Slashdot Mirror

← Back to Stories (view on slashdot.org)

Security Breach Exposes 40M Credit Cards

Posted by Zonk on from the consider-the-planet-hacked dept.

The Good Reverend writes "MasterCard International announced today that a security breach at CardSystems Solutions, a third party processor of payment card data, potentially exposed more than 40 million cards. Mastercard is aware of the specific card numbers affected, and is giving its member financial institutions the numbers that may have been compromised. Unlike many of the past high profile cases this one involves a hacker rather than lost packages. CNN Money, the New York Times, Reuters, MSNBC, ZDNet, C|Net, and the Washington Post are also covering the story."

23 of 304 comments (clear)

  1. Proves that the hackers... by bpuli · · Score: 5, Insightful

    will always exploit the weakest link in the chain. MasterCard itself might have the best security but what about all the systems downstream? Wonder how many more of these transactions processors have been compromised and don't even know it yet.

    --
    BP http://www.card-central.com
    1. Re:Proves that the hackers... by Ian+Jefferies · · Score: 5, Funny

      Just wait for the spam social engineering angle to kick in:

      "Just enter your credit card details into this site to see if your credit card number was one of those stolen"

      (Answer: not until 5 seconds ago)

      --
      A physicist is an atom's way of thinking about atoms
    2. Re:Proves that the hackers... by Anonymous Coward · · Score: 5, Informative

      Have to agree here. I work for a large mailing house company which processes client data and sends out bank statements and tax details and all sorts of other private information.

      Having a in depth security background, I can safely say that the security of this place is shocking. The guys handling this sensitive data are just kids straight out of uni. The banks etc themselves can go to great lengths to protect their clients data, but then they outsource to 3rd parties and hand over all their data to be processed.

      Posting anonymously for obvious reasons.

  2. A bit over 1/4 were mastercard branded... by the+packrat · · Score: 3, Insightful

    But that leaves a little under 3/4 who aren't mastercard branded. If it was a typical third-party payments system then it is likely that they handled other types of credit cards, just that those companies havent commented yet.

    So when is the other shoe going to fall?

    --
    Nihil Illegitemi Carborvndvm
    1. Re: A bit over 1/4 were mastercard branded... by Black+Parrot · · Score: 4, Insightful


      > But that leaves a little under 3/4 who aren't mastercard branded. If it was a typical third-party payments system then it is likely that they handled other types of credit cards, just that those companies havent commented yet. So when is the other shoe going to fall?

      The news has been reporting for the last 14 hours (at least) that the four major credit cards are all affected.

      Also, this has been known since May 22, but everyone was keeping it quiet.

      If there's another shoe, it's going to be that the breach was even larger than reported, or that they got more information than we're being told.

      --
      Sheesh, evil *and* a jerk. -- Jade
  3. RTFA PEOPLE by Anonymous Coward · · Score: 3, Informative

    About 25 MILLION of the 40 WAS NOT a MasterCard, so there are a WHOLE bunch of credit card providers who like leaving you in the dark here people.

  4. Lesse by yotto · · Score: 3, Funny

    Interest rate: 20%
    Annual Fee: $40
    Randomly being declined because the machine is on the fritz: $1-$1000 purchase down the drain.
    Being the target of fraud through no fault of your own: Priceless.

    --
    Pulp Audio Weekly - Geek News and Reviews
  5. What I would like to see by Timesprout · · Score: 4, Interesting

    since people here (Ireland) and the UK are basically being encouraged to rack up debt is some one to crack Mastercard/Visa and wipe out all the amounts owed on credit cards. Might encourage the financial institution to be a little less carefree with their lending policies.

    --
    Do not try to read the dupe, thats impossible. Instead, only try to realize the truth
    What truth?
    There is no dupe
    1. Re:What I would like to see by timeOday · · Score: 3, Interesting
      On the other hand, we could always ask the "responsible" adults who take out these credit cards to actually take responsibility for once and only take out and use credit they can afford to pay back?
      It's counterintuitive, but I don't think this is what the creditors want, really.

      Yes, they would like everybody to be in debt up to their eyeballs and still get 100% repayment, but the simple fact is some percentage of people who borrow to the max will have a period of unemployment, or divorce, or health problems, or simply get discouraged and choose to flake out.

      Getting closer to 100% repayment would require significantly lower levels of personal debt and higher savings. It works out better for creditors, and perhaps even for the GDP of nations, to keep individuals highly motivated - on the edge of financial disaster. The ocassional losses are more than compensated by high balances at high interest.

      Creditors like to take on this victim complex whenever somebody fails to repay. But in fact, all investments have risk, including loaning money to people through credit cards. That level of risk is already reflected in the high interest rates that borrowers pay on the cards. Why do companies offer these risky "payday loans"? Because the usurious interest rates and penalty fees more than make up for the losses.

      Creditors also like to blame deadbeats for placing an extra burden on the rest of us good, hardworking and honest citizens. But this too is mostly false, since people are placed in different pools depending on their payment history. Those with significant credit history blemishes are already paying sky-high interest rates - a sort of security against the credit, which they will never get back even if they are perfect borrowers for the rest of their lives.

      And in case you're wondering, no, I don't have bad credit. But I do have only so much pity for the credit card companies, with their crocodile tears, as they demand bankruptcy reform (favorable to themselves, of course) while socking away truckloads of profit. If our law were really putting creditors in an unfair disadvantage, credit would be hard to get, and that would be a problem. Instead, payday loan outfits are sprouting on every corner like mushrooms, and college students with no income can get as many credit cards as they like. That doesn't sound like an under-profitable industry to me.

