Cracker Gains Access to 2.2 Million Credit Cards

Doctor Sbaitso writes "CNN reports that a hacker bypassed the security system of a company that processes credit card transactions and gained access to approximately 2.2 million Visa and MasterCard credit cards. Fortunately, none of them seem to have been used fraudulently."

I think not.

[Latrommi]

Fortunately, none of them seem to have been used fraudulently.

And how exactly do they know that all 2.2 million credit card #'s haven't been used fraudulently? I'm sure that there are at least a small percent of any given set of 2.2 million credit card #'s that are used fraudulently.

oops, missed the credibility express

[nomadic]

Fortunately, none of them seem to have been used fraudulently

Uh, yeah, because it's so easy to verify that two MILLION credit card numbers haven't been used fraudulently.

I mean, come on, just through coincidence I'm sure some of the physical cards themselves have been stolen recently and used fraudulently.

How do they know?

[WIAKywbfatw]

With 2.2 million credit card numbers to check, how do they know that the cards haven't been compromised?

Sure, their owners might not have reported any fraudulent use yet (and the card issuers themselves may not have spotted any) but all it takes is for this hacker/cracker to have made one copy of the records which he then disseminated to one or more friends for a problem to occur.

At the very least, the owners of the system that was broken into should be contacting their customers to let them know that there is a small but real risk that their cards numbers might be out there and that they should double check their statements for any unusual items.

But, given that most companies would see something as proactive as this as marketing suicide (rather than use it to enforce the fact that they do everything to protect the security of their customers), I doubt that they will be so bold.

I wish mine were stolen...

[grahamsz]

I like those odds - not a single fradulent use in 2.2 million cards.

Hell i've had 3 fradulent transactions and only own 3 credit cards and two debit cards.

One thing i've noticed is that my card company seem good at stopping me from spending when they think i'm fradulent. Just put 7 currencies on your card in as many days and alarm bells seem to ring somewhere.... but catching real theives is a little too tricky

OUch

[IanBevan]

Citizens Bank, a financial institution serving the Northeast, shut down the accounts of 8,800 customers whose card numbers had been accessed after being notified by MasterCard on Friday, bank spokeswoman Pamela Crawley said. All of those accounts were safe, she said.

I'll bet those people are just *thrilled* to have their accounts locked out. How many people are going to find their card mysteriously declined when doing their weekly grocery shop then ? I'm betting the bank hasn't made 8,800 phone calls to explain their position.

Hell of a way for VISA/MC to limit their liability - just cancel their cards ??

Re:It's probably a matter of time...

[Spy+Hunter]

How on earth do they know that none of 2.2 million credit cards has been used fradulently in the last 24 hours? Seems pretty impossible to me. I'll bet some of them have for reasons completely unrelated to this hacker anyway. How can you verify something like that on such a huge scale?

Re:PIN numbers?

[Kamel+Jockey]

Can anybody explain to me why credit cards don't have PIN numbers like my ATM card does? Wouldn't this stop a tremendous amount of fraud?

No, because the PINs would probably be stored in the same unsecure manner that the other credit card information was. This is why PINs in general and/or 3 digit auth codes will be ineffective. What's needed here is better site security, not better credit card security.

All someone needs is someone's card number and expiration date and they can do whatever they want.

Kinda... You can actually specify any date in the future and the transaction will validate (if you use a system like Cybercash or Authorize.Net). If however, you have a human on the other side who checks the entered credit card information against what they get from the credit card company, then that human can manually disallow the transaciton.

Unfortunately, the only real way to secure information is to store it in an encrypted form such that the key needed to decrypt the information is physically separated from the machine which contains the data. However, many websites currently use the "key under the doormat" approach to security, which in theory is no better than storing the data unencrypted and hoping that no one hacks into the system and sees it.

Re:When will they learn?

[NaDrew]

Debit cards with PINs / Smartcards are the way to go.

Um, no. Your liability if someone steals and uses your credit card and it's provably your fault: $50.
Your liability if someone steals and uses your debit card and it's provably your fault: every cent in your checking account, every cent in your linked savings, CD, brokerage accounts, and as many overdraw fees as your bank can stick you with.

Re:PIN numbers?

