Lost Credit Data Improperly Kept, Company Admits

Zak3056 writes "Last week, Mastercard announced that up to 40,000,000 credit card numbers may have been compromised by one of their processing companies. Today, the New York Times (registration, along with first born child, required) is reporting that the company in question, CardSystems Solutions, should not have been retaining that data to begin with. John M. Perry, CEO of the processor in question, claims the data was merely being kept for 'research purposes.' The number of compromised Master Card accounts has been revised downward to about 68,000, with another 132,000 possibly compromised accounts belonging to Visa, American Express, and other companies."

Slight difference?

[jez9999]

Am I reading this correctly? 40 million down to just over 60 thousand? I mean, if the latter figure is correct, this is a MUCH different (less major) story.

Re:Slight difference?

[Tuxedo+Jack]

Even so, the issue is that it was still improperly retained - and that corporate America isn't giving a damn about security for the average joe's accounts and such.

Re:Slight difference?

[vandon]

...corporate America isn't giving a damn about security for the average joe's accounts and such.

But they'll charge you sky-high intrest rates when your credit is messed up because someone used your information to open 30 accounts across the nation. I really hate to say it, but we need a personal/banking information 'PATRIOT' act to force all these companies to take security seriously.

Re:Slight difference?

[alan_dershowitz]

Well, that's kind of true and kind of not. The credit card companies are a few days from requiring vendor compliance with a strict standard for credit card information processing and storage. Basically, if you are not implementing this security standard, you will not be able to use credit cards in your place of business. (this is for online businesses and Point of Sale service providors, not like restaurants and stuff.)

CISP and PCI compliance

If data in a vendor's system is compromised, Visa and Mastercard will charge fines upward of a hundred thousand dollars per violation, and by the time a third violation occurs, your place of business may be denied use of credit card services permanently.

That's a good thing for everyone, but when crap like this happens it pisses me off. Credit Card companies are (correctly) requiring the strictest standards for storing cardholder data by vendors, but at the same time they themselves are losing 40 million cardnumbers, losing unencrypted backup tapes in shipping, etc. What pisses me off is that if I screw up and lose a credit card number into the wild, I get fined 100K. If they lose 40 million cards, what are they gonna do, fine themselves?

No Reg Link

[OverlordQ]

I'm sure it's been mentioned every time a NYT article is posted, but use the NYT Link Generator .

Btw, NoReg for this article.

Credit Card Doublespeak

[Qzukk]

"The number of compromised Master Card accounts has been revised downward to about 68,000, with another 132,000 possibly compromised accounts belonging to Visa, American Express, and other companies."

Should be read as

"The number of compromised Master Card accounts from accountholders in California where we actually have to report this is about 68,000. Another 132,000 people in California with Visa, American Express, and other credit card companies' cards also had their account information taken"

this is not an error

[nilbog]

This isn't an error at all, it's actually a *feature* of your credit card agreement. Gets your card number out there so you don't have to bother giving it to retailers - they already have it!

Re:Full text of the article

[w98]

As for the sensitive data, he added, "We no longer store it on files."

Now they store it on tape so UPS can lose it instead.

Lawsuit

[fdiskne1]

Can you say "lawsuit"? This was a total lapse in judgement in keeping data they shouldn't have compounded with the fact that they didn't secure their network. I'd place money on this company not surviving this error. Even if the loss of money in settlements doesn't break them, I'd bet they will lose most of their future business because of this (and rightly so).

Re:Lawsuit

[griffjon]

I'd place money...

Hey, for betting; do you take credit cards?

Ad Free Link

[ravenspear]

Here is the reg free and "fricken huge flash ad skip" link.

Newly revised figures...

[yotto]

I just heard that they revised the numbers again. Now it appears that the lost data is actually just 4 credit cards. And they're all Fashion Bug cards so it would be really easy to spot them if they were used illegally.

This isn't working out..

