Slashdot Mirror


VISA, MasterCard Warn of 'Massive' Breach At Credit Card Processor

concealment writes with news that VISA and MasterCard have been warning banks of an incident at a U.S. card processor that may have compromised as many as 10 million credit card numbers. From the article: "Neither VISA nor MasterCard have said which U.S.-based processor was the source of the breach. But affected banks are now starting to analyze transaction data on the compromised cards, in hopes of finding a common point of purchase. Sources at two different major financial institutions said the transactions that most of the cards they analyzed seem to have in common are that they were used in parking garages in and around the New York City area." According to the Wall Street Journal, the breached company is Global Payments Inc.

164 comments

  1. No Source? by MrJones · · Score: 4, Insightful

    The article has no credible source. Is this Spam?

    --
    Get my e-mail after a captcha test in: http://tinymailt
    1. Re:No Source? by Anonymous Coward · · Score: 5, Informative

      Krebs is all over it:

      http://krebsonsecurity.com/2012/03/mastercard-visa-warn-of-processor-breach/

    2. Re:No Source? by EliSowash · · Score: 5, Informative
    3. Re:No Source? by buchner.johannes · · Score: 4, Informative
      --
      NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
    4. Re:No Source? by Anonymous Coward · · Score: 1

      http://online.wsj.com/article/SB10001424052702303816504577313411294908868.html

    5. Re:No Source? by CuriousGeorge113 · · Score: 4, Interesting

      It seems like all of the links pertaining to this story point back to the Krebs blog as the source for the information. Yet, Krebs provides no 3rd party verification to the story other than a 'source'

      Shit like this is how rumors get started. Can anyone verify with a statement from Visa/MC, a bank, etc? I'm not saying it isn't true, but even the WSJ article is referencing the Krebs blog.

      --
      No man is an island, But if you take a bunch of dead guys and tie them together, they make a pretty good raft.
    6. Re:No Source? by ohnocitizen · · Score: 5, Insightful

      This actually impacted me. I live in NY, and was contacted by my credit card company. They informed me I was getting a new card, that visa and mastercard said there was a breach - but were not required to report who had compromised my credit card number. "At least they tell us there is a breach". This right here is why "the market" is insufficient protection for consumer rights. We need a law requiring credit card companies to disclose businesses that compromise data.

    7. Re:No Source? by Dyinobal · · Score: 2

      Strange, my bank called me and told me that my credit card was possibly compromised back when Valve got hacked and then I got a new one two days later in the mail.

      Perhaps you were just faster than they were, it does take time for them to contact people.

    8. Re:No Source? by binarylarry · · Score: 3, Informative

      You aren't on the hook for the fraudulent charges.

      Unless they can prove you actually made them, they have to pay for the charges.

      If it's all on them, why do they need to give you a detailed breakdown?

      --
      Mod me down, my New Earth Global Warmingist friends!
    9. Re:No Source? by scubamage · · Score: 3, Insightful

      Most likely it's a numbers thing. If visa has 300 call center reps and they have to call 20 people, it'll be done in a few minutes. However 300 reps calling 10 million will take a much, MUCH longer amount of time. Now these numbers are hyperbolic, but you get the idea. Most likely your branch office didn't have that many people affected by the valve hack (thankfully).

    10. Re:No Source? by Anonymous Coward · · Score: 0

      Should've used bitcoin ;).

      In all seriousness though, the CC model is broken. You want $5 for parking? Sure, let me give you enough personal information to charge me up to my credit limit...

    11. Re:No Source? by berashith · · Score: 5, Insightful

      100% agree. I just went through this a few weeks ago. VISA told my card issuer that there had been a breach. They actually sent me a new card, but didn't tell me until fraudulent use occurred. This was before my new card arrived, which actually shortened the amount of time that I had no credit card. I wanted to know who had the breach, so I could avoid ever giving them business that wasn't cash based, but they would not tell me. That part pisses me off. There needs to be an awareness as to which vendors don't find it worth their time to protect me, so I can make a decision to not use them.

    12. Re:No Source? by Taty'sEyes · · Score: 4, Funny

      You haven't parked in NYC have you?

      --
      We show geeks how to get their dream girl at EyesOfOdessa.com
    13. Re:No Source? by knarfling · · Score: 3, Informative

      The WSJ has an updated story here. http://online.wsj.com/article/SB10001424052702303816504577313411294908868.html?mod=WSJ_hp_LEFTTopStories
      From the link, Global Pay seems to be the processor, and it appears that only 26,094 VISA cards were affected. It did not mention how many MasterCard cards were affected. While that is a lot, it is nowhere near the 10 million speculated.

