Slashdot Mirror


Lost Credit Data Improperly Kept, Company Admits

Zak3056 writes "Last week, Mastercard announced that up to 40,000,000 credit card numbers may have been compromised by one of their processing companies. Today, the New York Times (registration, along with first born child, required) is reporting that the company in question, CardSystems Solutions, should not have been retaining that data to begin with. John M. Perry, CEO of the processor in question, claims the data was merely being kept for 'research purposes.' The number of compromised Master Card accounts has been revised downward to about 68,000, with another 132,000 possibly compromised accounts belonging to Visa, American Express, and other companies."

18 of 272 comments

  1. Re:Slight difference? by Tuxedo+Jack · · Score: 5, Insightful

    Even so, the issue is that it was still improperly retained - and that corporate America isn't giving a damn about security for the average joe's accounts and such.

    --

    Striking fear in the authors of godawful fanfiction, I am here, appearing in darkness, Tuxedo Jack!
  2. Re:Slight difference? by trmj · · Score: 2, Insightful

    The 68k were cards issued by MasterCard alone, with another 132k cards issued by other companies.

    This is still an approximation, but a much nicer one than the 40 million that were "potentially" compromised originally.

    Yes, it's still completely intolerable for this to have happened, as the processor shouldn't store that data any longer than it takes to process the charge.

    At least Mastercard is stepping up and taking control of this situation; I haven't seen a story about the other companies taking anything more than a corollary role in this process.

    --
    Work sucked, until it became unemployment, when it became slightly more tolerable. -Tet
  3. This isn't working out.. by aero2600-5 · · Score: 4, Insightful

    Apparently, keeping credit card numbers secure isn't working out. Why? Because it's just a number. The major credit companies need to revise how the whole credit system works. If they assume that everyone knows everyone else's credit card number by default, they should be able to devise a system a hell of a lot more secure than some 16 digit number. Your credit card number has to be retained by anyone you do business with so that they know who you are. Credit card security needs some major improvements, like a passphrase, password, or even a PIN. A 4-digit PIN would make a world of difference, but if you're going to fix it, you should fix it right. A passphrase would be best. Something that's communicated when the authorization is taking place, checked against a nice secure server, and then is forgotten and not retained. The fact that a system of this nature is not yet in place just shows that the major credit card companies just don't give a shit.
    /end rant

    Aero

    --
    Please stop hurting America -- Jon Stewart
    1. Re:This isn't working out.. by bracher · · Score: 4, Insightful

      I agree that something more secure than a 16-digit number is certainly feasible and needed. But it shouldn't be something that needs to be passed through a third party. The card should be a smart card capable of signing a transaction, and only the signature should be transmitted.

      Something that's communicated when the authorization is taking place, checked against a nice secure server, and then is forgotten and not retained.

      The essential point you're missing here is that, currently, your 16-digit card number _is_ this something. The core of the problem (this time at least) is that the processing company wasn't following those rules. What keeps them from holding on to your passphrase for 'analysis'?

    2. Re:This isn't working out.. by Stonehand · · Score: 4, Insightful

      Well, judging by the article, Mastercard specifically told the processor *not* to retain information -- and the latter did, anyway. The policy already existed.

      No, to block things you'd need to do more than tell them not to retain information. You'd need to make sure that even if they did, it was useless. This might point towards requiring people to generate one-time passwords, which would probably be fairly expensive.

      --
      Only the dead have seen the end of war.
    3. Re:This isn't working out.. by spood · · Score: 3, Insightful

      Credit card fraud is not a technical problem. Using the old adage, we cannot apply a technical solution. All of the extra verification proposed implies an added cost that will still not solve the problem - if you require a passphrase or some secondary authentication, thieves will just steal the second factor as well.

      The best solution is to shift the responsibility for fraud to those that are responsible for allowing it - the merchants who process card transactions. This is how it is already done, and the fact that plenty of merchants still do business with credit cards proves that the system works, despite the fact that CC companies don't "give a shit."

      As a consumer, I'd be perfectly fine with everyone knowing my credit card number because I'm not responsible for fraudulent purchases by law. This is a system that works.

      What you should really be upset about is the system that allows identity theft to run rampant. Though the two are related, there is a fundamental difference between someone else using a credit card you've established in your name and someone else using a credit card that they've established in your name.

      The current system is much weaker against this type of activity because the burden of responsibility for fraud is still heavily on the consumer rather than the parties that allow identity theft to be profitable (mainly banks, but to a lesser extent any industry that relies on credit reporting). The solution to this problem is not so clear.

      --
      ---- Just another spud server.
  4. convenience vs. security by American+In+Berlin · · Score: 2, Insightful

    Let's face it, credit cards have never been safe and will never be safe!

    It's the price you have to pay for the convenience credit cards offer.

  5. They have No clue as to how many were stolen by goombah99 · · Score: 2, Insightful

    No, these idiots were completely hacked. The only thing they know for certain is that the files they were illegitimately retaining were unprotected and thus vulnerable during the break-in. But someone who could compromise them that badly might very well have been intercepting all the transactions they did not retain. Since these folks think VB scripts are good protection, they are probably clueless about security and assessing intrusion.

    --
    Some drink at the fountain of knowledge. Others just gargle.
  6. Why isn't there one company that isn't this stupid by CosmeticLobotamy · · Score: 2, Insightful

    I'm on the run from the feds so I couldn't register and read the article, but their excuse is that they were keeping it for research purposes? Seriously? That's the best they could come up with? "Oops" is better than "we were keeping it for research purposes." 'Cause I'm pretty sure none of your customers are going to be happy that you're being negligent with the thing that gives people access to huge amounts of their money so you can keep track of how much toilet paper they buy.

  7. Time for a new system by lawpoop · · Score: 3, Insightful
    It's time for a new system. This credit card BS is getting ridiculous. Credit card numbers are easy to hack/steal, so cc companies start asking for address verification, or for that 3-digit 'security' code on the back. Now, address and security code information are being stolen.

    We need a new system based on PGP or something. A system where we have single-use transaction numbers, and you have to give a PGP signature for each usage of a transaction number. Right now it's way too easy for hackers to steal credit card information, or for unethical merchants to make unauthorized charges. We need to put the consumer back in charge of their own finances.

    Currently, any 'merchant' can charge whatever they want once they have your credit card number. Sure, you can issue a chargeback or contest the charges, but why should *you* have to clean up after someone messes with your account? It's ridiculous.

    --
    Computers are useless. They can only give you answers.
    -- Pablo Picasso
    1. Re:Time for a new system by Anonymous Coward · · Score: 1, Insightful

      So what, you have $50 max liability by law but Visa and the other cc guys guarantee no liability. You know how easy it is to dispute charges?

      Are you so incredibly stupid that you don't know YOU and all credit card users are paying for every single penny that is stolen? The credit card companies pay nothing at all! If they did, they would be broke by now.

  8. Bullshit Flag.. by aero2600-5 · · Score: 2, Insightful

    "The number of compromised Master Card accounts has been revised downward to about 68,000, with another 132,000 possibly compromised accounts belonging to Visa, American Express, and other companies."

    Is that so? I'm going to have to throw the bullshit flag on this one. Any numbers that add up to a nice round number like '200,000' are complete crap that someone pulled directly out of their arse.

    I'm sorry, but I just don't buy it. I say they don't have a fucking clue how many numbers were exposed.

    Aero

    --
    Please stop hurting America -- Jon Stewart
  9. Tougher privacy laws. by Goalie_Ca · · Score: 3, Insightful

    People have to realize that privacy isn't just some criminal's ideal to keep from getting caught. If the data is out there it will be seen, hacked, sold and abused.

    --
    Go canucks, habs, and sens!
  10. We end up paying in the end... by Toadius · · Score: 3, Insightful

    Damn it, I'm sick of this weekly news of credit card security breaches. In this case the data wasn't even encrypted.

    "Zero liability for customers means that fraudulent charges come out of a bank or store's coffers in the form of higher merchant transaction fees. 'The retailers will pay for it and the issuing banks will get rich off it,' Ms. Litan said. 'It's just another revenue stream.'"

    Sorry, I call bullshit. Retailers pass the higher costs onto you and me.

    "'We should not have been doing that,' Mr. Perry said. 'That, however, has been remediated.' As for the sensitive data, he added, 'We no longer store it on files.'"

    That's just fine, Mr. Perry. Now may I have the credit card numbers, addresses, phone numbers, ss#'s, etc. of you, your family and the execs at Cardsystems Solutions? I *promise* to keep them safe and give them the same care you provided the other customers....

  11. Why are they still in business? by stinerman · · Score: 5, Insightful

    From TFA:

    Jessica Antle, a MasterCard spokeswoman, said that CardSystems had never demonstrated compliance with MasterCard's standards. "They were in violation of our rules," she said.

    Asked about compliance with Visa's standards, a Visa spokeswoman, Rosetta Jones, said, "This particular processor was not following Visa's security requirements when we found out there was a potential data compromise."

    Question:

    Why is CardSystems Solutions still a processor for Visa and MasterCard?

  12. Find a different balance point by jfengel · · Score: 2, Insightful

    Credit cards never have been safe, but that doesn't mean that they can't ever possibly be safe.

    There are ways to do secure payments, usually involving cryptography. Generally, it works like a "digital check" where you create an authorization for a payment, digitally sign and date it, and then hand it over. They never have access to your credit card number, because the real secret is your private key, which never leaves your PDA/smart card/phone/etc. Your bank ensures that the "check" is only cashed once, and because of the crypto it can't be forged or altered without immense resources.

    So why haven't we implemented this yet? Infrastructure, mostly. There's a LOT of infrastructure for the present system. It's expensive. Smart cards are expensive. The only thing that's more expensive is credit card companies getting massively ripped off. Perhaps you'll be getting your smart card right soon.

    Perhaps not. Another reason is that the infrastructure represents a substantial agreement between the major credit card companies. Changing it involves getting a lot of people to agree on something. That's hard to do, especially when it has to be RIGHT. If they choose the wrong crypto algorithm, or if there are other weaknesses in the system they choose, you could be WAY more doomed than 68,000 missing credit card numbers.

    So while there is a tradeoff between convenience and security, there are clearly better balance points than the one we have. Sadly, as long as inertia is an even stronger attractor, we may live this way for a while longer.
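    The signed, dated, cash-once "digital check" jfengel sketches (and the single-use transaction numbers lawpoop asks for) as an added example, not code from any of the posters: the card signs the amount, merchant, date and a nonce; the bank checks the signature, rejects stale or altered checks, and honours each nonce exactly once, so the merchant never receives anything it could reuse. The card id, key, merchant names and clock value are constructed, and HMAC under a card-held key stands in for the public-key signature a real smart card would produce, so the script runs on the standard library alone.

```python
import hmac, hashlib, json, secrets
from datetime import datetime, timedelta

# Constructed demo values (assumptions, not from the article). HMAC with a card-held
# key stands in for the public-key signature a real smart card would produce.
CARD_ID = "card-0001"               # opaque id, not the 16-digit card number
CARD_KEY = b"demo-card-secret-key"  # never leaves the card; merchants never see it

def _canonical(body):
    # Both sides must hash exactly the same bytes, so serialize deterministically.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def make_check(amount_cents, merchant, issued_at, card_id=CARD_ID, key=CARD_KEY):
    """Card side: a dated, single-use, signed payment authorization."""
    body = {"card_id": card_id, "merchant": merchant, "amount_cents": amount_cents,
            "issued_at": issued_at.isoformat(), "nonce": secrets.token_hex(8)}
    sig = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}  # this is all the merchant receives

class Bank:
    """Bank side: verify the signature and honour each check exactly once."""
    def __init__(self, card_keys, max_age=timedelta(minutes=10)):
        self.card_keys = card_keys  # card_id -> key
        self.max_age = max_age      # how long a check stays valid
        self.cashed = set()         # (card_id, nonce) pairs already honoured

    def cash(self, check, now):
        body = check["body"]
        key = self.card_keys.get(body["card_id"])
        if key is None:
            return "unknown card"
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, check["sig"]):
            return "bad signature"  # amount, merchant, date or nonce was altered
        issued = datetime.fromisoformat(body["issued_at"])
        if issued > now or now - issued > self.max_age:
            return "expired"
        if (body["card_id"], body["nonce"]) in self.cashed:
            return "already cashed"  # replay of a check the merchant held on to
        self.cashed.add((body["card_id"], body["nonce"]))
        return "ok"

def demo():
    # Walk one check through the bank: honoured, replayed, tampered, then a stale one.
    now = datetime(2005, 6, 20, 12, 0)  # constructed clock value
    bank = Bank({CARD_ID: CARD_KEY})
    chk = make_check(1999, "bookshop", now)
    tampered = {"body": dict(chk["body"], amount_cents=199900), "sig": chk["sig"]}
    stale = make_check(500, "cafe", now - timedelta(hours=1))
    return [bank.cash(chk, now), bank.cash(chk, now),
            bank.cash(tampered, now), bank.cash(stale, now)]
```

Note that a merchant who retains the check, as CardSystems retained card numbers, gets nothing reusable: the replay is refused and the amount cannot be edited without breaking the signature.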

  13. Contractual damages? by coyote-san · · Score: 2, Insightful

    What are the contractual damages for violating their agreement?

    I think $50 / incident is probably reasonable. That's enough to get the attention of the mom and pop store that might be facing damages of ten thousand dollars for improperly storing the CC numbers of a few hundred customers, but it's not so overwhelming that they would be forced out of business.

    A major processor that held 40M records (assuming that that was the number of improperly held records, and the lower number were just those that might have been exposed) deserves $2 billion in contractual damages.

    Mastercard would never collect that much in damages, of course, but it would be a corporate death sentence to any company -- and its executives -- deciding to do illicit "research." One prominent case could go a long way towards restoring confidence.

    --
    For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
  14. Re:Moral Hazzard? by dkf · · Score: 2, Insightful

    Whatever the merits of that story, the main credit card companies are going to be focussed on stamping this sort of thing out. The last thing they want is for consumers to lose confidence in their payment system, as that would make them go to some other mechanism that doesn't give them their cut. Their globally optimal strategy is probably to splat these bad-egg processors back into the stone age.

    --
    "Little does he know, but there is no 'I' in 'Idiot'!"