[aero2600-5]

Apparently, keeping credit card numbers secure isn't working out. Why? Because it's just a number. The major credit companies need to revise how the whole credit system works. If they assume that everyone knows everyone else's credit card number by default, they should be able to devise a system a hell of a lot more secure than some 16 digit number. Your credit card number has to be retained by anyone you do business with so that they know who you are. Credit card security needs some major improvements, like a passphrase, password, or even a PIN. A 4-digit PIN would make a world of difference, but if you're going to fix it, you should fix it right. A passphrase would be best. Something that's communicated when the authorization is taking place, checked against a nice secure server, and then is forgotten and not retained. The fact that a system of this nature is not yet in place just shows that the major credit card companies just don't give a shit.
/end rant

Aero

Re:This isn't working out..

[bracher]

I agree that something more secure than a 16-digit number is certainly feasible and needed. But it shouldn't be something that needs to be passed through a third party. The card should be a smart card capable of signing a transaction, and only the signature should be transmitted.

Something that's communicated when the authorization is taking place, checked against a nice secure server, and then is forgotten and not retained.

The essential point you're missing here is that, currently, your 16-digit card number _is_ this something. The core of the problem (this time at least) is that the processing company wasn't following those rules. What keeps them from holding on to your passphrase for 'analysis'?

Re:This isn't working out..

[Stonehand]

Well, judging by the article, Mastercard specifically told the processor *not* to retain information -- and the latter did, anyway. The policy already existed.

No, to block things you'd need to do more than tell them not to retain information. You'd need to make sure that even if they did, it was useless. This might point towards requiring people to generate one-time passwords, which would probably be a fair expensive.

Re:This isn't working out..

[spood]

Credit card fraud is not a technical problem. Using the old adage, we cannot apply a technical solution. All of the extra verification proposed implies an added cost that will still not solve the problem - if you require a passphrase or some secondary authentication, thieves will just steal the second factor as well.

The best solution is to shift the responsibility for fraud to those that are responsible for allowing it - the merchants who process card transactions. This is how it is already done, and the fact that plenty of merchants still do business with credit cards proves that the system works, despite the fact that CC companies don't "give a shit."

As a consumer, I'd be perfectly fine with everyone knowing my credit card number because I'm not responsible for fraudulent purchases by law. This is a system that works.

What you should really be upset about it is the system that allows identity theft to run rampant. Though the two are related, there is a fundamental difference between someone else using a credit card you've established in your name and someone else using a credit card that they've established in your name.

The current system is much weaker against this type of activity because the burden of responsibility for fraud is still heavily on the consumer rather than the parties that allow identity theft to be profitable (mainly banks, but to a lesser extent any industry that relies on credit reporting). The solution to this problem is not so clear.

NYT ?? What gives

[Rac3r5]

I don't wanna be a troll here, but please, there are a dozen other sites that have the same article. Do we have to rely on a site that requires u to log in?
http://www.internetnews.com/security/article.php/3 513866/

It's like the commercials

[jim_v2000]

Internet connection - $30
Homemade Computer - $700
2 Liters of Mountain Dew - $2

Stealing 40 Million people's credit card information with your 1337 h@x0r s|i77z - Priceless.

There's somethings that money can't buy, but for everything else, there's MasterCard.

Not Surprising

[ravenspear]

It makes sense that the companies that are retaining CC data improperly would be the ones most likely to allow it to be compromised.

The security of the data is nothing more than a second thought to many of these companies. If they feel they can keep around a huge data mine of everyone's data they can get their hands on, in violation of the proper procedures, it should come as no surprise that they wouldn't be that vigilant in securing it properly.

Support legislation making this a crime.

[Bamfarooni]

Once again, evidence that there should be criminal penalties for improper handling of personal information. If you collect it, you better make sure it's safe. Otherwise, stop collecting it.

Re:Support legislation making this a crime.

[cdavies]

In the UK it is already a crime under the 1988 Data Protection Act, under the heading of recklessly disclosing personal information.

Thats why this never happens in the UK.

So, there's a new name for a file?

[RealAlaskan]

"We should not have been doing that," Mr. Perry said. "That, however, has been remediated."