      --
      Great civilizations have lived and died on false theories. Don't mess up mine with a few facts.
    14. Re:No Source? by wickerprints · · Score: 5, Insightful

      Because all borrowers end up indirectly paying for the cost of fraud. As is the case with many forms of financial risk, a lender typically insures against identity theft and credit card fraud. The cost of that insurance is factored into their interest rate and fee calculations and is passed on to the borrower.

      Granted, insurance doesn't completely absolve the insured of all responsibility, in as much as a driver with car insurance would not think to be totally careless about driving. Lending institutions still have an interest in preventing fraud despite being insured. The point is that when fraud increases, or if there's a catastrophic breach (as in this case, opposed to isolated small-scale instances of ID theft), the associated financial costs eventually reach the borrowers.

    15. Re:No Source? by Aladrin · · Score: 2

      Because you want to know who was lazy with your private information, so you can deal with that situation.

      --
      "If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
    16. Re:No Source? by buglista · · Score: 1

      You should do your homework before sounding off. Mr Krebs knows his stuff - he's a journalist, not some guy sitting round in his pants writing the first thing that comes into his head.

    17. Re:No Source? by binarylarry · · Score: 1

      If you make a fraud complaint and your lender jacks the interest rate way up, move to a different provider.

      They have to give you advance notice so you can agree to the new terms anyway.

      --
      Mod me down, my New Earth Global Warmingist friends!
    18. Re:No Source? by NoNonAlphaCharsHere · · Score: 0

      Krebs is now returning 404 Page Not Found - although their home page has the same link, also returning 404.

    19. Re:No Source? by magarity · · Score: 0

      What would you do if you knew whose system was compromised? Tie up the courts with lawsuits? Head over in a mob and smash their front windows? What are you going to do if their initial suspect turns out not to be at fault? File more suits? Form more mobs?

    20. Re:No Source? by krept · · Score: 1

      Also when you try to read the full story it gives you a pleasant 404.

      --
      None of us know everything. Therefore we're all naïve.
    21. Re:No Source? by Pope · · Score: 2

      Why is this labelled "Funny?" There's no link in the submission, and clicking on the submitter's name goes to some site that has no story about this either. Talk about editor fail.

      --
      It doesn't mean much now, it's built for the future.
    22. Re:No Source? by krept · · Score: 1

      Edit - Nevermind. It works now.

      --
      None of us know everything. Therefore we're all naïve.
    23. Re:No Source? by Anonymous Coward · · Score: 0

      No it is not.

      Please send me your credit card number, expiration date, CVV, pin code, bank account number, address, social security number, drivers license number, mothers maiden name, password to slashdot, passport number and name of first pet and we'll get right on checking if you're affected.

    24. Re:No Source? by 1s44c · · Score: 1

      If it's all on them, why do they need to give you a detailed breakdown?

      Because whoever screwed up deserves to suffer for it.

    25. Re:No Source? by Anonymous Coward · · Score: 2, Insightful

      Maybe not do business with them anymore? All this free market bullshit rests on the assumption that consumers are (or at the very least can be) informed about the companies they're dealing with. If you can't even know about the company you might be interacting with, then how are you supposed to "vote with your dollars"?

    26. Re:No Source? by Anonymous Coward · · Score: 0

      If they disclose data before the investigation is over, it could make it harder to find out who is behind this. They should disclose it later on though.

    27. Re:No Source? by CuriousGeorge113 · · Score: 3, Insightful

      Credible sources are still fallible.

      --
      No man is an island, But if you take a bunch of dead guys and tie them together, they make a pretty good raft.
    28. Re:No Source? by jdavidb · · Score: 1

      This right here is why "the market" is insufficient protection for consumer rights. We need a law requiring credit card companies to disclose businesses that compromise data.

      You have not tested "the market." You have tested "the market with regulation." If you had tested "the market," then you could take your business elsewhere to someone who tells you what you need to know.

    29. Re:No Source? by tlhIngan · · Score: 3, Insightful

      This was before my new card arrived, which actually shortened the amount of time that I had no credit card. I wanted to know who had the breach, so I could avoid ever giving them business that wasn't cash based, but they would not tell me. That part pisses me off. There needs to be an awareness as to which vendors don't find it worth their time to protect me, so I can make a decision to not use them.

