Security Breach Exposes 40M Credit Cards
The Good Reverend writes "MasterCard International announced today that a security breach at CardSystems Solutions, a third-party processor of payment card data, potentially exposed more than 40 million cards. MasterCard is aware of the specific card numbers affected, and is giving its member financial institutions the numbers that may have been compromised. Unlike many of the past high-profile cases, this one involves a hacker rather than lost packages. CNN Money, the New York Times, Reuters, MSNBC, ZDNet, C|Net, and the Washington Post are also covering the story."
will always exploit the weakest link in the chain. MasterCard itself might have the best security, but what about all the systems downstream? Wonder how many more of these transaction processors have been compromised and don't even know it yet.
BP http://www.card-central.com
As the complexity and number of features that are added to information systems increase, the opportunities for compromises grow, probably exponentially. We will see a real change in security policies only after one of the companies has an enormous financial loss.
But that leaves a little under 3/4 who aren't MasterCard branded. If it was a typical third-party payments system then it is likely that they handled other types of credit cards, just that those companies haven't commented yet.
So when is the other shoe going to fall?
Nihil Illegitemi Carborvndvm
About 25 MILLION of the 40 WERE NOT MasterCard, so there are a WHOLE bunch of credit card providers who like leaving you in the dark here, people.
And in other news, the WidgetCard from the WidgetCard corporation, breaking tradition from the main credit card corporations, is proud to announce that they have not lost any cardholder's data. This is an especially newsworthy event due to its rareness.
More news at five.
I wonder if it was only US CC numbers or if we all have to worry?
Interest rate: 20%
Annual Fee: $40
Randomly being declined because the machine is on the fritz: $1-$1000 purchase down the drain.
Being the target of fraud through no fault of your own: Priceless.
Pulp Audio Weekly - Geek News and Reviews
I've always wondered why credit card companies don't simply cancel and re-issue cards when something like this happens. I read in the MSNBC article that it costs $10.00 per card to do that, which means this particular incident would cost the credit card companies about $400,000,000.00 to reissue cards. That is a ton of money!
since people here (Ireland) and the UK are basically being encouraged to rack up debt is for someone to crack MasterCard/Visa and wipe out all the amounts owed on credit cards. Might encourage the financial institutions to be a little less carefree with their lending policies.
Do not try to read the dupe, thats impossible. Instead, only try to realize the truth
What truth?
There is no dupe
everyone here will be proposing a technical solution
but let me posit my own nontechnical solution: the processor must pay for a replacement card for every single victim
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
Banks and financial institutions need to start using public-key encryption to authenticate a user rather than a card number and expiry date. Many Visa/MasterCard cards already come as smart cards these days, and it should be easy to upgrade them to operate as a JavaCard, for example. Couple this with a USB card reader issued by the bank. A website can then ask for a signed payment (signed by a chip inside the card) valid for a short time period and usable only once, in that transaction. You verify it by looking at the reader, or a display on the card itself, reading the name of the store you're making the payment to, and pressing a button on the card or on the reader to grant/deny it. In this way, no external software outside the card, which could be tampered with, is involved in granting money. The signature takes place in the card. No credit card numbers stored. Payment made. Everyone's happy.
Banu
The summary fails to mention that it isn't only Mastercard that is affected (e.g., look at the Washington Post article). VISA is affected as well, as are others. Apparently the breach was detected by the company handling the cards (CardSystems Solutions, Inc.) on May 22, but was only announced by Mastercard now, though they had been notifying banks in the interim. VISA spokespeople claim that they did not announce it sooner because there was an ongoing FBI investigation.
Jeez, even the mainstream news channels have been reporting this since at least 9am local time (6 hours ago), and credit cards are hardly even used over here.
Seriously, news like this is important and should be spread as quickly as possible. It's a sad day when major international tech-related sites of slashdot's size take this long to report these things.
Best wait until Monday, when the new opening for Head of Information Security will be posted.
I'm scared of numbers that can't be written as a fraction. It's an irrational fear.
laws should be passed to protect not only what information can be stored but also how.
And that outsourcing adds complexity and more weak points that can fail.
A stupid question:
How can anyone possibly get so much information by hacking somewhere?
Being a semi-pro IT person, I'd think downloading so much information at once would be easy to spot and could be made impossible too (and who needs so much info at once anyway?).
Or did they get so much information by getting it all one by one?
Nobody knows the trouble I've seen, nobody knows has the trouble seen me, even I sometimes wonder why I write these line
To ensure that no one places any fraudulent charges on our credit cards, let's all run out to our favorite toy stores and run up our cards to their limits.
Sheesh, evil *and* a jerk. -- Jade
From what I recall, debit card transactions don't give you the same protection as credit card transactions, even though they're both 'mastercard' or 'visa' branded and have identical looking numbers.
creation science book
Is there a form somewhere that I can enter my credit card information to check if my cc number has been compromised? :p
Ok, enough ranting, but trust me, in the late 90s banks were trying to outsource as many things as possible, from customer service to invoicing, bills, credit collections, applications and so on. As you can see, when the "credit card company" becomes nothing more than a brand and a board of execs, everything is out of their control, not to mention every piece of the old credit empire is open for attack.....
If anything the question is why did it take so long to find them?!
Why did it take /. so long to cover this story? I mean the political sites had this story 12 hours ago.
/.?
What has happened to
I look at about 5 news sites (Drudge, ABC News, Newsmax, CNN, Fox News).
This was an interesting event, as I saw this first about a day/day-and-a-half ago on one site. Sometimes a news item will maybe hit 2 or three of these sites. One by one, this became a major news item on all five.
This is starting to capture people's attention.
eric
That's because a lot of the times articles on these are submitted to the slashdot editors but they reject them for one reason or another (too much other news, editor doesn't think it is interesting, etc.) I know I submitted this yesterday but my submission was rejected, but now someone else resubmitted another day and it was accepted. It's just the way the system works.
Quality Hosting e3 Servers
> Check out their careers page.
I wonder how many of those open positions have opened up since May 22.
If I worked there I'd certainly be looking for a lifeboat.
Sheesh, evil *and* a jerk. -- Jade
Or was it Eric S. Raymond who illegally stole the credit card information?
The press may co-opt our sub-cultural language for their own gross-oversimplification purposes. That doesn't mean Slashdot has to follow suit.
Definition from the Jargon File:
hacker n. [originally, someone who makes furniture with an axe]
Could someone be so kind to check if my credit card number was exposed?
;-)
My cc number is 5122-5655-1459-0444.
Reverse code: 444
If it was exposed I want to cancel it so the hacker can't use it.
Thanks.
> Why would crackers want to hack the IRS?
Probably a gold mine for identity theft resources.
Also, lots of people give their bank account's routing number for automagic deposit of their refund. Maybe there's a way to forge that kind of transaction and clean out people's bank accounts?
Sheesh, evil *and* a jerk. -- Jade
It's not surprising someone other than MasterCard actually had a list of card numbers stolen. I have customers all the time tell me how they don't like what they feel are draconian measures to protect the credit card numbers people have in their own systems. What they fail to understand is that Visa and Mastercard require us to do this, and the protections we have are customer service.
But they still complain, because their customers and they themselves don't ever notice. Hell at one point I was told by a demanding customer to remove the protections because he said "I'll risk it." I was tempted to show him how insecure he was by remotely accessing his system, getting his list of customer phone numbers, and telling all his customers that he was careless with credit card numbers and their numbers could have easily been stolen from his system.
People are pretty careless about credit card security. It's usually in the name of convenience and visible customer service. Credit card security is invisible service. Being able to purchase something conveniently flies right in the face of having security which just might prevent you from selling something to someone, so some people don't care, as long as they are selling. Owners care once they find out that they'll be issued chargebacks, but individual sales reps will write down every credit card number on a piece of paper if it means making money for them personally.
Visa and Mastercard have the right idea, and in the press release I like how they said that they gave cardsystems a "limited amount of time" to basically get their act together so this doesn't happen again. Education and enforcement of regulations... nice to see an organization, especially one that is a corporation, actually give a damn.
"All great wisdom is contained in .signature files"
Sounds great. Let's make it as hard to buy something from a store as it is to file a tax return. As a paid tax preparer, my profits would go through the roof.
Remember how a notable movie (based on a notable novel) a few years ago had, as part of its plot, a plan to reset the credit card debt of the world? With the rate of security breaches we've seen, I have to wonder if the system won't lead to such a problem on its own, not through someone wanting to reset the debt but rather from a massive case of distributed fraud as the result of these kinds of security breaches.
I mean, what do you do when something like 40 million transactions could be legit... or could be bogus? There's no human way to know what's real and what's not if you have to check every one of them. I'm sure they have computerized methods, but I'd imagine that there is still a level of distributed low-level (i.e. not buying boats and plasma TVs) fraud that would disrupt the system in some critical way.
Curmudgeon Gamer: Not happy
To end this kind of thing is to make the companies handling records financially responsible for any problems. Triple the amount in damages to each misused account. They won't do anything until it affects the P&L severely. It's the only thing big corporations understand.
Professional Politicians are not the solution, they ARE the problem.
Credit, like electricity, is provided to people to use as a tool. One can use that tool responsibly. For instance:
1. Don't buy things you can't afford
2. Don't stick your finger in a light socket
Or one can use such tools irresponsibly and think that consequences don't apply to them.
I wonder which type of person you are?
I'm a big tall mofo.
Not to mention the name, address and SSN itself (which, AFAIK, are on every tax return, by nature) being practically the keys to the whole kingdom...
--- Grow a pair, liberals... stop letting the Republicans bully you!
Wouldn't that be a 'cracker' not a hacker?
they'll have fun trying to use it... there's zero credit left at the moment... if they like, they could always put some back on it first...
Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
Don't forget the super-duper-high-security last three digits on the back of the card!
I'm sure it's no problem at all that many online vendors ask for those last three digits and then store them alongside your credit card number and expiration date. Security problem solved. Done, and done.
I'm a big tall mofo.
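The comment above points at vendors that keep the three-digit security code next to the card number and expiry. The scanner below is an added example, not code from the post or from any vendor: it walks constructed sample merchant records, flags any field that still holds a security code, and flags full card numbers, using the Luhn checksum to avoid matching arbitrary digit runs. The field names, record layout and sample values are assumptions made for the illustration; the card numbers are standard test numbers.

```python
"""Scan stored merchant records for card data that should never be retained.

Added example (not from the thread). Field names, records and the masking
format are constructed for illustration.
"""
import re

# Field names a security code might hide under (assumed names, not a standard list).
SECURITY_CODE_FIELDS = {"cvv", "cvv2", "cvc", "cid", "security_code", "card_code"}

# 13-19 digits, optionally separated by spaces or dashes.
PAN_PATTERN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the Luhn-valid card numbers found in text, as bare digit strings."""
    found = []
    for m in PAN_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(digits: str) -> str:
    """Keep only the first six and last four digits (the usual display form)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def retention_violations(record: dict) -> list:
    """Describe every field in record that retains data it should not."""
    problems = []
    for key, value in record.items():
        if key.lower() in SECURITY_CODE_FIELDS and str(value).strip():
            problems.append(f"{key}: security code stored")
        for pan in find_pans(str(value)):
            problems.append(f"{key}: full card number stored ({mask_pan(pan)})")
    return problems


def scan_records(records: list) -> dict:
    """Map record index -> violations, omitting clean records."""
    result = {}
    for i, rec in enumerate(records):
        problems = retention_violations(rec)
        if problems:
            result[i] = problems
    return result


# Constructed sample records; the card numbers are standard test numbers.
SAMPLE_RECORDS = [
    {"order": 1001, "card": "4111 1111 1111 1111", "exp": "06/07", "cvv": "123"},
    {"order": 1002, "card_token": "tok_8f3a2c", "last4": "0004", "cvv": ""},
    {"order": 1003, "note": "customer phoned, card 5500-0000-0000-0004 declined"},
    {"order": 1004, "phone": "5555551234567890"},   # 16 digits but fails Luhn
]

if __name__ == "__main__":
    for idx, problems in scan_records(SAMPLE_RECORDS).items():
        print(f"record {idx}: " + "; ".join(problems))
```

Record 1002 is the shape a merchant should keep: a processor-issued token, the last four digits for display, and nothing in the security-code field. The free-text note in record 1003 is the case a schema review misses, which is why the scan runs over every string value rather than only the card column.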
That way, I can closely monitor all my bank's account activity to make sure somebody isn't trying to hack into my accounts to steal my money. That was how I was able to find out somebody did an inside job identity theft of my checking account and they stomped out that fraud (and got the "perp" pretty quickly).
However, before you do online banking, I would recommend you have both antivirus and firewall programs active and run anti-spyware programs at least once a day to keep out keystroke loggers.
It's worth mentioning that they're hiring people with VMS and WindowsNT experience. Small wonder the malicious code got in there.
Direct away from face when opening.
Oh wait, exactly how many IRS breaches have we had so far?
I doubt the IRS would be forthcoming if there was a breach (although there are the occasional articles about corrupt IRS employees). In fact, a breach would probably be classified and not be allowed to be published. In contrast, a card processing company knows that it exposes itself to greater liability if it fails to alert its partners (card issuers/banks) of a problem.
Two wrongs don't make a right, but three lefts do.
from Mastercard's Newsroom | Global Press Releases "Upon receiving notice from MasterCard, banks are able to take the appropriate steps to protect their cardholders from potential fraud. No highly sensitive information, such as social security numbers or dates of birth or the like, are stored on MasterCard cards. "
No idea how Mastercard could think that account details aren't classed as highly sensitive information - perhaps this is the reason for the lax security!
there are some numbers hackers can't steal
for everything else there's MasterCard
(Accepted all over, even if it's not yours.)
You can hold down the "B" button for continuous firing.
Even on Slashdot hackers get a bad name. Hackers are people who love to play with technology, not cause carnage and destruction. This guy is a "criminal".
Torrent, anyone?
My other Sig is
My bank over here in Holland uses a similar system to authenticate its online banking. You have your card (with a chip on it), you know your PIN (very weak password IMHO) and you get a standalone reader that you have to put your card in, punch in your PIN and an 8-digit number generated by them. It generates a 6-digit code that you have to enter in the webpage.
It has no connection to your computer, so no incompatibilities for Mac/Linux users and no chances of spyware/keyloggers making off with valuable passwords. You identify with what you know and what you have. The processor only has to know the public part of the keypair (the private one is on your card, probably 'encrypted' with your PIN). If such a processor is breached, they will not get any info on the card.
This space is intentionally staring blankly at you
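The two comments above (the signed single-use payment proposal, and the Dutch bank's offline reader that turns an 8-digit challenge into a 6-digit code) describe the same defensive idea: the approval is computed inside the card, bound to what the holder saw on the reader, and accepted by the processor once and only while fresh, so a processor breach or a sniffed code yields nothing reusable. The model below is an added example, not code from either comment or from any bank. It assumes HMAC-SHA256 as a stand-in for the card's signature (a real card would sign with an asymmetric key so the processor holds only the public half), a 60-second validity window, and constructed merchant names, amounts and card secret.

```python
"""Single-use, time-limited payment approval computed on the card, not the PC.

Added example (not from either comment, not any bank's code). HMAC-SHA256
stands in for the card's signature; a real card would use an asymmetric key.
"""
import hashlib
import hmac
import secrets
import time
from typing import Dict, List, Optional, Tuple

CHALLENGE_DIGITS = 8   # the reader asks the holder to type this in
RESPONSE_DIGITS = 6    # the holder types this back into the web page
CHALLENGE_TTL = 60     # seconds a challenge stays valid (assumed policy)


def _response(secret: bytes, challenge: str, merchant: str, amount_cents: int) -> str:
    """Bind challenge, merchant and amount into one short code (HOTP-style truncation)."""
    msg = f"{challenge}|{merchant}|{amount_cents}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10**RESPONSE_DIGITS:0{RESPONSE_DIGITS}d}"


class Card:
    """The chip: holds the secret and answers only after the holder presses OK."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def approve(self, challenge: str, merchant: str, amount_cents: int,
                holder_presses_ok: bool) -> Optional[str]:
        # The offline reader shows merchant and amount; malware on the PC cannot
        # change what gets signed without the holder seeing a different value.
        if not holder_presses_ok:
            return None
        return _response(self._secret, challenge, merchant, amount_cents)


class Processor:
    """Issues challenges and verifies responses; never stores a card number."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._secrets: Dict[str, bytes] = {}  # card id -> verification secret
        self._pending: Dict[str, Tuple[str, str, int, float]] = {}

    def enrol(self, card_id: str, secret: bytes) -> None:
        self._secrets[card_id] = secret

    def new_challenge(self, card_id: str, merchant: str, amount_cents: int) -> str:
        """Fresh random challenge bound to this card, merchant and amount."""
        challenge = f"{secrets.randbelow(10**CHALLENGE_DIGITS):0{CHALLENGE_DIGITS}d}"
        self._pending[challenge] = (card_id, merchant, amount_cents, self._clock())
        return challenge

    def settle(self, challenge: str, merchant: str, amount_cents: int, response: str) -> str:
        """Return 'approved' or a rejection reason; a challenge is consumed on first use."""
        details = self._pending.pop(challenge, None)  # pop: a replay finds nothing
        if details is None:
            return "rejected: unknown or already used challenge"
        card_id, bound_merchant, bound_amount, issued_at = details
        if self._clock() - issued_at > CHALLENGE_TTL:
            return "rejected: challenge expired"
        if (merchant, amount_cents) != (bound_merchant, bound_amount):
            return "rejected: merchant or amount changed after challenge"
        expected = _response(self._secrets[card_id], challenge, merchant, amount_cents)
        if not hmac.compare_digest(expected, response):
            return "rejected: bad response"
        return "approved"


def demo() -> List[str]:
    """One purchase through the happy path, then each failure mode."""
    now = [1_000_000.0]
    proc = Processor(clock=lambda: now[0])
    secret = secrets.token_bytes(32)  # constructed: written into the card at issue
    proc.enrol("card-0001", secret)
    card = Card(secret)
    out = []
    # 1. Holder reads "Example Store, $42.00" on the reader and presses OK.
    ch = proc.new_challenge("card-0001", "Example Store", 4200)
    resp = card.approve(ch, "Example Store", 4200, holder_presses_ok=True)
    out.append(proc.settle(ch, "Example Store", 4200, resp))
    # 2. Replaying the captured code: a sniffed value is worthless a second time.
    out.append(proc.settle(ch, "Example Store", 4200, resp))
    # 3. The PC submits a different amount from the one the card signed.
    ch = proc.new_challenge("card-0001", "Example Store", 4200)
    resp = card.approve(ch, "Example Store", 4200, holder_presses_ok=True)
    out.append(proc.settle(ch, "Example Store", 99900, resp))
    # 4. Holder declines on the reader: no code exists to submit.
    ch = proc.new_challenge("card-0001", "Example Store", 4200)
    out.append("declined" if card.approve(ch, "Example Store", 4200, False) is None else "bug")
    # 5. Code typed in after the validity window.
    ch = proc.new_challenge("card-0001", "Example Store", 4200)
    resp = card.approve(ch, "Example Store", 4200, holder_presses_ok=True)
    now[0] += CHALLENGE_TTL + 1
    out.append(proc.settle(ch, "Example Store", 4200, resp))
    return out


if __name__ == "__main__":
    print("\n".join(demo()))
```

The processor's record per card is a verification secret and a table of outstanding challenges; the comment's point that a breach of the processor "will not get any info on the card" holds fully only in the asymmetric version, where that record is a public key. Popping the challenge before any other check is what makes the code single-use: the replay in step 2 is rejected before the processor even recomputes the HMAC.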
Yes and gay people walk around happy all day (actually, they might, but the usage of the word has changed)
Deal with it.
liqbase
Now imagine a headline in 10 years: "120 Million biometric data stolen". It seems that the technical challenges of keeping data secure have sunk in already. This credit card data breach could support these concerns.
Or at least receiving a fine from each of the credit card companies that were breached - the various agreements companies sign do include fines (that could apply to either party) for various performance and compliance failures. Also, I suppose the banks could sue if they felt so inclined, which would probably end up in some sort of settlement.
Dunno if there are potential government fines or not.
Yes and gay people walk around happy all day
That would be a good analogy if only there was a culture of straight gay people that was upset about being associated with homosexuals.
Looks like they're a Microsoft .NET house: http://www.cardsystems.com/careers/DevDotNet_0501.pdf
That if a company loses personal information, then that company is liable for a $1000 fine per person affected, plus any additional fees, fines, and moneys to pay to correct the problem(s).
III.IIVIVIXIIVIVIIIVVIIIIXVIIIXIIIIIIIIVIIIIVVIII
As any small business owner will attest, it is incredibly difficult to obtain reasonable business insurance, especially professional liability, and even more so when they don't understand the technology behind your business itself. The reason is that the insurance industry is running scared about terrorism, the great "unknown" world of IT, and our generally vindictive litigious society.
None of these factors are in their actuarial tables, so they presume you're going to cost them millions of dollars. They don't care whether they understand or not; they're simply not willing to take the risk.
Now, how do you suppose the insurance company will treat your small business, if it happens to accept credit cards for payment? Not good.
Do you suppose they'll care how paranoid you are about data security? Will they care how many levels of protection you afford the data of your customers?
The answer is a resounding "no" to all. They don't have the technical acumen to judge what is and what is not appropriate (honestly, too few people who call themselves "security experts" do). And they don't care. They simply raise the rates to astronomical levels, with a big "screw you" attitude, because they're somewhat ironically not at all in the business of taking risks.
Sometimes I think Slashdot saves the juicier stories for busier times of the day/week. It's no fun to join a discussion that fizzled out 4 hours ago. The news sites don't have this problem.
Hmm... Apparently we all must have pissed off the hackers and now they're targeting the big fish. Apparently those of us in IT and the programmers writing browsers, firewalls, and other tools might have sufficiently locked down the typical user's system to prevent this sort of thing.
Now, since the only two choices are direct social engineering of the end-users out of their data, or going after the warehouses that contain what they want, I wonder if this kind of thing is now expected to only escalate in a really big way. They should now go after a congressional law change that makes this kind of major hacking a death-penalty punishable offense... Hmmm...
Just thinking...
All content in this message is copyright (c) 2008. All rights reserved. RIAA is prohibited here.
Timing, unfortunately, has become a major component of the news release cycle. Here's how news timing works:
1. If a pretty white woman goes missing, (or is dying) it's instant news all the time on the U.S. cable news channels. The news channels will instantly increase the cost of advertising on a sliding scale based on how white, how pretty, and how rich the missing woman is.
2. If Amnesty International's accusations about torture and desecration of religious objects at U.S. "held without charges" camps are borne out by internal government documents, then the news is broken at 7:30 p.m. on a Friday night, briefly discussed on Sunday while everyone is at church, and forgotten by Monday morning.
3. If a popular Democratic president gets a blowjob, it's all blowjobs, all the time on every news network.
4. If there is reasonably clear evidence that a Republican president trumped up intelligence to get us involved in a $300 Billion war, it'll never be seen in print or heard on TV.
Now you know how the U.S. "liberal" news media cycle works.
Exercise: Using what you've learned, what can you tell us about the MasterCard breach story? Do you think MasterCard released the news on a Friday night for any particular reason?
Is there a form somewhere that I can enter my credit card information to check if my cc number has been compromised?
Yes, just click here, enter your credit card number, PIN, and mother's maiden name (or other passphrase), CVI# if applicable, and they will confirm that your card has fallen into the hands of identity thieves.
Good luck.
The Future of Human Evolution: Autonomy
By now, most slashdot hackers should be aware of the differences between the media use of 'hacker' and the proper use of hacker. Just like being desensitized to violence on TV.
The head of security is also the help desk and Unix system admin. Tucson is a small town and I live here.
Yes and gay people walk around happy all day
That would be a good analogy if only there was a culture of straight gay people that was upset about being associated with homosexuals.
The issue is that the word "gay" was hijacked by a group of people who don't want to be called (are ashamed of????) what they are: homosexual.
Homosexual isn't an evil word. Why try to obfuscate what you really are?
"I don't know, therefore Aliens" Wafflebox1
I was in the public sector for a while. People always would look at me for poo-pooing direct deposit. Little did they know that the bank involved had them running the data over on a weekly basis on a floppy disk. The program to generate that disk was the biggest chunk of crap I've seen in my software days (from my coding and all the 2 bit shareware I've seen) Scary stuff.
Now I'm in a bigger corp, that not only demands that you are direct deposit, but is now trying to get you to give up the paper copy they send you to tell you they paid you. (No thank you.) That, and now the crapware exists as what we are supposed to do our expense reporting to AMEX with. My wife (still in the public sector) already has to go online and print hers regularly if she wants to keep it. (Ask yourself if you trust your company to not lose that data.) This is *not* tin foil hat stuff, folks. I can't wait until some outsourced online paycheck viewing software gets hacked and people are in the same boat.
People outside the sectors have to realize: we want this stuff. But not with the mentality that this industry treats things with. Things are very lax, and the players in the field seem to be mostly "consultants" that don't really know what they are doing but are good at making the higher-ups feel better. This needs to be opened up. The data formats need to be transparent and there needs to be some competition. If your system can't stand someone knowing how it works and still be secure, it wasn't "secure" to begin with.
So where is the site that's tracking all of this crap anyway? Step up with a link for some Karma points. Let's see ratings, by company, on who has it together (or not yet hacked, at least). Then people can start ditching groups that don't protect their info. (Or at least give someone new a chance to lose it.)
Who said anything about an issue? He was fleshing out an analogy not asking for a random tangent of quasi-related history.
--
WHO ATE MY BREAKFAST PANTS?
What would happen if even a small percentage of those people figured, "Hey, lemme get some free stuff outta this." They all started maxing out their credit cards and when the bill came said, "No sir, my card's been in my wallet the whole time."
The credit card company knows that card number likely was compromised, but thinks you may be the one who charged the goods; they have no way to prove it, though. Imagine if even 4 million people did that.
It wouldn't have really mattered, if the trojan the perp planted on the servers worked as it was described. It was said to "listen" to credit card transactions, in which case it would've been able to swipe the numbers regardless of whether the data was retained by CardSystems or not.
Anyway, for this sort of violation of rules, I think MasterCard (and other credit card companies) should terminate their contract with CardSystems. They won't, of course.
In Soviet Russia, I ruled you
I like how the Post titles it:
"40 Million Credit Card Numbers Are Hacked"
Someone needs to go over there with a clue bat and replace "hacked" with something more accurate like "compromised", or like Slashdot, "exposed", or if they want to try to use the correct lingo, "cracked".
somebody sues these companies. The company who was cracked was running MS. If a civil law suit is started against the company AND against the CIO for running an insecure OS (and most likely an insecure set-up), then we would see changes.
I prefer the "u" in honour as it seems to be missing these days.
There is -no- incentive for any company in payments processing to do anything else but make a profit.
Dilbert PHBs are in charge of your data. This despite Visa/MasterCard rules.
These PHBs put their full faith and credit in:
- A Windows Server infrastructure. The rest is just weird hobby OS stuff.
- Has never heard of PGP, PKI, PKCS. That's just bad-guy stuff.
- Believe that email is secure. I need a password to get my mail right?
- Hire IT folks that agree with them. "There's no budget for anything else." says the PHB.
Visa/Mastercard is a federation of the largest banks in the country. Do you think they are going to let their cash-cow get burdened by additional costs and regulations?
What about -their- (visa/mc banks) merchant services organization? (firstdata.com) How much theft have they had? It's likely you will never know. You'll find out about theft from their small-time competitor in AZ, but firstdata? Not likely.
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
http://sympaticomsn.ctv.ca/servlet/ArticleNews/story/CTVNews/1119107850615_136?hub=topstories
The surprise isn't how often we make bad choices; the surprise is how seldom they defeat us.
a one-store retailer.
There seem to be any number of companies out there who want my card acceptance processing. (I get cold-called once or twice a month.) A lot of them seem to be resellers for the big national processors. They *ALL* compete on price. I've never had one of them even mention security procedures.
And actually, as far as I am concerned, the security of my processor is not my problem. As long as my terminal software isn't an arcane mess, I don't get any bogus approvals, my legitimate transactions get transmitted to the card companies on deadline, and the cash winds up in my bank account when it's supposed to, then I'm satisfied.
IMO the security issue belongs to the card companies. They're the ones that wind up paying the cost of fraud, and if they don't like the way a processor does its security, then they should not allow it to handle their cards.
(And as a practical matter, I've usually gone with the processor recommended by my bank. At worst, it only costs a bit more, while at best it gives me another hammer (my banker) should there be a dispute. And it means I don't have to deal with issues for which I have neither the time nor the expertise.)
Last time I checked, Trojans were found mostly 1. in jeans pockets on a Saturday night, 2. on Windows machines.
And sure enough, Netcraft tells us that the horny hypothesis can safely be discarded. It's Windows all right:
Now, I realize that this doesn't mean necessarily that the CC numbers are kept on a Windows machine, but this is apparently an MS shop, so that's not surprising.
--
Mad science! Robots! Underwear! Cute girls! Full comic online! http://www.girlgeniusonline.com/
April 2001 - March 2005 Security Administrator, CardSystems, Inc.
- Responsible for maintaining all aspects of security
- Limited recent security breach to a mere 40 million cardholder accounts, out of a possible 200 million, an 80% reduction.
- Worked closely with team members to monitor and ensure transaction integrity; we successfully prevented 99% of the methods known to pose substantial risk.
- Provided off-site backup services for our clients, preventing catastrophic loss due to irrecoverable system malfunction.
They made this issue public, so our banks can be notified, so we (the consumers) can know.
Obviously they've noticed that the public isn't so thrilled when we find out about a breach that happened years before we were told.
Visa wasn't going to tell us anytime soon. God knows how long the investigation would take until they released the info to us.
Wake up.
It is scary but not surprising that so much information can be hacked. The reality is that 24/7 security monitoring and research by companies and corporations will be needed forever to try and maintain security of personal information such as this. Also, there is the fact that it will still not be 100 percent secure.
However, my thoughts are that most individuals, businesses, companies, corporations and governments do not want to add this type of resource because of the tremendous cost involved. Many individual and small businesses may not be able to afford it.
Most would rather hire the person or group that says we will guarantee the security of your information data for this much. Which presentation do you think would sell in a board meeting? Here are two made up and abbreviated information briefs or sale pitches to some boards in a corporation to clarify some of my thoughts here:
"It will take many new measures, constant research, consistent new education and many resources to bring the security of this data to the safest possible levels. It will never be 100 percent secure but by maintaining this vigilance we can have some assurance of protected data."
Or
"We have some of the most brilliant minds constantly researching security applications and procedures that will virtually monitor and protect your systems from any threats or breaches. The resources are implemented with user-friendly GUI systems. Most of the work, such as maintenance and updates, will be done by the software, algorithms and bots that will assist in keeping the costs lower but the security extremely high."
Well enough of my 2 cents for now...
~BlogCruiser~
Hackers are people who love to play with technology, not cause carnage and destruction. This guy is a "criminal".
Hackers are people who love to play with technology, who *MAY* also like to cause carnage and destruction.
White or black, a hack is a hack.
paintball
So, let's call ourselves something else. We can think of a new name. Let the word 'hacker' go ahead and be a reference to criminal activity.
The distinction between hacker and cracker was not made in computer geek culture (EG: Usenet) prior to the first mainstream media exposure circa 1983 (on CBS IIR?). The computer community didn't distinguish between "hacking" as (in)elegant writing of code and "hacking" as systems penetration and perversion; it was all part of the continuum. Anyone who practiced SP&P was at the time considered a "hacker", although not all hackers were in SP&P. This lack of foresight led to the mainstream use of "hacker" to describe anyone in SP&P, which has continued to the present even though while "script kiddies" practice a (crude) form of SP&P, most are not even larval "hackers" of the classic meaning.
Attempts to close the barn door after the horse has left, however, are futile-- and in this case, have been for decades. You will not get the mushroom cloud back into its happy little plutonium sphere; live with it.
//Information does not want to be free; it wants to breed.
Only a matter of time until each American has had their credit card info compromised at least once. Once everyone's identity is by default stolen, we might be able to make a case to use something other than your retirement account number as the key that gives someone access to your whole life, the universe and everything.
I know! Tweaker! Oh wait... Hmmmm...
Slightly off-topic, perhaps, but I'm very curious:
I thought that the credit info was stored in the bank where you get your card from, and in the few credit reporting agencies in the country of credit. So, does it mean that your credit history does follow you around the world after all?
From news.netcraft.com, whatever that is.... http://news.netcraft.com/archives/2005/06/18/lax_security_cited_in_massive_credit_card_data_theft.html
With 40M cards exposed, what's the probability that my card will be exploited?
White or black, a hack is a hack.
I thought it was bad every time somebody brought up the politically correct way of referring to "cybercriminals" and whatnot, but now you're bringing race into this? Touché
'Yes, Firefox is indeed greater than women. Can women block pop-ups for you? No. Can Firefox show you naked women? Yes.'
Death penalty is only appropriate when it is impossible to protect society from a criminal. This is never the case with any form of cracking-- simply don't give them access to a computer and they cannot repeat their crime.
A lifelong prison sentence would be the most that would be a legit punishment.
Luke-Jr
I don't think Joe Public has any right to query that information unless it's his own either. But short of police investigations I can't imagine many types of data that JP shouldn't have a right to query about his own data.
We already have a law like this in Canada. I'm curious why it doesn't apply to Equifax though. It seems to me that negligence should be treated in the same way as just giving it out to anyone that asks for it.
From the Fact Sheet: I knew it sounded too good to be true.
Hackers are people who love to play with technology, who *MAY* also like to cause carnage and destruction.
That applies to any group of people. A better example of this than the gay/homosexual analogy is the misconception that to be a faithful Moslem necessarily means that you are anti-American, or a terrorist or whatever. Again, some are... But there are a great many Christian and Jewish terrorists out there too. Same as there are many hackers who are not terrorists.
Anyone who takes hacking or religion too seriously (i.e. uses it to harm others) is probably suffering from some kind of delusion.
How much is your time worth to you?
-- No matter how great your triumphs or how tragic your defeats, approximately one billion Chinese couldn't care less.
MUAHAhAHAHAHAHAhahahaahAHAHAHAHAHAhAH!!!
(b wahahahah)
"A witty saying proves nothing." ~Voltaire
"d'Oh!" ~Homer
If everything was easy many of us wouldn't have jobs. Programmers for instance wouldn't have any work at all. If buying things online becomes hard enough then a whole cottage industry could spring up around online-shopping and US government regulations bringing much needed jobs to America.
Imagine online-shopping as easy to use as IRS Tax Forms and online-stores as fast to use as the DMV.
Sometimes, just for fun, I'll type in a random 3-digit security code when ordering online (with my own card, of course). My order usually goes through without a hitch. Try it some time. It seems pretty useless to me.
Shouldn't MasterCard have had CardSystems "demonstrate compliance" before sending them even one credit card number? Or is this a usage of "requirements" with which I am unfamiliar?
(Unix & Network) (Security & SysMgmt)
I have never, nor will I ever sign up for MasterCard.
To be honest, though, I had no way of knowing this would happen. One would think that I could back this up with things like bad service, or higher average interest, etc.
The real reason I don't use MasterCard is because on every single one of them there is a Venn diagram in hideous colors looking back at me. If second grade were taught in a bowling alley, the MasterCard symbol is what would be on the wall as a guide to comparing and contrasting.
Your brain is not a computer.
If you are 1 minute late with a payment - $39 fee.
If you are late paying a credit card, your other credit cards can jack the rate to the max - universal default.
Got a problem with e-bay or pay-pal? Good luck getting a hold of anyone. Got a problem with Equifax? Good luck with that one. Took me a year to get a car that my ex-wife refinanced off my credit report. They said I had not paid the loan in a year. That's true, because I NO LONGER EVEN HAD THE LOAN!
These are huge companies that would never think twice about making your life more expensive and more hellish, but if you have a legitimate problem, it's almost impossible to get to these faceless companies. Absolutely they should be forced to replace ALL cards in question EVERY time this happens. They are making so much money off of so many people and yet, they don't get the slightest punishment when they screw up.
Well yeah. But none of what you posted said it ran windows.
No they won't, because of all the little fry that send transactions through this processor. Questions I want answered...
How long was the 'trojan' capturing the data? How on earth did MC/Visa/FBI decide when it first started monitoring the CC numbers? They must have a start date, otherwise how did they come up with the 40m number?
The general phrase here is that it was a 'hacker'... but was it? Was it some organized crime outfit in Eastern Europe, Russia or perhaps North Korea?
My guess is that the FBI knows a lot more about the whole story than is being talked about. This episode should be a textbook study on security failure.
This msg is brought to you by the letter 'W'.. for Worthless Wuss
I heard about this on the local Chicago news last night (06/17). It was one of the first stories reported. Heck they were doing promos for the 10PM news all evening long that mentioned the breach. For it to take the lead over the daily reporting of Chicago city government corruption was quite surprising. I jumped onto the normal sites where I would have expected to get more information about this incident (including /.) and found no mention of this story. Anywhere. There were, though, stories about telepresence and terraforming to be found here. So I guess this story should have had a science fiction component to get onto /. earlier. If only Theo de Raadt had ranted about it...
If you mean the amount involved in the fraudulent transaction, then it might be true.
But credit card companies might face legal action as well, with amounts that exceed many times the cost of the actual transaction, so that in the long run they can lose, too.
START RANT
in the short term, however, managers and directors of those companies do not usually worry because this impact rarely shows up in the end of the current fiscal year (legal action takes time to happen and eventual losses were already forwarded to the merchants, remember). that way people can still meet their profit forecasts and wall street analysts (the ones who look at balances and think they understand the inner workings of an individual company) get happy and excited about these execs.
what do they do in the following fiscal year, you might ask. well, some of them who are lucky or well-connected enough can actually go to work in some other corporation, leaving the mess to the newcomer.
that's why, imho, they do not really care at all.
on the other hand, making them fully accountable would just increase those executives' compensation by a lot, since they would face the risk of going to jail or something like it due to something they never really knew (management tends to hide those kinds of stuff from the next higher hierarchical level and so on), but i fail to see if they can be actually held responsible for these security problems without blaming someone else (attorneys can be very persuasive in court sometimes). anyway, as a result, they would get paid a lot more to take that risk and the cost of credit would increase. security, however, would stay laughable as it is today.
upon public indignation, the government steps in and recognizes this fact and implements some stupid, ineffective piece of legislation to appease stockholders, requiring a lot of static, law-mandated checks in an ever-changing environment (security) and the cycle never ends.
as said before, costs to the consumer only go up and up, because corporations might contract insurance against those unknown risks (it's way easier to do a financial settlement with an insurance co than carrying out a fully-fledged change management program in a large-size corp) and because legislation usually requires yet another layer of auditors who are contracted just to make sure that the company is in compliance with something hackers circumvented long ago.
END RANT
there's a more polished treatment of this kind of reasoning under the name "agency theory", so this is not entirely based on paranoia, but if you think all this is just too stark and cynical, i am not ashamed to agree with you.
and damn, that was a long rant.
Ooops, sorry, cut-and-paste missed a line. Here, look for yourself: http://toolbar.netcraft.com/site_report?url=http://www.cardsystems.com
--
Mad science! Robots! Underwear! Cute girls! Full comic online! http://www.girlgeniusonline.com/
Read on down to the end of MasterCard's press release.
. asp?ID=61946
... We have tracking systems in place to find the common point of interaction."
The U.S. Government is currently considering legislation to expand the Gramm-Leach-Bliley law requiring better security procedures for personal financial information. Currently MasterCard is subject to this law - third party processors are not. I would not be at all surprised if no real accounts have actually been compromised, but then I like tin foil hats.
In fact, MasterCard is already backtracking:
http://www.accessnorthga.com/news/ap_newfullstory
Now the number of cards considered "at risk" is only 68,000 - and the spokesperson for MasterCard says "It wasn't a large amount of fraud, just an abnormal pattern that triggered our system."
Of course, no person who isn't a criminal could oppose "protecting" your personal information better, could they? Especially if it helps protect the children...
Final 2006 "Proof of Global Warming" US Hurricane Count -> 0
First of all, modern credit cards, i.e. smart cards, allow you to use PKI if you are using a chip reader. There are certificates from Visa, from your bank and from the reader manufacturer. However, the same card has a magnetic stripe, which only holds the credit card number, expiration date and some other values like possible limits.
What is important is that you cannot eliminate the legacy authentication method, i.e. number and expiration date, because then you would have no way to authorize offline transactions. If you do not allow offline transactions, it will paralyze commerce in some places like cruise ships, mountains, gas stations etc. Communications are expensive these days, and new technologies like GSM card readers are expensive as well. Millions of such readers are required, and even they have their own flaws, like the stupid PKI implementation and WiFi/GSM bugs.
And more. Here is why your proposed system is stupid: it depends not on VISA or MasterCard but on a specific bank, and there are a bunch of banks even in Paraguay, and I can only imagine how many of them operate in New York. So imagine a small shop, half of it occupied by super-secure card readers.
However, what you described is a simplified version of current smart card PKI infrastructure. The point is - it should not be used alone, although it is more secure.
But thinking more on this subject, I think that in the future, don't know how near, all your bank cards, no matter the system, VISA or Amex, will be on one card, one chip, the same as in your mobile phone. In fact, it will be on your mobile phone chip. It is possible, and the only difficulty here is who will own this card - mobile operator, or bank, or you...
"ONLY front end"? These idiots at CardSystems Solutions put insecure Microsoft software at the front end and expect that this concept is secure. My grandmother could have told them that every component has to be secure, in particular the front end, not just the back end. When will they learn? When will they pay the price? http://uptime.netcraft.com/up/graph?site=www.cardsystems.com