Security Breach Exposes 40M Credit Cards

The Good Reverend writes "MasterCard International announced today that a security breach at CardSystems Solutions, a third party processor of payment card data, potentially exposed more than 40 million cards. Mastercard is aware of the specific card numbers affected, and is giving its member financial institutions the numbers that may have been compromised. Unlike many of the past high profile cases this one involves a hacker rather than lost packages. CNN Money, the New York Times, Reuters, MSNBC, ZDNet, C|Net, and the Washington Post are also covering the story."

Proves that the hackers...

[bpuli]

will always exploit the weakest link in the chain. MasterCard itself might have the best security but what about all the systems downstream? Wonder how many more of these transactions processors have been compromised and don't even know it yet.

Re:Proves that the hackers...

[whovian]

will always exploit the weakest link in the chain. MasterCard itself might have the best security but what about all the systems downstream?

Agreed. One wonders how to trust your contractees and outsourcees. It would argue for the most data-secure companies to cut out the middleman and do their own processing.

The cynical side of me says that there lurks a propaganda campaign to be pushed here by those in favor of introducing new credit card feature, perhaps RFID or biometrics. I cannot say whether those are good solutions, but it certainly seems that some form of security that requires you to present physical evidence of your credit card or account seems in order -- may even a PIN?

Re:Proves that the hackers...

[Ian+Jefferies]

Just wait for the spam social engineering angle to kick in:

"Just enter your credit card details into this site to see if your credit card number was one of those stolen"

(Answer: not until 5 seconds ago)

Re:Proves that the hackers...

Have to agree here. I work for a large mailing house company which processes client data and sends out bank statements and tax details and all sorts of other private information.

Having a in depth security background, I can safely say that the security of this place is shocking. The guys handling this sensitive data are just kids straight out of uni. The banks etc themselves can go to great lengths to protect their clients data, but then they outsource to 3rd parties and hand over all their data to be processed.

Posting anonymously for obvious reasons.

Re:Proves that the hackers...

[Michael+Spencer+Jr.]

(I work in the payment processing industry, but other than the article I don't know any more about this incident than you guys do.)

That makes me wonder: how does the security of different payment processors correlate with their processing rates and operational cost? It seems to me, as a First National employee, that our fancy well-designed computer systems, our multiple security-related departments, etc., increase our cost of doing business, so we get beat on price by a lot of other processors. We're not the cheapest processor out there.

Since I'm not an industry expert, and I don't know what everybody else charges for processing, I'm curious: for any Slashdotters who are also merchants (own a business, accept credit card payments), does this ring true? Big company, big systems and good security, higher internal cost, higher prices? Small company, smaller systems and maybe less security, lower internal cost, lower prices?

Re:Proves that the hackers...

[Phil+Wherry]

It's about time for the financial services industry to step up and take responsibility for designing a payment infrastructure that can accomodate the current threat environment. A sixteen-digit reuseable number can't provide adequate security, even when coupled with real-time billing address and CVV2 tests. Payments need to be authorized individually by the accountholders, and these authorizations need to be tied to a specific date, time, merchant, and amount (or in the case of recurring payments, a time span, number of payments, and maximum aggregate amount). In this scheme, leakage of an account number doesn't connote authorization for payment--and leakage of a payment authorization doesn't enable re-use by others.

It will be hugely difficult and very expensive to make this change, of course, as it involves replacing a great deal of infrastructure. But ultimately it will be required due to the simplicity of fraud using today's technology. It's gotten to the point where most of the difficulty and expense isn't the technology for payment authorization; it's instead the cost associated with the changeover itself and with retraining consumers and merchants.

So, from where I sit, it looks like the costs of fraud being absorbed by the financial services industry (and, of course, being passed on to consumers in the form of higher fees) aren't being offset by a decrease in the eventual cost of making the system secure. It's time for the financial services community to take responsibility, then: accept the fact that it will be difficult and expensive to make the change, but also accept its necessity and inevitability.

A bit over 1/4 were mastercard branded...

[the+packrat]

But that leaves a little under 3/4 who aren't mastercard branded. If it was a typical third-party payments system then it is likely that they handled other types of credit cards, just that those companies havent commented yet.

So when is the other shoe going to fall?

Re: A bit over 1/4 were mastercard branded...

[Black+Parrot]

> But that leaves a little under 3/4 who aren't mastercard branded. If it was a typical third-party payments system then it is likely that they handled other types of credit cards, just that those companies havent commented yet. So when is the other shoe going to fall?

The news has been reporting for the last 14 hours (at least) that the four major credit cards are all affected.