      And what makes you think it was the *business* that was hacked? Retailers obtain a merchant account and the merchant bank provides the processing equipment. That equipment talks to a credit card processor who handles the transactions and transfers and such.

      A credit card processor being breached means it affects MANY retailers at once. Boycotting one business over the breach may mean you're still vulnerable as your new go-to place can use the same processor.

      For many businesses, there's nothing to breach - the information is temporarily stored on that terminal you use for the duration, and the only thing the retailer has is the tiny slip of paper they get at the end. Which is probably why credit card processors get attacked, rather than individual companies.

      Even online companies do the same - that box you enter your information into may be temporarily hosted by the store, but the information is promptly forwarded to a credit card processor and forgotten by the store's server to reduce PCI requirements. Some make it obvious when they forward you to Google, Amazon or Paypal, or to a processor's site directly. Most don't, even though in the back end they're really proxying the processor's site.

    30. Re:No Source? by Anonymous Coward · · Score: 0

      What rights were violated? You were notified, card was replaced, and you're not responsible for any unauthorized charges. Sounds like your "right" to be informed of things that won't hurt you was the only thing violated.

    31. Re:No Source? by slew · · Score: 4, Interesting

      ...I wanted to know who had the breach, so I could avoid ever giving them business that wasn't cash based, but they would not tell me. That part pisses me off. There needs to be an awareness as to which vendors don't find it worth their time to protect me, so I can make a decision to not use them.

      I don't know if you can believe the story, but if the breach occurred with a credit card processor and not the retailer. The Credit card processor is the retailer's vendor (e.g., the company that the retailer contracts with to process credit card batches). This vendor relationship is not unlike the company that the retailer buys paperclips from, or the company that processes their payroll. Credit card processing is a highly competitive industry. Some retailers will often switch processors every few years when competing companies offer promotions with lower merchant fees (the fees/percentage that they charge the retailer for processing a credit card transaction).

      Even if you had been told what retailer the fraudulent charges were made at, since there are so many credit card processing companies, it's quite likely that the retailer didn't use the same processing company. Additionally, because of credit card merchant contracts, retailers are supposed to follow certain "merchant" rules (e.g., no minimum*** or maximum purchase amounts, no steering to different forms of payment, not allowed to require ID, etc, etc). So even if the retailer wanted to be more careful when trying to accept this apparently fraudulent card transaction, they probably aren't allowed by contract to be as paranoid as you apparently want them to be...

      So feel free to throw the baby out with the bath water, but it might be just as likely that the retailer you want to disown actually helped the credit card company identify the fraudulent transaction before it appeared on your credit card statement. If that were the case, perhaps you should be thinking about thanking them, before you disown them?

      *** As part of the Dodd-Frank wall street reform act of 2010, retailers are now allowed by law to impose a minimum transaction amount up to $10 (this law supersedes the language in the contracts in place with the credit card companies)

    32. Re:No Source? by Bigby · · Score: 1

      He can find $5 parking; There are several places where you can park for 10 minutes for around that price.

    33. Re:No Source? by Anonymous Coward · · Score: 0

      At least here in Ohio, state law waives our liability if we go public about the breach. There is a timeline for going public and police can dictate that you not go public under which case the deadline does not apply. Obviously, with credit cards your primary liability comes from fines that you agree to as part of your merchant account agreement, but I still really like the law.

      I'll give an example, we had a laptop stolen with a bunch of SSN's on it. Based on the nature of what happened, it was believed that the person who stole it had no idea what was on it. Thus we were told to keep quiet and way beyond the deadline a news release was finally released. I know they had been searching pawn shops etc hoping to retrieve the laptop and ensure it had been wiped; in which case they would have made the release. They immediately notified those potentially affected and we offered them free credit monitoring, so basically the idea was to not tip off the thief that the data may be more valuable than the laptop.

    34. Re:No Source? by Anonymous Coward · · Score: 0

      not some guy sitting round in his pants

      Good to know, I wouldn't trust anyone wearing pants, they're trying to hide something.

    35. Re:No Source? by wickerprints · · Score: 4, Insightful

      Your response indicates you have entirely failed to grasp the meaning of my previous post.

      Government regulation of the credit card industry prevents a lender from penalizing a fraud victim in the manner that you describe. A penalty in the form of a higher interest rate may only be applied if the borrower fails to pay an outstanding balance in a timely manner. A late fee may also be assessed. This is legal because a borrower's failure to repay the incurred debt is a reflection of their poor creditworthiness relative to other borrowers who pay their balance on time. However, a victim of fraud may not have had anything to do with the theft of the information that precipitated that fraud, which is the case with this data breach.

