Slashdot Mirror
Cracker Gains Access to 2.2 Million Credit Cards
Doctor Sbaitso writes "CNN reports that a hacker bypassed the security system of a company that processes credit card transactions and gained access to approximately 2.2 million Visa and MasterCard credit cards. Fortunately, none of them seem to have been used fraudulently."
Fortunately, none of them seem to have been used fraudulently.
And how exactly do they know that all 2.2 million credit card #'s haven't been used fraudulently? I'm sure that there are at least a small percent of any given set of 2.2 million credit card #'s that are used fraudulently.
Fortunately, none of them seem to have been used fraudulently
Uh, yeah, because it's so easy to verify that two MILLION credit card numbers haven't been used fraudulently.
I mean, come on, just through coincidence I'm sure some of the physical cards themselves have been stolen recently and used fraudulently.
That article was not written with many details... What credit group... who's the hacker?
||| I still can't believe Parkay's not butter.
With 2.2 million credit card numbers to check, how do they know that the cards haven't been compromised?
Sure, their owners might not have reported any fraudulent use yet (and the card issuers themselves may not have spotted any) but all it takes is for this hacker/cracker to have made one copy of the records which he then disseminated to one or more friends for a problem to occur.
At the very least, the owners of the system that was broken into should be contacting their customers to let them know that there is a small but real risk that their cards numbers might be out there and that they should double check their statements for any unusual items.
But, given that most companies would see something as proactive as this as marketing suicide (rather than use it to enforce the fact that they do everything to protect the security of their customers), I doubt that they will be so bold.
"Accept that some days you are the pigeon, and some days you are the statue." - David Brent, Wernham Hogg
I like those odds - not a single fradulent use in 2.2 million cards.
Hell i've had 3 fradulent transactions and only own 3 credit cards and two debit cards.
One thing i've noticed is that my card company seem good at stopping me from spending when they think i'm fradulent. Just put 7 currencies on your card in as many days and alarm bells seem to ring somewhere.... but catching real theives is a little too tricky
Citizens Bank, a financial institution serving the Northeast, shut down the accounts of 8,800 customers whose card numbers had been accessed after being notified by MasterCard on Friday, bank spokeswoman Pamela Crawley said. All of those accounts were safe, she said.
I'll bet those people are just *thrilled* to have their accounts locked out. How many people are going to find their card mysteriously declined when doing their weekly grocery shop then ? I'm betting the bank hasn't made 8,800 phone calls to explain their position.
Hell of a way for VISA/MC to limit their liability - just cancel their cards ??Never, ever lose a file again. Ever.
Oh, yes. It doesn't look good for them, and it looks REALLY bad for the issuing banks, if nothing is done about it. But I still think that at least some people are going to be filing disputes on bad charges because of this.
If you had read the article, you'd know that the cardholders are not liable for any purchases that may be made with the stolen CC data. Visa and Mastercard have already been contacting banks to let them know which CC#s were stolen.
It's better to troll than karma-whore. It's better to troll than do ANYTHING, in fact.
I think its time the whole CC system is overhauled!
The lack of authentication is the biggest problem with it. And no, the PVV is not good enough for authentication either, its also printed on the card and some online stores require that number but store it with the CC# anyway.
I'm sure the banks have a huge amount of fraud on cards and eventually these costs get passed on to the customers.
Debit cards with PINs / Smartcards are the way to go.
How on earth do they know that none of 2.2 million credit cards has been used fradulently in the last 24 hours? Seems pretty impossible to me. I'll bet some of them have for reasons completely unrelated to this hacker anyway. How can you verify something like that on such a huge scale?
main(c,r){for(r=32;r;) printf(++c>31?c=!r--,"\n":c<r?" ":~c&r?" `":" #");}
The article is pretty poor, it contains no facts and verifies nothing. It attempts to convey that it is true because of the trail of denial.
Analytic & algebraic topology of locally Euclidean meterization of infinitely differentiable Riemmanian manifold
Can anybody explain to me why credit cards don't have PIN numbers like my ATM card does? Wouldn't this stop a tremendous amount of fraud?
No, because the PINs would probably be stored in the same unsecure manner that the other credit card information was. This is why PINs in general and/or 3 digit auth codes will be ineffective. What's needed here is better site security, not better credit card security.
