Lost Credit Data Improperly Kept, Company Admits
Zak3056 writes "Last week, MasterCard announced that up to 40,000,000 credit card numbers may have been compromised by one of their processing companies. Today, the New York Times (registration, along with firstborn child, required) is reporting that the company in question, CardSystems Solutions, should not have been retaining that data to begin with. John M. Perry, CEO of the processor in question, claims the data was merely being kept for 'research purposes.' The number of compromised MasterCard accounts has been revised downward to about 68,000, with another 132,000 possibly compromised accounts belonging to Visa, American Express, and other companies."
Am I reading this correctly? 40 million down to just over 60 thousand? I mean, if the latter figure is correct, this is a MUCH different (less major) story.
== Jez ==
Do you miss Firefox? Try Pale Moon.
I'm sure it's been mentioned every time a NYT article is posted, but use the NYT Link Generator .
Btw, NoReg for this article.
Your hair look like poop, Bob! - Wanker.
If I have been able to see further than others, it is because I bought a pair of binoculars.
the data was merely being kept for "research purposes."
well, that makes it ok then. NOT!
This isn't an error at all, it's actually a *feature* of your credit card agreement. Gets your card number out there so you don't have to bother giving it to retailers - they already have it!
or else!
If the people at MasterCard have any sense, they should drop that processing company just based on the fact alone that they were handling all of that sensitive information inside of a VB Script "application." Oh and that they weren't supposed to be holding that data anyway and it was stolen somehow.
Where is Google Wallet when we need it!!!
Go to the w3.org and put Slashdot.org through the validator.
We got a call today from Amex about our card possibly having unauthorized use at DunkinDonuts.com
Funny thing is we would probably shop there. All nicotine and caffeine diet and all.
...to hold your credit card data for "research purposes."
I'm researching a trip to the Bahamas.
my geeklog
Can you say "lawsuit"? This was a total lapse in judgement in keeping data they shouldn't have compounded with the fact that they didn't secure their network. I'd place money on this company not surviving this error. Even if the loss of money in settlements doesn't break them, I'd bet they will lose most of their future business because of this (and rightly so).
But why is the rum gone?
Here is the reg free and "fricken huge flash ad skip" link.
"We should not have been doing that," Mr. Perry said. "That, however, has been remediated." As for the sensitive data, he added, "We no longer store it on files."
Should be read as:
As for the sensitive data, he added, "We still store it, just not in files."
If I have been able to see further than others, it is because I bought a pair of binoculars.
I just heard that they revised the numbers again. Now it appears that the lost data is actually just 4 credit cards. And they're all Fashion Bug cards so it would be really easy to spot them if they were used illegally.
Pulp Audio Weekly - Geek News and Reviews
Apparently, keeping credit card numbers secure isn't working out. Why? Because it's just a number. The major credit companies need to revise how the whole credit system works. If they assume that everyone knows everyone else's credit card number by default, they should be able to devise a system a hell of a lot more secure than some 16 digit number. Your credit card number has to be retained by anyone you do business with so that they know who you are. Credit card security needs some major improvements, like a passphrase, password, or even a PIN. A 4-digit PIN would make a world of difference, but if you're going to fix it, you should fix it right. A passphrase would be best. Something that's communicated when the authorization is taking place, checked against a nice secure server, and then is forgotten and not retained. The fact that a system of this nature is not yet in place just shows that the major credit card companies just don't give a shit.
/end rant
Aero
Please stop hurting America -- Jon Stewart
I don't wanna be a troll here, but please, there are a dozen other sites that have the same article. Do we have to rely on a site that requires you to log in?
http://www.internetnews.com/security/article.php/3513866/
Let's face it, credit cards have never been safe and will never be safe!
It's the price you have to pay for the convenience credit cards offer.
Are we hearing about this more, or is it happening more?
Pretty Pictures!
Internet connection - $30
Homemade Computer - $700
2 Liters of Mountain Dew - $2
Stealing 40 Million people's credit card information with your 1337 h@x0r s|i77z - Priceless.
There's somethings that money can't buy, but for everything else, there's MasterCard.
Don't take life so seriously. No one makes it out alive.
It makes sense that the companies that are retaining CC data improperly would be the ones most likely to allow it to be compromised.
The security of the data is nothing more than a second thought to many of these companies. If they feel they can keep around a huge data mine of everyone's data they can get their hands on, in violation of the proper procedures, it should come as no surprise that they wouldn't be that vigilant in securing it properly.
Once again, evidence that there should be criminal penalties for improper handling of personal information. If you collect it, you better make sure it's safe. Otherwise, stop collecting it.
"Sorry, we meant 68 thousand."
Oh okay, now there's a simple mistake.
What does CardSystems Solutions do "research" on, anyway? How to screw up decimal point placement?
No, these idiots were completely hacked. The only thing they know for certain is that the files they were illegitimately retaining were unprotected and thus vulnerable during the break-in. But someone who could compromise them that badly might very well have been intercepting all the transactions they did not retain. Since these folks think VB scripts are good protection, they are probably clueless about security and assessing intrusion.
Some drink at the fountain of knowledge. Others just gargle.
Now it all makes sense......
Quoted from article..
"The standards themselves are very effectively written," said Tom Arnold, a partner at Payment Software Company, a consulting firm in San Francisco that advises and provides security assessments for merchants and processors. "The challenge in the industry can be when people don't fully comply or try to cut corners."
Tom Arnold !! No wonder. He needs to find another Roseanne Barr quick before he's homeless !
Success is not the result of spontaneous combustion, you must set yourself on fire.
Translation: ``We've come up with some fiction which will let us maintain plausible deniability next time we lose data we shouldn't have had in the first place.''
As for the sensitive data, he added, "We no longer store it on files."
Translation: ``We're going to come up with some nifty new word to replace the word `file', so we can truthfully say that we no longer have your data in our files.''
More seriously, it makes good sense to me that they were retaining data for research purposes. They'd be irresponsible not to, just as surely as they were irresponsible not to have an air gap between that data and the internet.
See what I've been reading.
I'm on the run from the feds so I couldn't register and read the article, but their excuse is that they were keeping it for research purposes? Seriously? That's the best they could come up with? "Oops" is better than "we were keeping it for research purposes." 'Cause I'm pretty sure none of your customers are going to be happy that you're being negligent with the thing that gives people access to huge amounts of their money so you can keep track of how much toilet paper they buy.
We need a new system based on PGP or something. A system where we have single-use transaction numbers, and you have to give a PGP signature for each usage of a transaction number. Right now it's way too easy for hackers to steal credit card information, or for unethical merchants to make unauthorized charges. We need to put the consumer back in charge of their own finances.
Currently, any 'merchant' can charge whatever they want once they have your credit card number. Sure, you can issue a chargeback or contest the charges, but why should *you* have to clean up after someone messes with your account? It's ridiculous.
Computers are useless. They can only give you answers.
-- Pablo Picasso
"The number of compromised MasterCard accounts has been revised downward to about 68,000, with another 132,000 possibly compromised accounts belonging to Visa, American Express, and other companies."
Is that so? I'm going to have to throw the bullshit flag on this one. Any numbers that add up to a nice round number like '200,000' are complete crap that someone pulled directly out of their arse.
I'm sorry, but I just don't buy it. I say they don't have a fucking clue how many numbers were exposed.
Aero
Please stop hurting America -- Jon Stewart
People have to realize that privacy isn't just some criminal's ideal to keep from getting caught. If the data is out there it will be seen, hacked, sold and abused.
----
Go canucks, habs, and sens!
For those people who pay attention to the news, 40,000,000 cards compromised would be basically every card they handle assumed to have been compromised, an impressive feat indeed. The person would have had to have a consistent and unnoticed connection to the server, or walked out with a burned DVD or two of information.
The other interesting mathematical issue that came up was the child molester in Oregon; he was reported to have molested 30,000 kids over 35 years, 12 of which he spent in jail, hmmmm.
That would be over 4 separate kids a day.
I can't even find a way to molest 4 separate drunk girls in a night without at least one of them telling someone. I am calling bullshit on this one.
Like arts? Like cheesy little Indie mags? Check out www.artwerkmag.com, and don't laugh at the bad coding please.
What more proof does anyone need that no one gives a flying-FUCK about us average people?
I'm writing my congressman, we shouldn't have to deal with this shit.
Statesmen serve to better the country and help the people.
Politicians serve to better themselves and help friends.
"MasterCard said Saturday that 68,000 of its own account numbers were especially at risk because they were in a file found to have actually been "exported from the system."
So in reality, they are only saying that they know of 68k that were downloaded. I believe it should be treated as if the other 39 million were compromised. I mean if someone cracks a system on your network do you only consider passwords used on that machine to be compromised? No, you change them all!
According to the article, the company in question has *never* been in compliance with MC's security rules. Since MC is supposedly doing audits and all, why have they not terminated the account and awarded it to someone else? They're leaving themselves wide open, and they're a much bigger target than the company that got caught.
I didn't have to log in. The article just appeared when I clicked. I'm not registered with the Times, as far as I can recall.
Damn it, I'm sick of this weekly news of credit card security breaches. In this case the data wasn't even encrypted.
"Zero liability for customers means that fraudulent charges come out of a bank or store's coffers in the form of higher merchant transaction fees. 'The retailers will pay for it and the issuing banks will get rich off it,' Ms. Litan said. 'It's just another revenue stream.'"
Sorry, I call bullshit. Retailers pass the higher costs on to you and me.
"'We should not have been doing that,' Mr. Perry said. 'That, however, has been remediated.' As for the sensitive data, he added, 'We no longer store it on files.'"
That's just fine, Mr. Perry. Now may I have the credit card numbers, addresses, phone numbers, SSNs, etc. of you, your family and the execs at CardSystems Solutions? I *promise* to keep them safe and give them the same care you provided the other customers....
From TFA:
Jessica Antle, a MasterCard spokeswoman, said that CardSystems had never demonstrated compliance with MasterCard's standards. "They were in violation of our rules," she said.
Asked about compliance with Visa's standards, a Visa spokeswoman, Rosetta Jones, said, "This particular processor was not following Visa's security requirements when we found out there was a potential data compromise."
Question:
Why is CardSystems Solutions still a processor for Visa and MasterCard?
The article alludes to fraudulent activity starting back in mid-April leading to an investigation of this particular card processor in mid-May. That suggests that the card companies do some rather interesting statistical analyses on fraud patterns to find commonalities. In this case, they were able to detect that an unusual number of cards with fraudulent transactions had, at some point, a transaction that shared a common card processor sometime in the past.
Obviously, someone (I assume its Mastercard, Visa, etc.) is storing sufficient volume of historical transactions (including metadata such as the 3rd-party transaction processor) to analyze patterns such as this. With some 60 billion card transactions per year worldwide, this would make for a very large dataset and a very interesting analysis problem.
Two wrongs don't make a right, but three lefts do.
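The analysis the post above infers (find the processor that an unusual share of fraud-hit cards have in common, using only transactions that happened *before* each card's fraud was reported) as an added example, not code from the article or from any card network. The transaction history, the fraud-report dates and the processor names proc_A/proc_B/proc_C are constructed sample data; the ranking is a plain lift over the population fraud rate, with a minimum exposure count so a processor that saw two cards cannot top the list on one hit.

```python
from collections import defaultdict

# Constructed sample data: (card_id, processor_id, day). Days count from an
# arbitrary epoch. proc_A is a large acquirer that sees every card; proc_B and
# proc_C are smaller processors.
TRANSACTIONS = (
    [(c, "proc_A", 1) for c in range(1, 41)]
    + [(c, "proc_B", 5) for c in range(1, 9)]
    + [(c, "proc_C", 7) for c in range(11, 26)]
    + [(9, "proc_B", 60), (10, "proc_B", 60)]   # two cards seen at proc_B late
)

# card_id -> day the issuer first saw fraud on that card (constructed).
FRAUD_REPORTS = {c: 30 for c in range(1, 9)}
FRAUD_REPORTS[9] = 50     # fraud on card 9 predates its only proc_B transaction
FRAUD_REPORTS[30] = 35    # a fraud card that never touched proc_B or proc_C


def common_point_of_compromise(transactions, fraud_reports, min_cards=5):
    """Rank processors by the lift of their exposed-card fraud rate over the
    population fraud rate.

    A card is "exposed" at a processor only if it transacted there before any
    fraud was reported on it: a transaction after the fraud cannot have been
    where the number leaked. Returns [(processor, exposed, fraud_hits, lift)]
    sorted by lift, descending.
    """
    exposed = defaultdict(set)
    all_cards = set()
    for card, proc, day in transactions:
        all_cards.add(card)
        fraud_day = fraud_reports.get(card)
        if fraud_day is None or day < fraud_day:
            exposed[proc].add(card)

    base_rate = sum(1 for c in all_cards if c in fraud_reports) / len(all_cards)
    results = []
    for proc, cards in exposed.items():
        if len(cards) < min_cards:          # too little exposure to judge
            continue
        hits = sum(1 for c in cards if c in fraud_reports)
        rate = hits / len(cards)
        lift = rate / base_rate if base_rate else float("inf")
        results.append((proc, len(cards), hits, round(lift, 2)))
    results.sort(key=lambda r: r[3], reverse=True)
    return results


if __name__ == "__main__":
    for row in common_point_of_compromise(TRANSACTIONS, FRAUD_REPORTS):
        print(row)
```

With the constructed data, proc_B is exposed to 9 cards (cards 1 to 8 plus card 10; card 9's visit is after its fraud date and is discarded) and 8 of them went bad, against a population rate of 10 in 40, so it ranks first with a lift of about 3.6; the big acquirer sits at 1.0 because it saw every card, and proc_C saw no fraud at all.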
because sooner or later, this is going to become damning to the victims. It's already the onus of the victim to fix their identity theft problems, when it should be completely on the offending party.
I think that companies that allow this kind of breach to occur should be held in the harshest light and prosecuted federally, not at the state level. Federal sentences tend to be harsher and there is no parole. Just today they sentenced Rigas to 15 years. He should have gotten life, as should his son. Bernie Ebbers and Scott Sullivan should both get life in prison for what they did also.
They said (and have since the first announcement AFAIK) that there were as many as 40 million cards at risk. The official MC line never said there were 40M cards compromised. Merely at risk. Some media outlets may have reported this wrong, but every report I, personally, heard since last week got it right.
John M. Perry, CEO of the processor in question, claims the data was merely being kept for "research purposes."
Well, that makes it all OK, then, doesn't it? So long as it was for Science.
-EvilMagnus
cards to choose from? :)
Credit cards never have been safe, but that doesn't mean that they can't ever possibly be safe.
There are ways to do secure payments, usually involving cryptography. Generally, it works like a "digital check" where you create an authorization for a payment, digitally sign and date it, and then hand it over. They never have access to your credit card number, because the real secret is your private key, which never leaves your PDA/smart card/phone/etc. Your bank ensures that the "check" is only cashed once, and because of the crypto it can't be forged or altered without immense resources.
So why haven't we implemented this yet? Infrastructure, mostly. There's a LOT of infrastructure for the present system. It's expensive. Smart cards are expensive. The only thing that's more expensive is credit card companies getting massively ripped off. Perhaps you'll be getting your smart card right soon.
Perhaps not. Another reason is that the infrastructure represents a substantial agreement between the major credit card companies. Changing it involves getting a lot of people to agree on something. That's hard to do, especially when it has to be RIGHT. If they choose the wrong crypto algorithm, or if there are other weaknesses in the system they choose, you could be WAY more doomed than 68,000 missing credit card numbers.
So while there is a tradeoff between convenience and security, there are clearly better balance points than the one we have. Sadly, as long as inertia is an even stronger attractor, we may live this way for a while longer.
can we say one-way hash...
-- -- --
Help my mini cause: My journal
What are the contractual damages for violating their agreement?
I think $50 / incident is probably reasonable. That's enough to get the attention of the mom and pop store that might be facing damages of ten thousand dollars for improperly storing the CC numbers of a few hundred customers, but it's not so overwhelming that they would be forced out of business.
A major processor that held 40M records (assuming that that was the number of improperly held records, and the lower number were just those that might have been exposed) deserves $2 billion in contractual damages.
Mastercard would never collect that much in damages, of course, but it would be a corporate death sentence to any company -- and its executives -- deciding to do illicit "research." One prominent case could go a long way towards restoring confidence.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
...are horrendously obsolete and insecure.
We should be allowed to tell the store guy "I'll give you credit online." We should be able, within a reasonable period, to go home and specify the store to give credit to, along with the credit needed.
Example: I want the latest pair of Nikes. I'd try my size on, and tell the store clerk I want to pay with credit. He'd give me a voucher with a unique code that can be used to give him credit (a bit like wiring money).
Within 7 days (a month if it was a car or something) I go to my credit card company's site (either from home or at a credit-pay computer nearby), type Firstname Surname and p#a$s%s123 or something, and I'd have an option to "Pay Store by Code." I type vendorCode456 and $100 and the vendor gets the money--and ONLY that money without compromising cardholder identity. If we don't wire the full credit in time, we must forfeit the purchase, or take a nice job in Rikers Island.
This would prevent card companies from taking advantage of our going over credit limits, since the limits would be right in front of us on the site. Also, we would not even need a credit card, since in theory anyone could have a code, and the online payment would probably give the vendor a mail voucher with the payment. We would remain completely anonymous.
What do you all think? Better than easy-to-steal account numbers, right?
You can hold down the "B" button for continuous firing.
This story on npr says that the credit card companies can actually wind up making money when a fraudulent charge is made. Does this create an incentive for them to keep things safe?
--- http://davidnehme.blogspot.com
We used them as processors for about a year. We couldn't get rid of them fast enough. They hid all sorts of fees in our merchant charges and the "great deal" we got from them had so many exceptions that it was worthless. It left a real bad taste in my mouth. I sure hope they get the same treatment in reverse. Ha!
if card solutions is acting like a RICO outfit, treat 'em like a RICO outfit. shut 'em down and auction off the office chairs for reimbursement.
keep no numbers, folks, pass 'em or bilge 'em.
if this is supposed to be a new economy, how come they still want my old fashioned money?
That's what I want to know: when will companies that mishandle data like this be held 100% responsible to the people whose data they mishandled for the losses, fraud, etc.? I'm of the opinion that only when mishandling data results in actual financial consequences to the mishandler will things change.
>> He said the data was in a file being stored for "research purposes"
So aggregate data for 40 million accounts is being used for research. I can buy that, but why in the hell did the personal data attached to the transactions need to be stored? This sounds like crap to me.
I hope they go bankrupt from this.
http://request-header.info
Last week, after the whole 40m CC flap, a helicopter transporting six executives of MBNA Financial Services-- the company implicated in the security breach-- crashed into the East River.
http://www.pennlive.com/newsflash/pa/index.ssf?/base/national-46/1119097504217410.xml&storylist=pahomepage
Things that make you go HMMMMM.
Intolerance for ambiguity is the mark of the authoritarian personality.
Remember, although only 68,000 cards had the necessary secondary information on that site to exploit, that secondary information may otherwise be available. It just won't be provable that it's this company's fault.
Personally, I'd like to see a new law introduced, in which the loss of any personal information due to neglect, wilful insecurity or sheer incompetence should be finable at a rate of $25,000 (plus losses) per person per piece of information per incident.
Assuming the fine to be taxable, this would almost be enough to pay for the inconvenience AND the national debt.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
The bad news Mrs. Adams is that all of your credit card numbers have been stolen by hackers. The good news is, well ermm there is no good news for you other than we can charge you a 32% APR since you've maxed out all your cards. Oh by the way, we'll need your keys for collateral...
Doesn't American Express Blue (or whatever) allow you to generate one shot credit card numbers for online purchases?
It's easier for them to detect fraud in progress than it is to prevent it. When I say easier, I mean that it interferes less with their tertiary marketing of your personal data to make more money on top of interest payments and "membership fees."
These lenders have a cost of funds of under 5%. They're charging "good" customers as little as 9.9% and "bad" customers 20-30% interest. Even with high levels of fraud (as long as they can shut the fraudsters down relatively quickly upon discovery) and the money they're making selling your account/demographic information to advertisers, the banks are making money hand over fist. They have no fear of losing customers since our economy more or less forces you to have a credit card for many transactions. So there isn't any incentive for them to tidy up until the fraud begins to encroach on profits or the inconvenience of consumers causes pressure from lawmakers (who aren't inclined to buck the system since the banks donate heavily to political campaigns).
So what is a consumer to do? Boycott credit cards? You can't even do that. I was just declined for a consulting gig because my "credit score" was too low. I don't owe anyone any money and haven't owned a credit card in 10+ years. Having "no credit" seems to be worse than having "bad credit." There's no winning.
The problem is that a lot of companies want/need to keep your credit card information on record so that, for example, they can charge you monthly for a service. For obvious reasons they can't ask you to resupply a PIN every time.
If you follow the guidelines laid out by Visa and MasterCard, they tell you how to store credit card information encrypted and securely. For example, you're never allowed to store the CVC (3-4 digits on the back side of your CC) number in your database. The credit card number must be encrypted and all access to it must be logged. Also, the system should never give out more information than necessary to support a specific function. If you're caught being a company that leaked credit card information, the fines by Visa and MC are pretty steep.
It's obvious that in the case of this article these guidelines weren't followed.
In a properly devised system you will store credit card information securely and track who accesses the data and for what purpose. Also, credit card information is entered into a system but can typically never be retrieved; instead, when the company needs to charge a customer they will ask the system to do it on their behalf, e.g. charge customer id 123 with a $100 charge (this can be done without ever providing a human being the credit card information).
This is of course not a perfect solution and I could point out several severe weaknesses that exist in most online commerce sites, but until someone comes up with a better solution this is what we'll have to live with.
-- This SIG was swiped and denied...
With all these credit card insecurities, along with Social Security numbers (and reform?), isn't it time we had a single secure ID and authentication (powered by Micro$oft Passport) to keep us safe.
Wouldn't it be nice if the US govt could assist corporations in maintaining this secure ID? Why not use the new Federal ID instead! That way we can put our trust where it belongs, in the Whitehouse! Instead of these pesky insecure corporations.
I am currently participating in the process of getting certified by Visa/MC and am pretty familiar with the security requirements.. Visa/MC don't specify that you can't store card numbers, they just require you to do it in a secure method. This obviously would exclude saving this information in an unencrypted format in a text file. If you stick it (encrypted) in a database with two layers of firewalls limited to OTP access you're golden :)
The technology is based on digital signatures and electronic wallets. It's quite sophisticated. Perhaps it's time to dust it off and give it another whirl.
...how quickly they can get nailed with a class action lawsuit?
From this story:
http://news.com.com/Lost+credit+data+improperly+kept%2C+company+admits/2100-1029_3-5753557.html?tag=nefd.top
"The security breach was first reported Friday, when MasterCard International said a lapse at CardSystems had allowed the installation of a rogue computer program that could extract data from the system, potentially compromising 40 million accounts of various credit cards."
They put this information on a laptop running Windows, connected to the internet, and it got Spyware... wow, what a surprise...
LoB
"Anyone who stands out in the middle of a road looks like roadkill to me." --Linus
Essentially they are just that: best practices. I just did an audit prepping a company for Visa CISP certification and most things they require are pretty standard like password complexity, physical security, encryption used over public links, etc.. However the security all revolves around the credit card number so it's a little more focused than a normal security gig.
Also, Visa/Master require that vendors store as little info as possible in as few places as possible, and that they encrypt it in storage. Specifically no one is EVER supposed to store the CVV/CVC code or any portion of the magnetic stripe info. Also specific to this set of requirements, a subpoint of it being CC#-centric, is that even non-mission-critical systems have to have the same high level of security if they store CC info. So no one gives a shit if you are doing "research" or just processing sales, you HAVE to protect the numbers, ideally by encrypting that field in Oracle or something equivalent so when FedEx loses your backup tape it isn't a disaster.
One last caveat is that the program is still ramping up. It started about 4 years ago but most companies are struggling to implement the reqs still, and Visa is very understanding since if they are too stringent and cut off the offending vendor they lose revenue.
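The controls described in the two posts above (never persist the CVC or track data, keep the PAN encrypted at rest, log every access, and let callers charge a customer id rather than ever reading the number back) as an added example. This is not code from the article, from CardSystems, or from the Visa/MasterCard programs; the class name CardVault and the fake_gateway stub are hypothetical, the PAN is the standard 4111... test number, and the cipher is an HMAC-SHA256 counter-mode keystream with a separate authentication tag, used here only because the standard library has no AES. A real vault uses AES-GCM from a vetted library with the key held in an HSM or KMS rather than in process memory.

```python
import hashlib
import hmac
import secrets

# ---- Encryption stand-in (see lead-in): PRF keystream + encrypt-then-MAC ----

def _subkeys(master):
    return (hmac.new(master, b"enc", hashlib.sha256).digest(),
            hmac.new(master, b"mac", hashlib.sha256).digest())

def _keystream(key, nonce, length):
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def encrypt(master, plaintext):
    enc_key, mac_key = _subkeys(master)
    nonce = secrets.token_bytes(16)          # fresh per record: never reuse with CTR
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce, ct, tag

def decrypt(master, nonce, ct, tag):
    enc_key, mac_key = _subkeys(master)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext tampered")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

# ---- The vault ---------------------------------------------------------------

def luhn_ok(pan):
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return 12 <= len(pan) <= 19 and total % 10 == 0

# Fields the card brands say must never be stored after authorization.
FORBIDDEN = {"cvc", "cvv", "cvv2", "cid", "track1", "track2", "pin"}

class CardVault:
    """Stores PANs encrypted; exposes only a mask and a charge-by-id operation."""

    def __init__(self, master_key):
        self._key = master_key
        self._records = {}
        self.audit = []            # (actor, action, customer_id), append-only

    def store(self, actor, customer_id, pan, exp_month, exp_year, **other):
        banned = FORBIDDEN & {k.lower() for k in other}
        if banned:                 # refuse at the door, do not silently drop
            raise ValueError(f"refusing to persist {sorted(banned)}")
        pan = pan.replace(" ", "")
        if not (pan.isdigit() and luhn_ok(pan)):
            raise ValueError("invalid PAN")
        nonce, ct, tag = encrypt(self._key, pan.encode())
        self._records[customer_id] = {"nonce": nonce, "ct": ct, "tag": tag,
                                      "last4": pan[-4:], "exp": (exp_month, exp_year)}
        self.audit.append((actor, "store", customer_id))

    def masked(self, actor, customer_id):
        self.audit.append((actor, "view_masked", customer_id))
        return "*" * 12 + self._records[customer_id]["last4"]

    def charge(self, actor, customer_id, amount_cents, gateway):
        """Decrypt only for the duration of the gateway call; never return the PAN."""
        rec = self._records[customer_id]
        self.audit.append((actor, "charge", customer_id))
        pan = decrypt(self._key, rec["nonce"], rec["ct"], rec["tag"]).decode()
        return gateway(pan, rec["exp"], amount_cents)

def fake_gateway(pan, exp, amount_cents):
    """Hypothetical acquirer stub: echoes an auth result, not the PAN."""
    return ("approved", pan[-4:], amount_cents)

def demo():
    vault = CardVault(secrets.token_bytes(32))
    vault.store("signup-service", "cust-123", "4111 1111 1111 1111", 12, 2027)
    try:
        vault.store("signup-service", "cust-124", "4111 1111 1111 1111", 12, 2027, cvv="123")
        rejected = False
    except ValueError:
        rejected = True
    receipt = vault.charge("billing-job", "cust-123", 10_000, fake_gateway)
    return (vault.masked("support-ui", "cust-123"), receipt, rejected,
            [a[1] for a in vault.audit])
```

Nothing in CardVault returns a plaintext PAN to a caller: the support UI gets a mask, the billing job gets a receipt, and the one decrypt happens inside charge() where only the gateway sees the number. The audit list is what the "all access must be logged" requirement looks like in the smallest form; in production it goes to an append-only store the application cannot edit.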
This credit card account theft would not have occurred if we used smart cards capable of public key cryptography instead of numbers/passwords/passphrases/etc to authenticate our financial transactions. Ideally, the bank wouldn't even have to know your private key, which could be stored on a small device (such as a smart card).
Stealing a physical object (while this still may be a problem) is much harder than intercepting transactions on a trojaned server, where credit card numbers can be harvested millions at a time from companies that have little incentive to keep private data private.
I think what you really want is public key digital signatures. You can get smart cards now that do 2048 bit RSA. Why trust the credit card companies to not store private information when the technology exists to authenticate your transactions without divulging any private information whatsoever?
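The "digital check" of the earlier post (create a payment authorization, sign and date it, hand it over; the bank makes sure it is cashed only once) together with the single-use-number and signing-device ideas of the posts above, as an added example that is not code from any of the posters or from any payment network. The key generation is a textbook RSA built on the standard library so the block runs offline, and the signature is an unpadded hash-then-sign: both are teaching stand-ins, and a real scheme uses RSA-PSS or Ed25519 from a vetted library with the private key on a smart card or secure element. Names such as Bank, write_check and the one-week expiry are assumptions for illustration.

```python
import hashlib
import json
import secrets
import time

def _is_probable_prime(n, rounds=32):
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):                      # Miller-Rabin rounds
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def generate_keypair(bits=1024):
    """Textbook RSA: returns (public=(n, e), private=(n, d)). Demo only."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        if p != q and (p - 1) % e and (q - 1) % e:   # gcd(e, phi) == 1
            break
    return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))

def _digest(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

def sign(private, msg):                  # unpadded hash-then-sign: demo only
    n, d = private
    return pow(_digest(msg), d, n)

def verify(public, msg, sig):
    n, e = public
    return pow(sig, e, n) == _digest(msg)

def _canonical(check):
    """Deterministic bytes covered by the signature (everything but 'sig')."""
    body = {k: v for k, v in check.items() if k != "sig"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def write_check(private, payer, payee, amount_cents, now=None):
    """The cardholder's device signs a one-time authorization for one payee."""
    check = {"payer": payer, "payee": payee, "amount_cents": amount_cents,
             "nonce": secrets.token_hex(16), "issued_at": int(now or time.time())}
    check["sig"] = sign(private, _canonical(check))
    return check

class Bank:
    MAX_AGE = 7 * 24 * 3600              # a check older than a week is refused

    def __init__(self):
        self.accounts = {}               # payer -> [public_key, balance_cents]
        self.spent = set()               # (payer, nonce) already redeemed

    def open_account(self, payer, public, balance_cents):
        self.accounts[payer] = [public, balance_cents]

    def redeem(self, check, presented_by, now=None):
        """Return (accepted, reason); the payer is debited only on success."""
        now = now or time.time()
        acct = self.accounts.get(check.get("payer"))
        if acct is None:
            return False, "unknown payer"
        public, balance = acct
        if not verify(public, _canonical(check), check.get("sig", 0)):
            return False, "bad signature"          # forged, or amount altered
        if check["payee"] != presented_by:
            return False, "payee mismatch"         # stolen check, wrong merchant
        if now - check["issued_at"] > self.MAX_AGE:
            return False, "expired"
        if (check["payer"], check["nonce"]) in self.spent:
            return False, "already redeemed"       # replay of a valid check
        if check["amount_cents"] > balance:
            return False, "insufficient funds"
        self.spent.add((check["payer"], check["nonce"]))
        acct[1] -= check["amount_cents"]
        return True, "ok"

def demo():
    public, private = generate_keypair()
    bank = Bank()
    bank.open_account("alice", public, 50_000)
    check = write_check(private, "alice", "shoe_store", 10_000)
    first = bank.redeem(check, "shoe_store")                  # accepted
    replay = bank.redeem(check, "shoe_store")                 # same nonce again
    tampered = bank.redeem(dict(check, amount_cents=90_000), "shoe_store")
    diverted = bank.redeem(check, "other_merchant")
    return first, replay, tampered, diverted, bank.accounts["alice"][1]
```

The merchant never learns a reusable secret: the check names the payee and a fresh nonce, so replaying it, presenting it elsewhere, or editing the amount all fail at the bank, and a breach of the merchant's database yields nothing that can be spent again. The account balance after demo() is 40,000 cents, since only the first presentation is honoured.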
What if you were to use one of those RSA key cards, you know, the one where the number is only valid for 90 seconds. That, matched with a password or PIN, authenticates you at that POS, and since it's only valid for 90 seconds they can't keep track of your card number.
The data was being kept kept for "research purposes ...
... of course.
and in other news, Japanese whalers are applying to double their kill to 25,000 next year.
For scientific research
"Cats like plain crisps"
I think that the lost credit data is a big problem. but a bigger problem is the fact that Mastercard has known about this theft since May. Companies are just not open enough with practices and information.
link (realaudio, wmp)
forget about the laptop part...I don't know where I got the bit about the laptop but rereading shows nothing about that. The quote is still valid though. It was a "rogue computer program"..... I guess they don't know that everyone else calls these Spyware programs.
Lob
"Anyone who stands out in the middle of a road looks like roadkill to me." --Linus
Does no one smell the coffee? What if all these cc numbers (quite a few million have been reported stolen in the last couple weeks) are used by Al Qaida in a future attack on America?
Just another inaccurate flame on Windows. From every article I have read, not once does it say this information was on a Windows-based laptop. You made 2 false assumptions. #1: The company does not use Windows-based machines, citing cost effectiveness. And #2: I believe you were referring to an older story about the information being on a laptop that got stolen. And you got a karma bonus... do your homework before posting idiotic comments.
~~"Of course, that's just my opinion. I could be wrong." ~~Dennis Miller
Presumably there are companies that aren't this stupid. This was one credit card processing company; there are hundreds of corporations in the industry.
The issue is that malicious hackers don't go after the processors which are well protected, and a story like "Responsible Company Follows Security Guidelines; Doesn't Get Hacked" probably won't make it to the front page of the NYT (or /., for that matter).
I don't know where you get MBNA from - the compromised company was CardSystems Solutions.
That's exactly what it is, credit cards are just a way to "print your own money".
Why? With the wars, and space race, the USA's currency is not worth what it used to be.
Overpopulation cheapens the labor market. We get paid peanuts, but things cost a lot more, so we "print our own money". The Banks used to be so stingy with credit, now it's "help yourself".
Offers of credit cards with credit lines of tens of thousands of dollars pour in to your mailbox.
Do you suppose the government is "in" on this?
Sure. If prices and wages were fixed, then where would the value of the dollar come from? Your imagination? The USA is a nation of buyers of goods "Made in China". The Chinese get the money, as well as the middlemen here. We do nothing but spend. No value there. So, we have inflation.
Remember Germany after WWI? Inflation so bad it took a wheelbarrow full of marks to buy a loaf of bread. They did not know how to make "plastic", apparently. Also, the banks there were cheap bastards, not wanting to make any loans in an inflationary environment. Repay the loan with cheap money? Nope. No loan for You!
American banks got into a credit card war in the early 1960's, when Bank of America issued $300.00 cards, only to be faced with Bank of California $500.00 cards to each customer who paid off a loan with a satisfactory rating. I got two! ($1,000) limit. Whoopee! I had lunch and paid for it with money I might just not have to pay back, if I "expired prematurely". Great idea! Cheat the Grim Reaper! The bastard won't take you, because you owe a greater demon, the Bank! Works for me! Now, you'll live to repay those damn credit cards!
What a royal mess!
I just got a call from my credit union about this. Seems they were notified this morning that a number of cards they issued were affected, and they're actually calling the customers to go over the recent transactions and to notify them that new cards will be issued! I'm so impressed.
"I don't think I ain't" -Thompson's Corollary to Descartes
I got two emails from my bank today (10:52am and 4:59pm EST).
Dear Customer,
An incident involving unauthorized access into a third party processor system has occurred. A company which processes transactions for physical retail merchants and Internet merchants was the victim of a computer hacker between September 2004 and May 2005. They have identified your check and/or credit card as one of the cards possibly exposed. Information compromised includes account numbers and expiration dates, as well as cardholder names and addresses.
We understand that you will most likely be concerned when you read this. Rest assured that if your information has fallen into the wrong hands, you will not be liable for any unauthorized transactions using your Check Card or VISA Card*. However, it is very important that you monitor your account(s) closely and notify us immediately of any unauthorized transaction. If such a transaction does occur, you will need to complete a VISA dispute form, available through the maintenance area of our online banking system, in order to receive provisional credit for the amount of the transaction. We recommend, as a precaution, that you call Customer Support to block your card and we will re-issue a new one. Our Banking Specialists and Loan Representatives will make that decision with you on a case-by-case basis, as we do not want to hamper your use of the card.
We also understand that you will have other questions, such as the identity of the processor. When we receive notifications of this variety from VISA, VISA does not and will not reveal the name of the merchant or processor unless the incident has already been made public by the merchant.
Again, we do ask that you monitor your account carefully in the weeks ahead by making use of our telephone, wireless, and online banking systems. If you have any questions or concerns, please contact a Banking Specialist or Loan Representative for more information.
Thank you for banking with us.
*This limit on liability does not apply to PIN-based ATM or point-of-sale transactions.
Believe in Technology and AMAZE yourself. -- RIP ZDTV/TechTV
So basically, if my credit card company screws me, I have to grin and bear it. The alternative is to cancel the card(s) and incur poorer credit.
--"It's Bradford Company, slash your last name, dot your first name"
You know... register? You don't have to enter real data. That way you don't have to use any generator, and can just click through directly to the article, while simultaneously not appearing childish for whining every time an NYT link is posted.
It's not my liability. It's the credit card company's liability. If someone steals my card number and charges up on it, it's not my problem, it's theirs. The CC companies know that fraud is unavoidable without huge amounts of investment, and tolerate a certain amount because it still nets them a huge profit.
So, let them steal it, I don't care. I care much more about things I can't change or cancel, like my driver's license number or SSN. Now why can't I change those when they are stolen?
CardSystems Solutions was researching:
(1) how much additional revenue could be attained by selling this ancillary database on the open market à la Checkpoint Solutions,
(2) how far they could push the limits of corporate criminal liability,
(3) how tolerant the credit card issuers, their customers, would be to violations of their contractual obligations,
(4) how tolerant Federal lawmakers and prosecutors would be toward this company's gross financial malfeasance, or
(5) how big a contract they could get with Dubya's Department of Homeland Security for their data being included in the MATRIX program.
This slimy excuse for a corporation deserves to be legislated, prosecuted, and sued out of existence. The corporate officers need to spend some "quality time" breaking big rocks into small ones in a Federal prison, all while getting their proverbial "cherries" broken daily by their cellmates.
There is absolutely no excuse that the credit card issuers can validly make for continuing to do any further business with these asshats.
If you're talking about the US, then no, not really. A few years ago, the US dept. of labor changed the way the CPI is calculated to hide it a little better. If you calculate it the old way, there is actually quite a bit of inflation today. But they knew inflation was coming and didn't want people to know about it (since they tend to make a fuss), so the CPI is now designed to hide it.
Free Hans!
Evil corporations as the source of all our troubles? Ha! You wish!
You're acting like this new security disaster has been committed by some huge faceless monster. Nope, see, CardSystems is a small company, one of these relatively clueless offices. Clueless as in "running windows and getting a trojan".
You don't have to invoke the evil spirit of big corporations to explain carelessness and stupidity. Say, I bet you have at least one noisy asshole neighbor, don't you? I do. One of my neighbors routinely sets his boom box on his patio and sets it to "annoyingly loud" on a radio channel that plays about 2 songs between each 10-minute commercial run. And then he leaves. That's right, we keep enjoying the boom box while he's gone. Is that sheer evilness? No, he's just completely clueless and easily distracted by shiny objects, that's all. I'm sure that the day I finally lob a molotov cocktail onto his patio, he'll not even realize why I'm angry.
Well, when this kind of guy becomes a manager, he ends up working in joints like CardSystems: clueless, dumb and unaware that their utter obliviousness of the rest of the world might even cause a problem.
--
Mad science! Robots! Underwear! Cute girls! Full comic online! http://www.girlgeniusonline.com/
Heh, heh... There was a thread on one of the Yahoo finance forums that mentioned that the third-party company had been recently advertising for folks with Windows 2000 systems experience, etc.
No date was mentioned on the forum regarding when those ads were seen (or how old they might have been at the time) but I wonder if they haven't canned the dolt who was responsible for systems management and aren't trying to find a replacement. (I already pity the poor slob that comes in to take over after this snafu. But just a little bit.)
Admit what you're reading has value, and engage in the quid pro quo.
Any sect, cult, or religion will legislate its creed into law if it acquires the political power to do so.
Why is this a /. article? It was in the MSM 24 hours ago.....
Have a smart chip on the card that reads the user's PIN, generates an appropriate PK-signed authorization message, and transmits this to the bank.
So you have some sort of hybrid system, with a PIN for real life use and a passphrase for online use.
Yes :-) That's what the hackers are doing right now: research into the uses of those CC numbers.
All you whingy ass nerds.....
Simple...
YOU DON'T HAVE TO HAVE A CREDIT CARD!
Find a financial institution that offers you a secure way of obtaining credit... and stop whining.
If they can't tell the difference between 40 million lost and 70 thousand, they're probably wrong about both. And probably wrong about the security of the rest. And by "wrong", I mean "lying". Because the stakes in this debacle are much higher than even the credit of the exposed cardholders. The stakes are pushing the public over the edge, and actually becoming liable for these serious abuses of cardholder security. Which will become much more expensive in aggregate to MasterCard than the maximum damage the breaches will do to their customers. Even just in increased insurance premiums.
--
make install -not war
A day or two before this story broke I happened to be talking with my credit card company and noticed a few 1, 3, and 4 dollar charges on the card. I had no idea what they were and had all of them cancelled. 40 million cards x $1 - 50% of people who catch the charge = retire in luxury on an island.
-shpoffo
I used to hate the fact that I never established any credit. I simply do not have a number. No credit cards... I'm laughing now...
In theory, Walmart could store a good hash of the card, say a SHA1#, and then use that as the key in the database to look up transactions. Steal the DB and all you get are a set of SHA1 values, pretty meaningless on their own.
I say in theory, as you could do the same with SSN numbers, but as we know, everyone is too lazy to do that.
At least the card companies do care more about loss of card numbers than the government cares about SSN abuse.
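The hash-as-database-key scheme from the post above, worked through as an added example (not code from the original thread). It uses a keyed HMAC token in place of the bare SHA-1 the post suggests, because the card-number space is small enough that unkeyed hashes of PANs can be enumerated; the PAN 4111111111111111 is a constructed, widely used test number, and the key is assumed to live in a key manager rather than beside the rows.

```python
import hmac
import hashlib

def luhn_valid(pan: str) -> bool:
    """Mod-10 check that every genuine card number passes; rejects non-digits and typos."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, fold >9 back to one digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def lookup_token(pan: str, key: bytes) -> str:
    """Deterministic database key standing in for the PAN. The post's bare SHA-1 is a weak
    choice: with the 6-digit BIN known and the Luhn digit fixed, a 16-digit PAN has only
    10**9 candidates, so a stolen table of unkeyed hashes can be inverted by enumeration.
    Keying the hash with a secret kept outside the database (HSM/KMS) closes that gap."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()

def mask_pan(pan: str) -> str:
    """Display form: first 6 (BIN) and last 4 digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

class TransactionStore:
    """Transactions keyed by token; the full PAN is never written to the store."""
    def __init__(self, key: bytes):
        self._key = key       # assumed: loaded from a key manager, never stored beside the rows
        self._rows = {}

    def record(self, pan: str, amount_cents: int, merchant: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a valid card number")
        token = lookup_token(pan, self._key)
        self._rows.setdefault(token, []).append(
            {"masked_pan": mask_pan(pan), "amount_cents": amount_cents, "merchant": merchant})
        return token

    def transactions_for(self, pan: str) -> list:
        # lookup needs the PAN as presented by the cardholder plus the key, not a stored PAN
        return self._rows.get(lookup_token(pan, self._key), [])

    def leaks_pan(self, pan: str) -> bool:
        # what a copy of the table exposes: masked digits and amounts, not the number
        return any(pan in str(row) for rows in self._rows.values() for row in rows)

TEST_PAN = "4111111111111111"  # constructed: widely used Luhn-valid test number
```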
For each number or piece of personal information stolen from the company holding said information, force said company to make a payment of $10,000 on the card holder's credit account and hold them responsible to back up any theft or loss due to lost information. This would tighten up information policies in all companies and this private information will be considered as the precious and sacred item that it is.
This would be controlling wanton capitalism and global companies and force them to be responsible and accountable.
Figuring out how to control huge companies without bankrupting them should be the platform of one of the political parties. Or at least there should be two positions upon it pronounced by the two major political parties.
This is a test!
Statement from CardSystems Solutions, Inc.
(June 17, 2005)
CardSystems Solutions, Inc., identified a potential security incident on Sunday, May 22nd. On Monday, May 23rd, CardSystems contacted the Federal Bureau of Investigation. Subsequently, the VISA and MasterCard Card Associations were notified to alert them of a possible security incident. CardSystems immediately began a remediation process to ensure all systems were secure. Additionally, CardSystems immediately engaged an independent 3rd party to validate systems security.
Since that time, concurrent to the investigation proceedings, CardSystems is completing the installation of enhanced/additional security procedures recommended by the security assessor involved in the investigation.
We understand and fully appreciate the seriousness of the situation. Our customers and their customers are our lifeblood. We are sparing no effort to get to the bottom of this matter. Our goal is to cooperate fully with the FBI to complete the investigation and ensure that we do nothing that might compromise the investigation.
For Further Information:
Bill Reeves
Senior Vice President, Marketing and Communications
CardSystems Solutions, Inc.
Phone: (770) 395-2959
Fax: (678) 306-4813
Email: media@cardsystems.com
---
Translation: we know we're screwed.
And even better, they make a big deal of their "Unique, proprietary authorization network" hahahaha:
http://cardsystems.com/about.html
State-of-the-Art Technology
What on earth would they use the actual card numbers for, if the data was used for research purposes?
This would never have been a problem if the employer hadn't been snooping on its employees, right? Then every card holder could continue in blissful ignorance and the privacy of the employee that exported the data would have been protected.
Seriously though, this just proves the point: If you own a business where your employees have access to sensitive data, you have an obligation to know what they're doing. Basically, if you own the box, then the responsibility for how it gets used or misused is yours regardless of the schmuck you hired to sit at it.
B) Eliminate all the stupid users. This is frowned upon by society.
Man,
If you think cardsystems is in trouble think about how much trouble their auditor is going to be in.
They certified that cardsystems were not storing credit card numbers. Now everyone relying on their audit will come after them!
As a Payment Card Industry auditor, who audits payment card providers, I'll be paying more attention to troubleshooting and "research" activities!!
When I first heard about this, I thought: with so many good tech people looking for work, I hope everyone remotely associated with this is fired and replaced.
Later I thought it would be better if the company went out of business, and everyone who used to work there, right down to the janitor, has a permanent red flag attached to their résumé ensuring they never work within 50 feet of a computer again in their lives, while the people actually responsible for this are strung up in the public square and flogged 10 times by each of their 40 million victims.
Eventually I began to wonder why we continue to tolerate databases with OUR information in them. It is time to turn this entire system inside out. MY information is MINE dammit and NOBODY should get to store ANYTHING about me except ME! You want to mail me some marketing crap and you need my mailing address? Gotta get it from MY data server. Oops, it looks like you're not authorized. Sorry. So I move to a new address, only update the data once. Any good data engineer will tell you not to store multiple copies.
Can we focus the brainpower of slashdotters to design a data storage system using encryption, strong authentication, personal data servers [conceptually a bit like personal web servers] and (almost) worldwide instant network access?
And make it easy enough that Joe Sixpack can still pay for his pron (anonymously) without being distracted to the point where he loses his wood?
Inflation is bad for elections, just ask Jimmy Carter. The dept. of labor is part of the executive branch, and they have a vested interest in avoiding the appearance of inflation. Whether or not they actually avoid inflation is irrelevant. Just so people can't tell.
Free Hans!
Kool Cash
How come their webserver runs Windows 2000?
~AC