      In relation to my previous post, then, the cost of insuring against losses due to fraud is passed on IN AGGREGATE to the entire pool of borrowers in the form of higher interest rates and/or fees, just like the way in which they factor in other costs of doing business (such as worker salaries, marketing, customer service, and legal representation). Competition between lenders exerts pressure to keep the interest rate low, but if the overall rate of fraud increases across ALL lenders, then the overall financial risk of lending money in this manner has also increased, and therefore the interest rate must also increase to reflect this risk trend.

      To be absolutely clear, I am not talking about a scenario in which an individual borrower reports fraudulent activity on their account, and the lender then decides to punish that borrower by increasing their interest rate. What I am talking about is the big picture, in which the cost of credit card fraud and ID theft is spread out over the entire pool of borrowers because the risk of fraud is one component of the risk of lending money, and the risk of lending is part of why interest exists. Granted, this is a gross simplification of the way things actually work (as I do not discuss the role of merchants in this process, for example), but the basic point remains valid: the cost of fraud is eventually paid by the borrower. Even the merchants purchase insurance for their business, and factor these costs in the pricing of the goods and services they sell to consumers. All of it eventually falls on the shoulders of the consumer, who pays for it in the form of higher prices or higher interest.

    36. Re:No Source? by MacGyver2210 · · Score: 1

      Seems like there's plenty of sources, and it looks like they're updating it with more as they roll in.

      --
      If the only way you can accept an assertion is by faith, then you are conceding that it can't be taken on its own merits
    37. Re:No Source? by berashith · · Score: 2

      You are correct, it may have been a processor and not the front end business. Even just that on its own would be good information to know, but that would undermine faith in the system, so VISA has a vested interest in not revealing that kind of info. I have worked in several PCI businesses, which have kept customer information on site, and which VISA performs regulatory checks on. The certification process is a bit of a smokescreen, and knowing that, I would really have liked to know if it was that type of business that screwed up.

      I see no help in not letting me have information as to what happened, except for preventing people from starting to see how much they shouldn't blindly trust these companies (so no help to me or consumers).

      In my specific case, no vendor helped. There was apparently a watch on a very large amount of CC numbers for anything suspicious. When I purchased 10 copies of McAfee for 100 bucks a pop, someone at the CC company took notice. As I said, there was already a new card on the way to me and likely many thousands of others. If nothing happened by the time I got the new card, then I call and activate and the stolen numbers can be forgotten. If something did happen (which it did) then they were just more suspicious. I understand that they couldn't call every customer on that watch list, and this was the fastest way of dealing with the theft with as little interruption as possible. I still think that my request for more information should have a better answer than "They won't tell us that, so we have nothing to give you". It is all a shell game propping up fake security.

    38. Re:No Source? by berashith · · Score: 1

      Nothing makes me think for sure that a business was hacked. I would like to have had my question answered so I could know for certain what happened to my account.

    39. Re:No Source? by helix2301 · · Score: 1

      It's been all over the internet today. FOX News reported it, and they're one of the best breaking news coverages around.

    40. Re:No Source? by ohnocitizen · · Score: 1
      This makes no sense at all.
      1. You assume switching credit cards and shutting down an old account is easy and consequence free. Closing a credit card account impacts your credit. Some banks use visa or mastercard as their vendor for credit and debit cards.
      2. Visa and Mastercard are the big players. You assume switching from them won't impact your ability to do business with companies that only accept one or the other.
      3. With nothing to require them to disclose, what real pressure is there for them to disclose? Why should they when it could cost them business to do so?
      4. Should market pressure be the only thing between us and how a company treats us? If the market as a whole did not care that a company killed puppies, should we allow that company to continue to do so?
      5. There's no reason to suspect that in this mythical "the market" you refer to, there would be someone who does tell you what you need to know.
      6. There is no "market" that is pure and free of all regulation. This is like saying "communism works in theory".
    41. Re:No Source? by wickerprints · · Score: 2

      I would also like to clarify that an individual cardholder may be subject to a change in their contract terms or revocation of cardholder privileges if repeated instances of fraud are reported, because this is an indicator that a cardholder may be doing something that is increasing their exposure to fraud. One fraud report, even if it is for a series of large amounts, isn't going to set off any alarms. But if, say, you had three reports in a six-month period, that would definitely look suspicious to the lender. They would be entirely within their rights to wonder what you could possibly be doing that would cause your credit card information to be stolen on three separate occasions in such a short period of time. Unless you have a really good explanation, they may well decide not to lend you money at all.

