Security Breach Exposes 40M Credit Cards
The Good Reverend writes "MasterCard International announced today that a security breach at CardSystems Solutions, a third party processor of payment card data, potentially exposed more than 40 million cards. Mastercard is aware of the specific card numbers affected, and is giving its member financial institutions the numbers that may have been compromised. Unlike many of the past high profile cases this one involves a hacker rather than lost packages. CNN Money, the New York Times, Reuters, MSNBC, ZDNet, C|Net, and the Washington Post are also covering the story."
will always exploit the weakest link in the chain. MasterCard itself might have the best security, but what about all the systems downstream? Wonder how many more of these transaction processors have been compromised and don't even know it yet.
BP http://www.card-central.com
But that leaves a little under 3/4 who aren't MasterCard branded. If it was a typical third-party payments system then it is likely that they handled other types of credit cards, just that those companies haven't commented yet.
So when is the other shoe going to fall?
Nihil Illegitemi Carborvndvm
Banks and financial institutions need to start using public-key encryption to authenticate a user rather than a card number and expiry date. Many visa/master cards already come as smart cards these days and it should be easy to upgrade them to operate as a JavaCard for example. Couple this with a USB card reader issued by the bank. A website can then ask for a signed payment (to be signed in a chip inside the card) valid for a short time period and only usable once in the transaction only. You verify it by looking at the reader, or a display on the card itself and reading the name of the store you're making the payment for, and press a button on the card or on the reader to grant/deny it. In this way, no external software outside the card is involved with granting money which can be tampered with. The signature takes place in the card. No credit card numbers stored. Payment made. Everyone's happy.
Banu
the processor must pay for a replacement card for every single victim
And one more: Processors should have mandatory insurance against this event. Then the insurance company would check their security with a keen eye....
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
> Apparently the breach was detected by the company handling the cards (CardSystems Solutions, Inc.) on May 22
One source I read said it was detected by the credit card companies when they noticed an upturn in the number of fraudulent transactions being reported to them by banks, and only then traced back to the clearinghouse.
> VISA spokespeople claim that they did not announce it sooner because there was an ongoing FBI investigation.
Yeah, supposedly there was an agreement to silence (for good reasons or bad), and the other participants are surprised (and probably outraged) that M/C broke the news.
And while the "FBI investigating" story is at least a semi-plausible reason for silence, I suspect the real motivation was "OMFG, let's stall as long as we can and hope Jesus comes back before word gets out". As mentioned in other threads, there are estimates that it will cost a billion dollars to replace all those cards.
Also, IIRC, in the past these exposures have always turned out to be much larger than first reported.
Sheesh, evil *and* a jerk. -- Jade
The way to end this kind of thing is to make the companies handling records financially responsible for any problems. Triple the amount in damages to each misused account. They won't do anything until it affects the P&L severely. It's the only thing big corporations understand.
Professional Politicians are not the solution, they ARE the problem.
Even on Slashdot hackers get a bad name. Hackers are people who love to play with technology, not cause carnage and destruction. This guy is a "criminal".
My bank over here in Holland uses a similar system to authenticate its online banking. You have your card (with a chip on it), you know your PIN (very weak password IMHO) and you get a standalone reader that you have to put your card in, punch in your PIN and an 8-digit number generated by them. It generates a 6-digit code that you have to enter in the webpage.
It has no connection to your computer, so no incompatibilities for Mac/Linux users and no chances of spyware/keyloggers making off with valuable passwords. You identify with what you know and what you have. The processor only has to know the public part of the keypair (the private one is on your card, probably 'encrypted' with your PIN). If such a processor is breached, they will not get any info on the card.
This space is intentionally staring blankly at you
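The signed-payment scheme proposed a few comments up (private key held inside the card, authorization valid for a short time and usable once, holder reads the store name on the reader and presses grant or deny) and the Dutch card-plus-reader flow described just above both come down to the same verifier-side checks: a signature over the payee and amount, a nonce that is accepted once, an expiry, and a processor database that holds public keys only. The Go program below is an added example, not code from this thread or from any bank or processor mentioned in it. It assumes an Ed25519 keypair generated on the card, a processor that enrols only the public half, and a constructed sample card ID and merchant name; the `confirm` callback stands in for the button on the reader.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Authorization is what the card signs; payee and amount are bound into the signature.
type Authorization struct {
	CardID    string
	Payee     string
	Amount    uint64 // minor units (cents)
	Nonce     [16]byte
	ExpiresAt int64 // Unix seconds
}

// message serialises the fields in a fixed order so signer and verifier hash the same bytes.
func (a Authorization) message() []byte {
	var u [8]byte
	b := append(append(append([]byte(a.CardID), 0), []byte(a.Payee)...), 0)
	binary.BigEndian.PutUint64(u[:], a.Amount)
	b = append(append(b, u[:]...), a.Nonce[:]...)
	binary.BigEndian.PutUint64(u[:], uint64(a.ExpiresAt))
	return append(b, u[:]...)
}

// Card models the chip: the private key is generated inside and never exported.
type Card struct {
	ID   string
	Pub  ed25519.PublicKey // the only key material the processor ever receives
	priv ed25519.PrivateKey
}

func NewCard(id string) (*Card, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	return &Card{ID: id, Pub: pub, priv: priv}, err
}

// Sign models the reader flow: the holder confirms payee and amount on the display, then the chip signs.
func (c *Card) Sign(a Authorization, confirm func(payee string, amount uint64) bool) ([]byte, error) {
	if a.CardID != c.ID || !confirm(a.Payee, a.Amount) {
		return nil, errors.New("declined: wrong card or holder refused")
	}
	return ed25519.Sign(c.priv, a.message()), nil
}

// Processor stores public keys only, so a breach of its database cannot forge a payment.
type Processor struct {
	keys    map[string]ed25519.PublicKey
	pending map[[16]byte]bool // nonces issued but not yet seen back
	now     func() time.Time  // injectable clock
}

func NewProcessor(now func() time.Time) *Processor {
	return &Processor{keys: map[string]ed25519.PublicKey{}, pending: map[[16]byte]bool{}, now: now}
}

func (p *Processor) Enroll(id string, pub ed25519.PublicKey) { p.keys[id] = pub }

// NewChallenge issues a fresh nonce and a short validity window for one payment.
func (p *Processor) NewChallenge(cardID, payee string, amount uint64, ttl time.Duration) (Authorization, error) {
	var nonce [16]byte
	if _, err := rand.Read(nonce[:]); err != nil {
		return Authorization{}, err
	}
	p.pending[nonce] = true
	return Authorization{CardID: cardID, Payee: payee, Amount: amount, Nonce: nonce, ExpiresAt: p.now().Add(ttl).Unix()}, nil
}

// Verify accepts an authorization at most once; unknown card, unissued or replayed nonce, expiry and any altered field are rejected.
func (p *Processor) Verify(a Authorization, sig []byte) error {
	pub, ok := p.keys[a.CardID]
	issued := p.pending[a.Nonce]
	delete(p.pending, a.Nonce) // single use, whatever the outcome below
	switch {
	case !ok:
		return errors.New("unknown card")
	case !issued:
		return errors.New("nonce not issued or already spent (replay)")
	case p.now().Unix() > a.ExpiresAt:
		return errors.New("authorization expired")
	case !ed25519.Verify(pub, a.message(), sig):
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	p := NewProcessor(time.Now)
	card, _ := NewCard("card-0001") // constructed sample card
	p.Enroll(card.ID, card.Pub)
	auth, _ := p.NewChallenge(card.ID, "Example Books", 1999, 2*time.Minute)
	sig, _ := card.Sign(auth, func(string, uint64) bool { return true })
	fmt.Println("first use:", p.Verify(auth, sig), "| replay:", p.Verify(auth, sig))
}
```

The point the two comments make is visible in the data layout: `Processor` never holds anything that can produce a signature, so the CardSystems-style breach of its records yields nothing reusable. Consuming the nonce on any outcome means a tampered or late submission also burns the challenge, so a fresh one must be issued and re-confirmed by the holder rather than retried.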
Yes and gay people walk around happy all day (actually, they might, but the usage of the word has changed)
Deal with it.
liqbase
Now imagine a headline in 10 years: "120 Million biometric data stolen" It seems that the technical challenges to keep data secure have sunk in already. This credit card data breach could support these concerns.
Yes and gay people walk around happy all day
That would be a good analogy if only there was a culture of straight gay people that was upset about being associated with homosexuals.
Looks like they're a Microsoft .NET house: http://www.cardsystems.com/careers/DevDotNet_0501.pdf
Of course, the CC companies DON'T CARE if you are trying to get some free stuff. They will happily issue chargebacks and give you your money back. The only person hurt here is the merchant, who loses the amount of the sale, a transaction fee of a few percent of the sale price in both directions (one for the sale, one for the chargeback), and a chargeback fee of at least $35 per item being forcefully refunded.
So as you can see, it is the merchants that people are abusing, not the CC companies. The CC companies pocket the chargeback fee as well as double the transaction fees, without having to pay out a cent to the merchant. The customer gets their free item and all of their money back, and the merchant is out one item and probably $40 or more, depending on that item's cost.
I'm not suggesting that people should withhold from reporting fraudulent use of their cards, but it is easy for people to get away with stealing from merchants, and neither the thieves taking the CC numbers, nor the people abusing the situation and getting free stuff are hurting the CC companies at all.
Morphing Software
I fail to see why this is made out to be such a big deal by the consumers. Have any of you read the service agreement/contract for any of the major credit cards? Do you know what you are liable for in the event of a fraudulent/unauthorized charge? If you did, you'd probably be unable to care less about stories like this.
The basic liability for consumers under MasterCard and Visa is $50 (probably per incident). Now, that could be a problem, except for the fact that MC and Visa waive that liability. So, what are your responsibilities when it comes to reporting fraud? Simple: you report the unauthorized charge to your bank, usually via the 800 number on the back of the card, within 24 (or possibly 48) hours after discovering the fraudulent activity. This means that if you don't open your bill for two months, and so discover the charge six weeks after it happened, you can call in the next day and have ZERO liability. The best part is, since it was a credit card, it's not YOUR money that is lost - unlike a debit card. Hint hint: always use a credit card to buy stuff, not debit or ATM cards.
The real losers here are the merchants, who get stuck with the ~4% per transaction fee and often have to eat the cost of the fraudulent purchase. OTOH, how many merchants can afford NOT to honor the major credit cards?
Here's the thing though, the credit card companies aren't suffering financial losses.
When a fraudulent charge is made, you call them. They call the merchant and say, "Sorry bud, you just got pwned."
The merchants take the hit. So credit card companies could really care less.
~X~
Hackers are people who love to play with technology, not cause carnage and destruction. This guy is a "criminal".
Hackers are people who love to play with technology, who *MAY* also like to cause carnage and destruction.
White or black, a hack is a hack.
paintball