Also, this has been known since May 22, but everyone was keeping it quiet.

If there's another shoe, it's going to be that the breach was even larger than reported, or that they got more information than we're being told.

RTFA PEOPLE

About 25 MILLION of the 40 WAS NOT a MasterCard, so there are a WHOLE bunch of credit card providers who like leaving you in the dark here people.

US numbers only?

[mr_tap]

I wonder if it was only US CC numbers or if we all have to worry?

Re:US numbers only?

[Curtman]

I think we all have to worry anyway. This kind of shit happens all the time. They're going to find the people responsible for these, and the corporations that allow it to happen will get off with only a bit of bad publicity. That's the real tragedy. There ought to be a law that if you are going to retain someone's personal information then you are responsible for keeping it safe. Same as I'm responsible for keeping my PIN number safe.

Lesse

[yotto]

Interest rate: 20%
Annual Fee: $40
Randomly being declined because the machine is on the fritz: $1-$1000 purchase down the drain.
Being the target of fraud through no fault of your own: Priceless.

Re:Lesse

[StupidKatz]

I fail to see why this is made out to be such a big deal by the consumers. Have any of you read the service agreement/contract for any of the major credit cards? Do you know what you are liable for in the event of a fraudulent/unauthorized charge? If you did, you'd probably be unable to care less about stories like this.

The basic liability for consumers under MasterCard and Visa is $50 (probably per incident). Now, that could be a problem, except for the fact that MC and Visa waive that liability. So, what are your responsibilities when it comes to reporting fraud? Simple: you report the unauthorized charge to your bank, usually via the 800 number on the back of the card, within 24 (or possibly 48) hours after discovering the fraudulent activity. This means that if you don't open your bill for two months, and so discover the charge six weeks after it happened, you can call in the next day and have ZERO liability. The best part is, since it was a credit card, it's not YOUR money that is lost - unlike a debit card. Hint hint: always use a credit card to buy stuff, not debit or ATM cards.

The real losers here are the merchants, who get stuck with the ~4% per transaction fee and often have to eat the cost of the fraudulent purchase. OTOH, how many merchants can afford NOT to honor the major credit cards?

Cost of re-issuing cards

[00squirrel]

I've always wondered why credit card companies don't simply cancel and re-issue cards when somthing like this happens. I read in the MSNBC article that it costs $10.00 per card to do that, which means this particular incident would cost the credit card companies about $400,000,000.00 to reissue cards. That is a ton of money!

What I would like to see

[Timesprout]

since people here (Ireland) and the UK are basically being encouraged to rack up debt is some one to crack Mastercard/Visa and wipe out all the amounts owed on credit cards. Might encourage the financial institution to be a little less carefree with their lending policies.

Re:What I would like to see

[j0e_average]

It's a double-edged sword....what responsiblity should the card companies take for thier irresponsible lending practices. For goodness' sake, if you can fog a mirror, you can get credit. If fact, the way the rates are structured on credit cards, the credit card companies EXPECT to write off a percentage of the portfolio. This write-off is insignificant (in relative terms) to the profit they make on the poor saps out there paying 21+% on their accounts. The overnight rate on this money is what, 4%? And being the ever-greedy corporate pigs, the banks now petition congress to pass "Bankruptcy reform" laws, which essentially prevent Mom and Pop consumers from walking away from their debts after filing bankruptcy. I'm not saying it's morally or ethically right to allow folks to take a free ride on the system, but at the same time, the credit card companies have at least half the blame due to their lending policy. The difference is that they (the banks) have deep pockets with which they can buy legislation. Yes, I do work at a bank...and no I would NEVER contribute to their PAC.

Re:What I would like to see

[timeOday]

On the other hand, we could always ask the "responsible" adults who take out these credit cards to actually take responsibility for once and only take out and use credit they can afford to pay back?

It's counterintuitive, but I don't think this is what the creditors want, really.

Yes, they would like everybody to be in debt up to their eyeballs and still get 100% repayment, but the simple fact is some percentage of people who borrow to the max will have a period of unemployment, or divorce, or health problems, or simply get discouraged and choose to flake out.

Getting closer to 100% repayment would require significantly lower levels of personal debt and higher savings. It works out better for creditors, and perhaps even for the GDP of nations, to keep individuals highly motivated - on the edge of financial disaster. The ocassional losses are more than compensated by high balances at high interest.

Creditors like to take on this victim complex whenever somebody fails to repay. But in fact, all investments have risk, including loaning money to people through credit cards. That level of risk is already reflected in the high interest rates that borrowers pay on the cards. Why do companies offer these risky "payday loans"? Because the usurious interest rates and penalty fees more than make up for the losses.