[kiolbasa]

I don't think there's any reason to store the 3 digit number in a database. It's only used during transaction approval. I can see why merchants store accounts numbers, to keep records of transactions and such (though it's just lazy and insecure the way they manage that data sometimes). There really is no need to add a field in their dastabases for the extra 3 digits, since the account number already serves its purpose, and is guaranteed to be unique.

Of course, then the problem is not every merchant verifies the 3 digit code, so a theif doesn't even need it for some transactions. It is in the merchants' best interests to use the code, however, since the merchants foot the bill in fraud claims.

It's still not the greatest system, but it has some potential to curb fraud. Needs refining, but it's better than nothing.

Credit card security is a joke

[koreth]

I used to work on the billing system for a company that took credit card payments, and I have to say the security in the system is just laughable. I have no sympathy whatsoever for the banks losing billions a year to fraud; there are so many simple ways to plug the system's gaping holes that I think it borders on criminal negligence they haven't done so yet. A few examples off the top of my head -- with the caveat that this was all true a few years ago and may be less so today. All of what I'll describe here is pretty rampant already, so I don't think I'm revealing any state secrets.

• Address/ZIP code verification (AVS) is fine and dandy. But for the major US credit cards (Visa, MC) it only works with US addresses! So if you have a Visa card with a Canadian or British billing address, address verification is a no-op. It didn't take our fraudulent customers long to figure that one out.
• And even if you want to use a US ZIP code, all you need to know is the card prefix for a small regional bank (the first 4 digits of a Visa card are a bank ID) that only serves a few ZIP codes, and you can get a pretty good hit rate with random card generation.
• Depending on the issuing bank, you can often use any expiration date you want as long as it's in the future. We used to have an option to automatically bump the expiration date forward by a year when the expiration date on a monthly-billed account went by, and most of the time it worked without any errors even in cases where we knew the bank had issued a new card with a two-year expiration time.

Here are a few things I'd like to see in the credit card infrastructure.

• More strict address verification. Standardize the format of street addresses such that the actual address can be verified on mail-order or online sales, rather than just the ZIP code. Some banks do already support street address verification, but it's not universal and it's pretty unreliable since there are so many different ways to format addresses and they don't always match what's in the bank database. (#10 101 1st St., 101-10 First St., 101 1st Street Suite 10, etc.)
• Require a photo on every credit card, a la Citibank. That plus better AVS makes physical credit card theft a lot less worthwhile.
• Smart account closures. Right now when an event like the one in the article happens, 2.2 million people have to scramble to clean up the mess of recurring payments suddenly failing through no fault of their own. The letter from the bank is followed a couple days later by a nastygram from the cable company or whatever. The infrastructure should be able to shut down a card for new transactions while allowing familiar ones to go through, where "familiar" means a vendor that's charged to the card more than N times over a period of at least M months where the amount of the new charge is within X percent of the previous charges. This one might not appear to benefit the banks at first glance, but it does: when there's a big theft of card numbers, it will cut down on the number of irate customer phone calls they have to field from people whose utilities just got shut off.
• Single-use card numbers. I should be able to call a phone robot or hit a web site, enter my card number, and get back a virtual card number that's good for either a limited amount of time (American Express offers that) or, better still, that's only good for the first vendor who uses it. That way I'd give a different card number for each monthly payment (cable bill, Netflix subscription, etc.) and if the number was stolen, I'd only have to give a new number to that one vendor and the bank's exposure to fraudulent transactions would be negligible.
• PINs. Again, this is more helpful for physical card theft than online theft since the PINs would be in the online databases right alongside the card numbers, but it's an obvious thing that'd make it next to useless to grab someone's wallet intending to use their cards.

Some of these things would be a major overhaul. Some of them wouldn't. But any of them has to be doable for a lot less money than the credit industry claims it loses to fraud every year. I cannot comprehend why they don't do some of these things.

Re:Credit card security is a joke

[g_attrill]

banks losing billions a year to fraud...

Banks don't lose out - they merely do a chargeback to the merchant, and unless they can prove the transaction was authorised they are the ones that lose the money. Since most fraud is mail-order or uses signatures clearly nothing like the one on the card 99% of the time they lose out.

Gareth

No, Seriously, it's better if we don't know who...