All someone needs is someone's card number and expiration date and they can do whatever they want.
Kinda... You can actually specify any date in the future and the transaction will validate (if you use a system like Cybercash or Authorize.Net). If however, you have a human on the other side who checks the entered credit card information against what they get from the credit card company, then that human can manually disallow the transaciton.
Unfortunately, the only real way to secure information is to store it in an encrypted form such that the key needed to decrypt the information is physically separated from the machine which contains the data. However, many websites currently use the "key under the doormat" approach to security, which in theory is no better than storing the data unencrypted and hoping that no one hacks into the system and sees it.
In case of fire, do not use elevator. Use water!
My guess is that they haven't had any reports of fradulent use.
Why are so many companies so foolish?
You encrypt the number like crazy when it's traveling to your server. You protect it with all the firewalls and whatnot you can muster. You limit who has legitimate access to it. And you don't encrypt it when it's stored on the server?
I don't get it. Passwords are stored encrypted. Why not credit cards?
For all the time I've spent reassuring my parents that it's okay to pay for things on the Internet because the encryption is impossible to break, things like this make me really nervous. I think we need legislation requiring all company databases that store credit cards to store them encrypted.
That way, if someone does break the encryption and get our credit card numbers, at least we can prosecute them under the DMCA!
I found the meaning of life the other day, but I had write-only access.
> Think of it this way, if I stole your ATM card, I couldn't empty out your checking acount without your PIN which, hopefully, only you know.
..
.. a centrally secured PIN number repositority accountable to the company that issues the card would probably prevent alot of fraud.
I'm pretty sure the machine knows it too (however briefly as it checks with the bank's servers)
However, retail websites wouldnt have to store your PIN, just authorize you briefly. That makes discovering PINs from 3rd parties impossible. You'd have the crack the credit card company, and thats the most 'logical' party to trust with the data that you need to use the account.
I agree with the parent post
"Old man yells at systemd"
You could just cut them all off. Are there any places left that don't call in credit card purchases? Of course, that would leave 2.2 million credit card users high and dry and they would have to issue 2.2 million new cards. It would cost hundreds of thousands of dollars and do incalculable PR damage. So what to do?
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
Having read it :) I suspect this CNN article isn't much more than a paraphrase-the-press-release sort of thing. ("A hacker has gained access to as many as 2.2 million Visa and MasterCard accounts, the two companies announced Monday.") Someone else here cites an article saying FIVE million numbers were stolen! I think more probing work is needed.
Also, I love "Both card companies have zero-liability policies, which protect cardholders from being held responsible for unauthorized or fraudulent charges" -- as if they're so generous. For one thing, I think that "policy" is required by federal law, and if not it would be legally insane (and unenforceable) to hold subscribers liable for 3rd party mistakes. An interesting Q might be how long you could wait or fail to notice an ongoing fraudulent use of the card, assuming it didn't get maxed out within minutes.
Anyway, look for more probing articles. I'd like to know what *other* sensitive information might have been accessible? Wouldn't a list of social security numbers be nice? How'd you like to have to go get that number changed? I assume (hope, pray) SSN's weren't stored in the same sloppy way as these CC #'s, but it's perfectly possible at some other institution.
I don't think there's any reason to store the 3 digit number in a database. It's only used during transaction approval. I can see why merchants store accounts numbers, to keep records of transactions and such (though it's just lazy and insecure the way they manage that data sometimes). There really is no need to add a field in their dastabases for the extra 3 digits, since the account number already serves its purpose, and is guaranteed to be unique.
Of course, then the problem is not every merchant verifies the 3 digit code, so a theif doesn't even need it for some transactions. It is in the merchants' best interests to use the code, however, since the merchants foot the bill in fraud claims.
It's still not the greatest system, but it has some potential to curb fraud. Needs refining, but it's better than nothing.
Beer wants to be free
Here are a few things I'd like to see in the credit card infrastructure.
Some of these things would be a major overhaul. Some of them wouldn't. But any of them has to be doable for a lot less money than the credit industry claims it loses to fraud every year. I cannot comprehend why they don't do some of these things.
