8000 Credit Cards' Details Compromised In Australian Bank Breach

mask.of.sanity writes "Australia's largest bank, the Commonwealth Bank, has cancelled 8,000 credit cards after it detected a data breach at a merchant. Mastercard and Visa may issue penalties including fines to the acquiring bank under the payment industry's PCI-DSS compliance rules. News of breaches is uncommon in Australia because the nation does not have data breach disclosure laws."

1, 2, 3...

[koreaman]

I can't wait until this is wrongly attributed to "Anonymous" (which is more of a subculture than a group, anyway)

Re:1, 2, 3...

How do you know it wasn't?

Re:1, 2, 3...

Because they're a bunch of kids that hacker groups use as a scapegoat.

Re:1, 2, 3...

[koreaman]

Like I said, Anonymous isn't an organization. They're a subculture. Saying "Anonymous hacked this" has about as much value as saying "punks hacked this". "The punks" aren't a cohesive group and neither are Anonymous.

HELLO, I LOVE YOU !!

But this was not the work of we, who are ANONYMOUS !!

Thank you for thinking of us,
Betty

Anti-CBA spin?

[_merlin]

I don't get why so many stories are spinning this as though it's somehow CBA's fault. CBA detected the data breach, alerted the public, and cancelled affected cards. They failed to name and shame the company that suffered the breach, only indicating that it was a bank outside Australia. CBA deserves some credit for handling the situation as well as they could.

Re:Anti-CBA spin?

[robbak]

That's what I thought too. Even the statement about disclosure laws is out of place,as the laws that would apply are the laws in the country where the issuing bank and/or retailer is based.

CBA probably couldn't reveal the bank or retailer either, as they would probably end up fighting a defamation lawsuit.

Re:Anti-CBA spin?

[Hazel+Bergeron]

Because there are lots of ways of making credit cards far more secure which the banks refuse to use because the banks profit from a data breach.

If someone fraudulently uses a card, the bank will refund them by debiting the merchant's account, not out of its own infinite pool of generosity. And it'll usually fine the merchant, either per-transaction or by increasing the discount rate in the long term (or both).

Re:Anti-CBA spin?

[BiggerIsBetter]

CBA probably couldn't reveal the bank or retailer either, as they would probably end up fighting a defamation lawsuit.

Is speaking the truth not a defense against such lawsuits?

Re:Anti-CBA spin?

[jamesh]

CBA probably couldn't reveal the bank or retailer either, as they would probably end up fighting a defamation lawsuit.

Is speaking the truth not a defense against such lawsuits?

Depends on jurisdiction, but I think the truth is less relevant if the defamation was made maliciously . It could be that CBA noticed that the fraudulent activity was on cards which had previously been used at a common location (eg the merchant in question) and so it was only an alleged compromise at that merchant. It could also be that the merchant was a horse porn shop or something in which case they are also protecting their customers from having private information disclosed.

Re:Anti-CBA spin?

[dbIII]

Is speaking the truth not a defense against such lawsuits?

Not always. Some places instead have a "public interest" clause so that if it is true but it is successfully argued that it is not in the public interest you lose. The state where I live used to have defamation laws like that.

Re:Anti-CBA spin?

[Kalriath]

Except if said merchant had 3DS authentication (Verified by Visa or MasterCard SecureCode), then the bank cannot actually reverse the transaction, and must eat the cost itself.

Worst part

[CTU]

The worst part there will be people who don't know there cards were canceled and try to use it. It will not be a happy sign especially if they did not bring enough cash or a different card to pay with. So I wonder if they will be compensated or can sue for such damages. I know I would if it gets me into any trouble ether with the law or a restaurant or store because I found out my card was not valid a little to late.

Re:Worst part

[Ravadill]

People whose cards were cancelled were contacted via SMS or email to let them know (depending on what contact details were available.)

Re:Worst part

[am+2k]

That won't help people who check their mails monthly (and I know some of those).

Re:Worst part

[hackertourist]

Interesting. My bank has a policy of never contacting its clients via email. They made a lot of noise about this last year when a number of phishers tried sending emails to the bank's clients.

Instead they use either snail mail, or the bank's internet portal (which uses a challenge-response mechanism linked to my debit card so it's reasonably secure).