  6. being a site full of geeks by circletimessquare · · Score: 3, Interesting

    everyone here will be proposing a technical solution

    but let me posit my own nontechnical solution: the processor must pay for a replacement card for every single victim

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    1. Re:being a site full of geeks by gweihir · · Score: 4, Insightful

      the processor must pay for a replacement card for every single victim

      An one more: Processors should have mandatory insurance against this event. Then the insurance company would check their security with a keen eye....

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  7. The card number / expiry-date system is stupid by mukund · · Score: 3, Insightful

    Banks and financial institutions need to start using public-key encryption to authenticate a user rather than a card number and expiry date. Many visa/master cards already come as smart cards these days and it should be easy to upgrade them to operate as a JavaCard for example. Couple this with a USB card reader issued by the bank. A website can then ask for a signed payment (to be signed in a chip inside the card) valid for a short time period and only usable once in the transaction only. You verify it by looking at the reader, or a display on the card itself and reading the name of the store you're making the payment for, and press a button on the card or on the reader to grant/deny it. In this way, no external software outside the card is involved with granting money which can be tampered with. The signature takes place in the card. No credit card numbers stored. Payment made. Everyone's happy.

    --
    Banu
  8. Let's slashdot the economy! by Black+Parrot · · Score: 3, Funny


    To ensure that no one places any fraudulent charges on our credit cards, let's all run out to our favorite toy stores and run up our cards to their limits.

    --
    Sheesh, evil *and* a jerk. -- Jade
  9. My Card? by valjean78 · · Score: 5, Funny

    Is there a form somewhere that I can enter my credit card information to check if my cc number has been comprimised? :p

    1. Re:My Card? by arose · · Score: 4, Funny

      I'm setting one up right now... :-P

      --
      Analogies don't equal equalities, they are merely somewhat analogous.
  10. This is simply the price of outsourcing. by 0xdeaddead · · Score: 5, Interesting
    See in the banking industry we run these "penetration scans" all the time, that are TOTALY WORTHLESS. I cannot emphasize this enough, that running the weakest setup possbile will pass their "tests" with flying colours. The people doing these tests (Some certified security specialists!) Think that firewalls are magical devices that know how to stop the pesky hackers. Bottom line is that people are involved, they are out of their element, and simply placeholders. Management in general needs to get out of this "placerholder" mentality when it comes to jobs, and just fire people that are not doing their jobs.

    Ok enough ranting, but trust me, in the late 90s banks were trying to outsource as many things as possible from customer service, to invoicing, bills, credit collections, applications and so on. As you can see when the "Credit card company" becomes nothing more than a brand, and a board of execs, everything is out of their control, not to mention every peice of the old credit empire is open for attack.....

    If anything the question is why did it take so long to find them?!

  11. Weakest link by hellfire · · Score: 4, Interesting

    It's not surprising someone other than MasterCard actually had a list of card numbers stolen. I have customers all the time tell me how they don't like what they feel are draconian measures to protect the credit card numbers people have in their own systems. What they fail to understand is that Visa and Mastercard require us to do this, and the protections we have are customer service.

    But they still complain, because their customers and they themselves don't ever notice. Hell at one point I was told by a demanding customer to remove the protections because he said "I'll risk it." I was tempted to show him how insecure he was by remotely accessing his system, getting his list of customer phone numbers, and telling all his customers that he was careless with credit card numbers and their numbers could have easily been stolen from his system.

    People are pretty careless about credit card security. It's usually in the name of convenience and visible customer service. Credit card security is invisible service. Being able to purchase something conveniently flies right in the face of having security which just might prevent you from selling something to someone, so some people don't care, as long as they are selling. Owners care once they find out that they'll be issued chargebacks, but individual salesreps will write down every credit card number on a piece of paper if it means making money for them personally.

    Visa and Mastercard have the right idea, and in the press release I like how they said that they gave cardsystems a "limited amount of time" to basically get their act together so this doesn't happen again. Education and enforcement of regulations... nice to see an organization, especially one that is a corporation, actually give a damn.

    --

    "All great wisdom is contained in .signature files"

  12. The only way by BCW2 · · Score: 4, Insightful

    To end this kind of thing is to make the companies handling records financialy responsible for any problems. Triple the amount in damages to each misused account. They won't do anything until it affect the P&L severely. It's the only thing big corporations understand.

    --
    Professional Politicians are not the solution, they ARE the problem.
  13. cardsystems.com/careers.html by St.+Arbirix · · Score: 3, Informative

    It's worth mentioning that they're hiring people with VMS and WindowsNT experience. Small wonder the malicious code got in there.

    --
    Direct away from face when opening.
  14. There are some numbers hackers can't steal. by game+kid · · Score: 5, Funny

    there are some numbers hackers can't steal

    for everything else there's MasterCard

    (Accepted all over, even if it's not yours.)

    --
    You can hold down the "B" button for continuous firing.
  15. Re:Also proves that.. by Curtman · · Score: 3, Insightful

    Even on Slashdot hackers get a bad name. Hackers are people who love to play with technology, not cause carnage and destruction. This guy is a "criminal".

  16. imagine a similar disaster by e**(i+pi)-1 · · Score: 4, Insightful

    Now imagine a headline in 10 years: "120 Million biometric data stolen" It seems that the technical challenges to keep data secure has sunk in already. This credit card data breach could support these concerns.

  17. Re:US numbers only? by Curtman · · Score: 4, Informative

    I think we all have to worry anyway. This kind of shit happens all the time. They're going to find the people responsible for these, and the corporations that allow it to happen will get off with only a bit of bad publicity. That's the real tragedy. There ought to be a law that if you are going to retain someone's personal information then you are responsible for keeping it safe. Same as I'm responsible for keeping my PIN number safe.