Because remember, it's not the credit card processor's fault that your credit card got stolen, it's the evil hacker who bypassed the security. If we told you which credit card processor it was you might take your business elsewhere, therefore ensuring that security of your credit card is taken seriously -- and we don't want that, do we? I mean, that would be like punishing the credit card processor for the evil hacker's crime!
How we know is more important than what we know.
Yeah but there's no reason for CC#'s to be stored anywhere either. Can the CC companies please hire someone who knows how to use a hash function.
It will be the merchant who gets hosed. Those 5 million cards will be used to stiff merchants across the world. And when it comes to credit card fraud the merchant always gets the short stick.
To add insult to injury, if a merchant gets a chargeback rate of more than 1%, Visa/MC has the right to start charging the merchant up to $10000/mo for 'research fees', that is if they don't drop the merchant entirely (and thereby put them out of business -- a not uncommon event for smaller businesses).
Heh. I haven't read all the posts on this article yet, but I'm sure I'm not the only one thats thinking about this "coincidence" ...
Starting at the beginning of the month, and every 4 days since then, someone has been using my friends Visa card to buy Calcium Pills and have them shipped to his house. This is the first time this had ever happened to him.
The people made 3 orders using two different emails addresses. When the first orders arrived at the door, he called the Bank and had them put a stop on his card. There were two more attempts made, and the email addresses where the orders originated (at least the order confirmations weren't bounced back) were then delivered to the police, and our district attorney's office. We have yet to hear from anyone on the matter.
Whether this has anything to do with what has happened is beyond me, but its a little interesting that this happened at the same time.
400 Person LAN for Charity: Zion LAN 2005
2.2 million cards isn't that many so I don't think it was a major gateway. I bet some vender kept credit cards on record and had lousy security. Also if there was a gateway problem we would see some missing AmEx and Discover. Lots of venders just accept Visa and Master (it's the basic package man)
We use a randomly generated code specific to each transaction, user, time, and credit card that only our bank (in theory) can track back to an actual credit card. We don't know and therefore don't have any of our customer's credit cards.
-888 Geek Help (888-433-5435)
How is it that a credit card company can determine (within hours!) that not a single one out of their +2 MILLION accounts have been tampered with, but yet, it takes them like 3 months to resolve a single dispute over an unauthorized charge to *my* account?
I used to have a pretty good bullshit detector.... Until this Timmy-riffic article came along and broke the fucking needle off, that is.
Bowie J. Poag
The number of cards is too large for any gateway IMHO. I will bet money that a private processor network got hacked, or the central database for said network, i.e., ECHO, EFS or something on that scale.
These networks are used for dialup and leased line access for authorizations. This means your grandmother's card used at the grocery store could now be in the hand of a hax0r.
Reuters is reporting 5 million cards.
"Finally I have to point out that I have no interest in obtaining these numbers (or any others, except my own :-) and I am certainly not advocating credit card fraud. Just saying that if an opportunity like you described (every email box got the list) came my way, I would be very tempted to try and enjoy myself with some humourous (to me) exploits from a safe place and that there would probably be tens or hundreds of thousands of other following suit. Damages would rack up pretty quickly."
An interesting mental excercise (BTW do you crack DirectTV cards?), but the majority of credit card transactions are electronic in nature (yes that includes mail order[1], and web sites). Anyone submitting such a number would be refused, and redflagged. Remember it's not only crime that can move at the speed of light.
[1] Yes I use to handle both.
I would like to see it overhauled too. However, I'd prefer to see credit cards that use strong cryptography. These days, we have the proper algorithms pretty much worked out, and we have enough very cheap computing devices available to do it.
Basically, crypto allows you do two helpful things with a good degree of certainty:
Now, the fundamental problem with credit card transactions these days is that, although signatures and photo IDs are used peripherally, fundamentally they are based on the idea (just like social security numbers) that they will be kept secret, because knowing the number allows you to exercise the privileges that come with holding the account. But, there is no way to use the account other than to give away the secret . And worse, you either seriously restrict your buying or you end up giving the secret away to people who you can't really trust and who have no big incentive to protect the secret. And even those who you legitimately want to have the secret (your insurance company) can screw up and overcharge, because they have the power (if not the legal right) to charge your account any amount any number of times once they have the secret.
Cryptography can basically eliminate all those problems.