The MSN article says "it involved a third party processor" and "they could not disclose the name of that processor."

A third party processor could be, for example, Authorize.net, Verisign, Card Service Intl, or any of the other Payment Gateways, I believe.

I know it sucks that we can't find out which third party processor it is, so we can all stop using them, but I'll take the unpopular position that it's a good idea to not have that information disclosed to the public.

The bad publicity from a mess like this could put a struggling company out of business when everyone stops using them. Do they deserve to go out of business? Sure, but that's not the point.

If a company discovers someone has hacked into one of their servers with access to a database full of credit card numbers, and they know that notifying Visa, MasterCard, and the FBI is going to put them out of business with bad publicity, how many companies are going to report it?

They could rationalize that while there is evidence the server was cracked, there is no proof that someone actually downloaded credit card numbers from the server. Maybe it was a worm that just infected the server and tried to find more vulnerable servers, and did nothing more. Or maybe they were just setting up an ftp server for their mp3 collection.

Is it worth publicly releasing this information that right now only 3 people in the company know about, and all but guarantee they will go out of business? Or should they just rebuild the server, fix the problem, and hope that no credit card numbers were stolen, and if they were, that they don't get traced back to you if they are used fraudulently?

Personally, I was in that situation two years ago, and we opted to just rebuild the server and hope that the 10,000 credit card numbers sitting on the cracked server were never found. Was it the right thing to do? No. Was it illegal? Hard to say. But the negative impact to the company could have been devastating, so we decided to report nothing. We never heard about any of the credit cards being used fraudulently, which wasn't surprising, and we went out of business a year later anyway, which also wasn't surprising.

So my point is, if companies that get cracked can report it without having to go public, Visa and MasterCard would probably be able to stop a lot more fraud before it happens. I would guess the vast majority of known server compromises go unreported now because companies are afraid to come forward and tarnish their name.

Put away your tinfoil hat

[Kombat]

If they manage to find something odd in a bunch of online payments, then they are obviously abusing your privacy by profiling your consumption

They're not "profiling your consumption," because it's not your money you're spending - it's theirs. Until you pay your bill, you've spent THEIR money, and thus have every right to track what you buy and protect their money from being spent fraudulently.

If someone steals your card and charges up $10K, who do you think gets stuck with the loss? Certainly not you! So if you want them to stop watching what you buy, I'd suggest you agree to be liable for any and all fraudulent charges, without limitation.

Take a Valium, you paranoid, X-File watching, crop-circle worshipping, black-helicopter-fearing freedom-junkie. If you're so scared of it, then cut up your credit card and pay for everything with cash.

On a side note, is anyone else a little worried about how it is presently impossible to live without a bank? In Canada, stores are not obligated to accept cash. That surprised me. It seems to me that cash should be the one things stores should not be allowed to decline. If I choose to pay for my gas with cash, I should be allowed - but that right is not guaranteed in Canada. Think about all the bills you pay in a month. How many of them could be paid with cash? My car payment comes out of my bank account. So does my mortgage. None of my utilities accept cash; cheque or automatic withdrawl only (i.e., bank account required). Is it possible to carry on a normal life without a bank account in present day?

Die, credit cards

[0x0d0a]

pfft, back in my day, we could generate as many valid credit card numbers as we wanted. of course, those usually got used fraudulently....

I think the moral of the story is that CCs are *really* bad from an authentication point of view. For chrissake, the *number* is enough to let you bypass the thing.

A replacement (probably public key/smartcard) system would be a *much* better idea -- you'd have to physically steal a card to abuse it. No more grabbing a database or a recipt and having free rein.

There are only two drawbacks to this: first, there's a *huge* installed base of CC users and support, and second, anyone instituting it (VISA, whatever) is going to have to overcome temptation to try charging percentages of transactions (the reason we don't have e-cash now is because of overly greedy financial services companies who couldn't manage this).

OTOH

[Ender+Ryan]

OTOH, if you are an intelligent person, you can conveniently use a credit card to get an instant loan whenever you like, allowing you to purchase things you otherwise wouldn't be able to afford.

Credit cards work both ways. Be intelligent, and they will be an asset. Be stupid, and they will be a liability.