Re:Worst part

[jamesh]

I know I would if it gets me into any trouble ether with the law or a restaurant or store because I found out my card was not valid a little to late.

It's an offence in Australia to purchase goods (eg eat food in a restaurant or fill your car up with petrol) when you have or should have knowledge that you can't pay for it... I assume other countries have similar laws.

Not being aware that your card was just cancelled does not meet the above criteria though so I think you'd be safe from the law. The restaurant might be a little pissed, but i'm sure it wouldn't be the first time and they'd have a way of dealing with it (can you wash dishes? :)

Re:Worst part

[iamhassi]

SMS and email? Really? That's their notification method for letting me know that my main payment source for everything has been cancelled? Seems like this should be handled better, perhaps letters and phone calls would be more appropriate for something this important.

Re:Worst part

[iamhassi]

In the US you could be arrested, put in jail, released on bail (if you can afford thousands of dollars) whenever the judge sets your bail (next business day, so you might be there the weekend), and then when you go to the hearing you could bring the email or letter showing proof you didn't know. If you can't afford bail then you sit in jail for several weeks until the hearing.

of course all of this depends on if the cop wants to arrest you or not, he could just write a ticket if he wants to be nice.

Re:Worst part

[CTU]

True,but I expect they will be getting a few angry calls from people who did not hear anything when then find out there card was declined.

Re:Worst part

"My bank has a policy of never contacting its clients via email."
Then your bank assumes you are stupid.

If your bank is going to go to the effort of making "a lot of noise about" it, then they shouldn't properly educate their customers to never give out information via email, and to never click links in emails, and to instead only access the bank website through the main page and to only provide information over an HTTPS connection.

MY bank, the commonwealth bank, REFUSED to take identifying information over HTTPS, insisting that it be done over an insecure telephone line instead. Eventually, they ended up EMAILING me requesting the same information! (so they could reissue a credit card to me)
Of course, I refused to reply to the email, and only provided the info via HTTPS.

I'll repeat that: The commonwealth bank send a legitimate email requesting identification information.

And the merchant was...?

[jamesh]

So who was the merchant? I'm not a CBA customer but if it was a merchant who had a breach, surely it isn't just CBA customers who were affected?

Re:And the merchant was...?

[halowolf]

One of the random TV news stories I saw, mentioned that the breach spread to Westpac too. Since it was a merchant that had the breach, I would expect most CC providers to be affected to some degree.

Re:And the merchant was...?

[dakameleon]

Usually, there's a single bank that provides the POS equipment to process the transactions - you'll see it as the branded card processing machines at the register. This leads to the conclusion that CBA was the POS provider for this particular merchant - the question of their liability could be due to a flaw in their system allowing the data to be compromised.

NAB has them too

[MavEtJu]

In the last two years I have been given a replacement credit-card from the NAB bank twice.

One day everything work fine, the next day they don't work anymore and three days later when you call them they say that they are in the process of re-issueing them.

Thanks for not letting me know on day one, and thanks for not being able to buy anything for two weeks.

Re:NAB has them too

[BarryHaworth]

This must be why I couldn't use an ATM last Thursday.

I'm with the CBA, and twice in the last few years I've had my card cancelled and reissued. The first time it was because of a data breach like this one - a card skimmer had been used on one of the ATMs in my area and all people who had used ATMs in the vicinity had cards cancelled & reissued. The more recent time it was just me - someone had skimmed my card and used it to make a purchase in London.

Both times the bank was very efficient, and while there was the inconvenience of waiting for a new card and, in the second instance, waiting for the stolen money to be recovered there was otherwise no problem.

Re:NAB has them too

And you are drawing cash from an ATM using a credit card?
Eh? Wtf? What is the interest rate you are going to have to pay on that?
More fool you I say.

Re:NAB has them too

[MavEtJu]

Australia has the concept of Debit "Credit-Cards", which immediately deduct the money from the account.

I assume the person you replied to has one of them.

Re:NAB has them too

[unreadepitaph]

It's called a cash advance.
Since they now have pin numbers on Credit Cards you can withdraw from ATM's using it.
The interest rate on cash advances are generally the same or 1% higher than the cards (If you have a base rate of like 11% or a little higher they will be about 19-20%) interest rate except they apply straight away.
So you're not paying that much interest on top of them anyway.