Here's how I envision a future credit card transaction working:
There would be some drawbacks (big effort to change over, etc.), but the following benefits would, I think, outweigh them:
OK, I could go on, but basically the situation right now is that the system is horribly insecure, and we're relying on legal penalties to try and prevent fraud. But, with strong cryptography, we have the capability to do a million times better, and it really wouldn't be all that inconvenient. And the scary part is, a working prototype of this system can be built in maybe 24 hours using Perl and GPG or similar.
A third party processor could be, for example, Authorize.net, Verisign, Card Service Intl, or any of the other Payment Gateways, I believe.
I know it sucks that we can't find out which third party processor it is, so we can all stop using them, but I'll take the unpopular position that it's a good idea to not have that information disclosed to the public.
The bad publicity from a mess like this could put a struggling company out of business when everyone stops using them. Do they deserve to go out of business? Sure, but that's not the point.
If a company discovers someone has hacked into one of their servers with access to a database full of credit card numbers, and they know that notifying Visa, MasterCard, and the FBI is going to put them out of business with bad publicity, how many companies are going to report it?
They could rationalize that while there is evidence the server was cracked, there is no proof that someone actually downloaded credit card numbers from the server. Maybe it was a worm that just infected the server and tried to find more vulnerable servers, and did nothing more. Or maybe they were just setting up an ftp server for their mp3 collection.
Is it worth publicly releasing this information that right now only 3 people in the company know about, and all but guarantee they will go out of business? Or should they just rebuild the server, fix the problem, and hope that no credit card numbers were stolen, and if they were, that they don't get traced back to you if they are used fraudulently?
Personally, I was in that situation two years ago, and we opted to just rebuild the server and hope that the 10,000 credit card numbers sitting on the cracked server were never found. Was it the right thing to do? No. Was it illegal? Hard to say. But the negative impact to the company could have been devastating, so we decided to report nothing. We never heard about any of the credit cards being used fraudulently, which wasn't surprising, and we went out of business a year later anyway, which also wasn't surprising.
So my point is, if companies that get cracked can report it without having to go public, Visa and MasterCard would probably be able to stop a lot more fraud before it happens. I would guess the vast majority of known server compromises go unreported now because companies are afraid to come forward and tarnish their name.
They're not "profiling your consumption," because it's not your money you're spending - it's theirs. Until you pay your bill, you've spent THEIR money, and thus have every right to track what you buy and protect their money from being spent fraudulently.
If someone steals your card and charges up $10K, who do you think gets stuck with the loss? Certainly not you! So if you want them to stop watching what you buy, I'd suggest you agree to be liable for any and all fraudulent charges, without limitation.
Take a Valium, you paranoid, X-File watching, crop-circle worshipping, black-helicopter-fearing freedom-junkie. If you're so scared of it, then cut up your credit card and pay for everything with cash.
On a side note, is anyone else a little worried about how it is presently impossible to live without a bank? In Canada, stores are not obligated to accept cash. That surprised me. It seems to me that cash should be the one things stores should not be allowed to decline. If I choose to pay for my gas with cash, I should be allowed - but that right is not guaranteed in Canada. Think about all the bills you pay in a month. How many of them could be paid with cash? My car payment comes out of my bank account. So does my mortgage. None of my utilities accept cash; cheque or automatic withdrawl only (i.e., bank account required). Is it possible to carry on a normal life without a bank account in present day?
Like woodworking? Build your own picture frames.
pfft, back in my day, we could generate as many valid credit card numbers as we wanted. of course, those usually got used fraudulently....
I think the moral of the story is that CCs are *really* bad from an authentication point of view. For chrissake, the *number* is enough to let you bypass the thing.
A replacement (probably public key/smartcard) system would be a *much* better idea -- you'd have to physically steal a card to abuse it. No more grabbing a database or a recipt and having free rein.
There are only two drawbacks to this: first, there's a *huge* installed base of CC users and support, and second, anyone instituting it (VISA, whatever) is going to have to overcome temptation to try charging percentages of transactions (the reason we don't have e-cash now is because of overly greedy financial services companies who couldn't manage this).
May we never see th
Credit cards work both ways. Be intelligent, and they will be an asset. Be stupid, and they will be a liability.
Sticking feathers up your butt does not make you a chicken - Tyler Durden