Slashdot Mirror

← Back to Stories (view on slashdot.org)

Cracker Gains Access to 2.2 Million Credit Cards

Posted by timothy on from the check-yer-wallet dept.

Doctor Sbaitso writes "CNN reports that a hacker bypassed the security system of a company that processes credit card transactions and gained access to approximately 2.2 million Visa and MasterCard credit cards. Fortunately, none of them seem to have been used fraudulently."

7 of 500 comments (clear)

  1. oops, missed the credibility express by nomadic · · Score: 4, Insightful

    Fortunately, none of them seem to have been used fraudulently

    Uh, yeah, because it's so easy to verify that two MILLION credit card numbers haven't been used fraudulently.

    I mean, come on, just through coincidence I'm sure some of the physical cards themselves have been stolen recently and used fraudulently.

  2. How do they know? by WIAKywbfatw · · Score: 5, Insightful

    With 2.2 million credit card numbers to check, how do they know that the cards haven't been compromised?

    Sure, their owners might not have reported any fraudulent use yet (and the card issuers themselves may not have spotted any) but all it takes is for this hacker/cracker to have made one copy of the records which he then disseminated to one or more friends for a problem to occur.

    At the very least, the owners of the system that was broken into should be contacting their customers to let them know that there is a small but real risk that their cards numbers might be out there and that they should double check their statements for any unusual items.

    But, given that most companies would see something as proactive as this as marketing suicide (rather than use it to enforce the fact that they do everything to protect the security of their customers), I doubt that they will be so bold.

    --

    "Accept that some days you are the pigeon, and some days you are the statue." - David Brent, Wernham Hogg
  3. I wish mine were stolen... by grahamsz · · Score: 4, Insightful

    I like those odds - not a single fradulent use in 2.2 million cards.

    Hell i've had 3 fradulent transactions and only own 3 credit cards and two debit cards.

    One thing i've noticed is that my card company seem good at stopping me from spending when they think i'm fradulent. Just put 7 currencies on your card in as many days and alarm bells seem to ring somewhere.... but catching real theives is a little too tricky

  4. OUch by IanBevan · · Score: 4, Insightful

    Citizens Bank, a financial institution serving the Northeast, shut down the accounts of 8,800 customers whose card numbers had been accessed after being notified by MasterCard on Friday, bank spokeswoman Pamela Crawley said. All of those accounts were safe, she said.

    I'll bet those people are just *thrilled* to have their accounts locked out. How many people are going to find their card mysteriously declined when doing their weekly grocery shop then ? I'm betting the bank hasn't made 8,800 phone calls to explain their position.

    Hell of a way for VISA/MC to limit their liability - just cancel their cards ??
    --
    Never, ever lose a file again. Ever.
  5. Re:It's probably a matter of time... by Spy+Hunter · · Score: 4, Insightful

    How on earth do they know that none of 2.2 million credit cards has been used fradulently in the last 24 hours? Seems pretty impossible to me. I'll bet some of them have for reasons completely unrelated to this hacker anyway. How can you verify something like that on such a huge scale?

    --
    main(c,r){for(r=32;r;) printf(++c>31?c=!r--,"\n":c<r?" ":~c&r?" `":" #");}
  6. Re:PIN numbers? by Kamel+Jockey · · Score: 5, Insightful

    Can anybody explain to me why credit cards don't have PIN numbers like my ATM card does? Wouldn't this stop a tremendous amount of fraud?

    No, because the PINs would probably be stored in the same unsecure manner that the other credit card information was. This is why PINs in general and/or 3 digit auth codes will be ineffective. What's needed here is better site security, not better credit card security.

    All someone needs is someone's card number and expiration date and they can do whatever they want.

    Kinda... You can actually specify any date in the future and the transaction will validate (if you use a system like Cybercash or Authorize.Net). If however, you have a human on the other side who checks the entered credit card information against what they get from the credit card company, then that human can manually disallow the transaciton.

    Unfortunately, the only real way to secure information is to store it in an encrypted form such that the key needed to decrypt the information is physically separated from the machine which contains the data. However, many websites currently use the "key under the doormat" approach to security, which in theory is no better than storing the data unencrypted and hoping that no one hacks into the system and sees it.

    --
    In case of fire, do not use elevator. Use water!
  7. Credit card security is a joke by koreth · · Score: 5, Insightful
    I used to work on the billing system for a company that took credit card payments, and I have to say the security in the system is just laughable. I have no sympathy whatsoever for the banks losing billions a year to fraud; there are so many simple ways to plug the system's gaping holes that I think it borders on criminal negligence they haven't done so yet. A few examples off the top of my head -- with the caveat that this was all true a few years ago and may be less so today. All of what I'll describe here is pretty rampant already, so I don't think I'm revealing any state secrets.
    • Address/ZIP code verification (AVS) is fine and dandy. But for the major US credit cards (Visa, MC) it only works with US addresses! So if you have a Visa card with a Canadian or British billing address, address verification is a no-op. It didn't take our fraudulent customers long to figure that one out.
    • And even if you want to use a US ZIP code, all you need to know is the card prefix for a small regional bank (the first 4 digits of a Visa card are a bank ID) that only serves a few ZIP codes, and you can get a pretty good hit rate with random card generation.
    • Depending on the issuing bank, you can often use any expiration date you want as long as it's in the future. We used to have an option to automatically bump the expiration date forward by a year when the expiration date on a monthly-billed account went by, and most of the time it worked without any errors even in cases where we knew the bank had issued a new card with a two-year expiration time.

    Here are a few things I'd like to see in the credit card infrastructure.

    • More strict address verification. Standardize the format of street addresses such that the actual address can be verified on mail-order or online sales, rather than just the ZIP code. Some banks do already support street address verification, but it's not universal and it's pretty unreliable since there are so many different ways to format addresses and they don't always match what's in the bank database. (#10 101 1st St., 101-10 First St., 101 1st Street Suite 10, etc.)
    • Require a photo on every credit card, a la Citibank. That plus better AVS makes physical credit card theft a lot less worthwhile.
    • Smart account closures. Right now when an event like the one in the article happens, 2.2 million people have to scramble to clean up the mess of recurring payments suddenly failing through no fault of their own. The letter from the bank is followed a couple days later by a nastygram from the cable company or whatever. The infrastructure should be able to shut down a card for new transactions while allowing familiar ones to go through, where "familiar" means a vendor that's charged to the card more than N times over a period of at least M months where the amount of the new charge is within X percent of the previous charges. This one might not appear to benefit the banks at first glance, but it does: when there's a big theft of card numbers, it will cut down on the number of irate customer phone calls they have to field from people whose utilities just got shut off.
    • Single-use card numbers. I should be able to call a phone robot or hit a web site, enter my card number, and get back a virtual card number that's good for either a limited amount of time (American Express offers that) or, better still, that's only good for the first vendor who uses it. That way I'd give a different card number for each monthly payment (cable bill, Netflix subscription, etc.) and if the number was stolen, I'd only have to give a new number to that one vendor and the bank's exposure to fraudulent transactions would be negligible.
    • PINs. Again, this is more helpful for physical card theft than online theft since the PINs would be in the online databases right alongside the card numbers, but it's an obvious thing that'd make it next to useless to grab someone's wallet intending to use their cards.

    Some of these things would be a major overhaul. Some of them wouldn't. But any of them has to be doable for a lot less money than the credit industry claims it loses to fraud every year. I cannot comprehend why they don't do some of these things.