Cracker Gains Access to 2.2 Million Credit Cards

Doctor Sbaitso writes "CNN reports that a hacker bypassed the security system of a company that processes credit card transactions and gained access to approximately 2.2 million Visa and MasterCard credit cards. Fortunately, none of them seem to have been used fraudulently."

How do they know?

[WIAKywbfatw]

With 2.2 million credit card numbers to check, how do they know that the cards haven't been compromised?

Sure, their owners might not have reported any fraudulent use yet (and the card issuers themselves may not have spotted any) but all it takes is for this hacker/cracker to have made one copy of the records which he then disseminated to one or more friends for a problem to occur.

At the very least, the owners of the system that was broken into should be contacting their customers to let them know that there is a small but real risk that their cards numbers might be out there and that they should double check their statements for any unusual items.

But, given that most companies would see something as proactive as this as marketing suicide (rather than use it to enforce the fact that they do everything to protect the security of their customers), I doubt that they will be so bold.

Re:PIN numbers?

[Kamel+Jockey]

Can anybody explain to me why credit cards don't have PIN numbers like my ATM card does? Wouldn't this stop a tremendous amount of fraud?

No, because the PINs would probably be stored in the same unsecure manner that the other credit card information was. This is why PINs in general and/or 3 digit auth codes will be ineffective. What's needed here is better site security, not better credit card security.

All someone needs is someone's card number and expiration date and they can do whatever they want.

Kinda... You can actually specify any date in the future and the transaction will validate (if you use a system like Cybercash or Authorize.Net). If however, you have a human on the other side who checks the entered credit card information against what they get from the credit card company, then that human can manually disallow the transaciton.

Unfortunately, the only real way to secure information is to store it in an encrypted form such that the key needed to decrypt the information is physically separated from the machine which contains the data. However, many websites currently use the "key under the doormat" approach to security, which in theory is no better than storing the data unencrypted and hoping that no one hacks into the system and sees it.

Credit card security is a joke

[koreth]

I used to work on the billing system for a company that took credit card payments, and I have to say the security in the system is just laughable. I have no sympathy whatsoever for the banks losing billions a year to fraud; there are so many simple ways to plug the system's gaping holes that I think it borders on criminal negligence they haven't done so yet. A few examples off the top of my head -- with the caveat that this was all true a few years ago and may be less so today. All of what I'll describe here is pretty rampant already, so I don't think I'm revealing any state secrets.

• Address/ZIP code verification (AVS) is fine and dandy. But for the major US credit cards (Visa, MC) it only works with US addresses! So if you have a Visa card with a Canadian or British billing address, address verification is a no-op. It didn't take our fraudulent customers long to figure that one out.
• And even if you want to use a US ZIP code, all you need to know is the card prefix for a small regional bank (the first 4 digits of a Visa card are a bank ID) that only serves a few ZIP codes, and you can get a pretty good hit rate with random card generation.
• Depending on the issuing bank, you can often use any expiration date you want as long as it's in the future. We used to have an option to automatically bump the expiration date forward by a year when the expiration date on a monthly-billed account went by, and most of the time it worked without any errors even in cases where we knew the bank had issued a new card with a two-year expiration time.

Here are a few things I'd like to see in the credit card infrastructure.

• More strict address verification. Standardize the format of street addresses such that the actual address can be verified on mail-order or online sales, rather than just the ZIP code. Some banks do already support street address verification, but it's not universal and it's pretty unreliable since there are so many different ways to format addresses and they don't always match what's in the bank database. (#10 101 1st St., 101-10 First St., 101 1st Street Suite 10, etc.)
• Require a photo on every credit card, a la Citibank. That plus better AVS makes physical credit card theft a lot less worthwhile.
• Smart account closures. Right now when an event like the one in the article happens, 2.2 million people have to scramble to clean up the mess of recurring payments suddenly failing through no fault of their own. The letter from the bank is followed a couple days later by a nastygram from the cable company or whatever. The infrastructure should be able to shut down a card for new transactions while allowing familiar ones to go through, where "familiar" means a vendor that's charged to the card more than N times over a period of at least M months where the amount of the new charge is within X percent of the previous charges. This one might not appear to benefit the banks at first glance, but it does: when there's a big theft of card numbers, it will cut down on the number of irate customer phone calls they have to field from people whose utilities just got shut off.
• Single-use card numbers. I should be able to call a phone robot or hit a web site, enter my card number, and get back a virtual card number that's good for either a limited amount of time (American Express offers that) or, better still, that's only good for the first vendor who uses it. That way I'd give a different card number for each monthly payment (cable bill, Netflix subscription, etc.) and if the number was stolen, I'd only have to give a new number to that one vendor and the bank's exposure to fraudulent transactions would be negligible.
• PINs. Again, this is more helpful for physical card theft than online theft since the PINs would be in the online databases right alongside the card numbers, but it's an obvious thing that'd make it next to useless to grab someone's wallet intending to use their cards.

Some of these things would be a major overhaul. Some of them wouldn't. But any of them has to be doable for a lot less money than the credit industry claims it loses to fraud every year. I cannot comprehend why they don't do some of these things.