Re:NAB has them too

[Calydor]

My bank issues as standard a MasterCard which also serves as a standard ATM card. Go to an ATM and it connects to your account, refusing to pay out money if you try to withdraw more than either your daily limit or the total on the account, whichever is lower.

It's a system that works pretty well, IMO.

Re:NAB has them too

[BlueScreenO'Life]

You know there are cards that can be used either as a credit card or as a debit card, right?

Re:NAB has them too

[iamhassi]

Debit credit cards are common in the US, AC was trolling

Re:NAB has them too

I don't have to pay any interest if I do it the right way.

Right now I'm overseas and my keycard has recently expired. Since I'm travelling, it's not easy to have my new keycard sent to me, so I can just use my Credit Card to withdraw cash if I need it. Credit Cards also have a PIN.

The "right way" I referred to is that I have preloaded my credit card with $1000 above my credit limit - I don't get charged ANY interest until I get back to the default balance.

Re:NAB has them too

[Zanadou]

Australia has the concept of Debit "Credit-Cards", which immediately deduct the money from the account.

I assume the person you replied to has one of them.

Not quite, (most) Australians hold credit cards that can be used to access/authorise withdrawals from a normal debit (savings) account that is "bundled" together to the same cardholder. In practice, this means that credit cards seem to "act" like debit cards... but actually it's just binding two accounts together so that they can be accessed via one piece of plastic. This is why Australian ATMs and POS machines give a person the choice to press a "saving"/"cheque" (debt account—cheque accounts are becoming rare now) button, or a "credit" button.

Back to the original topic: yes, the case of a cancelled or "captured" (retained in the ATM) "credit card" would also render you unable to access your debt (savaings) accounts too.

Re:NAB has them too

[lazybeam]

The "Cheque" button usually accesses a secondary "savings" account these days :) Or a business "cheque" account even if you don't have paper cheques to go with it.

And I think you mean that there's three buttons on EFTPOS machines: "Savings", "Cheque" and "Credit". Most ATMs seem to have an extra option or two for accessing other accounts.

I've had a Visa debit card for 10 years: it is basically a Visa card with $0 credit limit. Handy for buying stuff from the Internet (and the Internet itself) without having to get "credit" (I was a student at the time, and I've never needed to "upgrade" to a real credit card.)

Why fine the bank?

[hackertourist]

TFS mentions that "Mastercard and Visa may issue penalties including fines to the acquiring bank ". Why is that when the breach didn't occur at the bank, but at a merchant?

Re:Why fine the bank?

[hakey]

The summary removed the important bit. There is a second unnamed "acquiring bank" that is potentially responsible. From TFA: "Mastercard and Visa may issue penalties including fines to the acquiring bank, not CommBank, under the payment industry’s PCI-DSS compliance rules."

Re:Why fine the bank?

[xelah]

PCI DSS is enforced via contracts....so I presume that VISA/Mastercard have a contract with the acquiring bank, the acquiring bank has a contract with the merchant and the liabilities get passed along the chain. You can bet the merchant will end up paying unless it's so obviously the bank's fault that they can't get away with claiming otherwise.

It was more than just CommBank

[unreadepitaph]

All of the big 4 had to cancel and re-issue a heap of cards not just the Commonwealth Bank.

Which Bank?

[SwampChicken]

*smirk*

Re:Which Bank?

Very obscure reference to the old advertising..

Re:Which Bank?

[MrKaos]

Oh, I wish I had mod points

Re:Which Bank?

Knowing what you're talking about makes me feel OLD

the only reason this is news

the awful behaviour of banks in the US that go to extreme lengths to blame the credit card holder
here we have a bank outside the US that should be a decent example of what banks should do
- tell your customers that their cards no longer work and why
- priority issue them new cards as they may be reliant on the credit cards
- don't name who screwed the pooch. customers can contact the bank if they want more info
- the bank absorbs the cost of the fraudulent transactions (kept low by picking up on the activity early)

the actual story here is a bank (not cba) was requesting transactions into a merchant account
the commonwealth bank analysis software detected something very suspicious with the transactions
it subsequently cancelled all associated credit cards being used preventing further fraudulent transfers
it immediately generated new cards to issue those who were affected
it's unknown if other banks have detected similar transactions on their customers cards

frankly this could be a side effect of the psn breach for all we know
it might just be that other banks haven't detected / admitted the customers cards have been compromised

CBA? Lol Sony

[Xachariah]

As a reminder, the Sony hack involved 12.3 million credit cards. This isn't counting the 77 million people who 'just' had their data stolen.