Translation: ``We've come up with some fiction which will let us maintain plausible deniability next time we lose data we shouldn't have had in the first place.''

As for the sensitive data, he added, "We no longer store it on files."

Translation: ``We're going to come up with some nifty new word to replace the word `file', so we can truthfully say that we no longer have your data in our files.''

More seriously, it makes good sense to me that they were retaining data for research purposes. They'd be irresponsible not to, just as surely as they were irresponsible not to have an air gap between that data and the internet.

Time for a new system

[lawpoop]

It's time for a new system. This credit card BS is getting ridiculous. Credit card numbers are easy to hack/steal, so cc comapnies start asking for address verification, or for that 3-digit 'security' code on the back. Now, address and security code information are being stolen.

We need a new system based on PGP or something. A system where we have single-use transaction numbers, and you have give a PGP signature for each usage of a transaction number. Right now it's way to easy for hackers to steal credit card information, or for unethical merchants to make unauthorized charges. We need to put the consumer back in charge of their own finances.

Currently , any 'merchant' can charge whatever they want once they have your credit card number. Sure, you can issue a chargeback or contest the charges, but why should *you* have to clean up after someone messes with your account? It's ridiculous.

Tougher privacy laws.

[Goalie_Ca]

People have to realize that privacy isn't just some criminal's ideal to keep from getting caught. If the data is out there it will be seen, hacked, sold and abused.

Time to teach some math skills...

[multi-flavor-geek]

For those people who pay attention to the news, 40,000,000 cards compromised, that would be basically every card they handle assumed to have ben compromised, an imprtessive feat indeed. The person would have had to have a consistent and unnoticedconne3ction to the server, or walked out with a burned dvd or two of information.
The other interesting mathimatical issue that came up was the child molester in Oregon, he was reported to have molested 30,000 kids over 35 years, 12 of which he spent in jail, hmmmm
that would be over 4 seperate kids a day.
I can't even find a way to molest 4 seperate drunk girls in a night with out at least one of them telling someone. I am calling bullshit on this one.

Not just one

[Roadkills-R-Us]

According to the article, the company in question has *never* been in compliance with MC's security rules. Since MC is supposedly doing audits and all, why have they not terminated the account and awarded it to someone else? They're leaving themselves wide open, and they're a much bigger target than the company that got caught.

We end up paying in the end...

[Toadius]

Damn it, I'm sick of this weekly news of credit card security breaches. In this case the data wasn't even encrypted.

"Zero liability for customers means that fraudulent charges come out of a bank or store's coffers in the form of higher merchant transaction fees. 'The retailers will pay for it and the issuing banks will get rich off it,' Ms. Litan said. 'It's just another revenue stream.'"

Sorry, I call bullshit. Retailers pass the higher costs onto you and I.

"'We should not have been doing that,' Mr. Perry said. 'That, however, has been remediated.' As for the sensitive data, he added, 'We no longer store it on files.'"

Thats just fine Mr. Perry. Now may I have the credit card numbers, addresses, phone numbers, ss#'s, etc. of you, your family and the execs at Cardsystems Solutions? I *promise* to keep them safe and give them the same care you provided the other customers....

Why are they still in business?

[stinerman]

From TFA:

Jessica Antle, a MasterCard spokeswoman, said that CardSystems had never demonstrated compliance with MasterCard's standards. "They were in violation of our rules," she said.

Asked about compliance with Visa's standards, a Visa spokeswoman, Rosetta Jones, said, "This particular processor was not following Visa's security requirements when we found out there was a potential data compromise."

Question:

Why is CardSystems Solutions still a processor for Visa and MasterCard?

Re:Why are they still in business?

[jimicus]

Why is CardSystems Solutions still a processor for Visa and MasterCard?

Because the CEO's PA gives good head to visitors.

An interesting data analysis problem

[G4from128k]

The article alludes to fraudulent activity starting back in mid-April leading to an investigation of this particular card processor in mid-May. That suggests that the card companies do some rather interesting statistical analyses on fraud patterns to find commonalities. In this case, they were able to detect that an unusual number of cards with fraudulent transactions had, at some point, a transaction that shared a common card processor sometime in the past.

