending on the store and the nature of the transaction. This is simply because it takes a while to do a verify even when it is all automated. Of course all online places call in every txn, because the time is less critical.

      Personally, I can't even remember the last time I bought something on CC using anything other than an EFTPOS terminal - which automatically verifies every transaction with the bank operating it, as well as keeping an internal 'hotlist' of stolen cards, updated nightly. (Done properly, the call costs somewhere around 1p - at which point, even on a 50p transaction, the 2.5% cut will cover it. The modem racks and servers will cost more, of course, but you need most of that infrastructure in place anyway...)

      Are you thinking of the "manual" verification procedures used on suspicious or very large transactions, where the store telephones the bank, who then ask you questions to confirm your identity??

      If I were the issuing bank, I'd put a 'verify' flag on the cards immediately (vendor must confirm identity directly, i.e. have you call the bank to check it's really you), and rush a replacement card out to each cardholder. That way, the cardholders are only inconvenienced for the day or two it takes to FedEx (or whatever) the new card out - yes, it's expensive to repeat this for 2.2m people, but compared to the cost of having to honor a string of dishonest transactions you can't bill the cardholder for?

    5. Re:one way to know. by radish · · Score: 4, Informative

      That's exactly what I'm talking about - EFTPOS. There is a myth that they clear every txn - they simply don't (I've worked in shops using them, and more recently in the financial sector). As I said, most shops (particularly large department stores and supermarkets) cannot clear the required number of txns quickly enough, so they set a limit - anything below that is just approved automatically provided the card is not on a watch list. The actual value of the limit varies by shop and by day and is secret (as knowledge of it would be useful to a fraudster).

      --

      ---- One button is the power button, the other is the Bender voice button "Bite My Shiny Metal Ass"

    6. Re:one way to know. by battjt · · Score: 3, Informative

      I think my wife's card was part of this. She got a call from the bank last week telling her that her card was dead.

      My father runs a men's wear store. Last month sometime, he was told that any transaction that he didn't call in would result in a $50 fee.

      Joe

      --
      Joe Batt Solid Design
    7. Re:one way to know. by Anonymous Coward · · Score: 0

      You're wrong. An auth on a card is the basic function of all those Verifone terminals in all those supermarkets and department stores, and they most certainly do get an auth before they capture the final charge.

    8. Re:one way to know. by Anonymous Coward · · Score: 0

      Still - if the link to the card issuer is down, the processor might stand-in up to a certain amount. If the account hasn't been hot carded yet, the charge will go through.

    9. Re:one way to know. by Anonymous Coward · · Score: 0

      If I were the issuing bank, I'd put a 'verify' flag on the cards immediately (vendor must confirm identity directly, i.e. have you call the bank to check it's really you), and rush a replacement card out to each cardholder. That way, the cardholders are only inconvenienced for the day or two it takes to FedEx (or whatever) the new card out


      try BLOCK the card immediately and then force the cardholder to call the card issuing company, to cancel the card personally. THEN, after 10 business days, the cardholder can then access his/her account via card again. This is the way I was treated as a check card user at a certain financial institution. I don't know if this is the way everyone treated it, but I felt violated by this treatment, as I get paid direct deposit, and use my card for every transaction.

      I guess this is the price we pay for convenience. I remember having to run to the bank after being paid and depositing or cashing the check, and then either writing a check for purchases or going back to the bank to get the money. Man I've gotten lazy :-D

  52. Is it a cracker by jasonditz · · Score: 1

    I know slashdot's really into using the term cracker for malicious hackers and all, but how malicious can this person really be if he didn't actually use the cards for anything?

    1. Re:Is it a cracker by CaptainPhong · · Score: 1

      The fact is that the motive of the cracker is unknown. A non-malicious hacker would have informed the company that they were vulnerable without breaking into the system. At a minimum, the accounts compromised will have to be shut down and account numbers re-issued for all the affected cards. It is certainly not an insubstantial cost for the number of compromised cards.

      --
      ... "Give me a woman who loves beer and I will conquer the w
    2. Re:Is it a cracker by buck_wild · · Score: 1

      That's crazy talk. Say a guy was really good at taking people's wallets. He gathers up between 2 and 5 million, but gets caught before he can use any of the stuff in them. He didn't really do anything wrong, right? He's just misunderstood, right? I'm sure he's not a bad guy...

      --
      If all you have is a hammer, everything looks like a nail.
    3. Re:Is it a cracker by jasonditz · · Score: 1

      Right, but the guy in question hasn't actually been caught, has he? He's just not using any of the stuff.

      I'm not saying he didn't do anything legally wrong, I'm just saying it doesn't sound like he actually stole anything.

    4. Re:Is it a cracker by buck_wild · · Score: 1

      Say you have a skylight in your house, and it's open. This guy drops a rope through the skylight, hangs by the rope, and takes pictures of your credit card statements and bank statements.

      He didn't actually break in, right? He didn't steal anything, right?

      Wrong.

      --
      If all you have is a hammer, everything looks like a nail.
  53. That's funny by kfg · · Score: 1

    When CompUSA comes up on /. as a topic it's usually trying to figure out which one of your possible selections the staff belong to.

    Go figure.

    KFG

  54. Crappy journalism by MacAndrew · · Score: 2, Insightful

    Having read it :) I suspect this CNN article isn't much more than a paraphrase-the-press-release sort of thing. ("A hacker has gained access to as many as 2.2 million Visa and MasterCard accounts, the two companies announced Monday.") Someone else here cites an article saying FIVE million numbers were stolen! I think more probing work is needed.

    Also, I love "Both card companies have zero-liability policies, which protect cardholders from being held responsible for unauthorized or fraudulent charges" -- as if they're so generous. For one thing, I think that "policy" is required by federal law, and if not it would be legally insane (and unenforceable) to hold subscribers liable for 3rd party mistakes. An interesting Q might be how long you could wait or fail to notice an ongoing fraudulent use of the card, assuming it didn't get maxed out within minutes.

    Anyway, look for more probing articles. I'd like to know what *other* sensitive information might have been accessible? Wouldn't a list of social security numbers be nice? How'd you like to have to go get that number changed? I assume (hope, pray) SSN's weren't stored in the same sloppy way as these CC #'s, but it's perfectly possible at some other institution.

  55. Damn mathematically-challenged journalist... by MoThugz · · Score: 1

    From the article:

    The affected accounts make up about one-third of 1 percent of the 560 million MasterCard and Visa cards in the United States. Spokesmen for the two companies said they have notified the banks that issued the affected cards.

    Can someone tell me what's so wrong about saying it is "slightly more than 0.3% of bla bla"...

    1. Re:Damn mathematically-challenged journalist... by Anonymous Coward · · Score: 0

      From the article:

      The affected accounts make up about one-third of 1 percent of the 560 million MasterCard and Visa cards in the United States. Spokesmen for the two companies said they have notified the banks that issued the affected cards.

      Can someone tell me what's so wrong about saying it is "slightly more than 0.3% of bla bla"...


      because it's traditionally been considered bad journalism and bad writing. I forget the exact rule, but you are supposed to write out numbers under a hundred or something, so it's like sixty-nine or 1776, but not 69 or seventeen seventy-six. Got it? Good! Same thing applies to writing out things like percent symbols and dollar signs. But I think that this rule was perhaps not ever used one hundred % of the time, and may see increasingly less notice in the future...

    2. Re:Damn mathematically-challenged journalist... by eggnet · · Score: 1

      Do you have something to say about the difference between the two statements?

  56. "Working to find them" by Snover · · Score: 1

    The security would have had to have been REALLY weak for an inexperienced cracker to get in, and somehow I'm doubting that was the case, so... how exactly are they planning on catching the person (or more likely, group) that did this?

    --

    [insert witty comment here]
  57. The sad part is by Com2Kid · · Score: 1
    • The affected accounts make up about one-third of 1 percent of the 560 million MasterCard and Visa cards in the United States.


    2.2 million

    ~280 million people in the country;

    2.2
    --- = one serious bunch of financial problems.
    280
  58. Because of technology... by leeet · · Score: 2, Interesting

    Credit cards weren't invented last year. Back when they were invented, this was some major technology. Can you imagine? A piece of plastic with a magnetic stripe on the back? Totally un-hackable! How could it possibly be hacked when most people didn't even have magnetic tapes at home? Most people were still using records to play music. This was state of the art technology. And to fake the card? No way, an "embosser" was probably something guarded as close as the Mona Lisa painting.

    These days, you can buy blanks, printers, mag-stripe writers at most stores. Easily hackable. Too easy in fact.

    Like the article mentioned, there are 500 million cards in the US alone. If you calculate the cost to replace each card at $1, you've got 1/2 a billion $ fee. Companies are slowly going to the "smart (yeah right) card" but that just doesn't cut it. The whole system sucks, but companies don't really care because we're actually paying for it..! Wonder why you have a 21% interest fee while you can borrow at around 5-6% at the bank? The credit card companies simply balance their #'s every year... "ok we lost $X dollar, let's charge X% to customers". It's no magic... So why bother changing the system? It's perfect to the credit companies...!

    --
    -- Leeeter than leet
    1. Re:Because of technology... by thogard · · Score: 0, Flamebait

      What store can you buy a mag-stripe writer? I know exactly two people have writers in their collection of stuff. People doing creative writing on their cards is rare compared to the millions of fake "smart" cards used by the cable TV companies every year. smart card fraud is way ahead of mag card fraud and it's getting larger every day.

    2. Re:Because of technology... by _xeno_ · · Score: 1
      Wonder why you have a 21% interest fee while you can borrow at around 5-6% at the bank?

      I could have sworn it was because the bank usually loaned me the money on condition of collateral (ie, if I don't pay my car loan, I don't keep my car), where as the credit card company just loans me the money on faith that I'll pay them back eventually. Hence I pay around 14% interest on my credit card and about 6% on my car loan - through the same bank (er, federal credit union).

      Likewise, when most people "borrow" from the bank, what they're really doing is mortgaging their house - so the house acts as collateral for the loan. Looking at the rates table I'm looking at, loans without collateral go from 13%-16%, whereas loans with collateral go from 3%-11% (depending on the depreciation of the collateral among other things).

      Of course, I may be wrong, but that's the way I understand it - credit card companies are taking a larger risk in loaning out money than most bank loans are. Hence the rates are higher.

      That's not to say that the credit card technology doesn't suck right now, but...

      --
      You are in a maze of twisty little relative jumps, all alike.
    3. Re:Because of technology... by _xeno_ · · Score: 1
      How about this? It's the first thing I found off Google (yeah, it's an MS-Windows based security system, I'm not endorsing it or anything).

      A lot of companies use magnetic swipe cards that are very similar to credit cards for their physical security system. I know that they have a writer where I work - I broke my card, and watched them write the new badge before handing it back to me. Although since they've switched over to the cool RFID thingies... so now instead of swiping it and checking to see if the LED is blinking, I get to wave the card madly in front of the LED, and then back so I can see if it's blinking, then again because it didn't f#!@ing work, and again... why can't it BEEP or light up one of the TWO OTHER LEDS ON THE PANEL once it's accepted the card?!

      Er, anyway, try looking for "magstripe writers" or "magstripe security" on Google and you might find better links. They aren't common and are expensive, but it's possible to get one. (Although most small businesses just get the cards pre-written, and assign the IDs off the cards to the people given the badges. Break or lose your badge? They reset your ID to the new ID for your new card. But it is possible to get the writers.)

      --
      You are in a maze of twisty little relative jumps, all alike.
  59. Credit card security is a joke by koreth · · Score: 5, Insightful
    I used to work on the billing system for a company that took credit card payments, and I have to say the security in the system is just laughable. I have no sympathy whatsoever for the banks losing billions a year to fraud; there are so many simple ways to plug the system's gaping holes that I think it borders on criminal negligence they haven't done so yet. A few examples off the top of my head -- with the caveat that this was all true a few years ago and may be less so today. All of what I'll describe here is pretty rampant already, so I don't think I'm revealing any state secrets.
    • Address/ZIP code verification (AVS) is fine and dandy. But for the major US credit cards (Visa, MC) it only works with US addresses! So if you have a Visa card with a Canadian or British billing address, address verification is a no-op. It didn't take our fraudulent customers long to figure that one out.
    • And even if you want to use a US ZIP code, all you need to know is the card prefix for a small regional bank (the first 4 digits of a Visa card are a bank ID) that only serves a few ZIP codes, and you can get a pretty good hit rate with random card generation.
    • Depending on the issuing bank, you can often use any expiration date you want as long as it's in the future. We used to have an option to automatically bump the expiration date forward by a year when the expiration date on a monthly-billed account went by, and most of the time it worked without any errors even in cases where we knew the bank had issued a new card with a two-year expiration time.

    Here are a few things I'd like to see in the credit card infrastructure.

    • More strict address verification. Standardize the format of street addresses such that the actual address can be verified on mail-order or online sales, rather than just the ZIP code. Some banks do already support street address verification, but it's not universal and it's pretty unreliable since there are so many different ways to format addresses and they don't always match what's in the bank database. (#10 101 1st St., 101-10 First St., 101 1st Street Suite 10, etc.)
    • Require a photo on every credit card, a la Citibank. That plus better AVS makes physical credit card theft a lot less worthwhile.
    • Smart account closures. Right now when an event like the one in the article happens, 2.2 million people have to scramble to clean up the mess of recurring payments suddenly failing through no fault of their own. The letter from the bank is followed a couple days later by a nastygram from the cable company or whatever. The infrastructure should be able to shut down a card for new transactions while allowing familiar ones to go through, where "familiar" means a vendor that's charged to the card more than N times over a period of at least M months where the amount of the new charge is within X percent of the previous charges. This one might not appear to benefit the banks at first glance, but it does: when there's a big theft of card numbers, it will cut down on the number of irate customer phone calls they have to field from people whose utilities just got shut off.
    • Single-use card numbers. I should be able to call a phone robot or hit a web site, enter my card number, and get back a virtual card number that's good for either a limited amount of time (American Express offers that) or, better still, that's only good for the first vendor who uses it. That way I'd give a different card number for each monthly payment (cable bill, Netflix subscription, etc.) and if the number was stolen, I'd only have to give a new number to that one vendor and the bank's exposure to fraudulent transactions would be negligible.
    • PINs. Again, this is more helpful for physical card theft than online theft since the PINs would be in the online databases right alongside the card numbers, but it's an obvious thing that'd make it next to useless to grab someone's wallet intending to use their cards.

    Some of these things would be a major overhaul. Some of them wouldn't. But any of them has to be doable for a lot less money than the credit industry claims it loses to fraud every year. I cannot comprehend why they don't do some of these things.
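
Added example, not part of the original comment: one way the "smart account closure" rule proposed above could be written, with N, M and X as parameters. The merchant names, dates and amounts are constructed; comparing the new amount to the median of earlier charges and counting only charges made before the card was flagged are assumptions of this sketch, not details from the comment.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median


@dataclass(frozen=True)
class Charge:
    merchant: str
    day: date
    cents: int


def whole_months(start: date, end: date) -> int:
    """Number of complete calendar months from start to end."""
    months = (end.year - start.year) * 12 + (end.month - start.month)
    return months - 1 if end.day < start.day else months


def decide(history, new, flagged_on, n=3, m=3, x=20.0):
    """Return (approved, reason) for a charge against a possibly closed card.

    A merchant is "familiar" if it charged the card more than n times,
    over at least m months, and the new amount is within x percent of
    its earlier charges. Only charges dated before flagged_on count, so
    history cannot be built up after the card numbers were taken.
    """
    if new.day < flagged_on:
        return True, "card not flagged yet"
    prior = [c for c in history
             if c.merchant == new.merchant and c.day < flagged_on]
    if len(prior) <= n:
        return False, "too few prior charges from this merchant"
    first = min(c.day for c in prior)
    last = max(c.day for c in prior)
    if whole_months(first, last) < m:
        return False, "prior charges span too short a period"
    typical = median(c.cents for c in prior)
    if abs(new.cents - typical) > typical * x / 100.0:
        return False, "amount differs too much from earlier charges"
    return True, "familiar recurring charge"


# Constructed sample data: a monthly cable bill, a burst of gym charges
# inside one month, and charges that only appear after the flag date.
FLAGGED_ON = date(2003, 6, 20)
SAMPLE_HISTORY = (
    [Charge("CABLECO", date(2003, mth, 5), 4999) for mth in range(1, 7)]
    + [Charge("GYM", date(2003, 5, d), 2500) for d in (1, 8, 15, 22)]
    + [Charge("PADDER", date(2003, 6, d), 100) for d in (21, 22, 23, 24)]
)


if __name__ == "__main__":
    attempts = [
        Charge("CABLECO", date(2003, 7, 5), 5199),   # usual bill, small rise
        Charge("CABLECO", date(2003, 7, 5), 49900),  # ten times the usual
        Charge("NEWSHOP", date(2003, 7, 6), 1500),   # never seen before
        Charge("GYM", date(2003, 7, 1), 2500),       # frequent but too recent
        Charge("PADDER", date(2003, 7, 1), 100),     # history only post-flag
    ]
    for charge in attempts:
        ok, why = decide(SAMPLE_HISTORY, charge, FLAGGED_ON)
        print(f"{charge.merchant:8} {charge.cents:6} ->",
              "approve" if ok else "decline", f"({why})")
```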

    1. Re:Credit card security is a joke by maswan · · Score: 2, Interesting

      Single-use card numbers with all that you describe are already here. My bank here in Sweden offers this for their bank cards, and if your normal bank card includes a Visa function, your one-use number also is a Visa card number.

      All the functions you say, first vendor, N transactions, N months. And also a charge limit, so that you can't lose too much money from a bad company either. I'm actually not afraid to give out a credit card number to companies I've never heard of anymore.

      The bank? Föreningssparbanken in Sweden. /Mattias Wadenstein

    2. Re:Credit card security is a joke by IanBevan · · Score: 1

      banks losing billions a year to fraud...

      Who do you think is paying for that exactly? Higher interest rates, bank charges etc etc. They don't lose anything, believe me.
    3. Re:Credit card security is a joke by koreth · · Score: 1

      Yes, those costs are passed on to us. But on the other hand, if a bank instituted fraud reduction measures, it wouldn't have to reduce its charges and interest rates by the same amount as its savings, so fraud reduction should still be a profitable activity.

    4. Re:Credit card security is a joke by g_attrill · · Score: 3, Insightful

      banks losing billions a year to fraud...

      Banks don't lose out - they merely do a chargeback to the merchant, and unless they can prove the transaction was authorised they are the ones that lose the money. Since most fraud is mail-order or uses signatures clearly nothing like the one on the card 99% of the time they lose out.

      Gareth

    5. Re:Credit card security is a joke by dbitter1 · · Score: 2, Informative
      but it's not universal and it's pretty unreliable since there are so many different ways to format addresses and they don't always match what's in the bank database. (#10 101 1st St., 101-10 First St., 101 1st Street Suite 10, etc

      Actually, it isn't. The ole USPS has addressed this, and there _IS_ a standardized format. You can purchase software to "sanitize" your lists and make them match any other sanitized list. It's actually mandatory for bulk mailing rates.

      If you are a true sadist, you can read about it here

      --
      For us carnivores, "Sucking the marrow out of life" isn't a transcendentalist philosophy but a practical instruction.
  60. Small portions by EnsilZah · · Score: 1

    Hmm.. I wonder... If you had 2.2M card numbers and you took $0.2 from each card, would you be noticed?

  61. grain of salt by newsdee · · Score: 2, Funny

    After that story with the RIAA claims about number of seized CD burners, I'm seriously wondering whether this "dangerous cracker" is not in fact some script kiddie who stumbled upon a computer that stored 275,000 CC#s, and the data is mirrored in 7 other computers... ;-)

    1. Re:grain of salt by ShooterNeo · · Score: 1

      Or found one cc number (his mom's) and spread it via trojan or worm to 2.2 million comps...

  62. Hello?? by miketang16 · · Score: 3, Informative

    It's CRACKER not HACKER if anyone would read the headline. God, even on slashdot...I wonder how hackers get the bad name...

    --
    -------
    "In times of universal deceit, telling the truth becomes a revolutionary act."
    -- George Orwell
    1. Re:Hello?? by Anonymous Coward · · Score: 0

      Actually, it's not a CRACKER or a HACKER... Those are both lame media words. In reality it's an attacker, thief, or intruder.

      There is no point in glamorizing computer crime by inventing vocabulary.

    2. Re:Hello?? by SuperMario666 · · Score: 1

      NEW YORK (CNN) -- The hacker who breached a security system to get into credit card information had access to about 5.6 million Visa and Mastercard accounts, far more than originally announced, the two card associations told CNN Tuesday.

      Monday, Visa and Mastercard said the hacker could look at as many as 2.2 million accounts after breaching the security system of a company that processes credit card transactions on behalf of merchants.


      Just because our sub-culture invents a word, it doesn't mean the wider culture as a whole is in any way obliged to adopt it.

  63. So who is it? by LinuxParanoid · · Score: 5, Interesting
    This implies to me that a credit card payment gateway was compromised. Who was it?

    Inquiring minds want to know...
    1. Re:So who is it? by Anonymous Coward · · Score: 0

      Maybe paypal? Though a lot of paypal users don't have CCs if that is the case (they claim to have > 20 million members).

    2. Re:So who is it? by bovinewasteproduct · · Score: 1

      They said third-party processor. Third party processors are companies that can legally process YOUR sales on THEIR merchant accounts. Most people can not do this, it's called factoring, which is a big no-no.

      Look for the companies that process for pOrn sites... No regular site will pay the 10 to 15% fees charged (not if they are selling a real product).

      BWP

  64. How did they know ? by billcopc · · Score: 2, Interesting

    If they don't know who did it, not even the tiniest little hint, then how can they know it even happened? There was a similar 'accident' some time ago where a disgruntled tech ran off with a hard drive full of bank account numbers from his workplace, but they knew who did it and they had the missing hard drive as 'proof'. The trouble was just finding the guy who had skipped the country or something. Much different.

    --
    -Billco, Fnarg.com
  65. Uncle Kracker stole credit card numbers?!? by cheeser · · Score: 1

    Maybe he couldn't sell enough CDs...

    --
    http://cheeser.blog-city.com

  66. Re:mmmm gay sex not as good as Ninnle! by Anonymous Coward · · Score: 0

    lol!

    He was chatting in #linuxwarez on efnet last night, but not about cc hacking.

  67. Panic. by Myuu · · Score: 1

    It's because they don't want to create mass panic. Same reason that sci-fi shows say they hide aliens. If people knew that they were affected, they would act irrationally and cancel their cards or whatever. (I don't have a CC, I hope not to either, so I don't know the system well)

    I'm not sure that I agree with the policy, I, of course, believe the whole "Information must be free thing", but I can see their logic.

    --

    forget it.
  68. Sure am glad I'm not the 'hacker' by eniu!uine · · Score: 1

    By the Mitnick precedent this guy's gonna be in jail for over 400 years. Probably over a hundred of it in solitary. I was happy about one thing.. the writer of the article didn't include a grossly exaggerated damage figure. On a serious note though, what was he going to do with all those numbers anyway? It's easy to get the numbers, but how easy is it to come up with all those fake mailboxes?

    1. Re:Sure am glad I'm not the 'hacker' by Anonymous Coward · · Score: 0

      Maybe he won't fuck up and refuse his first trial date like dumbo did.

  69. No wonder! by Tablizer · · Score: 1

    I thought the line item for "500 Britney Spears Collector Plates" looked suspicious.

  70. Not Me! by The-Perl-CD-Bookshel · · Score: 1

    I'm proud to say that, so far, it wasn't my debit card! The balance still reads $6.95, just like the last time I checked.

    --
    I don't keep a lid on my coffee so when I walk around I look busy -me
  71. I don't know ... by DaemonGem · · Score: 0

    If I got 2.2 million credit cards, I might not do anything with them. That would keep the authorities guessing, no one would find me, and it would just prove that I could do it. Plus, after a new mansion, several big LAN parties, and the new European suit, someone might start asking questions.

    --
    "Alle reden vom wetter. Wir nicht." - SDS Sozialistischer Deutscher Studentenbund.
    j00 4r3 3n73r1ng l337 w0r1d.
  72. Time frame? by gmuslera · · Score: 1
    I have not seen yet when the problem was noted and for what amount of time the hole was open. In the Forbes article they said that Mastercard started to warn their users on 3/Feb. For how much time had this been going on?

    And how will the stolen cards be managed? Put them in a list of banned card numbers? Emit 2 million free cards for each one of the involved users? What if anyone in that big number says that some purchase was made by the cracker and not by him?

    On the other hand, 2 million CC numbers that can't be used could be used to play jokes on Nigerian scammers... if they still haven't learned which key is caps lock maybe they can be fooled with this big time.

  73. I bet I know by Tablizer · · Score: 1

    Somebody collected 2.2 million AOL disks (not hard to do), and needed CC's to activate them all.

    1. Re:I bet I know by AntiNorm · · Score: 2, Funny

      Somebody collected 2.2 million AOL disks (not hard to do), and needed CC's to activate them all.

      Most of the AOL CDs (no apostrophe in a pluralized acronym) I have seen lately state pretty loudly on the packaging that a CC is no longer required for activation of the trial account.

      --

      I pledge allegiance to the flag...
      of the Corporate States of America...
  74. Security? NO way by KamuZ · · Score: 1

    We (IT people) need to achieve more security; maybe stricter guidelines could help, because an important part of our industry depends on CC transactions. The USA has a privileged seat on this, because people are used to buying with CC, but for example, in Mexico people are afraid to make an online transaction, even if it's more risky doing this in person. People need to be educated and we need to stop this. Crackers are a menace, but I bet lots of sysadmins and security experts know how to crack a server; we need to use this knowledge to get better security. I know it can't be 100% secure, but we need to minimize these problems. Don't get me wrong, I'm not angry, but I live in a country where this kind of problem scares people so hard that they don't even want to check their account balance online; they go to an ATM to do that.

  75. maybe BOA by Indy1 · · Score: 1

    cart.bamart.com is another payment gateway i believe

    --
    Lawyers, MBA's, RIAA? A jedi fears not these things!
  76. CC security will improve rapidly... by karlm · · Score: 1

    ... as soon as CC companies foot the bill for fraud. Smart card technology is very slowly being adopted, but it would be adopted within 6 months if the powerful CC companies rather than the powerless merchants paid for the fraud, or at least split the cost of fraud with the merchants.

    --
    Copyright Violation:"theft, piracy"::Anti-Trust Violation:"thermonuclear price terrorism"<-Overly dramatic language.
    1. Re:CC security will improve rapidly... by cookiepus · · Score: 1

      Pardon me, but who foots the bill now?

      Are you saying that if my MasterCard is among those 2.2 million, and this guy decides to use it - and I dispute the charges - that the merchant from whom he bought the stuff, rather than the CC company, will be responsible?

      Won't this situation last only as long as the first lawsuit takes to percolate through the courts?

    2. Re:CC security will improve rapidly... by Anonymous Coward · · Score: 0

      Credit card companies are owned and run by their member banks. Credit card companies are (in theory) non-profit organisations. Any profits are put back into the operation and/or used to reduce the charges to the members.

      Blame the member banks, not the credit card companies.

      Smart card technology is another issue. There is a standard - EMV - developed by Visa and MasterCard. It is being introduced in Europe and Asia, albeit slowly.

      Introduction in the US is another matter entirely. One of the biggest barriers is the fragmentation of the market - there are so many banks in the US. Another barrier is the cost - it takes mucho bucks to swap out old ATM machines for new, then there is bank staff training and merchant staff training, and not least the cost of the cards themselves. Billions and billions and billions of dollars.

  77. In Other News by JWSmythe · · Score: 1

    In other news, iBill reports record earnings this week, with 4 accounts charging $9.95 to 2.2 million users..

    Mmmmm.. What I could do with $21,890,000.. hehe.

    BTW, anyone looking to buy a nice slightly used list of 2.2 million credit cards, Email me..

    (just kidding)

    --
    Serious? Seriousness is well above my pay grade.
  78. Credit Card Identification Code by BadDream · · Score: 1

    That's called a credit card identification code. As long as they haven't worn off, they can be useful. Vendors can also use address verification checks. Problem is, the more strict you are with these checks, the more false negative checks you get. The vendor must balance their fraud tolerance against lost sales due to overcomplicated checks.

    --
    No matter how subtle the wizard, a knife between the shoulder blades will seriously cramp his style.
    1. Re:Credit Card Identification Code by Anonymous Coward · · Score: 1, Informative

      Address verification only works in the US as far as I know. The system isn't allowed in most of Europe and Australia because of "privacy concerns" and the house numbering can cause issues. The US system works fine because most house numbers are 4 or 5 digits long in areas that have unified addressing. In most cities in Europe the house numbers start at 1 on the street and go up till the road changes name and it starts over again.

    2. Re:Credit Card Identification Code by Anonymous Coward · · Score: 0

      Yeah, but the 3 digit code isn't REALLY a PIN, as I'm sure most of us would agree. ATM security banks on 2 things: something you have, something you know. It works well for ATM cards, since you always use your card in private, at a standard place.
      You can't really do this with credit cards (not in MOST situations, anyway); online, I can see, yeah. But in the real world, you can't exactly pay for something (dinner comes to mind) with a CC in this way. Are you gonna hand your CC to the waiter/waitress and say, yeah, $8 on this card, and my pin is xxxx??? Oh, wait, let me just bring the card machine to your table, you can swipe it and enter your pin. ehhh

  79. You dont need to know! by QuantumG · · Score: 2, Insightful

    Because remember, it's not the credit card processor's fault that your credit card got stolen, it's the evil hacker who bypassed the security. If we told you which credit card processor it was you might take your business elsewhere, therefore ensuring that security of your credit card is taken seriously -- and we don't want that, do we? I mean, that would be like punishing the credit card processor for the evil hacker's crime!

    --
    How we know is more important than what we know.
    1. Re:You dont need to know! by Anonymous Coward · · Score: 0

      I think in addition to "Funny" and "Insightful", there should be "Amen Brother", as in:

      You don't need to know! (Score: 5, Amen Brother)

      If there were, I'd've just used it. That is, I would have used it if it weren't for the fact that I'm too stubborn to join Slashdot despite having used it for years. (I feel that if I join, I'll be rewarding whoever thought of the truly lame idea of using "Anonymous Coward" to goad people into registering.)

  80. One more thing by uptownguy · · Score: 1

    ...one thing I should have added to my trollish sounding post above...

    So what? Well, just because you think that "the same logic could be applied" to so many other things doesn't mean that a lot of average, reasonable people won't come to the conclusion above. Other people will pose the scenario ("...if this is a big security hole, then the terrorists could exploit it, too...") -- and they will present their own solutions to this problem. Once a problem is pointed out -- and people really start to perceive it as a problem -- people want answers... quick.

    I'd say if anyone in the tech community has creative, non-intrusive, technical solutions to the holes that obviously exist in the credit card/online credit card number database model, now would be the time to start getting them talked about...

    --


    I would have to say that explosives are the most abused technology in all of history.
  81. Which credit card processor fscked up? by Huusker · · Score: 2, Interesting
    The hacker breached the security system of a company that processes credit card transactions on behalf of merchants, Visa and MasterCard said.

    Ok so which CC processor got hacked? I assume that when Visa/MC says 'processor' it means specifically a credit card processing network that receives and authorizes charges from merchants, not a consolidator like PayPal, and not an e-commerce gateway like CyberSource or VeriSign.

    Was it Nova, Wells Fargo, Vital, BankAmerica, EFS, or ECHO? These are the only big non-regional credit-card processing networks in the US (AFAIK).

    <Begin speculation>

    Note that there was no mention of the Internet in the press release. This lends credence to the theory it was a private processor network (not TCP/IP or a web site) that got hacked somehow.

    It must be a big processor, otherwise Visa/MC would finger them (and therefore shift the blame). It obviously wasn't Amex or Novus as they both offer competing plastic. And I doubt it was a bank-level processor like US Bancorp (again because they are smaller and would have been fingered.)

    The people victimized are not just e-commerce shoppers but also customers at the grocery store, the shopping mall, etc. My worry is that it was a really big processor like Nova, which means that 2.2 million could be the tip of the iceberg.

    <End speculation>

    1. Re:Which credit card processor fscked up? by Huusker · · Score: 1
      New information: Forbes says 5 million cards were hacked.

      Neither Visa nor MasterCard would disclose which institution were involved.

      ''This is not something regional, it was throughout the nation and could be any bank,'' Abrams said.

      [Han Solo voice] I have a bad feeling about this..

  82. Just checked my cc online.. by bearclaw · · Score: 1

    ..turns out I had unauthorized charges of around $21 on my cc last week.

    I am just plain unlucky.

    --
    -- bearclaw
  83. Would Be More Interesting If ... by handy_vandal · · Score: 2, Funny

    This story would be more interesting if every last one of the stolen credit card numbers had been used fraudulently. Now that would be an exploit!

    --
    -kgj
  84. Sucks to be them... by w3svc_animal · · Score: 1

    It's not easy to get your money back.

    I recently noticed a double charge on my account, except that one charge was in LA and the other was in NY...hmm.. I haven't been to either place in the last six months.

    So I called the Credit Card Co, they said "Based on our records, it appears the card was swiped at both locations."

    "Interesting..cause it's right here in my goddamn wallet", came the reply.

    I was then told to contact the merchant for the fastest resolution - e.g. 10-20 business days. Or I could file a fraudulent activity claim with the Credit Card Co, which could take up to 4 months to be resolved.

    At least I wouldn't have to pay interest on the disputed amount... BA!

    Moral of this story...well...I guess you're screwed either way...

    --

    Error encountered in IAWebSig.clsSig.Create: Last Procedure: sPrc_Ins_tblSig

  85. In other news... by mrselfdestrukt · · Score: 2, Funny

    500 kg of explosives have been stolen from the police evidence warehouse, but none has exploded yet so there's no danger.
    And crackers and other salty biscuits are making plans to take over the world.

    --
    "I used to have that really cool,funny sig ,but it got stolen."
  86. Dodged another Bullet! by Mulletproof · · Score: 1

    Whew! It's a good thing employers don't use your credit history to determine employment, or we'd really be in-- um, guys? Guys..???

    --
    You need a FREE iPod Nano
  87. Re:ATTENTION WOMEN OF EARTH by Anonymous Coward · · Score: 0

    Yeah of course if you are a fat, slobby, sweaty geek having sex (for 1 minute) with a fat, ugly female geek, of course you are going to wonder what the big deal is. Just because it sucks for you (not literally of course, ugly chicks probably won't do that), doesn't mean you have to be a little bitch about it. Other people are enjoying it. (shock!)

  88. Re:Because of technology...AND GREED by xmark · · Score: 3, Interesting

    "Credit cards weren't invented last year. Back when they were invented, this was some major technology. Can you imagine? A piece of plastic with a magnetic stripe on the back?"

    No offense, but you have to look back a little farther than that for the roots of credit card technology.

    Back when credit cards were REALLY invented (1950), there was no mag stripe, just the embossed account numbers on the plastic. When you presented your card to a merchant, they were supposed to check a book of closed/fraudulent account numbers to make sure yours wasn't listed (I think they mailed these out monthly). The account numbers, like many states' driver's licenses or physician's DEA numbers, could also be checked for internal validity by using an algorithm. (Big flaw in that system was that your clerks had to have passed ninth grade math -- digital calculators were still decades in the future.)

    I agree with your point that credit card companies pass costs through rather than absorb them. Fraud is simply a cost of doing business to them, and they make a hell of a lot more money if they paper over fraud and ID theft. Why? Because the key to the credit card issuing game is, well, issuing. If publicity about stolen accounts gives potential new card holders the willies, then the pyramid starts to fall apart.

    Credit cards are the crack cocaine of the financial world, and the card issuers are the guys selling the rocks. They know it's a statistical certainty that x-percent of people who get cards will spend them to the max and then be unable to pay the cards off, and so, prevent being kicked to the highest APR bracket. Your first rock is usually free, too... ID theft and computer fraud are simply a tax the card issuers are willing to pay to keep the crack house open.

    So we hear about this cracker who stole two million numbers or whatever. For every one of these guys, how many do we NOT hear about?

  89. Cracker Gains Access to 2.2 Million Credit Cards by dubiousmike · · Score: 1

    Next thing you know, Nilla Wafers will be phreaking...

  90. No cards used fraudulently? by bigwayne · · Score: 2, Insightful

    Heh. I haven't read all the posts on this article yet, but I'm sure I'm not the only one that's thinking about this "coincidence" ...

    Starting at the beginning of the month, and every 4 days since then, someone has been using my friend's Visa card to buy Calcium Pills and have them shipped to his house. This is the first time this had ever happened to him.

    The people made 3 orders using two different email addresses. When the first orders arrived at the door, he called the Bank and had them put a stop on his card. There were two more attempts made, and the email addresses where the orders originated (at least the order confirmations weren't bounced back) were then delivered to the police, and our district attorney's office. We have yet to hear from anyone on the matter.

    Whether this has anything to do with what has happened is beyond me, but it's a little interesting that this happened at the same time.

    --
    400 Person LAN for Charity: Zion LAN 2005
  91. What Operating System by fire-eyes · · Score: 1

    I would be curious to know what operating system these people are using.

    --
    -- Note: If you don't agree with me, don't bother replying. I won't read it.
  92. Consumers are protected from fraud? by edb · · Score: 4, Informative
    The article mentioned that both VISA and MasterCard have a "zero-liability policy" so that consumers are not liable for fraudulent charges made with stolen account numbers. Well, yes and no. The federal credit law does limit the liability, but there are limitations on the limits (distance from home, etc.). Usually this is not a problem, and almost always any charge the consumer contests is credited back in full, and charged back to the merchant who made the charge.


    But what usually is ignored is that while the consumer might not have to pay, the merchant who sold the goodies does have to pay. The credit card issuer doesn't pay for fraudulent charges -- they get "charged back" to the merchant who made the charge, and the merchant pays, plus a "chargeback fee" of $15 - $50 per transaction. It's one thing for a software download to go unpaid, it's quite another for a merchant to ship actual physical goods and not get paid for them.


    Eventually the consumer does end up paying for fraudulent credit card charges, but just like insurance premiums, where any individual charges or payments might be small relative to the total public cost of the incident, you can be sure that in the aggregate the fees, interest, and other charges imposed by the credit card issuing banks will cover their losses and still make a profit, and the prices merchants have to charge for goods will, in the long run, certainly have to cover their losses and still make a profit.


    In other words, the cost of credit card fraud is shifted away from the consumer (who is innocent of any single fraudulent charge on their particular card, so of course should not be forced to pay it), and becomes instead just part of the cost of doing business for everyone on the other side of the transaction.

    --
    In theory, practice and theory are the same. In practice, they rarely are.
  93. It was not a gateway by 888+Geek+Help · · Score: 2, Insightful

    2.2 million cards isn't that many so I don't think it was a major gateway. I bet some vender kept credit cards on record and had lousy security. Also if there was a gateway problem we would see some missing AmEx and Discover. Lots of venders just accept Visa and Master (it's the basic package man)

    We use a randomly generated code specific to each transaction, user, time, and credit card that only our bank (in theory) can track back to an actual credit card. We don't know and therefore don't have any of our customer's credit cards.

    --
    -888 Geek Help (888-433-5435)
  94. I'm Sacrificing +2 Karma To Say This.... by Bowie+J.+Poag · · Score: 2, Insightful



    How is it that a credit card company can determine (within hours!) that not a single one out of their +2 MILLION accounts have been tampered with, but yet, it takes them like 3 months to resolve a single dispute over an unauthorized charge to *my* account?

    I used to have a pretty good bullshit detector.... Until this Timmy-riffic article came along and broke the fucking needle off, that is.

    --
    Bowie J. Poag

    1. Re:I'm Sacrificing +2 Karma To Say This.... by The+Evil+Couch · · Score: 0

      it really doesn't take that long to run some queries on their database or lock out a bunch of accounts. they don't have to collect any information to do it, all they have to do is hear that they have some compromised numbers and get to work.

      your bullshit detector should have gone off when it took 3 months to resolve your dispute.

  95. Your grandma's card at the supermart got taken by Huusker · · Score: 2, Insightful
    The Visa/MC press release doesn't mention the Internet at all. It uses the words (chosen carefully) 'company that processes credit card transactions.'

    The number of cards is too large for any gateway IMHO. I will bet money that a private processor network got hacked, or the central database for said network, i.e., ECHO, EFS or something on that scale.

    These networks are used for dialup and leased line access for authorizations. This means your grandmother's card used at the grocery store could now be in the hand of a hax0r.

    Reuters is reporting 5 million cards.

    1. Re:Your grandma's card at the supermart got taken by bovinewasteproduct · · Score: 1

      Huh?

      Ok, they said it was a third party processor (which means they process your transactions on their merchant account). This just about ONLY happens on the internet for subscription accounts (real stores have their own merchant accounts).

      When you take into account that a large adult site can have over 200,000 members (and yes, some do), it does not boggle the mind that if they process for 10 or 20 sites like this and come up with 2.2 to 5 million accounts.

      BWP

    2. Re:Your grandma's card at the supermart got taken by edb · · Score: 1
      No, this simply is not true. For every credit card transaction (card present in-store, mail order, phone, internet, whatever) there are these parties to the transaction:
      1. cardholder presenting the card or providing the card number
      2. merchant accepting the card and providing goods or service
      3. cardholder's issuing bank, where the credit limit, current outstanding balance, billing address, etc. is kept
      4. merchant's bank, where the funds eventually end up for transactions that go through
      5. processing network, the transaction processing company at the other end of the number the "swipe terminal" calls at the store, or at the other end of Internet authorizations; this is the company that was broken into, according to the news stories. These are networks like NDC, Vital, VisaNet, etc. There are something like 7 major networks, some larger number of minor ones, and not too surprisingly, their number and identities are changing through mergers, acquisitions, and reorganizations.
      6. VISA International, MasterCard, Amex, Discover -- the marketing organizations that own the trademarks, and license (franchise?) the name to the issuing banks

      Every credit card transaction goes through a processing network. Only the very largest merchant banks have their own network, and those banks as a rule don't have time for any but the largest (multi-billion-dollar) merchants. All the rest go through a "3rd party processor". You can bet that every neighborhood store, including your local member of a national chain, is processing their credit card transactions through one of the processing networks. It's not just "Internet transactions", and not just subscription accounts.
      --
      In theory, practice and theory are the same. In practice, they rarely are.
  96. Re:So....Speedy delivery. by Anonymous Coward · · Score: 1, Insightful

    "Finally I have to point out that I have no interest in obtaining these numbers (or any others, except my own :-) and I am certainly not advocating credit card fraud. Just saying that if an opportunity like you described (every email box got the list) came my way, I would be very tempted to try and enjoy myself with some humourous (to me) exploits from a safe place and that there would probably be tens or hundreds of thousands of other following suit. Damages would rack up pretty quickly."

    An interesting mental exercise (BTW do you crack DirectTV cards?), but the majority of credit card transactions are electronic in nature (yes that includes mail order[1], and web sites). Anyone submitting such a number would be refused, and redflagged. Remember it's not only crime that can move at the speed of light.

    [1] Yes I used to handle both.

  97. broken into after the processor told by Anonymous Coward · · Score: 0

    I like this bit from the same article:
    "...more than 2 million MasterCard accounts had been broken into after the processor told it about the problem."

  98. Laptops Dirt Cheap! by methangel · · Score: 1

    So I was on IRC the other day and some guy messaged me asking if I wanted to buy a tricked out laptop for 250.00 -- I was skeptical and asked why it was so cheap. The guy's response "I use stolen credit card to purchase laptop." I then asked if he accepted COD. He said COD didn't work since the laptop was shipping out of Jersey City and he was located in Russia. Not shady at all.

    Yeah, I think the cards have already been used fraudulently. Luckily I'm like the dude from "A Beautiful Mind" when it comes to my bank statements.

  99. "Hacker" by .com+b4+.storm · · Score: 1

    Doctor Sbaitso writes "CNN reports that a hacker bypassed the security system

    That is NOT a hacker! C'mon, this is Slashdot. The "Doc" should know better, and the editors should too. Just because CNN calls them hackers doesn't mean we should within our community, as well. Doing so only validates their misuse of the term. We may not be able to change the mainstream, but we should set a better example and choose our wording more carefully within our own communities. Sheesh.

    Repeat after me: hackers create, crackers break. Hackers create, crackers break.

    --
    "Wow, you're like some kind of superhero able to ward off happiness and success at every turn."
    -- Ryan Stiles
  100. Visa... by Veovis · · Score: 1

    It's everywhere you want to be, including some hacker's hard drive

  101. It's not fraudulent! by Tuxinatorium · · Score: 2, Funny

    This whole thing is part of George W. Bush's new economic stimulus plan! Give everyone's credit card to some millionaire's son, and he spends it all on cars, porn, liquor, etc., and bit by bit the whole economy will recover!

  102. How? by t0ny · · Score: 4, Interesting
    What they don't clarify is HOW the security was compromised. My first thought is that somebody walked past the security guards, sat at somebody's desk, copied the info to a spreadsheet or DB, and either put it on a floppy, emailed it, or IM'd it out.

    They don't actually say somebody hacked into their network from the internet.

    --

    Manipulate the moderator system! Mod someone as "overrated" today.

    1. Re:How? by MalleusEBHC · · Score: 1

      You can find the answer in the last chapter of my book "The Art of Deception" which is on sale at a variety of bookstores in your area. Sorry to be brief, but I gotta run now.

      -Kevin

  103. Heh by Exiler · · Score: 1

    5 cards is not an only dude.

    --
    Banaaaana!
    1. Re:Heh by grahamsz · · Score: 1

      well it's less than 2.2 million :)

      actually i have bank accounts and credit cards in both the us and uk. So in reality i have 2 credit cards in the uk, a corporate card in the us, and the debit cards for my appropriate bank accounts.

  104. It's strange... by evilviper · · Score: 1

    I find it very strange.

    Visa still does not offer any sort of security for their credit cards. Their method of security is to add 4 more numbers on the end of the CC#, and act as if that is security. Those digits are not even required for 99% of CC sales anyhow, never mind that anyone stealing the CC# will get the extra digits anyhow.

    American Express offers web-based one-time CC#s, but doesn't seem to encourage its use. It would be even better if CC companies would provide offline programs that ran on handheld computers to generate one-time CC#s, but since almost all banks are partnered with Visa instead, many people can't even take advantage of the online system...

    And all the while, with quite a lack of security, identity theft at an all-time high, and more CC# thefts being highly publicised, companies are wondering why people don't buy more products online... Excuse me while I go buy a money order.

    --
    Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
  105. Re:So....Speedy delivery. by bfree · · Score: 1

    Well, I live in Ireland so no, I don't crack directTV cards. The only things I do crack are DVDs so I can watch them under Linux (and I would do this even if there was readily available legal (and hence commercial) software for linux that did this) and games which I have purchased that I occasionally use noCD cracks on (not to play extra copies, but just so I don't have to have the CDs with me if I fancy a game). Now, the question is what odds is it to me if they redflag my bogus information from a net-cafe and are you not suggesting that these 2.2 million cards are being cancelled which is not the case (excluding 8000 afaik)? In the current state of affairs, if I had a copy of the list the only way they could stop me is if the purchases were unusual enough to catch the systems attention. A few greps of the list could easily get you a list of CC# that you should have a high success rate with quite easily (i.e. grep Seamus ccnums.txt would give me a high percentage of Irish results and grep Randy ccnums.txt a bunch of Americans).

    --

    Never underestimate the dark side of the Source

  106. The way I theft protect my credit cards... by 7-Vodka · · Score: 1
    You know the strip on the back that says signature? Don't sign it. Write .

    That way when someone uses your card in a store they have to also produce your driver's license with holograms and photo and of course the signature they're supposed to be checking :)

    Hey it's not much but if someone steals my wallet, my credit card is useless to them before I cancel it.

    --

    Liberty.

    1. Re:The way I theft protect my credit cards... by Anonymous Coward · · Score: 0

      My credit card says "Check ID" in the signature line. I almost NEVER have been asked for ID. I usually remind them they are supposed to be checking and they apologize, but the next time, it happens again.

  107. Re:When will they learn?-Debit Card Facts. by Anonymous Coward · · Score: 0

    Partially true.
    Debit card facts

  108. Cracker Gains Access to 2.2 Million Credit Cards by Anonymous Coward · · Score: 0

    Unfounded assumptions of ethnicity! What if he/she was black or asian?

  109. Damn slashdot filters. by 7-Vodka · · Score: 1

    It should read ..."Write CHECK ID on it."

    --

    Liberty.

  110. Serious lack of info?? by Tolvor · · Score: 2, Interesting

    I know Visa is a secretive company but I find the lack of information to be seriously annoying.

    Which company was hacked?
    How do I determine if my CC# is part of the 2.2 million obtained?
    Can the same routine the hacker used be used against other companies that process CCs?
    Did the hacker access the CCs from the internet site directly or use the internet to access the company's internal Intranet to get the CCs?

    Of course, this is Visa/MC. They don't have to be nice to customers and give out good info. What are their customers going to do, cancel their cards? (snicker)

  111. The victim is not as much the consumer or the bank by linuxguy · · Score: 2, Informative

    ... but the merchants that sell goods over the Internet. I used to run a mail order business. We got a lot of orders with people trying to use stolen credit cards. After a while we got really good at filtering these out. But the cost to learn the lessons was high. I can only sympathize with all the new businesses. If they think that matching the shipping/billing address and security code is enough, they are in for a rude awakening.

    At the end of the day, the entire loss from these fraudulent transactions is passed down to the retailers, when clearly the morons who are handing out the credit cards to the thieves have some responsibility to share.

  112. funny math by goodrob · · Score: 1


    i dunno... when i calculate:

    "The affected accounts make up about one-third of 1 percent of the 560 million MasterCard and Visa cards in the United States"

    i get: 1866666.66

    seems they could be 400,000 is a lot to be off by... i wonder which way..

  113. Security Saves by Oriumpor · · Score: 2, Interesting

    if each card costs 25-50 cents to replace ... that's 550k-1.1m dollars.... that should have gone to the following:

    TRAINING STAFF: The first line of defense is someone who won't just give 5 million credit card numbers out over the phone.

    TRAINING STAFF: The second line of defense is someone who won't leave their console logged on when they go to the bathroom.

    TRAINING STAFF: The third line of defense is someone who doesn't give out his password to someone over the phone.

    TRAINING STAFF: ... I think you get the point...

    Ok, so maybe it wasn't this easy, .... maybe someone who works there just mailed the database home.

  114. Re:Whew! by civilizedINTENSITY · · Score: 4, Funny

    Hacking cash is called "counterfeiting". It's way old school. ;-)

  115. Re:Go away, Negro. by Anonymous Coward · · Score: 0

    I don't want to be a saltine cracka...I want to be a sugar wafer. I don't know how to accomplish this, but dammit i'll try!

  116. Cracker Gains Access to 2.2 Million Credit Cards by Anonymous Coward · · Score: 0

    Why was it that the Tech industry Bubble Burst? Hmmmm.

  117. Mod Parent Up by ONU+CS+Geek · · Score: 1
    mod the parent up. I'm fresh out of mod points this week

    This poster has it right on the head. I had a gas station charge my debit card twice for the same transaction, and my bank still hasn't fixed it. When it happened on my credit card, it was taken care of the next day. Use your credit cards!

    --

    I disable sigs...do you?
  118. Insecure OS ? by polyp2000 · · Score: 1

    I wonder what operating systems the company was using?
    This is not acceptable. I suggest we boycott the company!

    --
    Electronic Music Made Using Linux http://soundcloud.com/polyp
  119. did you expect by Anonymous Coward · · Score: 0

    that credit card company to say: yes, they hacked our accounts and used the cc numbers? be serious.

  120. Simpler, more secure way by Anonymous Coward · · Score: 2, Insightful

    I would like to see it overhauled too. However, I'd prefer to see credit cards that use strong cryptography. These days, we have the proper algorithms pretty much worked out, and we have enough very cheap computing devices available to do it.

    Basically, crypto allows you to do two helpful things with a good degree of certainty:

    1. Send a message to someone and ensure that only they can read it, either by using their public key or by using a shared secret key.
    2. Examine a message and be sure that it was sent by none other than the holder of a certain private key.

    Now, the fundamental problem with credit card transactions these days is that, although signatures and photo IDs are used peripherally, fundamentally they are based on the idea (just like social security numbers) that they will be kept secret, because knowing the number allows you to exercise the privileges that come with holding the account. But, there is no way to use the account other than to give away the secret. And worse, you either seriously restrict your buying or you end up giving the secret away to people who you can't really trust and who have no big incentive to protect the secret. And even those who you legitimately want to have the secret (your insurance company) can screw up and overcharge, because they have the power (if not the legal right) to charge your account any amount any number of times once they have the secret.

    Cryptography can basically eliminate all those problems.

    Here's how I envision a future credit card transaction working:

    1. The merchant sends a digital message to your credit card (which is really a smart card, or maybe just software on your computer if you wish). This message says that the merchant requests that you pay them X dollars and Y cents, and that in return, they will provide goods/services A, B, and C for you. (This message is signed with the merchant's private key, so that you can use their public key to verify they really sent it. This avoids the situation where someone might impersonate a merchant and try to get you to authorize a payment.)
    2. Your equipment (not owned or controlled by the merchant in any way, and preferably not by the credit card company either, although that's less bad) receives the message and verifies that it really does come from the merchant. Should you choose to go ahead with the transaction, your device composes a message to the credit card company. The message includes the message sent to you by the merchant (including their signature) and asks the credit card company to remit funds on your behalf for this transaction. This message is digitally signed with your own private key, ensuring that nobody could have sent it but you, and it's encrypted so that only the credit card company can read it. You can send it directly to the credit card company. Or, have the merchant forward it for you; the encryption should protect them from reading it.
    3. Finally, the credit card company receives the message and verifies it is really from you. It then makes a decision about whether to approve the transaction, and it sends a notification of the result to both you and the merchant. Of course, this notification includes the original transaction description and is signed by the credit card company, ensuring that the company cannot later deny that they approved the transaction.

    There would be some drawbacks (big effort to change over, etc.), but the following benefits would, I think, outweigh them:

    1. From the user's point of view, the experience is VERY similar to using a credit card right now. The merchant proposes a transaction, you approve it, the credit card company approves it, and then you're done. (You can even have the merchant relay messages back and forth to the credit card company for you, so there is no need to mess with using the credit card company's web site to generate one-time credit card numbers.)
    2. Except, now YOU control the process of approving a transaction. Right now, the merchant's equipment is used to generate the approval. You press a "yes" or "no" button maybe, but fundamentally this is just to get your approval, and it's not as if they need YOUR finger there to press that button.
    3. The customer has proof that they ordered something and that the merchant agreed to give it to them, and that it was really the merchant who agreed to this and not someone else.
    4. The merchant doesn't really need to know the customer's public key or indeed anything at all about the customer (except what credit card company they use). So, you can make a close to anonymous, yet very secure payment.
    5. Because there is no secret passing between any party, if you're willing to make the details of a transaction known, you can safely conduct credit card transactions through e-mail or other insecure channels.
    6. Because the merchant is never entrusted with any secret information or other information they must be vigilant to protect, you can do business with web sites that mean well, but simply AREN'T tech savvy.
    7. Because the merchant is never entrusted with any secret information, the merchant themselves needn't be burdened with the chore of protecting your secrets if they want to accept credit cards (read: they won't be tempted to do a half-assed job with SSL, etc., just so they can say they accept credit cards securely even though they really just want to sell widgets).
    8. No annoying paperwork is required to authorize a merchant to periodically charge your account. If you want to pay your cable TV bill automatically each month, your cable TV company can e-mail you a payment request, and your own desktop computer can grab the bill out of your inbox, verify the sender, apply certain criteria, and automatically generate a request for the credit card company to pay it.
    9. Since the vendor doesn't need any special information about the customer, if you are careless and give away your credit card's private key, this is not a catastrophe. The merchant can still send you a message requesting that you authorize a payment. So, your recurring payments can continue even if your card (read: private key) was compromised and had to be replaced. Or, your recurring payments can even continue if you decide you dislike your credit card company and switch to a different company. (Forget knowing the credit card number and expiration date -- the merchant shouldn't even have to specify the credit card company.)
    10. Not only is it very, very difficult to forge a message from the customer requesting a transaction, but even if someone does forge such a message, it's easy to detect. This is because you can keep a log of all transactions you did approve. You can periodically query the credit card company for transactions they've seen, and if there's one you didn't generate, a big red flag goes up.
    11. The merchant has proof from the credit card company that they agree to pay X dollars and Y cents. And, the credit card company has verifiable proof from the customer that they've agreed to pay them X dollars and Y cents (plus the interest on X dollars and Y cents, etc.) -- even if the X dollars and Y cents is for gas at a gas station. (Right now, credit card companies have essentially no usable proof that it was really you there at the pump.)
    12. If the merchant feels like it, they can accept a payment without verifying it with the credit card company first -- you just give them the signed message, and both of you keep a copy to forward to the credit card company later. This could be good if they're a small-time company that can't afford a full-time network link to the credit card company. Of course, they're risking more, but at least they haven't lost that option.

    OK, I could go on, but basically the situation right now is that the system is horribly insecure, and we're relying on legal penalties to try and prevent fraud. But, with strong cryptography, we have the capability to do a million times better, and it really wouldn't be all that inconvenient. And the scary part is, a working prototype of this system can be built in maybe 24 hours using Perl and GPG or similar.
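
The three-message flow proposed in comment 120 above (merchant request, customer authorization, card company decision), as an added example that is not part of the original post and not any card network's actual system. It shows the signature chain only and leaves out the encryption of the customer's message to the card company. Assumptions: Ed25519 from Node's built-in crypto module (the post names no algorithm), the envelope layout, the helper names, and every party name, amount and id, all of which are constructed.

```javascript
const crypto = require('crypto');

// A party is a name plus a freshly generated Ed25519 key pair (constructed for this demo).
function newParty(name) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  return { name, publicKey, privateKey };
}

// Sign the exact JSON text that travels, so signer and verifier never
// disagree about serialization. The envelope layout is this example's assumption.
function seal(party, obj) {
  const body = JSON.stringify(obj);
  const sig = crypto.sign(null, Buffer.from(body), party.privateKey).toString('base64');
  return { signer: party.name, body, sig };
}

// Return the parsed body only if the signature verifies under publicKey.
function unseal(envelope, publicKey) {
  if (!publicKey || !envelope || typeof envelope.body !== 'string') return null;
  try {
    const sig = Buffer.from(String(envelope.sig), 'base64');
    return crypto.verify(null, Buffer.from(envelope.body), publicKey, sig)
      ? JSON.parse(envelope.body) : null;
  } catch (e) {
    return null;
  }
}

// Step 1: the merchant signs what it asks for and what it promises in return.
function merchantRequest(merchant, amountCents, items) {
  const requestId = crypto.randomBytes(16).toString('hex');
  return seal(merchant, { type: 'payment-request', merchant: merchant.name,
                          amountCents, items, requestId });
}

// Step 2: the customer's own device checks the merchant's signature, then
// signs an authorization that embeds the merchant's signed request unchanged.
function customerAuthorize(customer, requestEnv, merchantKey) {
  if (!unseal(requestEnv, merchantKey)) throw new Error('request not signed by this merchant');
  return seal(customer, { type: 'authorization', account: customer.name, request: requestEnv });
}

// Step 3: the card company verifies both signatures, refuses replays, and
// signs its decision so that it cannot later deny it.
function issuerDecide(issuer, authEnv) {
  const decline = (reason) => seal(issuer, { type: 'decision', approved: false, reason });
  const auth = unseal(authEnv, issuer.customers.get(authEnv && authEnv.signer));
  if (!auth || auth.type !== 'authorization' || auth.account !== authEnv.signer) {
    return decline('bad customer signature');
  }
  const reqEnv = auth.request || {};
  const req = unseal(reqEnv, issuer.merchants.get(reqEnv.signer));
  if (!req || req.type !== 'payment-request' || req.merchant !== reqEnv.signer) {
    return decline('bad merchant signature');
  }
  const key = req.merchant + ':' + req.requestId;
  if (issuer.seen.has(key)) return decline('replayed request');
  issuer.seen.add(key);
  return seal(issuer, { type: 'decision', approved: true, account: auth.account,
                        merchant: req.merchant, amountCents: req.amountCents,
                        requestId: req.requestId });
}

function demo() {
  const merchant = newParty('Constructed Widgets');
  const customer = newParty('acct-constructed-0001');
  const issuer = Object.assign(newParty('Constructed Card Co'),
    { customers: new Map(), merchants: new Map(), seen: new Set() });
  issuer.merchants.set(merchant.name, merchant.publicKey);
  issuer.customers.set(customer.name, customer.publicKey);
  const decide = (env) => unseal(issuerDecide(issuer, env), issuer.publicKey);

  const auth = customerAuthorize(customer, merchantRequest(merchant, 1999, ['widget A']),
                                 merchant.publicKey);
  const first = decide(auth);
  const replay = decide(auth); // the same authorization presented a second time

  // The amount is raised after the customer signed: the outer signature breaks.
  const edited = JSON.parse(auth.body);
  const inner = JSON.parse(edited.request.body);
  inner.amountCents = 999900;
  edited.request.body = JSON.stringify(inner);
  const inflated = decide({ signer: auth.signer, body: JSON.stringify(edited), sig: auth.sig });

  // Someone who knows the account name but not the private key signs with their own key.
  const stranger = newParty(customer.name);
  const forged = decide(customerAuthorize(stranger,
    merchantRequest(merchant, 5000, ['widget B']), merchant.publicKey));

  return { first, replay, inflated, forged };
}

console.log(demo());
```

Knowing the account name authorizes nothing here, and a signed authorization is good for exactly one request at one amount, which is the property the post contrasts with a card number that works "any amount any number of times".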

  121. Here's a fun drinking game... by kiddailey · · Score: 1
    Cool drinking game

    Read this entire discussion and take a drink every time you see a post that says:
    "How can they possibly know that all 2.2 million cards haven't been used fraudulently?"
    Geeze... If only credit card security was as redundant!
  122. Optional variation: by kiddailey · · Score: 1

    ...and for when you want to get really plastered, play with this variation: Take an extra drink when the post has been modded up despite the redundancy.

  123. New commercial by Stonent1 · · Score: 5, Funny

    Online Viagra purchase: $150
    Trisexual Midget porn : $55
    Buying it on someone else's credit card so that your wife never finds out: Priceless
    There's some things that money can buy but you'd rather it not be your own. For everything else, there's Mastercard.

  124. I apologize! by Black+Parrot · · Score: 1


    > On a serious note though, what was he going to do with all those numbers anyway?

    <sheepish>I'm sorry guys - I thought I was reading from the National Random Number Server!</sheepish>

    --
    Sheesh, evil *and* a jerk. -- Jade
  125. Re:Because of technology...AND GREED by caluml · · Score: 1

    Simple replace the word credit with debt.

    Debt card.
    Debt limit.
    Debt rate.

    Suddenly it all makes sense.

  126. Mix up between accounts by moncyb · · Score: 1

    This must be widespread. A while ago, my mother told me a similar story about Wells Fargo. She said when we were living in California (so it was at least 20 years ago), they kept getting our account and this other guy's account mixed up--he had the same last name. I wonder if their system just looks at last names instead of account numbers? Either way, their system sucks!

    1. Re:Mix up between accounts by JWSmythe · · Score: 1

      Bank Of America had a similar mess-up with a friend of mine..

      Her name is Cindy Z. I won't write her last name because

      1) I want to protect her privacy
      2) I couldn't spell it if I wanted to.

      Her brother was in another state. Well, her brother met a nice girl, also named Cindy. They got married, and she took his name (as traditional).. So now there are two Cindy Z's, in different states, with completely separate bank accounts, which happen to be with the same bank. We'll mark this Cindy Z as Cindy Z(2). :)

      The Cindy Z(2). decides to close her account, and bank elsewhere.. She takes out *ALL* the money. Not a problem, right? After all, it's her account.

      Well, they pulled out of the original Cindy Z's account, and closed *HER* account. Different social security number, different state. This isn't a matter of $20 or $30. It's in the tens of thousands. Like, a life savings worth.

      The original Cindy Z. had written and mailed all her bill checks, and was currently on the road. When she gets home, she finds every check had bounced, and her account was empty. "Funny that", thinks Cindy Z, "there should be plenty of money in there." (I think the real phrasing was a bit more harsh)

      She goes to the bank, and they very kindly explain to her that she withdrew her money and closed her account (in the wrong state).

      As she tells the story, there was a bit of screaming that went on.. It took a couple weeks to clear up. They never did cover all the bounced check charges incurred with their little mess up.

      My real name is rather common (as opposed to my online name).. I know there are a whole bunch of me out there. Google finds 7690 instances of my name on pages, none of which are me. people.yahoo.com finds 65. Two of them are within 20 miles of where I used to live, and four within 50 miles of where I am now.

      There's a rather good photographer in Germany with my name as his site. My name was also used by a Vietnam era pilot, and quite a few other me's. :) There are warrants out for a few of me though. Luckily there's a good age gap between me and them, so it's fairly obvious I'm not the evil me.

      At one time, I banked with a bank that had another me. Different SS#, different address, same name..

      I go to Bank Of America on a regular basis to cash checks that are drawn from there. It's a slow, painful process every time.. They check my ID, and see that it's out of state (I maintain two residences in very separate states). They take the check, verify the account, check the signature, then check with a bank manager who comes over look at me, look at the ID, and verify my signature. Then they fingerprint me, and charge me $5 for the pleasure of standing there for 15 minutes while they do this process. Only once have I enjoyed it. They have one very cute teller, who I flirted with while the manager was busy doing his verification thing..

      I've already reserved myself to the fact that it will take no less than 15 minutes to do a 30 second transaction, so I go in with no intention of leaving quickly.

      The last time I went to Bank Of America, one of the managers asked to talk to me.. Fine, I say, talk.. He recognizes the fact that I cash large checks every time I go in, and I'm in on a weekly basis. They want me to open an account in a bad sort of way.

      I have to weigh my options.. Pay the $5 BoA tax for standing in their line for 15 minutes, or simply deposit my cash in their bank, with the risk of losing it to any one of the me's that are out there. It's a tough decision.

      I'm tempted to open a free account, and keep $5 in it, so I can empty the other me's accounts. But, I'm too honest to do that, and am afraid another me will get my $5..

      --
      Serious? Seriousness is well above my pay grade.
  127. Which company does the transactions? by YeeHaW_Jelte · · Score: 2, Interesting

    I wonder if anybody knows which company does the actual transactions, a.k.a. who was actually hacked? I know of one large credit card transaction processer, Firepay, but I'm not sure if they're the official one for VISA/MC.

    --

    ---
    "The chances of a demonic possession spreading are remote -- relax."
  128. Why did the list exist? by ka24 · · Score: 1

    I don't see anyone asking the obvious question. Why the fuck did a list of 2.2 million card numbers exist in the first place?

  129. CC companies DO foot the bill for fraud. by Anonymous Coward · · Score: 3, Informative

    Since I work for one, I'll be AC for now.

    CC companies foot the bill for fraud, as long as there was no gross negligence on the part of the merchant (and some other rules). That would translate into vastly dissimilar signatures, a white dude using a black dude's card (with a photo) and so forth.

    There are several reasons why cc technology is slow to roll out. The current way liability is distributed between issuer and acquirer (you have your customer relationship to the issuer, while the merchant has their relationship to the acquirer), there is insufficient incentive to invest the billions of dollars a smart card rollout costs. There are even incentives in the system to underreport fraud. It is simply more cost effective to monitor the transactions, and use software+humans to identify fraud as early as possible. Remember, most fraud is "skimming" (copy the magstripe, put it onto a counterfeit card). Skimming will happen as long as we have a magstripe, and there is little incentive for developing nations to implement smart cards. That means that the magstripe will be around for a looong time. So, a smart card solution would only reduce the problems to an unknown degree (since the fraud would migrate across borders). The alternative is to make cards that only work in countries with interoperable smart cards.

    Simply put, there are more cost effective ways of handling fraud without alienating your customers (PIN entry is really not an option, since people forget their PIN all the time on low-usage cards)

    For online authorizations, I think the one-use cardnumber is a good solution, as well as the idea of a browser plug-in.

    Of course, I have wet dreams of biometrics. We might actually see that sometime. There will be a rollout of smart cards at SOME point, and the longer that takes, the lower the extra cost of using biometrics. We'll see.

    1. Re:CC companies DO foot the bill for fraud. by filmcritic · · Score: 0

      Finally, a post from someone who knows what they're talking about and it only gets a 1 score? After weeding through miles of garbage blaming the card companies and general slushdot stupidity, an informative post only gets a 1. Well, obviously no one here has any sense because they're too wrapped up in seeing conspiracies founded at Microsoft. Why else would there be posts wondering why there was a list of 2 million card numbers? Only a damn fool would say something like that. Say it with me: get your head out of your ass and get out of Mom's basement.

      And yes, hacker DOES equal cracker today. No matter how loud you protest, no one hears it. Get over it because every normal person knows hacker=cracker. Words change meaning over time and nothing will ever change it.

  130. Whew! by smagruder · · Score: 3, Funny

    Thank goodness my Visa Checkcard has a negative balance right now! :)

    Denied!

    --
    Steve Magruder, Metro Foodist
  131. BAT BOY? BATTY BOI MORE LIKE. by Anonymous Coward · · Score: 0

    # Important Stuff: Please try to keep posts on topic.
    # Try to reply to other people's comments instead of starting new threads.

  132. 31337 by JMastahFlex · · Score: 1

    hax0r

  133. No, Seriously, it's better if we don't know who... by Anonymous Coward · · Score: 3, Insightful
    The MSN article says "it involved a third party processor" and "they could not disclose the name of that processor."

    A third party processor could be, for example, Authorize.net, Verisign, Card Service Intl, or any of the other Payment Gateways, I believe.

    I know it sucks that we can't find out which third party processor it is, so we can all stop using them, but I'll take the unpopular position that it's a good idea to not have that information disclosed to the public.

    The bad publicity from a mess like this could put a struggling company out of business when everyone stops using them. Do they deserve to go out of business? Sure, but that's not the point.

    If a company discovers someone has hacked into one of their servers with access to a database full of credit card numbers, and they know that notifying Visa, MasterCard, and the FBI is going to put them out of business with bad publicity, how many companies are going to report it?

    They could rationalize that while there is evidence the server was cracked, there is no proof that someone actually downloaded credit card numbers from the server. Maybe it was a worm that just infected the server and tried to find more vulnerable servers, and did nothing more. Or maybe they were just setting up an ftp server for their mp3 collection.

    Is it worth publicly releasing this information that right now only 3 people in the company know about, and all but guarantee they will go out of business? Or should they just rebuild the server, fix the problem, and hope that no credit card numbers were stolen, and if they were, that they don't get traced back to you if they are used fraudulently?

    Personally, I was in that situation two years ago, and we opted to just rebuild the server and hope that the 10,000 credit card numbers sitting on the cracked server were never found. Was it the right thing to do? No. Was it illegal? Hard to say. But the negative impact to the company could have been devastating, so we decided to report nothing. We never heard about any of the credit cards being used fraudulently, which wasn't surprising, and we went out of business a year later anyway, which also wasn't surprising.

    So my point is, if companies that get cracked can report it without having to go public, Visa and MasterCard would probably be able to stop a lot more fraud before it happens. I would guess the vast majority of known server compromises go unreported now because companies are afraid to come forward and tarnish their name.

  134. i wonder how they define "gain access too" by lloyd+elliott · · Score: 1

    i mean, if a script kiddy roots an IIS server with an auto page defacer, technically, he had access to any credit card info stored on that comp, he probably didn't even know that he did, but it could be reported as "gaining access". i wonder if this cracker even found the numbers.

  135. Re:Go away, Negro. by Anonymous Coward · · Score: 0

    "Cracker Gains Access to 2.2 Million Credit Cards"

  136. well last time by Anonymous Coward · · Score: 0

    something like this happened they got encrypted, burnt to CD and sold to organised crime.
    well the Fed was posing as a member of a cartel anyway....the encryption key was a passage from the godfather too... nice touch

  137. Re:This is OSS at its finest. by blue+trane · · Score: 1

    In a perfect world, no one would lack anything, so there would be no motivation to steal. And even if you wanted to steal for stealing's sake, what you stole could be easily replaced, so it wouldn't hurt the person you stole it from anyway.

  138. Conflicts? by Anonymous Coward · · Score: 0

    Dem you Saddam! I've told you not to steel from other people!

  139. I'm betting.... by purduephotog · · Score: 1

    .... it's all about your attitude. And frankly I don't like it. Ring this up for me, this $300 HD. I'm gonna give it to my kid sister for her birthday.... and I'll take 3 more for my Engineering workstation, thanks. And make it snappy, you show the competence of a small snail when it comes to flinging that laser scanner around.

  140. Put away your tinfoil hat by Kombat · · Score: 3, Insightful
    If they manage to find something odd in a bunch of online payments, then they are obviously abusing your privacy by profiling your consumption

    They're not "profiling your consumption," because it's not your money you're spending - it's theirs. Until you pay your bill, you've spent THEIR money, and thus they have every right to track what you buy and protect their money from being spent fraudulently.

    If someone steals your card and charges up $10K, who do you think gets stuck with the loss? Certainly not you! So if you want them to stop watching what you buy, I'd suggest you agree to be liable for any and all fraudulent charges, without limitation.

    Take a Valium, you paranoid, X-File watching, crop-circle worshipping, black-helicopter-fearing freedom-junkie. If you're so scared of it, then cut up your credit card and pay for everything with cash.

    On a side note, is anyone else a little worried about how it is presently impossible to live without a bank? In Canada, stores are not obligated to accept cash. That surprised me. It seems to me that cash should be the one thing stores should not be allowed to decline. If I choose to pay for my gas with cash, I should be allowed - but that right is not guaranteed in Canada. Think about all the bills you pay in a month. How many of them could be paid with cash? My car payment comes out of my bank account. So does my mortgage. None of my utilities accept cash; cheque or automatic withdrawal only (i.e., bank account required). Is it possible to carry on a normal life without a bank account in present day?

    --
    Like woodworking? Build your own picture frames.
    1. Re:Put away your tinfoil hat by mirko · · Score: 1

      Take a Valium, you paranoid, X-File watching, crop-circle worshipping, black-helicopter-fearing freedom-junkie. If you're so scared of it, then cut up your credit card and pay for everything with cash.
      What did you pour in your coffee, this morning ? :-D

      OK : I am not especially paranoid, and I don't have a TV set : so I am not sure about what these XFiles are...

      Now, I don't care about my privacy that much, but it is also because I live in Switzerland (*the* Bank country) and I sure know that someone may know exactly anything about my purchases... not that I care more.

      Of course, I mention "abusing one's privacy" but I consider it'd be legitimate for somebody to be angry if he'd found himself being profiled by a bank :
      I once met my banker (in France) who asked me "are you feeling better today ?"
      He actually saw I spent some money in a pharmacy.
      I was not happy : I don't care if he knows but I don't want him to consider that because he knows he should suddenly feel familiar with me.

      I changed banks.
      That's all.

      So, now, breathe a bit and explain to me what your point is : did I insult you ???

      --
      Trolling using another account since 2005.
    2. Re:Put away your tinfoil hat by Kombat · · Score: 1

      Sorry, I got a little carried away. I just found it a little "over the top" that someone believes that a credit card company trying to protect their money is somehow an invasion of privacy, when the person has to willingly sign up for said card and willingly use it to make purchases.

      Anyway, my point was that the banks are merely protecting their interests, and are not invading anyone's privacy by employing automatic fraud detection (here's another shocker: cell phone companies do it too).

      But I'd still like to explore the sinister potential consequences of a society that is grooming its citizens to be so dependent on banks, to the degree that even the government is buying into it (in Canada, you can't pay your income tax with cash. They only take cheques). Isn't anyone else bothered by this trend? Is anyone still reading this thread? :)

      --
      Like woodworking? Build your own picture frames.
    3. Re:Put away your tinfoil hat by mirko · · Score: 1
      But I'd still like to explore the sinister potential consequences of a society that is grooming its citizens to be so dependent on banks, to the degree that even the government is buying into it (in Canada, you can't pay your income tax with cash.

      as of last time I lived in France, it is (was ?) forbidden to refuse cash as a means of payment.

      Isn't anyone else bothered by this trend? Is anyone still reading this thread?

      Nope, they're too busy whining about today's dupe ;-)
      --
      Trolling using another account since 2005.
    4. Re:Put away your tinfoil hat by arkanes · · Score: 1

      Well, banks do it with ATM and debit cards, too, and that's certainly not their money, it's mine. That said, it doesn't bother me that much, although if I have to go through anything more complicated than calling a 1-800 number and providing verification to get my card unlocked I'll be really pissed off.

    5. Re:Put away your tinfoil hat by overunderunderdone · · Score: 1

      In Canada, stores are not obligated to accept cash.

      That seems strange, but I can see why it might be that way. Convenience stores and the like which are subject to high rates of robbery often refuse to accept high denomination bills because they don't want to leave a lot of money in the register to make change for them. You haven't yet bought anything so you aren't yet in debt to them - if you were they *would* be obligated to accept cash - at least in the US where each bill says "This note is legal tender for *all* debts, public and private."

  141. Encryption by shadowpuppy · · Score: 2

    Perhaps it's time credit cards went public key. That way you could sign the transaction rather than just handing out the magic number to your account.

  142. KILL! by Fuzzle · · Score: 0, Flamebait

    KILL WHITEY!!!!!

    oh...not that kind of Cracker.

  143. Die, credit cards by 0x0d0a · · Score: 3, Insightful

    pfft, back in my day, we could generate as many valid credit card numbers as we wanted. of course, those usually got used fraudulently....

    I think the moral of the story is that CCs are *really* bad from an authentication point of view. For chrissake, the *number* is enough to let you bypass the thing.

    A replacement (probably public key/smartcard) system would be a *much* better idea -- you'd have to physically steal a card to abuse it. No more grabbing a database or a receipt and having free rein.

    There are only two drawbacks to this: first, there's a *huge* installed base of CC users and support, and second, anyone instituting it (VISA, whatever) is going to have to overcome temptation to try charging percentages of transactions (the reason we don't have e-cash now is because of overly greedy financial services companies who couldn't manage this).

    1. Re:Die, credit cards by FunkyELF · · Score: 1

      Yah, I agree. I work at a grocery store...when someone uses a credit card, it prints all *'s except for the last 4 numbers on their receipt, and even credit card receipt......but on the journal which is in plain view for a while until i ring up other stuff and it scrolls up has the whole number displayed. If i cared enough or wanted to get in trouble memorizing one of these would be about the easiest thing in the world.

      but you are forgetting one thing....most web sites now match the card number/exp date to the address, which is still easy to get from my job cuz i can ask to see their license and if it's easy enough to remember, BAM!!! I could actually pay for internet pr()n.

    2. Re:Die, credit cards by Directrix1 · · Score: 2, Interesting

      I've always wondered why they didn't make CCs like this:
      A credit card sized 10-key (with decimal point, enter, and clear) with small one line LCD (or equivalent device) at top, with a thumbprint authentication utility on the side, and a printed circuit on the back for generating flux to simulate a magnetic strip for use in standard CC readers and maybe for automated amount entry(a circuit tuned to the GPS frequencies of the area where the card is allowed to be used could be embedded to charge small capacitors for power, and also possibly for use in theft detection). Embedded in the card is:

      1) Account Private Key (encrypted by a reversible crypto with the key being the output of a perceptron neural net trained to recognize all authorized users thumbprints [or other biometric authentication could and should be used as it becomes viable] with a constant result set [this is much simpler than you would think])

      2) Account Public Key (signed by institution [aka VISA or Verisign whichever gets to this idea first])

      The card has 4 states:
      Off, Amount query, thumbprint authorization, and encrypted transaction display and encrypted transaction activation of magnetic strip.

      Essentially the card waits for an authorized thumbprint to activate the card going to the amount input, after the user enters the amount (or maybe the amount can automatically be transferred to the card using the strip or smart card interface or something), the transaction is signed by the private key, and then the signed transaction is made available on the LCD and the pseudo magnetic strip (which is cleared after swiping it or hitting the clear button). You get the point, it's just like a remote cert mechanism for transactions. Just an idea.

      --
      Occam's razor is the blind faith in the natural selection of least resistance and in universal oversimplification. -- EF
    3. Re:Die, credit cards by GregGardner · · Score: 2, Interesting

      Well yes, it is possible to use a credit card number that isn't yours to purchase items. The risk, though, is built into the cost of using the credit cards. And any decent credit card company will not make you pay for false charges. This is much of the reason it costs so much to use a credit card. This cost is usually eaten by the merchant, though, and the consumer rarely sees it.

      There are new ways in place to make it a little more difficult for thieves to make fraudulent purchases. Most places now make you give them the expiration date of the card and that is checked to be valid in real-time. Also, they can do real-time checks of the name of the card holder as well as the zip code. It's really up to the merchant as to how much risk they want to take. In fact, the merchant will usually get better rates if they implement these anti-fraud measures and force the customer to give them their zip code or whatever.

      The credit card system is vastly better than the check system as far as fraud goes. There exists a system called ACH (Automated Clearing House, I think) in which you only need the person's name, bank routing number, and bank account number, all of which are always printed right on the front of a personal check. And unlike a credit card that you only hand over temporarily to a merchant, you send checks to people all the time. There are a number of things you can buy online or mailorder using ACH (lots of bill-pay places, etc). Makes you think twice the next time you want to pay some stranger with a personal check.

    4. Re:Die, credit cards by jfx32 · · Score: 1

      It comes down to cost. The cost of implementing a smartcard credit card and replacing the existing infrastructure would be immense. It is cheaper for the credit card companies to simply absorb the loss. You won't see a new standard emerge unless this situation changes, and absorbing the cost becomes too high.

    5. Re:Die, credit cards by aaarrrgggh · · Score: 1

      You don't really even need the thumbprint; just a pin code would work.

      Effectively all your idea does is move the authorization number to a function of the card which can be correlated to the account number, amount, and merchant. Throw in a datestamp, and you are set!

      For that matter, why not have the merchant type in the 16-digit authorization number?

    6. Re:Die, credit cards by Directrix1 · · Score: 1

      A pin code would work. But thumbprint authorization would be quicker and easier, it's all just a number to the underlying hardware. Really, all it does is authorize the transaction and generate an amount of virtual cash (a transaction counter on the card should be encrypted into the transaction also [I left that out of the parent post] and incremented after every transaction). You don't want to throw in merchant, or datestamp. It's not needed. The merchant does that. This should only take the place of a credit card number. The merchant can do whatever they want with it, but it will only yield that amount, and it authorizes making theft a very small issue. The point is to not just have some arbitrary number that will work for any transaction under the sun.

      --
      Occam's razor is the blind faith in the natural selection of least resistance and in universal oversimplification. -- EF
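The scheme discussed in comments 141 through 143.6 (sign each transaction on the card, and include an amount and a counter that increments every time), as an added example that is not part of the thread. It uses Ed25519 from the Go standard library as the signature scheme; the type and function names, the account ID and the all-zero seed are assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
)

// Transaction is what the card hands over instead of a reusable account
// number: one amount, one counter value, one signature over both.
type Transaction struct {
	AccountID   string
	Counter     uint64
	AmountCents uint64
	Sig         []byte
}

// message is the exact byte string that is signed and later verified.
func (t Transaction) message() []byte {
	buf := make([]byte, 16, 16+len(t.AccountID))
	binary.BigEndian.PutUint64(buf[0:8], t.Counter)
	binary.BigEndian.PutUint64(buf[8:16], t.AmountCents)
	return append(buf, t.AccountID...)
}

// Card holds the private key and the counter; neither ever leaves it.
type Card struct {
	accountID string
	key       ed25519.PrivateKey
	counter   uint64
}

// NewCard derives the key pair from a 32-byte seed (hypothetical provisioning step).
func NewCard(accountID string, seed []byte) *Card {
	return &Card{accountID: accountID, key: ed25519.NewKeyFromSeed(seed)}
}

// Public returns the key the issuer enrolls for this account.
func (c *Card) Public() ed25519.PublicKey {
	return c.key.Public().(ed25519.PublicKey)
}

// Authorize increments the counter and signs (counter, amount, account).
func (c *Card) Authorize(amountCents uint64) Transaction {
	c.counter++
	t := Transaction{AccountID: c.accountID, Counter: c.counter, AmountCents: amountCents}
	t.Sig = ed25519.Sign(c.key, t.message())
	return t
}

var (
	ErrUnknownAccount = errors.New("unknown account")
	ErrBadSignature   = errors.New("signature does not match transaction fields")
	ErrReplay         = errors.New("counter already used")
)

// Issuer stores only public keys and the highest counter settled per account,
// so a copy of its database cannot be used to create new transactions.
type Issuer struct {
	keys     map[string]ed25519.PublicKey
	lastSeen map[string]uint64
}

func NewIssuer() *Issuer {
	return &Issuer{keys: map[string]ed25519.PublicKey{}, lastSeen: map[string]uint64{}}
}

func (i *Issuer) Enroll(accountID string, pub ed25519.PublicKey) {
	i.keys[accountID] = pub
}

// Settle accepts a transaction once. Requiring a strictly increasing counter
// is a simplification: it also rejects batches that arrive out of order.
func (i *Issuer) Settle(t Transaction) error {
	pub, ok := i.keys[t.AccountID]
	if !ok {
		return ErrUnknownAccount
	}
	if !ed25519.Verify(pub, t.message(), t.Sig) {
		return ErrBadSignature
	}
	if t.Counter <= i.lastSeen[t.AccountID] {
		return ErrReplay
	}
	i.lastSeen[t.AccountID] = t.Counter
	return nil
}

func main() {
	seed := make([]byte, ed25519.SeedSize) // constructed all-zero seed, demo only
	card := NewCard("acct-constructed-1", seed)
	issuer := NewIssuer()
	issuer.Enroll("acct-constructed-1", card.Public())

	tx := card.Authorize(1999)
	fmt.Println("first settlement:", issuer.Settle(tx))
	fmt.Println("same bytes again:", issuer.Settle(tx))

	altered := card.Authorize(500)
	altered.AmountCents = 50000 // merchant-side tampering with the amount
	fmt.Println("altered amount:  ", issuer.Settle(altered))
}
```

What a merchant or an intruder can copy here is a spent, amount-bound message rather than a number that authorizes arbitrary charges.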
    7. Re:Die, credit cards by tgreen001 · · Score: 1

      Or... Why don't we all just get GPS enabled JAVA chips implanted in our heads... that way all we have to do is wave our skulls under the scanners... and that way, the Govt and large corporations have even easier times tracking our buying patterns, locations and such. I just love letting other people keep tabs on me

      --
      It's a bird, it's a plane... no it's striptyler flying a plane.
  144. OTOH by Ender+Ryan · · Score: 3, Insightful
    OTOH, if you are an intelligent person, you can conveniently use a credit card to get an instant loan whenever you like, allowing you to purchase things you otherwise wouldn't be able to afford.

    Credit cards work both ways. Be intelligent, and they will be an asset. Be stupid, and they will be a liability.

    --
    Sticking feathers up your butt does not make you a chicken - Tyler Durden
  145. Illuminating the evil of the Fake Visa... by PSaltyDS · · Score: 1

    This kind of thing is why I simply refuse to get the Fake Visa, a checking account debit card that has a Visa logo with none of the credit fraud protections of a real credit card, and no PIN like a real debit card.
    If your credit card is misused, then a debt is recorded against you that you have not paid yet, and can refuse to pay, with laws to back you up. To misuse a regular debit (ATM) card, the PIN must be known. But the Fake Visa leaves you completely twisting in the wind. If it is misused your money is already gone. You can begin the process of trying to get it back, but any legal eagle can tell you that getting money back is a completely different universe from refusing to pay it in the first place!
    In short, we take comfort in reading this story that we all know the law protects these card owners fairly well. But I am afraid people get these Fake Visa debit cards thinking they have the same protection AND THEY DON'T!
    -
    -
    Tim "The Tool Man" Taylor, my hero and nomination for Greatest System Engineer Of All Time!

    --
    Any technology distinguishable from magic is insufficiently advanced. - Geek's corollary to Clarke's law
  146. The IT industry is still relatively young by MECC · · Score: 1

    It's a young industry, and it hasn't shown signs of maturity yet. After all, the most successful software is also one of the worst.

    --
    "We are all geniuses when we dream"
    - E.M. Cioran
  147. sick of the misuse of the word Hacker by nurb432 · · Score: 0, Offtopic

    They are not hackers.. true hackers don't profit or harm things they learn only.

    Cracker is the correct term to use.

    Gives all us old timers a bad name due to public association.

    --
    ---- Booth was a patriot ----
    1. Re:sick of the misuse of the word Hacker by Anonymous Coward · · Score: 0

      shut up hippy.

  148. Re:Cracker? by Anonymous Coward · · Score: 0

    Why are we automatically assuming the the guy was white?

    Because niggers arent smart enough to pull something like this off

  149. Wait until cash is outlawed. by nurb432 · · Score: 1

    When only digital transactions are allowed due to 'security' and 'safety' reasons, things like this will take on even more ominous proportions.

    would only take one bad apple to bring down the entire banking system at that point.

    --
    ---- Booth was a patriot ----
  150. Shameless plug by Adam+Wiggins · · Score: 0

    Don't store your own credit cards, stash them someplace secure. You don't keep your money in a sock under your mattress do you? You put it in a bank. Same deal here.

  151. What about check cards? by jelton · · Score: 1

    Credit cards are protected against fraud. Check cards, however, are not as well protected. In addition, it is a big hassle as the money is usually deducted from your account rather quickly. Just one more reason this company should be alerting its customers to the problem.

    Just another paranoid /.er

    --
    I am not a lawyer. This post does not constitute any form of legal advice.
  152. Re:We should be moderately safe THAT was funny by Havokmon · · Score: 1
    Remember, Credit Cards companies use neural networks to analyse transactions and decide whether or not they may be faulty, and the success-rate of these babies is higher than you may suspect

    Neural Networks? Umm WHATEVER. Having worked for a credit card processor ranked 17th in the nation (when I left a few years ago), I can tell you that's probably crap.

    Visa MIGHT use them, Mastercard is so fucked up, I highly doubt it. We did Merchant Processing. That's the type of company that got hacked, and I'm not surprised. The company I worked for did everything in FOXPRO. That's right. Everyone had full access to the datafiles. Not only that, but the programs were written so anyone could change a DOS variable, and 'become' any other user to the front-end software. VERY bad.

    Sure there was a security program, but it wasn't there to protect the cardholder, it was there to protect the COMPANY. Each merchant has limits, and average sales. If the limit, or average sale is exceeded, the money isn't put into their account. If a card is charged twice, for the same amount, both transactions are stopped. Anything that will stop a chargeback from the customer is checked for.

    Someone mentioned making sure a card wasn't used in NV and NJ at the same time... That MAY happen at the cardholder banks, but not at the processor. In fact, we did a little cardholder stuff there too. I'm quite sure the TWO people in that department weren't working on cardholder security.

    --
    "I can't give you a brain, so I'll give you a diploma" - The Great Oz (blatantly stolen sig)
  153. When will the banks and CC processing... by callipygian-showsyst · · Score: 1
    When will the banks and the credit processing companies start being liable for having lax security?

    While, of course, the person who accessed the numbers bears the bulk of the blame, I also see the bank and credit processing company as culpable.

    Each person with a stolen # will have some work to do, if only to change the CC #s on file with eBay, PayPal, auto-mortgage payment systems, etc.

  154. And that's bad? by Flamesplash · · Score: 1

    Is this a bad thing?

    The retailer should be held accountable for not putting some sort of safety measure in place. There are a number I know are actively used:

    1. Ship to addresses that differ from the address on the account must be added to the account as a ship-to address. New Egg currently does this at least.

    2. the 3 digit security code on the back of your card, though I dunno if that info is part of the DB stolen. This is becoming more prominent every day on line.

    3. A PIN, visa is currently marketing this as Verified Visa.

    One of my biggest problems with Walmart is that they almost never check ID when I write checks. If someone steals my check book and uses it at walmart successfully then walmart is partially to blame.

    --
    "Not knowing when the dawn will come, I open every door." - Emily Dickinson
    1. Re:And that's bad? by Nexx · · Score: 1

      I'll do a point-by-point rebut. I used to work for a large credit-card company, though under my NDA, I'm unable to name them for another few years. It's not that I know things other people might not know, either, but....

      1. Ship to addresses that differ from the address on the account must be added to the account as a ship-to address. New Egg [newegg.com] currently does this at least.

      Right. You're assuming US-based retailers. non-US retailers cannot do this, either for legal reasons, or address-format difference reasons. For example, in some cases in Japan, a given address must be given down to the head-of-household's name in order to map to a specific domicile. In other regions of the world, namely some of the EU countries, the release of that sort of information by the CC companies apparently violates privacy laws.

      2. the 3 digit security code on the back of your card, though I dunno if that info is part of the DB stolen. This is becoming more prominent every day on line.

      The CVC2 that you refer to, MUST NOT be stored by the merchant. However, that information is quite useless with some banks, as 1) they use other information in the magstripe to compute the value, and 2) the banks themselves don't necessarily store that information either.

      3. A PIN, visa is currently marketing this as Verified Visa.

      This will only protect Visa customers. I'm all for credit card companies doing this sort of thing, but a PIN really doesn't mean diddly-squat when the $BAD_GUY takes a card, writes it to a blank, and swipes it at a mom-and-pop's whose clearing house does things in batch mode. You can simply tell the mom-and-pop's to use a different clearing house, but what we want them to do is to proactively prevent the use of these numbers in any means by marking them "cancelled" or "stolen".

  155. WHO WAS HACKED? by fanatic · · Score: 1

    How come CNN couldn't put that in the article? What crap.

    --
    "that's not encryption - it's a new perl script that I'm working on..." - from some Matrix parody
  156. Re:Because of technology... Not expensive... by leeet · · Score: 1

    I used to work in a computer store and we resold a lot of badging stuff. A writer used to go for less than 300$ and a printer was around 2000$.

    Basically, a small investment for such a (possible) great return. Although, if you get caught... that's another story :)

    --
    -- Leeeter than leet
  157. Companies should send a note to card owners by ngnMan · · Score: 2, Interesting

    They have to do that when such things happen.
    So people can effectively control their bank account.

    Do they expect that all internet users check their bank account usage from now for 12 months or more?

    A serious company would do that.
    It is better to send 2 million people in panic than 40 million (or 560)

    They're so poor they send a press note claiming nobody used the c.cards

  158. "...no accounts have been used fraudulently..." by shiroi_kami · · Score: 1

    Yep, gives me the warm and fuzzy. Give me a break!

  159. This happened/ is happening by overunderunderdone · · Score: 2, Interesting

    mind you, if they only took a few cents from each credit card account, they COULD buy a Ferrari ...

    There are ongoing frauds where small amounts in fraudulent "service fees" or subscriptions to porn sites are being charged on hundreds of thousands of cards every month. The charges are small enough that most card holders don't bother to track them down and get hit up month after month for years.

    There is a web page about one of these frauds here. In this particular fraud the card numbers were taken from a shady bank that did CC transactions for porn sites. The con men would make charges under a variety of entities posing as subscription based porn sites so the card holder would not only be paying for his original porn purchase but other fraudulent ones besides - pretty smart because it wouldn't set off any alarms at the card company (the guy is already making legitimate purchases of that particular product) and the numbers are small enough that the guy wouldn't bother doing anything about it if he even notices. Since it's porn, and some of it he really *did* sign up for, he might be too embarrassed to do anything about it even if he realises some of the charges are fraudulent. This particular fraud ended up making between $40 and $50 million dollars off of about 900,000 card holders.

  160. one way to deal with it by Walt+Dismal · · Score: 1

    I have the perfect defense against credit fraud on me. I have bad credit.

  161. Happened to me by overunderunderdone · · Score: 1

    I tried to buy milk a couple of days ago and they wouldn't take my visa card - now I know why.

  162. Why have the number at all? by PSaltyDS · · Score: 1

    Why should the various vendors have a database of CC#s at all? Sorry if this is a dim question, but I don't see it. Many financial transactions, like using your ATM card at the grocery store, get one-time-use transaction numbers that presumably include some encryption. The grocery store doesn't record my ATM card number and PIN (...at least, I don't think so...) all they want is that transaction number, which is only good once for exactly the amount of sale. Even if you give the vendor's computer your CC# (via web or phone), they only need it long enough to get a valid transaction number from the CCCorp. Why should they keep it longer than that? Maybe this is the next generation of abstraction for these account numbers, a law that says a vendor can only use and store the CC# until they get a transaction/confirmation from the bank, then they have to drop it. I don't have a problem with refusing to do credit business with a vendor who insists on using one of those absurd hardcopy embossing machines to make a CC sale. Most restaurants, stores, and gas pumps already print only the last four digits, or an abstract transaction number, on the receipt already.

    --
    Any technology distinguishable from magic is insufficiently advanced. - Geek's corollary to Clarke's law
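The retention rule proposed in comment 162 (hold the card number only until the processor returns a transaction reference, then keep just that reference and the last four digits), as an added example that is not part of the thread. The Processor type and its Authorize and Capture methods are a hypothetical stand-in for a real processor API, and the card number is the widely published Visa test value.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// auth is the processor's private record behind an authorization reference.
type auth struct {
	merchant    string
	amountCents uint64
	captured    bool
}

// Processor stands in for the card network side (hypothetical API).
type Processor struct{ auths map[string]*auth }

func NewProcessor() *Processor { return &Processor{auths: map[string]*auth{}} }

var (
	ErrUnknownRef = errors.New("unknown authorization reference")
	ErrMismatch   = errors.New("merchant or amount does not match authorization")
	ErrCaptured   = errors.New("authorization already captured")
)

// Authorize sees the card number once and answers with a random reference
// tied to one merchant and one amount. The card checks a real processor
// would run on pan are omitted.
func (p *Processor) Authorize(merchant, pan string, amountCents uint64) (string, error) {
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	ref := hex.EncodeToString(raw)
	p.auths[ref] = &auth{merchant: merchant, amountCents: amountCents}
	return ref, nil
}

// Capture turns a reference into a charge: same merchant, same amount, once.
func (p *Processor) Capture(merchant, ref string, amountCents uint64) error {
	a, ok := p.auths[ref]
	switch {
	case !ok:
		return ErrUnknownRef
	case a.merchant != merchant || a.amountCents != amountCents:
		return ErrMismatch
	case a.captured:
		return ErrCaptured
	}
	a.captured = true
	return nil
}

// OrderRecord is everything the merchant writes to its own database.
type OrderRecord struct {
	OrderID     string
	Last4       string
	AuthRef     string
	AmountCents uint64
}

// Checkout passes the card number straight to the processor and returns the
// record to store; the full number is never copied into it.
func Checkout(p *Processor, merchant, orderID, pan string, amountCents uint64) (OrderRecord, error) {
	if len(pan) < 4 {
		return OrderRecord{}, errors.New("card number too short")
	}
	ref, err := p.Authorize(merchant, pan, amountCents)
	if err != nil {
		return OrderRecord{}, err
	}
	return OrderRecord{OrderID: orderID, Last4: pan[len(pan)-4:], AuthRef: ref, AmountCents: amountCents}, nil
}

// ContainsPAN reports whether a dump of the stored records includes the full number.
func ContainsPAN(records []OrderRecord, pan string) bool {
	for _, r := range records {
		if strings.Contains(fmt.Sprintf("%+v", r), pan) {
			return true
		}
	}
	return false
}

func main() {
	const testPAN = "4111111111111111" // published test number, not a real account
	p := NewProcessor()
	rec, err := Checkout(p, "shop-1", "order-1", testPAN, 2599)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored record: %+v\n", rec)
	fmt.Println("full number in store:", ContainsPAN([]OrderRecord{rec}, testPAN))
	// What someone holding a copy of the merchant database could try:
	fmt.Println("other merchant:", p.Capture("shop-2", rec.AuthRef, 2599))
	fmt.Println("other amount:  ", p.Capture("shop-1", rec.AuthRef, 99999))
	fmt.Println("real capture:  ", p.Capture("shop-1", rec.AuthRef, 2599))
	fmt.Println("second capture:", p.Capture("shop-1", rec.AuthRef, 2599))
}
```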
  163. Love the CNN by wrax · · Score: 1

    I just love CNN. They even get the numbers wrong in their own articles.

    Title: Hacker accesses 5.6 Million Credit cards

    Story: Hacker has access to 2.2 Million Credit cards.

    I wonder which it is.

    Hhaha

  164. Re:mmmm gay sex not as good as Ninnle! by Anonymous Coward · · Score: 0

    Ninnle is as ON topic as can be in the /. world.

  165. Avoidance Strategy by Anonymous Coward · · Score: 0

    I got fraudulently charged last summer. Zero-liability, but big-time hassle. So I abandoned credit cards for life. Using the strength of my check-card credit, I now open an account everywhere I shop. Now, at least I'm not handing over my bank number or credit card number to the disgruntled employee performing service and needing his daily free-base crack dosage.
    Emergency car repair? Grabbed a Goodyear card. Clothes? JCPenney account. Granted, this increases my chances for spam and telemarketing by 1000000 percent, but at least it's not an all-purpose charge account the dishonest get their hands on. And even better, I don't have to use my check-card visa to get these other accounts. For example, I got the Goodyear account simply from their calling a secret credit agency and looking me up. And I opened a Blockbuster account with my JCPenney's card! America is wonderful. Who has thoughts on this?

  166. PALLADIUM will solve it! by zackbar · · Score: 1

    Just wait until the Palladium(tm) chip is in place! Then we don't have to worry about cc fraud ever again either.

    Woo hoo!

    I'm just wondering where they will attach the chip on my credit card though.

  167. Actually over 5 million cards... by lwbecker2 · · Score: 1

    Latest estimates are 5.6 million card numbers...

    source: CNN Money

    I wonder if this estimate is bound to rise again?

  168. I think my card number was used... by SuperBusTerror · · Score: 0

    Someone bought a brand new 23" apple cinema display at the CompUSA downtown with my card...

    uhhh, DAMN those crooks...

    --
    -- Aaron
  169. The reason for the lack of PINs by zanderredux · · Score: 1
    Credit cards do not have PINs because in some countries credit card transactions are captured by physical means. Paper and carbon-copying-paper, that is. This is the very reason why credit card numbers are embossed and not printed with plain ink, the latter being way cheaper. When you capture a transaction with paper and carbon paper, the embossing prints the paper through the carbon.

    Now, PINs do not constitute a better security feature. They do help control fraud but you can still borrow a card and ask for the PIN. When was the last time a store clerk checked your card against some other form of photo ID? As for me, never.

    Smartcard credit cards will have PINs, but the embossed thing will stay with us for quite a while, especially for cards that can be used abroad.

  170. re issue by Anonymous Coward · · Score: 0

    Could this be the reason I receive newly updated credit cards weekly... who am i kidding

  171. I bet by RATBOON · · Score: 1

    I lay $10,000 that this hack will later be 'revealed' to have been the work of al-Qaeda operatives hailing from (yep) Iraq.

    --
    ---- oh no - it's the RIAA and their $100000000 fine. I'm gonna take that so seriously...
  172. Happened to me & my Amex by healy · · Score: 1

    Looks like my amex got hit with this. Someone from macmall.com called me this morning about two 120gig hard drives I bought that were not being shipped to my billing address. Thus began my morning.

    It appears that these items were being shipped to:

    Kenneth Beringer
    10930 GuildFord Rd
    New Orleans, LA 701627

    In digging a bit deeper, it looks like this is a nursing home in New Orleans (I'm in Oregon). My bet is on someone with family there or a worker in the facility.

    I also got a call from bestbuy.com with someone attempting to buy a wireless access point and have it shipped to a different location. This guy would not give me the destination.

    All in all, looks like about $3000 got dinged onto my Amex account.

    --
    "Jesus saves sinners...and redeems them for valuable coupons"
  173. at 2:30 PST, it is up to 8 million. eom by Anonymous Coward · · Score: 0

    eom

    1. Re:at 2:30 PST, it is up to 8 million. eom by lwbecker2 · · Score: 1

      Yup.. seems like the different amounts are for different _types_ of cards.

      2.2 mil was Mastercard. 5.x mil was Visa others are getting it up to 8 million....

      sheesh.

  174. Discover is now reporting the same thing.... by w3svc_animal · · Score: 1
    Take a look here....

    Discover Financial Services and American Express Tuesday joined the list of credit-card companies saying a hacker breached a security system of a company that processes transactions on behalf of merchants... ...

    http://money.cnn.com/2003/02/18/technology/creditcards/index.htm

    --

    Error encountered in IAWebSig.clsSig.Create: Last Procedure: sPrc_Ins_tblSig

  175. What about ATM/POS/Check Cards? by rmarquis · · Score: 1

    From what I understand, debit cards aren't covered by the same kind of credit protection (because they're not really) as actual personal-line credit cards are, even if they share the same logo.

    Any thoughts on whether these cards were affected? I'd imagine the numbers all went through the same network...

  176. Re:Because of technology... Not expensive... by thogard · · Score: 1

    I used to work for the 2nd largest CC company. I know the fraud levels and the fake strip stuff is nowhere near what the pay TV companies are dealing with. Fake cards that get used are in the Evolis card printer and as far as I can tell, it will not make a card that a real EFTPos terminal will accept.

    While a mag stripe writer (that might be able to write a credit card or not) lists for about $300, my bank just sent me a gemplus pc430 smart card writer. The serial version of this is what people used to make smart cards with for the TV market.

    I currently work at a place that does point of sale gear. In theory we sell mag stripe writers but our sales of that is close to zero. If you look at the total number of mag stripe writers made and compare it to the number of gemplus smart card writers, you will see that there are far more people with the gear to write smartcards than mag stripes.

    So why does the truth about security always get modded -1 flamebait?

  177. Many significant points not even mentioned. by expro · · Score: 1

    My own article was rejected that raised significant issues not even mentioned here, and this one article nearly off the front page, but just for the record, let me raise the following:

    1. The number of disclosed credit cards in this case may be closer to 8 million.

    2. If your credit card was compromised, it was the fault of the store for keeping the CC info forever in what amounts to a filing cabinet in a publicly-accessible area -- unless you are a technical person, who should have known better. Not all services have millions of credit card numbers just laying around like this -- only extremely incompetent ones, such as PayPal, who insist on storing your credit card information forever, even if you close the account. This is the only way you build up millions of credit card numbers in a weakly-protected database. Because of the logistics in this case, how many bits of key they use encoding it is typically irrelevant, because the order origination process, controlled by the web pages, has to be able to decrypt it. Why did you allow it to be held there by the merchant? It is sheer stupidity.

    3. This is why brick and mortar stores seem more secure. They do not keep your credit card number in a filing cabinet in the show room in case you forget to bring your wallet. PayPal does, making it vulnerable to any burglar or employee with a little knowledge years later who compromises the database, which is not hard to do if it has to be available for automatic remembering of CC numbers during ordering.

    4. As customers, we have a right to know which of the major incompetent CC processors, such as PayPal, was compromised this time, so we can use it better as an example to ordinary users why not to deal with a company that would forever hold your CC info hostage to the Microsoft Security oxymoron.

  178. 5.6 vs 2.2 million by gotr00t · · Score: 1

    I'm surprised that nobody has mentioned this (or at least nobody that I've seen) but the linked article on CNN indicates that 'Hacker accesses 5.6 million credit cards' while the article title is 2.2 million.

  179. Total now up to 8 million by eskwayrd · · Score: 1

    CNN Money is now reporting that the total is 8 million affected cards, since Discover and American Express have reported that their card numbers were in the batch stolen.

    I find it frustrating that the number of cards stolen is a guess, yet that each company is claiming no instances of fraud as a result. How can they be so sure when they can't decide how many cards and of what type have been stolen?

    And they still haven't named the company whose security was breached. Which means I will not be using my card in the near future until they do so. I do not wish to pass my card number through that company unwittingly while they sort out their security issues.

    --
    eskwayrd = m^2c^4
    1. Re:Total now up to 8 million by Anonymous Coward · · Score: 0

      I verified my credit cards with their respective issuers this evening and was told by two of the customer service reps I spoke with that it was Citizen's Bank that was compromised. The easiest thing to do is just call the customer service number on the back of your card and ask them. If you're ultra-paranoid, you can report the card lost or stolen and have a new card issued.

  180. Are cc numbers enough? by Anonymous Coward · · Score: 0

    Forgive the naivety, but don't you need the name, expiration date and zip code of the owner of the card to be able to use it?
    I'm wondering that say, I even get a valid cc number, what use is it gonna be since I'll either use it on the internet or by phone and generally the above details are required for authentication. Is this also the reason that the link claims none of the cc's were fraudulently used?
    -nitin

  181. I am glad it was a cracker and not a nigger by Anonymous Coward · · Score: 0

    see subject

    score: -1,Troll
    penis size: 14,demigod

  182. Re:Put away your tinfoil hat (CASH IS KING) by ScienceofSpock · · Score: 1

    I pretty much strictly use cash, but I live and work in Las Vegas, where cash is king.

    If I can't pay for it with cash, or a money order that was paid for with cash, I'll find somewhere else to buy it.

    I don't buy much online, but I have enough friends with CC's, and I pay them cash to make the purchase for me.

    I don't have a bank account because I have yet to find a bank where the monthly fees don't negate the interest you SHOULD be earning on YOUR MONEY. Banks make money by charging interest on YOUR MONEY that they loan to people buying a house/car/boat etc. You shouldn't have to pay for that as well.

    I don't have a credit card. I learned about credit cards early, when I got my first and only credit card at age 18. I had a $300 limit on a "student" credit card that my then girlfriend ran up in one evening. 3 years and $1500 in fees later, I realized that CC's were nothing more than a scam played on those that had low income and were bad at math.

    I now have 2 car payments (both at 1.9%), insurance, rent, cable, 3 telephone bills, water, student loans (the Wife's) and various other bills, all paid by money order.

    Life without a bank is blissful. I may not be earning interest (who actually is?), but I'm not paying to spend my money.

  183. Re:Put away your tinfoil hat (CASH IS KING) by ScienceofSpock · · Score: 1

    oh yeah, I cash my paycheck at the casino, where I actually get MORE than my check is worth. It's usually just a drink, but sometimes it's an additional $10 in nickels :)

    THAT's interest for ya....

  184. 8 million CC's...blah blah... by i_h8_windoze · · Score: 1

    It seems now that Discover and American Express are joining the list of compromised cards. Here is a report snippet from CNN.com's article... : "Discover and American Express would not disclose how many accounts were involved. In a statement, MasterCard put the overall security breach at about eight million accounts, including 2.2 million of its own cards. Visa said 3.4 million of its cards were affected." You do the math folks... that is 5.6 million from MC/VISA which leaves 2.4 million to be left for DISC and AMX. Fact is that until they knew the CC's were compromised, they couldn't very well verify the legitimacy of the use of the CC's especially if they were used for internet Purchases. Basically, they were covering their asses it seems...as to keep the general public from going into chaos. I know reading this report is somewhat comforting, but I know the reality...why? Because I'm a Geek. By this I mean I can see through the bullshit the media tries to put over on the idiots. but if I check my bank and it's wiped, then someone is going to have to fork out Rent money...and let's not forget the beer money too!! :-p -IHW

  185. Re:Encryption by MikeBabcock · · Score: 1

    Signatures aren't as big of a deal as encryption of course. I want my transaction to be signed by my private key and encrypted to VISA/MC's public key so that the intermediaries only have the encrypted version of the transaction data, not the raw data.

    --
    - Michael T. Babcock (Yes, I blog)
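
The sign-then-encrypt arrangement described in the comment above, as an added example that is not part of the original thread: the cardholder signs the transaction and encrypts it to the card network's public key, so a processor in the middle holds only an envelope it cannot open. The algorithms (Ed25519, RSA-OAEP, AES-256-GCM), key pairs, function names and sample transaction are assumptions made for illustration; the comment names none of them.

```javascript
const crypto = require('node:crypto');

// Constructed keys: the cardholder signs, the card network decrypts.
const cardholder = crypto.generateKeyPairSync('ed25519');
const network = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const oaep = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Cardholder side: sign the transaction, then encrypt signature + body to the network.
function sealTransaction(txn, signingKey, networkPublicKey) {
  const body = Buffer.from(JSON.stringify(txn));
  const sig = crypto.sign(null, body, signingKey);       // Ed25519 signature, 64 bytes
  const key = crypto.randomBytes(32);                     // one-time AES-256 key
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(Buffer.concat([sig, body])), cipher.final()]);
  return {
    wrappedKey: crypto.publicEncrypt({ key: networkPublicKey, ...oaep }, key),
    iv, ct, tag: cipher.getAuthTag(),
  };
}

// Network side: unwrap the AES key, decrypt, then verify the cardholder's signature.
function openTransaction(env, networkPrivateKey, cardholderPublicKey) {
  const key = crypto.privateDecrypt({ key: networkPrivateKey, ...oaep }, env.wrappedKey);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, env.iv);
  decipher.setAuthTag(env.tag);                           // final() throws if tampered
  const plain = Buffer.concat([decipher.update(env.ct), decipher.final()]);
  const sig = plain.subarray(0, 64);
  const body = plain.subarray(64);
  if (!crypto.verify(null, body, cardholderPublicKey, sig)) {
    throw new Error('signature does not match cardholder key');
  }
  return JSON.parse(body.toString());
}

// What an intermediary stores: the envelope bytes, with no key that opens them.
function intermediaryCanRead(env, needle) {
  return Buffer.concat([env.wrappedKey, env.iv, env.ct, env.tag]).includes(needle);
}

// Constructed sample transaction; 4111111111111111 is a well-known test number.
const txn = { pan: '4111111111111111', amount: '19.99', merchant: 'example-store' };
const envelope = sealTransaction(txn, cardholder.privateKey, network.publicKey);
```

A breach of the intermediary's database in this arrangement yields envelopes rather than card numbers; the network's private key becomes the asset to protect.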
  186. Next-generation credit cards by Anonymous Coward · · Score: 0

    The next-generation credit cards are actually being developed and will hit the streets in the next couple of years. The largest difference is that the cards use a chip instead of the old-fashioned magnetic strip (although the strip will also be on the card as a secondary method). The chips are reprogrammable and patches can be sent to the card via the payment network. (I wonder who creates the first credit card virus? :)

    It's all based on public-key encryption. The standard's called EMV (website at www.emvco.org), as in Eurocard-Mastercard-Visa.