Slashdot Mirror


Lost Credit Data Improperly Kept, Company Admits

Zak3056 writes "Last week, Mastercard announced that up to 40,000,000 credit card numbers may have been compromised by one of their processing companies. Today, the New York Times (registration, along with first born child, required) is reporting that the company in question, CardSystems Solutions, should not have been retaining that data to begin with. John M. Perry, CEO of the processor in question, claims the data was merely being kept for 'research purposes.' The number of compromised Master Card accounts has been revised downward to about 68,000, with another 132,000 possibly compromised accounts belonging to Visa, American Express, and other companies."

20 of 272 comments

  1. Slight difference? by jez9999 · · Score: 4, Interesting

    Am I reading this correctly? 40 million down to just over 60 thousand? I mean, if the latter figure is correct, this is a MUCH different (less major) story.

    1. Re:Slight difference? by vandon · · Score: 3, Interesting

      ...corporate America isn't giving a damn about security for the average joe's accounts and such.
      But they'll charge you sky-high interest rates when your credit is messed up because someone used your information to open 30 accounts across the nation. I really hate to say it, but we need a personal/banking information 'PATRIOT' act to force all these companies to take security seriously.

    2. Re:Slight difference? by alan_dershowitz · · Score: 4, Interesting

      Well, that's kind of true and kind of not. The credit card companies are a few days from requiring vendor compliance with a strict standard for credit card information processing and storage. Basically, if you are not implementing this security standard, you will not be able to use credit cards in your place of business. (This is for online businesses and Point of Sale service providers, not restaurants and such.)

      CISP and PCI compliance

      If data in a vendor's system is compromised, Visa and Mastercard will charge fines upward of a hundred thousand dollars per violation, and by the time a third violation occurs, your place of business may be denied use of credit card services permanently.

      That's a good thing for everyone, but when crap like this happens it pisses me off. Credit card companies are (correctly) requiring the strictest standards for storing cardholder data by vendors, but at the same time they themselves are losing 40 million card numbers, losing unencrypted backup tapes in shipping, etc. What pisses me off is that if I screw up and lose a credit card number into the wild, I get fined 100K. If they lose 40 million cards, what are they gonna do, fine themselves?

    3. Re:Slight difference? by nolife · · Score: 1, Interesting

      The merchant must provide detailed records of the transaction, and authentication of the card user. They are, basically, at the mercy of the card company. If they cannot prove that they verified the card, to the satisfaction of the card company, then the card company sticks the merchant with the bill.

      As they should be. Are you implying that there is something wrong with that? I've had a fraudulent charge on my card at a local eatery which I was at a few days earlier. The bank stated that particular fraudulent transaction was not a swipe of my card and my number was entered manually. No shit, I still have my card. I assume they can not verify it was a legitimate purchase and should be stuck with the bill.

      --
      Bad boys rape our young girls but Violet gives willingly.
  2. Lawsuit by fdiskne1 · · Score: 4, Interesting

    Can you say "lawsuit"? This was a total lapse in judgement in keeping data they shouldn't have compounded with the fact that they didn't secure their network. I'd place money on this company not surviving this error. Even if the loss of money in settlements doesn't break them, I'd bet they will lose most of their future business because of this (and rightly so).

    --
    But why is the rum gone?
  3. Not Surprising by ravenspear · · Score: 4, Interesting

    It makes sense that the companies that are retaining CC data improperly would be the ones most likely to allow it to be compromised.

    The security of the data is nothing more than a second thought to many of these companies. If they feel they can keep around a huge data mine of everyone's data they can get their hands on, in violation of the proper procedures, it should come as no surprise that they wouldn't be that vigilant in securing it properly.

  4. Support legislation making this a crime. by Bamfarooni · · Score: 4, Interesting

    Once again, evidence that there should be criminal penalties for improper handling of personal information. If you collect it, you better make sure it's safe. Otherwise, stop collecting it.

  5. Time to teach some math skills... by multi-flavor-geek · · Score: 3, Interesting

    For those people who pay attention to the news, 40,000,000 cards compromised, that would be basically every card they handle assumed to have been compromised, an impressive feat indeed. The person would have had to have a consistent and unnoticed connection to the server, or walked out with a burned DVD or two of information.
    The other interesting mathematical issue that came up was the child molester in Oregon, he was reported to have molested 30,000 kids over 35 years, 12 of which he spent in jail, hmmmm
    that would be over 4 separate kids a day.
    I can't even find a way to molest 4 separate drunk girls in a night without at least one of them telling someone. I am calling bullshit on this one.

    --
    Like arts? Like cheesy little Indie mags? Check out www.artwerkmag.com, and don't laugh at the bad coding please.
    1. Re:Time to teach some math skills... by Unequivocal · · Score: 2, Interesting

      Fair enough, but my worst-case math (everything stored in plaintext ascii, no compression) shows:

      40,000,000 cards
      16 acct digits per card
      4 date digits per card
      3 security digits per card
      ======================
      7.1526 gig of data

      If you use any compression or if the data were stored in a more efficient manner than ascii, the size drops dramatically.

      Even a full 7.1 gig can go down a DS3 in ~25 minutes. Even T1 takes less than 12 hours (read: start at 6pm finish at 6am).

  6. Not just one by Roadkills-R-Us · · Score: 4, Interesting

    According to the article, the company in question has *never* been in compliance with MC's security rules. Since MC is supposedly doing audits and all, why have they not terminated the account and awarded it to someone else? They're leaving themselves wide open, and they're a much bigger target than the company that got caught.

  7. An interesting data analysis problem by G4from128k · · Score: 4, Interesting

    The article alludes to fraudulent activity starting back in mid-April leading to an investigation of this particular card processor in mid-May. That suggests that the card companies do some rather interesting statistical analyses on fraud patterns to find commonalities. In this case, they were able to detect that an unusual number of cards with fraudulent transactions had, at some point, a transaction that shared a common card processor sometime in the past.

    Obviously, someone (I assume it's Mastercard, Visa, etc.) is storing a sufficient volume of historical transactions (including metadata such as the 3rd-party transaction processor) to analyze patterns such as this. With some 60 billion card transactions per year worldwide, this would make for a very large dataset and a very interesting analysis problem.

    --
    Two wrongs don't make a right, but three lefts do.
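The analysis the comment above describes is usually called "common point of purchase" (or common point of compromise) analysis: for every processor, compare how many of the fraud-flagged cards passed through it against how many cards overall did, and rank by the lift. This is an added illustration, not code from Slashdot or from any card network; the transaction log, card ids and processor names are constructed, and the lift threshold and minimum-hit cutoff are assumed parameters.

```python
from collections import defaultdict

# Constructed sample history: (card id, processor that handled a transaction).
# Not real data; card c1..c8 and procA..procD are made-up identifiers.
TRANSACTIONS = [
    ("c1", "procA"), ("c1", "procB"),
    ("c2", "procA"), ("c2", "procC"),
    ("c3", "procA"),
    ("c4", "procB"), ("c4", "procC"),
    ("c5", "procB"),
    ("c6", "procC"), ("c6", "procA"),
    ("c7", "procB"), ("c7", "procD"),
    ("c8", "procD"),
]

# Cards on which the issuer later saw fraudulent charges (constructed).
FRAUD_CARDS = {"c1", "c2", "c3", "c6"}


def rank_common_points(transactions, fraud_cards, min_fraud_hits=2):
    """Rank processors by how over-represented they are in the history of
    fraud-flagged cards.

    Returns a list of (processor, fraud_hits, total_cards, lift), where
    lift = P(card used processor | card is fraud) / P(card used processor).
    A lift near 1.0 means the processor is merely popular; a high lift with
    many hits points at a likely common point of compromise.
    """
    cards_by_proc = defaultdict(set)
    all_cards = set()
    for card, proc in transactions:
        cards_by_proc[proc].add(card)
        all_cards.add(card)
    fraud_cards = fraud_cards & all_cards  # ignore flagged cards with no history
    if not fraud_cards:
        return []
    results = []
    for proc, cards in cards_by_proc.items():
        fraud_hits = len(cards & fraud_cards)
        if fraud_hits < min_fraud_hits:  # too few hits to be meaningful
            continue
        fraud_share = fraud_hits / len(fraud_cards)   # P(proc | fraud)
        base_share = len(cards) / len(all_cards)      # P(proc)
        results.append((proc, fraud_hits, len(cards), fraud_share / base_share))
    results.sort(key=lambda r: (r[3], r[1]), reverse=True)
    return results


if __name__ == "__main__":
    for proc, hits, total, lift in rank_common_points(TRANSACTIONS, FRAUD_CARDS):
        print(f"{proc}: {hits}/{total} cards flagged, lift {lift:.2f}")
```

On the constructed data every flagged card went through procA, which gives it a lift of 2.0 against 1.33 for procC; at network scale the same ranking is run over billions of transactions with a time window around the suspected breach.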
  8. I think credit card numbers... by game+kid · · Score: 1, Interesting

    ...are horrendously obsolete and insecure.

    We should be allowed to tell the store guy "I'll give you credit online." We should be able, within a reasonable period, to go home and specify the store to give credit to, along with the credit needed.

    Example: I want the latest pair of Nikes. I'd try my size on, and tell the store clerk I want to pay with credit. He'd give me a voucher with a unique code that can be used to give him credit (a bit like wiring money).

    Within 7 days (a month if it was a car or something) I go to my credit card company's site (either from home or at a credit-pay computer nearby), type Firstname Surname and p#a$s%s123 or something, and I'd have an option to "Pay Store by Code." I type vendorCode456 and $100 and the vendor gets the money--and ONLY that money without compromising cardholder identity. If we don't wire the full credit in time, we must forfeit the purchase, or take a nice job in Rikers Island.

    This would prevent card companies from taking advantage of our going over credit limits, since the limits would be right in front of us on the site. Also, we would not even need a credit card, since in theory anyone could have a code, and the online payment would probably give the vendor a mail voucher with the payment. We would remain completely anonymous.

    What do you all think? Better than easy-to-steal account numbers, right?

    --
    You can hold down the "B" button for continuous firing.
    1. Re:I think credit card numbers... by Cylix · · Score: 2, Interesting

      You would have to go home and authorize it.

      Doesn't really help with impulse buying.

      Personally, I think all credit card transactions should be PIN based rather than simply signature.

      Then let's get wild...

      Let's increase the digits a bit in length? Now, card numbers are issued every six months? Or if you want to opt for an online-only card #. You can get a new one every month or two months.

      I really hate keeping the same card number for years. It almost guarantees that some asshat will store my data and get it ripped off like this.

      In fact, if a card has too much internet wear and tear... I tend to "lose it" and require another one to be reissued. It's an odd quirk of mine.

      --
      "You should always go to other people's funerals; otherwise, they won't come to yours." -- Yogi Berra
  9. Moral Hazard? by DaveInAustin · · Score: 5, Interesting

    This story on npr says that the credit card companies can actually wind up making money when a fraudulent charge is made. Does this create an incentive for them to keep things safe?

    --
    --- http://davidnehme.blogspot.com
  10. Re:this is not an error by magarity · · Score: 2, Interesting

    Gets your card number out there so you don't have to bother giving it to retailers - they already have it

    First of all, the hacked system in question belonged to a payment processor, not a merchant. Second, merchants already do keep them. Walmart's central data warehouse has a consumer's entire transaction, including credit card number, within 15 minutes of the POS transaction. I went to Home Depot to make a return without a receipt and with a swipe of my cc the cashier had the transaction on screen in just a couple of seconds. Scary! Cash at HD from now on for me!

  11. When will these companies be held responsible? by Todd+Knarr · · Score: 5, Interesting

    That's what I want to know: when will companies that mishandle data like this be held 100% responsible to the people whose data they mishandled for the losses, fraud, etc.? I'm of the opinion that only when mishandling data results in actual financial consequences to the mishandler will things change.

  12. Re:They have No clue as to how many were stolen by Anonymous Coward · · Score: 1, Interesting

    Think that's bad?

    You know all of the development work that has been outsourced to India, etc.? Guess what they are using for 'test data'.

    I work for a major US bank which had plans to distribute all of our data to India for the developers to test against.

    Fortunately those of us in the fraud area complained long and hard about this, so the bank changed its mind and will now only export fully obfuscated data.

    What's your bank, insurance company, investment company, etc. sending over there?

  13. Technology Solution already developed - SET by swamp+boy · · Score: 2, Interesting
    Like most of the other posters, I am ready for a solution to this problem. Fortunately, a pretty good technology solution was developed for this problem years ago - Secure Electronic Transactions (SET). However, there was minimal interest in the US at the time to adopt it (more interest in Europe).

    The technology is based on digital signatures and electronic wallets. It's quite sophisticated. Perhaps it's time to dust it off and give it another whirl.

  14. Re:this is not an error by outZider · · Score: 2, Interesting

    So you made a return without a receipt, and they were able to pull up your transaction to make the return without a problem... and you want to forfeit that?

    Security is fine and all, but I really like convenience, and I really like that when someone screws up, my bank fixes it. They can go hand in hand.

    --
    - oZ
    // i am here.
  15. Looks like I was hit by Urgo · · Score: 3, Interesting

    I got two emails from my bank today (10:52am and 4:59pm EST).

    Dear Customer,

    An incident involving unauthorized access into a third party processor system has occurred. A company which processes transactions for physical retail merchants and Internet merchants was the victim of a computer hacker between September 2004 and May 2005. They have identified your check and/or credit card as one of the cards possibly exposed. Information compromised includes account numbers and expiration dates, as well as cardholder names and addresses.

    We understand that you will most likely be concerned when you read this. Rest assured that if your information has fallen into the wrong hands, you will not be liable for any unauthorized transactions using your Check Card or VISA Card*. However, it is very important that you monitor your account(s) closely and notify us immediately of any unauthorized transaction. If such a transaction does occur, you will need to complete a VISA dispute form, available through the maintenance area of our online banking system, in order to receive provisional credit for the amount of the transaction. We recommend, as a precaution, that you call Customer Support to block your card and we will re-issue a new one. Our Banking Specialists and Loan Representatives will make that decision with you on a case-by-case basis, as we do not want to hamper your use of the card.

    We also understand that you will have other questions, such as the identity of the processor. When we receive notifications of this variety from VISA, VISA does not and will not reveal the name of the merchant or processor unless the incident has already been made public by the merchant.

    Again, we do ask that you monitor your account carefully in the weeks ahead by making use of our telephone, wireless, and online banking systems. If you have any questions or concerns, please contact a Banking Specialist or Loan Representative for more information.

    Thank you for banking with us.

    *This limit on liability does not apply to PIN-based ATM or point-of-sale transactions.

    --
    Believe in Technology and AMAZE yourself. -- RIP ZDTV/TechTV