Obviously, someone (I assume its Mastercard, Visa, etc.) is storing sufficient volume of historical transactions (including metadata such as the 3rd-party transaction processor) to analyze patterns such as this. With some 60 billion card transactions per year worldwide, this would make for a very large dataset and a very interesting analysis problem.

For Science!

[EvilMagnus]

John M. Perry, CEO of the processor in question, claims the data was merely being kept for "research purposes."

Well, that makes it all OK, then, doesn't it? So long as it was for Science.

Moral Hazzard?

[DaveInAustin]

This story on npr says that the credit card companies can actually wind up making money when a fraudulent charge is made. Does this create an incentive for them to keep things safe?

When will these companies be held responsible?

[Todd+Knarr]

That's what I want to know: when will companies that mishandle data like this be held 100% responsible to the people whose data they mishandled for the losses, fraud, etc.? I'm of the opinion that only when mishandling data results in actual financial consequences to the mishandler will things change.

Read here for how Visa/Mastercard control this crp

[twigles]

Ok, Visa and Mastercard have a set of thresholds and guidelines for data security, retention and the like. How it works in a nutshell is once a business, be it your local cable provider or some card processing company or whatever, hits some number (not sure what that is) of transactions or money, they have to conform to a set of "best practices" defined by Visa/Mastercard (the two have agreed to the same set of requirements). Look here for more info or just google for "visa cisp".

Essentially they are just that: best practices. I just did an audit prepping a company for Visa CISP certification and most things they require are pretty standard like password complexity, physical security, encryption used over public links, etc.. However the security all revolves around the credit card number so it's a little more focused than a normal security gig.

Also, Visa/Master require that vendors store as little info as possible in as few places as possible, and that they encrypt it in storage. Specifically no one is EVER supposed to store the CVV/CVC code or any portion of the magnetic stripe info. Also specific to this set of requirements, a subpoint of it being CC#-centric, is that even non-mission-critical systems have to have the same high level of security if they store CC info. So no one gives a shit if you are doing "research" or just processing sales, you HAVE to protect the numbers, ideally by encrypting that field in Oracle or something equivalent so when FedEx loses your backup tape it isn't a disaster.

One last caveat is that the program is still ramping up. It started about 4 years ago but most companies are struggling to implement the reqs still, and Visa is very understanding since if they are too stringent and cut off the offending vendor they lose revenue.

Looks like I was hit

[Urgo]

I got two emails from my bank today (10:52am and 4:59pm EST).

Dear Customer,

An incident involving unauthorized access into a third party processor system has occurred. A company which processes transactions for physical retail merchants and Internet merchants was the victim of a computer hacker between September 2004 and May 2005. They have identified your check and/or credit card as one of the cards possibly exposed. Information compromised includes account numbers and expiration dates, as well as cardholder names and addresses.

We understand that you will most likely be concerned when you read this. Rest assured that if you information has fallen into the wrong hands, you will not be liable for any unauthorized transactions using your Check Card or VISA Card*. However, it is very important that you monitor your account(s) closely and notify us immediately of any unauthorized transaction. If such a transaction does occur, you will need to complete a VISA dispute form, available through the maintenance area of our online banking system, in order to receive provisional credit for the amount of the transaction. We recommend, as a precaution, that you call Customer Support to block your card and we will re-issue a new one. Our Banking Specialists and Loan Representatives will make that decision with you on a case-by-case basis, as we do not want to hamper your use of the card.

We also understand that you will have other questions, such as the identity of the processor. When we receive notifications of this variety from VISA, VISA does not and will not reveal the name of the merchant or processor unless the incident has already been made public by the merchant.

Again, we do ask that you monitor your account carefully in the weeks ahead by making use of our telephone, wireless, and online banking systems. If you have any questions or concerns, please contact a Banking Specialist or Loan Representative for more information.

Thank you for banking with us.

*This limit on liability does not apply to PIN-based ATM or point-of-sale transactions.