Creditors also like to blame deadbeats for placing an extra burden on the rest of us good, hardworking and honest citizens. But this too is mostly false, since people are placed in different pools depending on their payment history. Those with significant credit history blemishes are already paying sky-high interest rates - a sort of security against the credit, which they will never get back even if they are perfect borrowers for the rest of their lives.

And in case you're wondering, no, I don't have bad credit. But I do have only so much pity for the credit card companies, with their crocodile tears, as they demand bankruptcy reform (favorable to themselves, of course) while socking away truckloads of profit. If our law were really putting creditors in an unfair disadvantage, credit would be hard to get, and that would be a problem. Instead, payday loan outfits are sprouting on every corner like mushrooms, and college students with no income can get as many credit cards as they like. That doesn't sound like an under-profitable industry to me.

Re:What I would like to see

[Ark42]

Of course, the CC companies DON'T CARE if you are trying to get some free stuff. They will happily issue chargebacks and give you your money back. The only person hurt here is the merchant, who loses the amount of the sale, a transaction fee of a few percent of the sale price in both directions (one for the sale, one for the chargeback), and a chargeback fee of at least $35 per item being forcefully refunded.

So as you can see, it is the merchants that people are abusing, not the CC companies. The CC companies pocket the chargeback fee as well as double the transaction fees, without having to pay out a cent to the merchant. The customer gets their free item and all of their money back, and the merchant is out one item and probably $40 or more, depending on that items cost.

I'm not suggesting that people should withhold from reporting fraudulant use of their cards, but it is easy for people to get away with stealing from merchants, and neither the theifs taking the CC numbers, nor the people abusing the situation and getting free stuff are hurting the CC companies at all.

being a site full of geeks

[circletimessquare]

everyone here will be proposing a technical solution

but let me posit my own nontechnical solution: the processor must pay for a replacement card for every single victim

Re:being a site full of geeks

[gweihir]

the processor must pay for a replacement card for every single victim

An one more: Processors should have mandatory insurance against this event. Then the insurance company would check their security with a keen eye....

The card number / expiry-date system is stupid

[mukund]

Banks and financial institutions need to start using public-key encryption to authenticate a user rather than a card number and expiry date. Many visa/master cards already come as smart cards these days and it should be easy to upgrade them to operate as a JavaCard for example. Couple this with a USB card reader issued by the bank. A website can then ask for a signed payment (to be signed in a chip inside the card) valid for a short time period and only usable once in the transaction only. You verify it by looking at the reader, or a display on the card itself and reading the name of the store you're making the payment for, and press a button on the card or on the reader to grant/deny it. In this way, no external software outside the card is involved with granting money which can be tampered with. The signature takes place in the card. No credit card numbers stored. Payment made. Everyone's happy.

Re:The card number / expiry-date system is stupid

[AdamInParadise]

Well, not really stupid, just outdated.

The system you're describing is called Finread.

Finread is more secure than previous solutions because its smart card reader is "smart". It has a pinpad, a screen, a Hardware Security Module and a smart card reader. It is designed to work with EMV smart cards (a public-key scheme). You put your card in the reader, the screen displays the amount and the recipient, you type your secret pin on the pinpad and voila, payment's made.

Since the reader "smart", the remote payment processing system can bypasses your spyware-infested Windows machine to communicate directly with the card through a small, dedicated piece of hardware that is much easier to secure than an computer. Keyloggers and spyware are inefficient because your computer does not process any sensible piece of information. It's like opening an bi-authenticated SSL channel between your card and the Visa or MasterCard processing systems.

Finread is far from perfect, but much better the current situation. The only drawback of Finread is that it is so good that when it will be cracked, banks will probably manage to claim that everything's fine for a long time.

Now, of course, for lost tapes, we still need something else.

Re:The card number / expiry-date system is stupid

[mukund]

Not to mention that a truly secure card reader would cost a lot more than $25. $150 would be much more realistic. To be even somewhat secure, it would need to at least have a display and its own network connection, which adds quite a bit to the cost.

No a `fully secure' card reader costs $25 today and expect prices to keep falling as demand goes up. To be somwhat secure? You still don't seem to get the idea of the signing operation of a transaction done on a card. I suggest you read up on how a JavaCard works.

Customers generally don't need to ship stuff to 20 different addresses, and it's not difficult to call your bank and have them add another authorized address. Most places will still ship to an alternate address, they will just call you first to confirm. Having to use special card reader hardware would be much more of a hassle.

