Slashdot Mirror


Security Breach Exposes 40M Credit Cards

The Good Reverend writes "MasterCard International announced today that a security breach at CardSystems Solutions, a third party processor of payment card data, potentially exposed more than 40 million cards. Mastercard is aware of the specific card numbers affected, and is giving its member financial institutions the numbers that may have been compromised. Unlike many of the past high profile cases this one involves a hacker rather than lost packages. CNN Money, the New York Times, Reuters, MSNBC, ZDNet, C|Net, and the Washington Post are also covering the story."

12 of 304 comments

  1. US numbers only? by mr_tap · · Score: 2, Interesting

    I wonder if it was only US CC numbers or if we all have to worry?

  2. Cost of re-issuing cards by 00squirrel · · Score: 2, Interesting

    I've always wondered why credit card companies don't simply cancel and re-issue cards when something like this happens. I read in the MSNBC article that it costs $10.00 per card to do that, which means this particular incident would cost the credit card companies about $400,000,000.00 to reissue cards. That is a ton of money!

  3. What I would like to see by Timesprout · · Score: 4, Interesting

    since people here (Ireland) and the UK are basically being encouraged to rack up debt is someone to crack Mastercard/Visa and wipe out all the amounts owed on credit cards. Might encourage the financial institution to be a little less carefree with their lending policies.

    --
    Do not try to read the dupe, that's impossible. Instead, only try to realize the truth
    What truth?
    There is no dupe
    1. Re:What I would like to see by j0e_average · · Score: 2, Interesting

      It's a double-edged sword....what responsibility should the card companies take for their irresponsible lending practices? For goodness' sake, if you can fog a mirror, you can get credit. In fact, the way the rates are structured on credit cards, the credit card companies EXPECT to write off a percentage of the portfolio. This write-off is insignificant (in relative terms) to the profit they make on the poor saps out there paying 21+% on their accounts. The overnight rate on this money is what, 4%? And being the ever-greedy corporate pigs, the banks now petition Congress to pass "Bankruptcy reform" laws, which essentially prevent Mom and Pop consumers from walking away from their debts after filing bankruptcy. I'm not saying it's morally or ethically right to allow folks to take a free ride on the system, but at the same time, the credit card companies have at least half the blame due to their lending policy. The difference is that they (the banks) have deep pockets with which they can buy legislation. Yes, I do work at a bank...and no I would NEVER contribute to their PAC.

    2. Re:What I would like to see by timeOday · · Score: 3, Interesting
      On the other hand, we could always ask the "responsible" adults who take out these credit cards to actually take responsibility for once and only take out and use credit they can afford to pay back?
      It's counterintuitive, but I don't think this is what the creditors want, really.

      Yes, they would like everybody to be in debt up to their eyeballs and still get 100% repayment, but the simple fact is some percentage of people who borrow to the max will have a period of unemployment, or divorce, or health problems, or simply get discouraged and choose to flake out.

      Getting closer to 100% repayment would require significantly lower levels of personal debt and higher savings. It works out better for creditors, and perhaps even for the GDP of nations, to keep individuals highly motivated - on the edge of financial disaster. The occasional losses are more than compensated by high balances at high interest.

      Creditors like to take on this victim complex whenever somebody fails to repay. But in fact, all investments have risk, including loaning money to people through credit cards. That level of risk is already reflected in the high interest rates that borrowers pay on the cards. Why do companies offer these risky "payday loans"? Because the usurious interest rates and penalty fees more than make up for the losses.

      Creditors also like to blame deadbeats for placing an extra burden on the rest of us good, hardworking and honest citizens. But this too is mostly false, since people are placed in different pools depending on their payment history. Those with significant credit history blemishes are already paying sky-high interest rates - a sort of security against the credit, which they will never get back even if they are perfect borrowers for the rest of their lives.

      And in case you're wondering, no, I don't have bad credit. But I do have only so much pity for the credit card companies, with their crocodile tears, as they demand bankruptcy reform (favorable to themselves, of course) while socking away truckloads of profit. If our law were really putting creditors in an unfair disadvantage, credit would be hard to get, and that would be a problem. Instead, payday loan outfits are sprouting on every corner like mushrooms, and college students with no income can get as many credit cards as they like. That doesn't sound like an under-profitable industry to me.

  4. being a site full of geeks by circletimessquare · · Score: 3, Interesting

    everyone here will be proposing a technical solution

    but let me posit my own nontechnical solution: the processor must pay for a replacement card for every single victim

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
  5. This is simply the price of outsourcing. by 0xdeaddead · · Score: 5, Interesting
    See in the banking industry we run these "penetration scans" all the time, that are TOTALLY WORTHLESS. I cannot emphasize this enough, that running the weakest setup possible will pass their "tests" with flying colours. The people doing these tests (some certified security specialists!) think that firewalls are magical devices that know how to stop the pesky hackers. Bottom line is that people are involved, they are out of their element, and simply placeholders. Management in general needs to get out of this "placeholder" mentality when it comes to jobs, and just fire people that are not doing their jobs.

