Security Breach Exposes 40M Credit Cards
The Good Reverend writes "MasterCard International announced today that a security breach at CardSystems Solutions, a third party processor of payment card data, potentially exposed more than 40 million cards. Mastercard is aware of the specific card numbers affected, and is giving its member financial institutions the numbers that may have been compromised. Unlike many of the past high profile cases this one involves a hacker rather than lost packages. CNN Money, the New York Times, Reuters, MSNBC, ZDNet, C|Net, and the Washington Post are also covering the story."
will always exploit the weakest link in the chain. MasterCard itself might have the best security but what about all the systems downstream? Wonder how many more of these transaction processors have been compromised and don't even know it yet.
As the complexity and number of features that are added to information systems increase, the opportunities for compromises grow--probably exponentially. We will see a real change in the security policies only after one of the companies has an enormous financial loss.
But that leaves a little under 3/4 who aren't MasterCard branded. If it was a typical third-party payments system then it is likely that they handled other types of credit cards, just that those companies haven't commented yet.
So when is the other shoe going to fall?
About 25 MILLION of the 40 WERE NOT MasterCard, so there are a WHOLE bunch of credit card providers who like leaving you in the dark here people.
And in other news, the WidgetCard from the WidgetCard corporation, breaking tradition from the main Credit Card corporations, are proud to announce that they have not lost any cardholder's data. This is an especially newsworthy event due to its rareness.
More news at five.
I wonder if it was only US CC numbers or if we all have to worry?
Interest rate: 20%
Annual Fee: $40
Randomly being declined because the machine is on the fritz: $1-$1000 purchase down the drain.
Being the target of fraud through no fault of your own: Priceless.
http://slashdot.org/articles/05/06/17/2155257.shtml?tid=133&tid=95 ... and the article was only 4 hours old.
I've always wondered why credit card companies don't simply cancel and re-issue cards when something like this happens. I read in the MSNBC article that it costs $10.00 per card to do that, which means this particular incident would cost the credit card companies about $400,000,000.00 to reissue cards. That is a ton of money!
since people here (Ireland) and the UK are basically being encouraged to rack up debt, is for someone to crack Mastercard/Visa and wipe out all the amounts owed on credit cards. Might encourage the financial institutions to be a little less carefree with their lending policies.
Do not try to read the dupe, thats impossible. Instead, only try to realize the truth
What truth?
There is no dupe
everyone here will be proposing a technical solution
but let me posit my own nontechnical solution: the processor must pay for a replacement card for every single victim
Banks and financial institutions need to start using public-key encryption to authenticate a user rather than a card number and expiry date. Many visa/master cards already come as smart cards these days and it should be easy to upgrade them to operate as a JavaCard for example. Couple this with a USB card reader issued by the bank. A website can then ask for a signed payment (to be signed in a chip inside the card) valid for a short time period and only usable once in the transaction only. You verify it by looking at the reader, or a display on the card itself and reading the name of the store you're making the payment for, and press a button on the card or on the reader to grant/deny it. In this way, no external software outside the card is involved with granting money which can be tampered with. The signature takes place in the card. No credit card numbers stored. Payment made. Everyone's happy.
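The scheme in the post above (card-held private key, a one-time signed payment for a named store, confirmed on the reader, with nothing but a public key stored off-card) worked through in Go as an added example. This is not the poster's code and not anything CardSystems or the card networks ran; the account ID, the message layout, the 16-byte nonce and the `Settle` API are all assumptions made for the illustration. Ed25519 stands in for whatever signature scheme a JavaCard would actually carry.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// PaymentAuth is the message the card signs after the holder has read the
// merchant name and amount on the reader display and pressed confirm. It
// carries no card number: the processor maps an opaque account ID to a public
// key, which is of no use to whoever steals the processor's database.
type PaymentAuth struct {
	Merchant string
	Amount   uint64 // minor units (cents)
	Nonce    [16]byte
	Expires  int64 // unix seconds
}

// encode gives the exact bytes that are signed; length-prefixed and fixed-width
// fields mean two different authorizations can never serialize the same way.
func (p *PaymentAuth) encode() []byte {
	var u [8]byte
	out := make([]byte, 0, 2+len(p.Merchant)+8+16+8)
	binary.BigEndian.PutUint16(u[:2], uint16(len(p.Merchant)))
	out = append(out, u[:2]...)
	out = append(out, p.Merchant...)
	binary.BigEndian.PutUint64(u[:], p.Amount)
	out = append(out, u[:]...)
	out = append(out, p.Nonce[:]...)
	binary.BigEndian.PutUint64(u[:], uint64(p.Expires))
	return append(out, u[:]...)
}

// Card is the chip. The private key is generated on the card and never exported.
type Card struct{ priv ed25519.PrivateKey }

func NewCard() (*Card, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Card{priv: priv}, pub
}

// Authorize runs inside the card once the holder has confirmed merchant and
// amount on the reader; the result is valid once, for ttl, for that merchant.
func (c *Card) Authorize(merchant string, amount uint64, now time.Time, ttl time.Duration) (PaymentAuth, []byte) {
	auth := PaymentAuth{Merchant: merchant, Amount: amount, Expires: now.Add(ttl).Unix()}
	if _, err := rand.Read(auth.Nonce[:]); err != nil {
		panic(err)
	}
	return auth, ed25519.Sign(c.priv, auth.encode())
}

var (
	ErrUnknownAccount = errors.New("unknown account")
	ErrExpired        = errors.New("authorization expired")
	ErrWrongMerchant  = errors.New("authorization was signed for a different merchant")
	ErrBadSignature   = errors.New("signature does not verify")
	ErrReplay         = errors.New("authorization already used")
)

// Processor holds only public keys plus the nonces it has already honored
// (in a real system those can be dropped once their Expires has passed).
type Processor struct {
	pubs map[string]ed25519.PublicKey
	seen map[[16]byte]bool
}

func NewProcessor() *Processor {
	return &Processor{pubs: map[string]ed25519.PublicKey{}, seen: map[[16]byte]bool{}}
}

func (p *Processor) Enroll(account string, pub ed25519.PublicKey) { p.pubs[account] = pub }

// Settle is called by the merchant with the authorization the reader handed it.
// submittedBy is the merchant identity the processor authenticated on its side,
// so a store cannot redeem an authorization the holder approved for another store.
func (p *Processor) Settle(account, submittedBy string, auth PaymentAuth, sig []byte, now time.Time) error {
	pub, ok := p.pubs[account]
	if !ok {
		return ErrUnknownAccount
	}
	if now.Unix() > auth.Expires {
		return ErrExpired
	}
	if auth.Merchant != submittedBy {
		return ErrWrongMerchant
	}
	if !ed25519.Verify(pub, auth.encode(), sig) {
		return ErrBadSignature
	}
	if p.seen[auth.Nonce] {
		return ErrReplay
	}
	p.seen[auth.Nonce] = true // recorded only after every other check passes
	return nil
}

func main() {
	card, pub := NewCard()
	proc := NewProcessor()
	proc.Enroll("acct-1", pub)
	auth, sig := card.Authorize("Example Books", 1999, time.Now(), 60*time.Second)
	fmt.Println("first settle:", proc.Settle("acct-1", "Example Books", auth, sig, time.Now()))
	fmt.Println("replay:", proc.Settle("acct-1", "Example Books", auth, sig, time.Now()))
}
```

The order of checks in `Settle` matters: the nonce is only burned after the signature verifies, otherwise anyone who can guess a nonce could deny a legitimate payment before it arrives. The expiry window is what keeps the processor's replay set small.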
The summary fails to mention that it isn't only Mastercard that is affected (e.g., look at the Washington Post article). VISA is affected as well, as are others. Apparently the breach was detected by the company handling the cards (CardSystems Solutions, Inc.) on May 22, but was only announced by Mastercard now, though they had been notifying banks in the interim. VISA spokespeople claim that they did not announce it sooner because there was an ongoing FBI investigation.
Jeez, even the mainstream news channels have been reporting this since at least 9am local time (6 hours ago) and credit cards are hardly even used over here.
Seriously, news like this is important and should be spread as quickly as possible. It's a sad day when major international tech-related sites of slashdot's size take this long to report these things.
Best wait until Monday, when the new opening for Head of Information Security will be posted.
laws should be passed to protect not only what information can be stored but also how.
And that outsourcing adds complexity and more weak points that can fail.
A stupid question:
How can anyone possibly get so much information by hacking somewhere?
Being a semi-pro IT person, I'd think downloading so much information at once would be easy to spot and could be made impossible too (and who needs so much info at once anyway?)
Or did they get so much information by getting it all one by one?
To ensure that no one places any fraudulent charges on our credit cards, let's all run out to our favorite toy stores and run up our cards to their limits.
Sheesh, evil *and* a jerk. -- Jade
From what I recall, debit card transactions don't give you the same protection as credit card transactions, even though they're both 'mastercard' or 'visa' branded and have identical looking numbers.
Is there a form somewhere that I can enter my credit card information to check if my cc number has been compromised? :p
...I thought maybe I really did order that 13" translucent pink dildo while I was drunk the other night.
Ok enough ranting, but trust me, in the late 90s banks were trying to outsource as many things as possible, from customer service to invoicing, bills, credit collections, applications and so on. As you can see, when the "credit card company" becomes nothing more than a brand and a board of execs, everything is out of their control, not to mention every piece of the old credit empire is open for attack.....
If anything the question is why did it take so long to find them?!
As usual, private industry is regulating itself and solving its own problems.
If the Government got involved they'd regulate these companies and we'd have security breaches all over the place, like the IRS...
Oh wait, exactly how many IRS breaches have we had so far?
Someone get me a direct line to Fox News, STAT!!!
or at least a very important aspect of the story.
/. readers are always so preoccupied (and rightly so, as this example shows) with what happens to their personal data, this aspect shouldn't be overlooked.
"MasterCard said its investigation found that CardSystems, in violation of MasterCard's rules, was storing cardholders' account numbers and security codes on its computer systems. That information, MasterCard said, was supposed to be transferred to the bank handling the merchants' transactions but not retained by CardSystems."
As
Why did it take /. so long to cover this story? I mean the political sites had this story 12 hours ago.
/.?
What has happened to
I look at about 5 news sites (drudge, abcnews, newsmax, cnn, foxnews).
This was an interesting event as I saw this first about a day/day-and-a-half ago on one site. Sometimes a news item will maybe hit 2 or three of these sites. One by one, this became a major news item on all five.
this is starting to capture peoples attention.
eric
That's because a lot of the times articles on these are submitted to the slashdot editors but they reject them for one reason or another (too much other news, editor doesn't think it is interesting, etc.) I know I submitted this yesterday but my submission was rejected, but now someone else resubmitted another day and it was accepted. It's just the way the system works.
> Check out their careers page.
I wonder how many of those open positions have opened up since May 22.
If I worked there I'd certainly be looking for a lifeboat.
Or was it Eric S. Raymond who illegally stole the credit card information?
The press may co-opt our sub-cultural language for their own gross-oversimplification purposes. That doesn't mean Slashdot has to follow suit.
Definition from the Jargon File:
hacker n. [originally, someone who makes furniture with an axe]
Could someone be so kind to check if my credit card number was exposed?
;-)
My cc number is 5122-5655-1459-0444.
Reverse code: 444
If it was exposed I want to cancel it so the hacker cant use it.
Thanks.
It's not surprising someone other than MasterCard actually had a list of card numbers stolen. I have customers all the time tell me how they don't like what they feel are draconian measures to protect the credit card numbers people have in their own systems. What they fail to understand is that Visa and Mastercard require us to do this, and the protections we have are customer service.
But they still complain, because their customers and they themselves don't ever notice. Hell at one point I was told by a demanding customer to remove the protections because he said "I'll risk it." I was tempted to show him how insecure he was by remotely accessing his system, getting his list of customer phone numbers, and telling all his customers that he was careless with credit card numbers and their numbers could have easily been stolen from his system.
People are pretty careless about credit card security. It's usually in the name of convenience and visible customer service. Credit card security is invisible service. Being able to purchase something conveniently flies right in the face of having security which just might prevent you from selling something to someone, so some people don't care, as long as they are selling. Owners care once they find out that they'll be issued chargebacks, but individual salesreps will write down every credit card number on a piece of paper if it means making money for them personally.
Visa and Mastercard have the right idea, and in the press release I like how they said that they gave cardsystems a "limited amount of time" to basically get their act together so this doesn't happen again. Education and enforcement of regulations... nice to see an organization, especially one that is a corporation, actually give a damn.
Jesus, yes people, please RTFA.
You'll soon find out that all major credit card companies were hit by this, that they all commented, that they all knew about the problem since May 22, but kept quiet, on the request of the FBI (or so they claim).
And please mods, how about RTFA yourselves before modding an obvious troll like the parent informative?
Remember how a notable movie (based on a notable novel) a few years ago had, as part of its plot, a plan to reset the credit card debt of the world? With the rate of security breaches we've seen, I have to wonder if the system won't lead to such a problem on its own, not through someone wanting to reset the debt but rather from a massive case of distributed fraud as the result of these kinds of security breaches.
... or could be bogus? There's no human way to know what's real and what's not if you have to check every one of them. I'm sure they have computerized methods, but I'd imagine that there is still a level of distributed low-level (i.e. not buying boats and plasma TVs) fraud that would disrupt the system in some critical way.
I mean, what do you do when something like 40 million transactions could be legit
It's always some mundane detail.
To end this kind of thing is to make the companies handling records financially responsible for any problems. Triple the amount in damages to each misused account. They won't do anything until it affects the P&L severely. It's the only thing big corporations understand.
Credit, like electricity, is provided to people to use as a tool. One can use that tool responsibly. For instance:
1. Don't buy things you can't afford
2. Don't stick your finger in a light socket
Or one can use such tools irresponsibly and think that consequences don't apply to them.
I wonder which type of person you are?
I'm a big tall mofo.
Wouldn't that be a 'cracker' not a hacker?
they'll have fun trying to use it... there's zero credit left at the moment... if they like, they could always put some back on it first...
How many more times does American business have to get ass-raped before they wake up and smell teh coffee - WINDOWS IS FUCKING INSECURE YOU GODDAMN DINOSAURS!!!!!
I.e., pass the cost to the consumer. Of course there are any number of simple technological and business procedural solutions, but since the route of least resistance is through the consumer, that's how the credit card companies are going to do business.
Don't forget the super-duper-high-security last three digits on the back of the card!
I'm sure it's no problem at all that many online vendors ask for those last three digits and then store them alongside your credit card number and expiration date. Security problem solved. Done, and done.
That way, I can closely monitor all my bank's account activity to make sure somebody isn't trying to hack into my accounts to steal my money. That was how I was able to find out somebody did an inside job identity theft of my checking account and they stomped out that fraud (and got the "perp" pretty quickly).
However, before you do online banking, I would recommend you have both antivirus and firewall programs active and run anti-spyware programs at least once a day to keep out keystroke loggers.
Well, I just call in once a year to mastercard and tell them I lost the card. Then they issue you a new card with a new number.
... particularly with the new bankruptcy laws.
The irony is, they will not issue 40 million new cards because it costs them about $5-10 a card.
I might have to call in twice this year.
Better to be safe than sorry
Is there an option not to use the internet? Sadly, sometimes I wish there could be.
It's worth mentioning that they're hiring people with VMS and WindowsNT experience. Small wonder the malicious code got in there.
On a side note, I'm starting to get the feeling that the story mods reject almost any submitted story by default, then the other mods look at the story, re-word it, then post the story to front page news claiming an article for them.
Oh wait, exactly how many IRS breaches have we had so far?
I doubt the IRS would be forthcoming if there was a breach (although there are the occasional articles about corrupt IRS employees). In fact, a breach would probably be classified and not be allowed to be published. In contrast, a card processing company knows that it exposes itself to greater liability if it fails to alert its partners (card issuers/banks) of a problem.
from Mastercard's Newsroom | Global Press Releases "Upon receiving notice from MasterCard, banks are able to take the appropriate steps to protect their cardholders from potential fraud. No highly sensitive information, such as social security numbers or dates of birth or the like, are stored on MasterCard cards. "
No idea how Mastercard could think that account details aren't classed as highly sensitive information - perhaps this is the reason for the lax security!
there are some numbers hackers can't steal
for everything else there's MasterCard
(Accepted all over, even if it's not yours.)
Even on Slashdot hackers get a bad name. Hackers are people who love to play with technology, not cause carnage and destruction. This guy is a "criminal".
Torrent, anyone?
My bank over here in Holland uses a similar system to authenticate its online banking. You have your card (with a chip on it), you know your PIN (very weak password IMHO) and you get a standalone reader that you have to put your card in, punch in your PIN and an 8-digit number generated by them. It generates a 6-digit code that you have to enter in the webpage.
It has no connection to your computer, so no incompatibilities for Mac/Linux users and no chance of spyware/keyloggers making off with valuable passwords. You identify with what you know and what you have. The processor only has to know the public part of the keypair (the private one is on your card, probably 'encrypted' with your PIN). If such a processor is breached, they will not get any info on the card.
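The disconnected reader described in the post above, as an added example in Go; this is not the poster's bank's implementation and the details are assumed. One caveat worth making explicit: a 6-digit response cannot be a truncated asymmetric signature, because the verifier needs the whole signature to check it, so readers of this kind derive the code from a secret shared between the chip and the bank (HOTP-style HMAC truncation is used here). That shared key is exactly what the bank has to keep in an HSM, which is the trade-off against the full-signature design of the earlier post, where the server keeps only public keys. The PIN check with a retry counter runs inside the chip, the bank consumes each challenge once, and both comparisons are constant-time.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

const maxPinTries = 3

var (
	ErrCardLocked = errors.New("card locked after too many wrong PINs")
	ErrWrongPin   = errors.New("wrong PIN")
)

// CardChip is the secure element. The key never leaves it; the reader passes a
// PIN and a challenge in and gets six digits out. (Assumed design.)
type CardChip struct {
	key      []byte
	pinHash  [32]byte
	pinTries int
}

func hashPin(pin string) [32]byte { return sha256.Sum256([]byte("pin:" + pin)) }

func NewCardChip(key []byte, pin string) *CardChip {
	return &CardChip{key: key, pinHash: hashPin(pin)}
}

// Respond checks the PIN on the chip with a retry counter (the PIN is short,
// so the counter is what makes it worth anything), then derives the code.
func (c *CardChip) Respond(pin string, challenge uint32) (string, error) {
	if c.pinTries >= maxPinTries {
		return "", ErrCardLocked
	}
	h := hashPin(pin)
	if subtle.ConstantTimeCompare(h[:], c.pinHash[:]) != 1 {
		c.pinTries++
		return "", ErrWrongPin
	}
	c.pinTries = 0
	return responseCode(c.key, challenge), nil
}

// responseCode: HMAC-SHA256 over the challenge, dynamic truncation, six digits.
func responseCode(key []byte, challenge uint32) string {
	var msg [4]byte
	binary.BigEndian.PutUint32(msg[:], challenge)
	mac := hmac.New(sha256.New, key)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f
	v := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", v%1000000)
}

// Bank holds the per-card keys (in practice inside an HSM) and the one
// challenge currently outstanding for each account.
type Bank struct {
	keys    map[string][]byte
	pending map[string]uint32
	random  func() uint32
}

func NewBank(random func() uint32) *Bank {
	return &Bank{keys: map[string][]byte{}, pending: map[string]uint32{}, random: random}
}

func (b *Bank) Enroll(account string, key []byte) { b.keys[account] = key }

// Challenge issues the 8-digit number the web page shows the customer.
func (b *Bank) Challenge(account string) uint32 {
	ch := b.random() % 100000000
	b.pending[account] = ch
	return ch
}

// Verify consumes the outstanding challenge whether or not the code matches, so
// a captured code is worthless after one use and every guess costs a new challenge.
func (b *Bank) Verify(account, code string) bool {
	ch, ok := b.pending[account]
	if !ok {
		return false
	}
	delete(b.pending, account)
	key, ok := b.keys[account]
	if !ok {
		return false
	}
	want := responseCode(key, ch)
	return subtle.ConstantTimeCompare([]byte(want), []byte(code)) == 1
}

func cryptoRandom() uint32 {
	var b [4]byte
	if _, err := rand.Read(b[:]); err != nil {
		panic(err)
	}
	return binary.BigEndian.Uint32(b[:])
}

func main() {
	key := make([]byte, 32) // provisioned into the chip and the bank at issue time
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	chip, bank := NewCardChip(key, "4711"), NewBank(cryptoRandom)
	bank.Enroll("acct-1", key)
	ch := bank.Challenge("acct-1")
	code, err := chip.Respond("4711", ch)
	fmt.Println("challenge:", ch, "code:", code, "err:", err, "accepted:", bank.Verify("acct-1", code))
}
```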
Yes and gay people walk around happy all day (actually, they might, but the usage of the word has changed)
Deal with it.
Now imagine a headline in 10 years: "120 Million biometric data stolen". It seems that the technical challenges to keep data secure have sunk in already. This credit card data breach could support these concerns.
VISA won't certify you if you persist CVV codes. CVV codes can only be kept in RAM and must be discarded after CVV response is received.
Unless your name is Roland Picquepaille or however the hell he spells it. The editors will post whatever piece of shit he submits.
Bet they used it.
Only got themselves to blame.
"Yes, maybe credit card companies should have a "responsibility test" which takes into account whether potential customers are willing to take responsibility for their actions and reject those who would rather not, however their current checks such as credit reference checks and the like do give a fairly accurate picture of people's finances and the people applying for these cards should take responsibility rather than blaming the card companies themselves."
Unless we're talking about computers and possession. Then the rules for responsibility are different.
Or at least receiving a fine from each of the credit card companies that were breached - the various agreements companies sign do include fines (that could apply to either party) for various performance and compliance failures. Also, I suppose the banks could sue if they felt so inclined, which would probably end up in some sort of settlement.
Dunno if there are potential government fines or not.
Yes and gay people walk around happy all day
That would be a good analogy if only there was a culture of straight gay people that was upset about being associated with homosexuals.
Looks like they're a Microsoft .NET house: http://www.cardsystems.com/careers/DevDotNet_0501.pdf
This may not be much of a revelation, but how about we give everyone a tattoo (maybe on their hand, or even their forehead), and make presentation of that tattoo with a number matching that on their card a requirement for any transaction.
What do you think, could a system like that be prophetable?
That if a company loses personal information, then that company is liable for a $1000 fine per person affected, plus any additional fees, fines, and moneys to pay to correct the problem(s).
As any small business owner will attest, it is incredibly difficult to obtain reasonable business insurance, especially professional liability, and even more so when they don't understand the technology behind your business itself. The reason is that the insurance industry is running scared about terrorism, the great "unknown" world of IT, and our generally vindictive litigious society.
None of these factors are in their actuarial tables, so they presume you're going to cost them millions of dollars. They don't care whether they understand or not; they're simply not willing to take the risk.
Now, how do you suppose the insurance company will treat your small business, if it happens to accept credit cards for payment? Not good.
Do you suppose they'll care how paranoid you are about data security? Will they care how many levels of protection you afford the data of your customers?
The answer is a resounding "no" to all. They don't have the technical acumen to judge what is and what is not appropriate (honestly, too few people who call themselves "security experts" do). And they don't care. They simply raise the rates to astronomical levels, with a big "screw you" attitude, because they're somewhat ironically not at all in the business of taking risks.
Sometimes I think Slashdot saves the juicier stories for busier times of the day/week. It's no fun to join a discussion that fizzled out 4 hours ago. The news sites don't have this problem.
But we would need to tread carefully. A fine line there is between 'safe' and 'inaccessible' and 'secret'. I could imagine a dark situation, which is already kind of here, where enormous databases of personal info and customer billing information can never be challenged or queried by Joe Public in the interests of 'keeping it safe'.
Sorry to sound like some burnt out old hippy but all these problems with leaks/hackers/whatever are a just a symptom of the problems of mass consumer credit driven and data collecting society.
And it won't go away with ID cards or similar ideas either, although I do wonder if this incident actually either 1) never happened, or 2) didn't happen to the extent it did, just to keep softening up Joe Public for more and more draconian measures to keep us 'safe'. After all, the debate about stopping terrorism with things like ID cards has really been effectively lost. Wouldn't surprise me now if governments are trying to find a new angle on this to sell to the sheep out there.
Tyler Durgan, is that you?
From the CNNMoney article:
"It looks like a hacker gained access to CardSystems' database and installed a script that acts like a virus, searching out certain types of card transaction data."
This news item was presented on CNN (TV) in a way to make a non-technical person believe that the company was hit with a virus. The part which should have been emphasized is the "hacker gained access".
Hmm... Apparently we all must have pissed off the hackers and now they're targeting the big fish. Apparently those of us in IT and the programmers writing browsers, firewalls, and other tools might have sufficiently locked down the typical user's system to prevent this sort of thing.
Now since the only two choices are direct social engineering of the end-users out of their data, or going after the warehouses that contain what they want, I wonder if this kind of thing is now expected to only escalate in a really big way. They should now go after a congressional law change that makes this kind of major hacking a death-penalty punishable offense... Hmmm...
Just thinking...
Timing, unfortunately, has become a major component of the news release cycle. Here's how news timing works:
1. If a pretty white woman goes missing, (or is dying) it's instant news all the time on the U.S. cable news channels. The news channels will instantly increase the cost of advertising on a sliding scale based on how white, how pretty, and how rich the missing woman is.
2. If Amnesty International's accusations about torture and desecration of religious objects at U.S. "held without charges" camps are borne out by internal government documents, then the news is broken at 7:30 p.m. on a Friday night, briefly discussed on Sunday while everyone is at church, and forgotten by Monday morning.
3. If a popular Democratic president gets a blowjob, it's all blowjobs, all the time on every news network.
4. If there is reasonably clear evidence that a Republican president trumped up intelligence to get us involved in a $300 Billion war, it'll never be seen in print or heard on TV.
Now you know how the U.S. "liberal" news media cycle works.
Exercise: Using what you've learned, what can you tell us about the MasterCard breach story? Do you think MasterCard released the news on a Friday night for any particular reason?
Is there a form somewhere that I can enter my credit card information to check if my cc number has been comprimised?
Yes, just click here, enter your credit card number, PIN, and mother's maiden name (or other passphrase), CVI# if applicable, and they will confirm that your card has fallen into the hands of identity thieves.
Good luck.
By now, most slashdot hackers should be aware of the differences between the media use of 'hacker' and the proper use of hacker. Just like being desensitized to violence on TV.
The head of security is also the help desk and unix system admin Tucson is a small town and I live here
Does anyone have any insight?
Yes and gay people walk around happy all day
That would be a good analogy if only there was a culture of straight gay people that was upset about being associated with homosexuals.
The issue is that the word "gay" was hijacked by a group of people who don't want to be called (are ashamed of????) what they are: homosexual.
Homosexual isn't an evil word. Why try to obfuscate what you really are?
I was in the public sector for a while. People always would look at me for poo-pooing direct deposit. Little did they know that the bank involved had them running the data over on a weekly basis on a floppy disk. The program to generate that disk was the biggest chunk of crap I've seen in my software days (from my coding and all the 2 bit shareware I've seen) Scary stuff.
Now I'm in a bigger corp, that not only demands that you are direct deposit, but is now trying to get you to give up the paper copy they send you to tell you they paid you. (No thank you) That and now the crapware exists as what we are supposed to do our expense reporting to AMEX. My wife (still in the public sector) already has to go online and print hers regularly if she wants to keep it. (Ask yourself if you trust your company to not lose that data.) This is *not* tin foil hat stuff folks. I can't wait until some outsourced online paycheck viewing software gets hacked and people are in the same boat.
People outside the sectors have to realize. We want this stuff. But not with the mentality that this industry treats things. Things are very lax, and the players in the field seem to be mostly "consultants" that don't really know what they are doing but are good at making the higher ups feel better. This needs to be opened up. The data formats need to be transparent and there needs to be some competition. If your system can't stand someone knowing how it works and still be secure, it wasn't "secure" begin with.
So where is the site that's tracking all of this crap anyway. Step up with a link for some Karma points. Let's see ratings, by company, on who has it together (or not yet hacked at least). Then people can start ditching groups that don't protect their info. (Or at least give someone new a chance to lose it)
Who said anything about an issue? He was fleshing out an analogy not asking for a random tangent of quasi-related history.
What would happen if even a small percentage of those people figured, "Hey lemme get some free stuff outta this." They all started maxing out their credit cards and when the bill came said, "No sir, my card's been in my wallet the whole time."
The credit card company knows that card number likely was compromised, but thinking you may be the one who charged the goods, they have no way to prove it though. Imagine if even 4 million people did that.
I had credit cards stolen so many times and you can't imagine how much trouble I had to go through that I decided to give up credit cards altogether. Cash is king and I am happily back to cash.
I like how the Post titles it:
"40 Million Credit Card Numbers Are Hacked"
Someone needs to go over there with a clue bat and replace "hacked" with something more accurate like "compromised", or like Slashdot, "exposed", of if they want to try to use the correct lingo "cracked".
The CNN article says they discovered the breach on May 22. So this guy had a whole month to do damage with said numbers already! Thanks a bunch, corps, for telling us in such a timely manner...
*sigh*
somebody sues these companies. The company who was cracked was running MS. If a civil law suit is started against the company AND against the CIO for running an insecure OS (and most likely an insecure set-up), then we would see changes.
I have a "no hassle" Visa card from Capital One.
-What's in your wallet?
There is -no- incentive for any company in payments processing to do anything else but make a profit.
Dilbert PHB's are in charge of your data. This despite Visa/Mastercard rules.
These PHB's they put their full faith and credit in:
- A Windows Server infrastructure. The rest is just weird hobby OS stuff.
- Has never heard of PGP, PKI, PKCS. That's just bad-guy stuff.
- Believe that email is secure. I need a password to get my mail right?
- Hire IT folks that agree with them. "There's no budget for anything else." says the PHB.
Visa/Mastercard is a federation of the largest banks in the country. Do you think they are going to let their cash-cow get burdened by additional costs and regulations?
What about -their- (visa/mc banks) merchant services organization? (firstdata.com) How much theft have they had? It's likely you will never know. You'll find out about theft from their small-time competitor in AZ, but firstdata? Not likely.
http://sympaticomsn.ctv.ca/servlet/ArticleNews/story/CTVNews/1119107850615_136?hub=topstories
All these information break-ins have hit every company that I don't use..I've never had a mastercard.. oh until that day
a one-store retailer.
There seem to be any number of companies out there who want my card acceptance processing. (I get cold-called once or twice a month.) A lot of them seem to be resellers for the big national processors. They *ALL* compete on price. I've never had one of them even mention security procedures.
And actually, as far as I am concerned, the security of my processor is not my problem. As long as my terminal software isn't an arcane mess, I don't get any bogus approvals, my legitimate transactions get transmitted to the card companies on deadline, and the cash winds up in my bank account when it's supposed to, then I'm satisfied.
IMO the security issue belongs to the card companies. They're the ones that wind up paying the cost of fraud, and if they don't like the way a processor does its security, then they should not allow it to handle their cards.
(And as a practical matter, I've usually gone with the processor recommended by my bank. At worst, it only costs a bit more, while at best it gives me another hammer (my banker) should there be a dispute. And it means I don't have to deal with issues for which I have neither the time nor the expertise.)
Last time I checked, Trojans were found mostly 1. in jeans pockets on a Saturday night, 2. on Windows machines.
And sure enough, Netcraft tells us that the horny hypothesis can safely be discarded. It's Windows all right:
Now, I realize that this doesn't mean necessarily that the CC numbers are kept on a Windows machine, but this is apparently an MS shop, so that's not surprising.--
Mad science! Robots! Underwear! Cute girls! Full comic online! http://www.girlgeniusonline.com/
April 2001 - March 2005 Security Administrator, CardSystems, Inc.
- Responsible for maintaining all aspects of security
- Limited recent security breach to a mere 40 million cardholder accounts, out of a possible 200 million- an 80% reduction,
- Worked closely with team members to monitor and ensure transaction integrity- we successfully prevented 99% of the methods known to pose substantial risk.
- Provided off-site backup services for our clients, preventing catastrophic loss due to irrecoverable system malfunction.
Dammit, why did my mod points have to expire *yesterday*? That comment is a thing of beauty.
They made this issue public, so our banks can be notified, so we (the consumers) can know.
Obviously they've noticed that the public isn't so thrilled when we find out about a breach that happened years before we were told.
Visa wasn't going to tell us anytime soon. God knows how long the investigation would take until they released the info to us.
Wake up.
It is scary but not surprising that so much information can be hacked. The reality is that 24/7 security monitoring and research by companies and corporations will be needed forever to try and maintain security of personal information such as this. Also, there is the fact that it will still not be 100 percent secure.
However, my thoughts are that most individuals, businesses, companies, corporations and governments do not want to add this type of resource because of the tremendous cost involved. Many individual and small businesses may not be able to afford it.
Most would rather hire the person or group that says we will guarantee the security of your information data for this much. Which presentation do you think would sell in a board meeting? Here are two made-up and abbreviated information briefs or sales pitches to some boards in a corporation to clarify some of my thoughts here:
"It will take many new measures, constant research, consistent new education and many resources to bring the security of this data to the safest possible levels. It will never be 100 percent secure but by maintaining this vigilance we can have some assurance of protected data."
Or
"We have some of the brilliant minds constantly researching security applications and procedures that will virtually monitor and protect your systems from any threats or breaches. The resources are implemented with user-friendly GUI systems. Most of the work such as maintenance and updates will be done by the software, algorithms and bots that will assist in keeping the costs lower but the security extremely high."
Well enough of my 2 cents for now...
~BlogCruiser~
Hackers are people who love to play with technology, not cause carnage and destruction. This guy is a "criminal".
Hackers are people who love to play with technology, who *MAY* also like to cause carnage and destruction.
White or black, a hack is a hack.
paintball
So, let's call ourselves something else. We can think of a new name. Let the word 'hacker' go ahead and be a reference to criminal activity.
which means this particular incident would cost the credit card companies about $400,000,000.00 to reissue cards. That is a ton of money!
Excellent deduction, Sherlock.
...not hackers. Hackers are the ones who built the systems. It was crackers (probably teenage punk wannabe hackers in their mom's basement) but nonetheless crackers.
What kind of vulnerability could be opened on a Windows machine that would allow that much network traffic? Do you think we will ever learn the details of the attack and if there is a patch that could have been in place to prevent it?
According to http://blogs.ittoolbox.com/security/investigator/, the disclosure may have been to cover their ass or keep the thugs from using the info?
I hope I wasn't one of the victims.
The distinction between hacker and cracker was not made in computer geek culture (e.g. Usenet) prior to the first mainstream media exposure circa 1983 (on CBS, IIRC?). The computer community didn't distinguish between "hacking" as (in)elegant writing of code and "hacking" as systems penetration and perversion; it was all part of the continuum. Anyone who practiced SP&P was at the time considered a "hacker", although not all hackers were in SP&P. This lack of foresight led to the mainstream use of "hacker" to describe anyone in SP&P, which has continued to the present even though, while "script kiddies" practice a (crude) form of SP&P, most are not even larval "hackers" of the classic meaning.
Attempts to close the barn door after the horse has left, however, are futile-- and in this case, have been for decades. You will not get the mushroom cloud back into its happy little plutonium sphere; live with it.
//Information does not want to be free; it wants to breed.
Only a matter of time until each American has had their credit card info compromised at least once. Once everyone's identity is by default stolen, we might be able to make a case to use something other than your retirement account number as the key that gives someone access to your whole life, the universe and everything.
<grub> Reading
I know! Tweaker! Oh wait... Hmmmm...
I am the tech guy for a processing company that uses
CardSystems. We have a VPN connection to CardSystems that uses all the strong encryption. The big problem is that CardSystems is an old VAX system, with a monthly changed password. If one of the receptionists at my company gets some spyware installed that can beat all of our current anti-virus/spyware/trojan stuff, it really is not that hard to log on to CardSystems from there. And as we can see, once you're in, you have access to lots and lots of stuff.
When I heard this on the news (We were not informed at all!!) I broke out into a sweat, please God don't let this be us!
Most of these processors are very small companies; you have to have big money to get started but it takes 2 to 3 years to start seeing a profit, so for the first 2 years it's a shoestring security budget, if any security is there at all.
As an aside, I went to help another processor fix his VPN and he had an open wireless network... with MS file sharing turned on, of course! This seems common.
I am surprised this doesn't happen every weekend.
Slightly off-topic, perhaps, but I'm very curious:
I thought that the credit info was stored in the bank where you get your card from, and in the few credit reporting agencies in the country of credit?.. So, does it mean that your credit history does follow you around the world after all?..
From news.netcraft.com, whatever that is.... http://news.netcraft.com/archives/2005/06/18/lax_security_cited_in_massive_credit_card_data_theft.html
With 40M cards exposed, what's the probability that my card will be exploited?
White or black, a hack is a hack.
I thought it was bad every time somebody brought up the politically correct way of referring to "cybercriminals" and whatnot, but now you're bringing race into this? Touché
'Yes, firefox is indeed greater than women. Can women block pops up for you? No. Can Firefox show you naked women? Yes.'
The death penalty is only appropriate when it is impossible to protect society from a criminal. This is never the case with any form of cracking-- simply don't give them access to a computer and they cannot repeat their crime.
A lifelong prison sentence would be the most that would be a legit punishment.
Luke-Jr
Hackers are people who love to play with technology, who *MAY* also like to cause carnage and destruction.
That applies to any group of people. A better example of this than the gay/homosexual analogy is the misconception that to be a faithful Moslem necessarily means that you are anti-American, or a terrorist or whatever. Again, some are... But there are a great many Christian and Jewish terrorists out there too. Same as there are many hackers who are not terrorists.
Anyone who takes hacking or religion too seriously (I.E. uses it to harm others) is probably suffering from some kind of delusion.
How much is your time worth to you?
-- No matter how great your triumphs or how tragic your defeats, approximately one billion Chinese couldn't care less.
MUAHAhAHAHAHAHAhahahaahAHAHAHAHAHAhAH!!!
(b wahahahah)
"A witty saying proves nothing." ~Voltaire
"d'Oh!" ~Homer
Sometimes just for fun I'll type in a random 3 digit security code when ordering online (with my own card of course). My order usually goes through without a hitch. Try it some time. It seems pretty useless to me.
Are these companies even _trying_?!? I am letting every representative I have know that I demand accountability for loss of personal data. I want _any_ company keeping so much as my initials on record to be accountable in the MILLIONS of dollars for losing ANY records. This should force one of two things to happen. Their first option is to secure their systems. Their second option is to stop storing massive amounts of data on me to eliminate their accountability.
Shouldn't MasterCard have had CardSystems "demonstrate compliance" before sending them even one credit card number? Or is this a usage of "requirements" with which I am unfamiliar?
(Unix & Network) (Security & SysMgmt)
I have never, nor will I ever sign up for MasterCard.
To be honest, though, I had no way of knowing this would happen. One would think that I could back this up with things like bad service, or higher average interest, etc.
The real reason I don't use MasterCard is because on every single one of them there is a Venn diagram in hideous colors looking back at me. If second grade were taught in a bowling alley, the MasterCard symbol is what would be on the wall as a guide to comparing and contrasting.
Your brain is not a computer.
If you are 1 minute late with a payment - $39 fee.
If you are late paying a credit card, your other credit cards can jack the rate to the max - universal default.
Got a problem with e-bay or pay-pal? Good luck getting a hold of anyone. Got a problem with equifax? Good luck with that one.
Took me a year to get a car that my ex-wife refinanced off my credit report. They said I had not paid the loan in a year. That's true, because I NO LONGER EVEN HAD THE LOAN!
These are huge companies that would never think twice about making your life more expensive and more hellish, but if you have a legitimate problem, it's almost impossible to get to these faceless companies. Absolutely they should be forced to replace ALL cards in question EVERY time this happens. They are making so much money off of so many people and yet, they don't get the slightest punishment when they screw up.
Mod parent redundant, that is what the parenthesis said in the original.
Well yeah. But none of what you posted said it ran windows.
I heard about this on the local Chicago news last night (06/17). It was one of the first stories reported. Heck they were doing promos for the 10PM news all evening long that mentioned the breach. For it to take the lead over the daily reporting of Chicago city government corruption was quite surprising. I jumped onto the normal sites where I would have expected to get more information about this incident (including /.) and found no mention of this story. Anywhere. There were, though, stories about telepresence and terraforming to be found here. So I guess this story should have had a science fiction component to get onto /. earlier. If only Theo de Raadt had ranted about it...
CUR ALLOC 20195.....5804M
If you mean the amount involved in the fraudulent transaction, then it might be true.
but credit card companies might face legal action as well, with amounts that exceeds many times the cost of the actual transaction so that in the long run they can lose, too.
START RANT
in the short term, however, managers and directors of those companies do not usually worry because this impact rarely shows up by the end of the current fiscal year (legal action takes time to happen and eventual losses were already forwarded to the merchants, remember). so those people can still meet their profit forecasts and wall street analysts (the ones who look at balances and think they understand the inner workings of an individual company) get happy and excited about these execs.
what do they do in the following fiscal year, you might ask. well, some of them who are lucky or well-connected enough can actually go to work in some other corporation, leaving the mess to the newcomer.
that's why, imho, they do not really care at all.
on the other hand, making them fully accountable would just increase those executives' compensation by a lot, since they would face the risk of going to jail or something like it due to something they never really knew about (management tends to hide those kinds of things from the next higher hierarchical level and so on), but i fail to see if they can actually be held responsible for these security problems without blaming someone else (attorneys can be very persuasive in court sometimes). anyway, as a result, they would get paid a lot more to take that risk and the cost of credit would increase. security, however, would stay laughable as it is today.
upon public indignation, the government steps in and recognizes this fact and implements some stupid, ineffective piece of legislation to appease stockholders, requiring a lot of static, law-mandated checks in an ever-changing environment (security) and the cycle never ends.
as said before, costs to the consumer only go up and up, because corporations might contract insurance against those unknown risks (it's way easier to do a financial settlement with an insurance co than to carry a fully-fledged change management program in a large-size corp) and because legislation usually requires yet another layer of auditors who are contracted just to make sure that the company is in compliance with something hackers circumvented long ago.
END RANT
there's a more polished treatment of this kind of reasoning under the name "agency theory", so this is not entirely based on paranoia, but if you think all this is just too stark and cynical, i am not ashamed to agree with you.
and damn, that was a long rant.
you can see the job posting for a DB Admin requires UNIX Oracle DB Admin experience.
.NET IIS stuff is only front end web sites...
The
Ooops, sorry, cut-and-paste missed a line. Here, look for yourself: http://toolbar.netcraft.com/site_report?url=http://www.cardsystems.com
Read on down to the end of MasterCard's press release.
. asp?ID=61946
... We have tracking systems in place to find the common point of interaction."
The U.S. Government is currently considering legislation to expand the Gramm-Leach-Bliley law requiring better security procedures for personal financial information. Currently MasterCard is subject to this law - third party processors are not. I would not be at all surprised if no real accounts have actually been compromised, but then I like tin foil hats.
In fact, MasterCard is already backtracking:
http://www.accessnorthga.com/news/ap_newfullstory
Now the number of cards considered "at risk" is only 68,000 - and the spokesperson for MasterCard says "It wasn't a large amount of fraud, just an abnormal pattern that triggered our system."
Of course, no person who isn't a criminal could oppose "protecting" your personal information better, could they? Especially if it helps protect the children...
Final 2006 "Proof of Global Warming" US Hurricane Count -> 0
First of all, the modern credit cards, i.e. smart cards, allow you to use PKI if you are using a chip reader. There are certificates from Visa, from your bank and from the reader manufacturer. However, the same card has a magnetic stripe, which only holds the credit card number, expiration date and some other values like possible limits.
What is important is that you cannot eliminate the legacy authentication method, i.e. number and expiration date, because you would then have no way to authorize offline transactions. If you do not allow offline transactions, it will paralyze commerce in some places like cruise ships, mountains, gas stations etc. Communications are expensive these days, and new technologies like GSM card readers are expensive as well. Millions of such readers are required, and even they have their own flaws, like the stupid PKI implementation and WiFi/GSM bugs.
And more: why your proposed system is stupid. Because it depends not on VISA or MasterCard but on a specific bank, and there are a bunch of banks even in Paraguay, and I can only imagine how many of them operate in New York. So imagine a small shop, half of it occupied by super-secure card readers.
However, what you described is a simplified version of current smart card PKI infrastructure. The point is - it should not be used alone, although it is more secure.
But thinking more on this subject, I think that in the future, I don't know how near, all your bank cards, no matter the system, VISA or Amex, will be on one card, one chip, the same as in your mobile phone. In fact, it will be on your mobile phone chip. It is possible, and the only difficulty here is who will own this card: the mobile operator, the bank, or you...
"cracker: n.
One who breaks security on a system. Coined ca. 1985 by hackers in defense against journalistic misuse of hacker (q.v., sense 8). An earlier attempt to establish worm in this sense around 1981--82 on Usenet was largely a failure."
"It looks like a hacker gained access to CardSystems' database and installed a script that acts like a virus, searching out certain types of card transaction data."
A virus -- that sounds like windows. I wonder if the company could be sued for using an insecure operating system.