No customers don't have to ship items to 20 addresses, but I'm not about to to register all my acquaintances' addresses to the credit card, just because I want to send them gifts directly.

Your system has exactly the same problem. There is no foolproof way to identify a person remotely. Plus, your system is now susceptible to spyware: put some software on the customer's machine to hijack the card reader and you can do what you want with the credit card. If anything, it's LESS secure.

I believe you're just trying to knock me here, rather than actually first read up and understand how the system works. Read up on how a Java Card works. I'll explain once more for your benefit. The cryptographic signing operation takes place on the card. Your private key is stored on the card and there is no way you can extract the key from the card. You can only present a transaction to the card and have it signed, and retrieve the signed transaction. The signature is only valid for one transaction, done by a particular vendor only, because the signed data contains the transaction ID, the price which it's paying. The signature-request which is supplied to the card contains the price the person would pay for, the vendor details and the transaction ID. This is displayed *on the card* before a customer makes a payment by choosing an option *on the card*. These cards will not be significantly more expensive to manufacture in quantity. Remember card sized calculators? That was back in 1980.

No the system does not have the same problem, nor is it susceptible to spyware. You can hijack a card reader, but you can't hijack the card itself which needs to do the signing after reading the users' input *on the card* which is only powered by the card reader, which also provides the reader interface for communicating with the PC. The card reader is otherwise stupid. No other software on the PC has the private key to do this signing. Even if you were to tap the wire communication, you still cannot fool the system. If you do not follow this, I suggest you read up on even user land items like PGP Corporation's introduction to cryptography which should be reasonable for a newbie to follow. Read on digital signatures and how they are not susceptible to man/monkey in the middle attacks (when the card's public key is known and trusted by the bank), which is exactly what you're claiming by hijacking the card reader.

Let's slashdot the economy!

[Black+Parrot]

To ensure that no one places any fraudulent charges on our credit cards, let's all run out to our favorite toy stores and run up our cards to their limits.

My Card?

[valjean78]

Is there a form somewhere that I can enter my credit card information to check if my cc number has been comprimised? :p

Re:My Card?

[arose]

I'm setting one up right now... :-P

This is simply the price of outsourcing.

[0xdeaddead]

See in the banking industry we run these "penetration scans" all the time, that are TOTALY WORTHLESS. I cannot emphasize this enough, that running the weakest setup possbile will pass their "tests" with flying colours. The people doing these tests (Some certified security specialists!) Think that firewalls are magical devices that know how to stop the pesky hackers. Bottom line is that people are involved, they are out of their element, and simply placeholders. Management in general needs to get out of this "placerholder" mentality when it comes to jobs, and just fire people that are not doing their jobs.

Ok enough ranting, but trust me, in the late 90s banks were trying to outsource as many things as possible from customer service, to invoicing, bills, credit collections, applications and so on. As you can see when the "Credit card company" becomes nothing more than a brand, and a board of execs, everything is out of their control, not to mention every peice of the old credit empire is open for attack.....

If anything the question is why did it take so long to find them?!

Re: Not just mastercard -- VISA, etc.

[Black+Parrot]

> Apparently the breach was detected by the company handling the cards (CardSystems Solutions, Inc.) on May 22

One source I read said it was detected by the credit card companies when they noticed an upturn in the number of fraudulent transactions being reported to them by banks, and only then traced back to the clearinghouse.

> VISA spokespeople claim that they did not announce it sooner because there was an ongoing FBI investigation.

Yeah, supposedly there was an agreement to silence (for good reasons or bad), and the other participants are surprised (and probably outraged) that M/C broke the news.

And while the "FBI investigating" story is at least a semi-plausible reason for silence, I suspect the real motivation was "OMFG, let's stall as long as we can and hope Jesus comes back before word gets out". As mentioned in other threads, there are estimates that it will cost a billion dollars to replace all those cards.

Also, IIRC, in the past these exposures have always turned out to be much larger than first reported.

Could someone be so kind to...

[MTO_B.]

Could someone be so kind to check if my credit card number was exposed?
My cc number is 5122-5655-1459-0444.
Reverse code: 444

If it was exposed I want to cancel it so the hacker cant use it.

Thanks. ;-)

Weakest link

[hellfire]

It's not surprising someone other than MasterCard actually had a list of card numbers stolen. I have customers all the time tell me how they don't like what they feel are draconian measures to protect the credit card numbers people have in their own systems. What they fail to understand is that Visa and Mastercard require us to do this, and the protections we have are customer service.