    Ok enough ranting, but trust me, in the late 90s banks were trying to outsource as many things as possible from customer service, to invoicing, bills, credit collections, applications and so on. As you can see when the "Credit card company" becomes nothing more than a brand, and a board of execs, everything is out of their control, not to mention every piece of the old credit empire is open for attack.....

    If anything the question is why did it take so long to find them?!

  6. Weakest link by hellfire · · Score: 4, Interesting

    It's not surprising someone other than MasterCard actually had a list of card numbers stolen. I have customers all the time tell me how they don't like what they feel are draconian measures to protect the credit card numbers people have in their own systems. What they fail to understand is that Visa and Mastercard require us to do this, and the protections we have are customer service.

    But they still complain, because their customers and they themselves don't ever notice. Hell at one point I was told by a demanding customer to remove the protections because he said "I'll risk it." I was tempted to show him how insecure he was by remotely accessing his system, getting his list of customer phone numbers, and telling all his customers that he was careless with credit card numbers and their numbers could have easily been stolen from his system.

    People are pretty careless about credit card security. It's usually in the name of convenience and visible customer service. Credit card security is invisible service. Being able to purchase something conveniently flies right in the face of having security which just might prevent you from selling something to someone, so some people don't care, as long as they are selling. Owners care once they find out that they'll be issued chargebacks, but individual sales reps will write down every credit card number on a piece of paper if it means making money for them personally.

    Visa and Mastercard have the right idea, and in the press release I like how they said that they gave CardSystems a "limited amount of time" to basically get their act together so this doesn't happen again. Education and enforcement of regulations... nice to see an organization, especially one that is a corporation, actually give a damn.

    --

    "All great wisdom is contained in .signature files"

  7. Re:Proves that the hackers... by whovian · · Score: 2, Interesting

    will always exploit the weakest link in the chain. MasterCard itself might have the best security but what about all the systems downstream?

    Agreed. One wonders how to trust your contractees and outsourcees. It would argue for the most data-secure companies to cut out the middleman and do their own processing.

    The cynical side of me says that there lurks a propaganda campaign to be pushed here by those in favor of introducing a new credit card feature, perhaps RFID or biometrics. I cannot say whether those are good solutions, but it certainly seems that some form of security that requires you to present physical evidence of your credit card or account seems in order -- maybe even a PIN?

    --
    To-do List: Receive telemarketing call during a tornado warning. Check.
  8. Reset the Debt by jvmatthe · · Score: 2, Interesting

    Remember how a notable movie (based on a notable novel) a few years ago had, as part of its plot, a plan to reset the credit card debt of the world? With the rate of security breaches we've seen, I have to wonder if the system won't lead to such a problem on its own, not through someone wanting to reset the debt but rather from a massive case of distributed fraud as the result of these kinds of security breaches.

    I mean, what do you do when something like 40 million transactions could be legit ... or could be bogus? There's no human way to know what's real and what's not if you have to check every one of them. I'm sure they have computerized methods, but I'd imagine that there is still a level of distributed low-level (i.e. not buying boats and plasma TVs) fraud that would disrupt the system in some critical way.

  9. Good thing I have online banking! by MtViewGuy · · Score: 2, Interesting

    That way, I can closely monitor all my bank's account activity to make sure somebody isn't trying to hack into my accounts to steal my money. That was how I was able to find out somebody did an inside job identity theft of my checking account and they stomped out that fraud (and got the "perp" pretty quickly).

    However, before you do online banking, I would recommend you have both antivirus and firewall programs active and run anti-spyware programs at least once a day to keep out keystroke loggers.

  10. Re:Proves that the hackers... by Michael Spencer Jr. · · Score: 2, Interesting

    (I work in the payment processing industry, but other than the article I don't know any more about this incident than you guys do.)

    That makes me wonder: how does the security of different payment processors correlate with their processing rates and operational cost? It seems to me, as a First National employee, that our fancy well-designed computer systems, our multiple security-related departments, etc., increase our cost of doing business, so we get beat on price by a lot of other processors. We're not the cheapest processor out there.

    Since I'm not an industry expert, and I don't know what everybody else charges for processing, I'm curious: for any Slashdotters who are also merchants (own a business, accept credit card payments), does this ring true? Big company, big systems and good security, higher internal cost, higher prices? Small company, smaller systems and maybe less security, lower internal cost, lower prices?