This hack is less than one fifteen hundreth in scope (1/1500th). To put it in car analogy form, if Sony's breach was a quarter mile drag race, CBA's breach would be rolling 10 inches forward at a stop light.

This doesn't mean that every breach of data is deplorable. Just remember how bad the Sony breach was.

Credit cards are too weak

[Stonefish]

The fact that a most credit card transactions are based upon a couple magic numbers and a date makes them easy to defraud. Fixing this problem isn't rocket science. With smartcards, crypto and near field readers this problems shouldn't be hard to make this go away. A vender generates a transaction, you digitally sign it and the vendor gets the signed result. You could even put the credit institution in the loop if you wished. Its funny but Google appears to be pushing the technology that would facilitate this. That would make google stops a buy and visa a sell for the longer term wouldn't it?

Re:Credit cards are too weak

[Raenex]

The fact that a most credit card transactions are based upon a couple magic numbers and a date makes them easy to defraud. Fixing this problem isn't rocket science. With smartcards, crypto and near field readers this problems shouldn't be hard to make this go away.

You are right. What's really pathetic is that public-private key crypto has been available for decades, yet the big credit card companies (Visa, MasterCard) have either been too afraid or stupid to move to it.

The last time they updated security, they added another secret number (that 3-digit number on the back of your card). The only difference was that this number is not supposed to be stored by the merchant.

There are hundreds of thousands of merchants. Trying to get them all tightly secured is a joke, yet that's what Visa pushes with their PCI DSS rules.

Re:Credit cards are too weak

[xelah]

Isn't that roughly what Chip and PIN does?

For distance sales something as simple as a button on the card/a device which displays a time-dependent number would make a huge difference. I already have a device for a company bank account which does this (but it uses a PIN as well). Merchants want to be able to perform repeat charges, do automated refunds, etc., but that could be done by issuing the merchant with a token only they can use during authorization.

Re:CBA? Lol Sony

[MrKaos]

As a reminder, the Sony hack involved 12.3 million credit cards. This isn't counting the 77 million people who 'just' had their data stolen. This hack is less than one fifteen hundreth in scope (1/1500th). To put it in car analogy form, if Sony's breach was a quarter mile drag race, CBA's breach would be rolling 10 inches forward at a stop light. This doesn't mean that every breach of data is deplorable. Just remember how bad the Sony breach was.

Incidentally, did you realise it's the commonwealth bank.

The Merchant Bank in question

'The Commonwealth Bank has cancelled some 8000 credit cards after it detected a data breach at a merchant .. The bank did not release the name of the affected merchant and its acquiring bank, or when the breach occurred.

“[CommBank] continuously monitors all credit card transactions to protect our customers from fraud and during this process we became aware of a potential credit card compromise through an Australian merchant acquired by another bank,”

So, it took CommBank to noticed the fraudulent transactions and inform the client before they even noticed anything wrong. Which begs the question as to what technology they were running their system on.

"Banking sources would not identify the merchant or bank involved, however St George Bank emerged as the only institution that would not flatly deny it was the bank in question."

' St.George Bank Cuts Server Deployment and Management Costs with Virtualized Infrastructure'

8,000?

[goodmanj]

8000 credit cards? Wow, that's twice as many cards as were stolen from TJX Companies in A SINGLE HOUR between 2005-2007.

Australia, I love you. You're both terrifyingly tough and adorably tiny. Like a snarling chihuahua.

Re:8,000?

[Geminii]

A _poisonous_ chihuahua. With fangs, spurs, tentacles, and the ability to drop out of trees onto you.

Re:CBA? Lol Sony

[laxguy]

You might also choose to remember that there were no reports of fraudulent charges on the cards that were involved because the security codes required to use the card were not taken.. just something to keep in mind when you're trying to flame Sony.