But they still complain, because their customers and they themselves don't ever notice. Hell at one point I was told by a demanding customer to remove the protections because he said "I'll risk it." I was tempted to show him how insecure he was by remotely accessing his system, getting his list of customer phone numbers, and telling all his customers that he was careless with credit card numbers and their numbers could have easily been stolen from his system.

People are pretty careless about credit card security. It's usually in the name of convenience and visible customer service. Credit card security is invisible service. Being able to purchase something conveniently flies right in the face of having security which just might prevent you from selling something to someone, so some people don't care, as long as they are selling. Owners care once they find out that they'll be issued chargebacks, but individual salesreps will write down every credit card number on a piece of paper if it means making money for them personally.

Visa and Mastercard have the right idea, and in the press release I like how they said that they gave cardsystems a "limited amount of time" to basically get their act together so this doesn't happen again. Education and enforcement of regulations... nice to see an organization, especially one that is a corporation, actually give a damn.

Reset the Debt

[jvmatthe]

Remember how a notable movie (based on a notable novel) a few years ago had, as part of its plot, a plan to reset the credit card debt of the world? With the rate of security breaches we've seen, I have to wonder if the system won't lead to such a problem on its own, not through someone wanting to reset the debt but rather from a massive case of distributed fraud as the result of these kinds of security breaches.

I mean, what do you do when something like 40 million transactions could be legit ... or could be bogus? There's no human way to know what's real and what's not if you have to check every one of them. I'm sure they have computerized methods, but I'd imagine that there is still a level of distributed low-level (i.e. not buying boats and plasma TVs) fraud that would disrupt the system in some critical way.

The only way

[BCW2]

To end this kind of thing is to make the companies handling records financialy responsible for any problems. Triple the amount in damages to each misused account. They won't do anything until it affect the P&L severely. It's the only thing big corporations understand.

Good thing I have online banking!

[MtViewGuy]

That way, I can closely monitor all my bank's account activity to make sure somebody isn't trying to hack into my accounts to steal my money. That was how I was able to find out somebody did an inside job identity theft of my checking account and they stomped out that fraud (and got the "perp" pretty quickly).

However, before you do online banking, I would recommend you have both antivirus and firewall programs active and run anti-spyware programs at least once a day to keep out keystroke loggers.

cardsystems.com/careers.html

[St.+Arbirix]

It's worth mentioning that they're hiring people with VMS and WindowsNT experience. Small wonder the malicious code got in there.

There are some numbers hackers can't steal.

[game+kid]

there are some numbers hackers can't steal

for everything else there's MasterCard

(Accepted all over, even if it's not yours.)

Re:Also proves that..

[Curtman]

Even on Slashdot hackers get a bad name. Hackers are people who love to play with technology, not cause carnage and destruction. This guy is a "criminal".

ABN-AMRO uses such a system

[nietsch]

My bank over here in holland uses a similar system to authenticate it's online banking. You have your card (with a chip on it) you know your PIN (very weak password IMHO) and you get a standalon reader that you have to put your card in, punch in your pin and a 8 digit number generated by them. It generates a 6 digit code that you have to enter in the webpage.
It has no connection to your computer, so no inpompabilities for mac/linux users and no chances of spyware/keyloggers making off with valuable passwords. You indentify with wath you know and what you have. The processor only has to know the public part of the keypair (the private one is on your card, probably 'encrypted' with your pin). If such a processor is breached, they will not get any info on the card.

Re:Also proves that..

[LiquidCoooled]

Yes and gay people walk around happy all day (actually, they might, but the usage of the word has changed)

Deal with it.

imagine a similar disaster

[e**(i+pi)-1]

Now imagine a headline in 10 years: "120 Million biometric data stolen" It seems that the technical challenges to keep data secure has sunk in already. This credit card data breach could support these concerns.

Re:Also proves that..

[Curtman]

Yes and gay people walk around happy all day

That would be a good analogy if only there was a culture of straight gay people that was upset about being associated with homosexuals.

Re:I think that we'll see more of this

[Xyrus]

Here's the ting though, the credit card companies aren't suffering financial losses.

When fradulent charge is made, you call them. They call the merchant and say, "Sorry bud, you just got pwned."

The merchants take the hit. So credit card companies could really care less.

~X~

Re:Also proves that..

[LordEd]

By now, most slashdot hackers should be aware of the differences between the media use of 'hacker' and the proper use of hacker. Just like being desensitized to violence on TV.

Re:Also proves that..

[raehl]

Hackers are people who love to play with technology, not cause carnage and destruction. This guy is a "criminal".

Hackers are people who love to play with technology, who *MAY* also like to cause carnage and destruction.

White or black, a hack is a hack.