      On a personal note, I was a victim of credit card fraud some years ago. The physical card was not stolen--I was always in possession of it--but it could have been cloned or skimmed by an unscrupulous employee of one of the merchants I visited. I deliberately keep my credit limit low, so the thief could only charge a few hundred dollars before the card hit its limit. But they did it really fast, because in under 24 hours, my card was declined, which was my warning that something was wrong. I immediately contacted my bank and after filling out the paperwork, it was resolved and I was assigned a new card. While it didn't cost me any money, it was an upsetting and disruptive experience, one that left me feeling violated. I asked my bank if I could do anything to help them investigate, but they basically looked at the amount, shrugged their shoulders, and said it wasn't really worth it because the cost of their investigation would easily be many times more than the dollar amount of fraud.

      If you want to prevent yourself from being a victim of credit card fraud, one thing you should do is to keep your limits low. It's better to have multiple smaller accounts (not too many, though, as opening too many accounts will decrease your credit score) than one large account. If you need to make large purchases from time to time, then have one account with a very low limit like $500 to be used for everyday purchases, and one account with a large limit that you only use for important things. Also, watch where you use your cards online, keep track of your balances, and try to sign up with a lender that will send you text alerts when you use your card. Avoid using a card in situations where it's out of your sight--restaurant staff are very common sources of fraud; pay in cash if possible. And don't lose your wallet or purse. Do your part to prevent rising costs of borrowing by being a responsible borrower and taking advantage of the security measures that your creditor offers.

    42. Re:No Source? by ohnocitizen · · Score: 1

      I want to know if a specific vendor has security issues. It would impact whether I use them again. I used to shop at Zappos, but the way they handled the data theft made me feel insecure about continuing to use their service.

    43. Re:No Source? by slew · · Score: 1

      It is all a shell game propping up fake security.

      Of course it is a shell game (that is what "money" is).

      The only thing that gives "money" any value at all is the belief that you can exchange it for something you value at some time in the future. Credit cards are just like "money" in that respect, you get something of value today from the retailer and they hope to get some value out of that credit card transaction they made with you some time in the future. If you don't trust money will have any value in the future (or say a particular credit card transaction), the system doesn't work. Most folks trust that "money" has some value because they trust the government to make it so (fiat currency). Vendors trust that credit card transactions have some value because credit cards issuers hold your credit history as collateral.

      The only reason you worry about security of a credit card transaction is that you worry about your collateral. However, I submit to you that by applying for the credit card in the first place, you have already lost that game, regardless of what you do (or what someone else does) with your credit card. Possession is 9/10ths of the law, and they have your collateral. The only way to "win" is to not play the credit game.

      The security you talk about is not for your (or other card holders') benefit, it is simply loss prevention by the credit card issuers. It costs some amount of effort to prevent a certain amount of loss and they just trade that off. To get companies handling credit cards to pay more attention to their customers' collateral (as opposed to their own losses), it needs to cost them (e.g., financial penalty for security breaches that affect credit histories). Right now those penalties are nominal (basically erasing fraudulent transactions and a year of "free" credit monitoring), so there is only that level of incentive for credit card handling companies (including retailers), to protect your collateral (that is, your credit history) and that incentive is scarily near zero.

    44. Re:No Source? by fistfullast33l · · Score: 1

      In Hoboken, you can park for $5. There's no way you can park for 10 minutes in Manhattan for $5.

    45. Re:No Source? by Aighearach · · Score: 1

      That doesn't mean they're presumed wrong.

    46. Re:No Source? by gcatullus · · Score: 2

      And that is the reason PCI compliance is security theater. Merchants can be as secure as possible, yet they are on the hook for the information once it passes out of their hands. The entities that could secure the process, Visa/Mastercard and the issuing banks, won't because they have nothing to lose because the merchants are responsible. Other than the TJ Maxx breach the large breaches have been third party ISOs who handle the credit card processing.

    47. Re:No Source? by CuriousGeorge113 · · Score: 1

      Nor should they be presumed correct.

      --
      No man is an island, But if you take a bunch of dead guys and tie them together, they make a pretty good raft.
    48. Re:No Source? by cmburns69 · · Score: 1

      With credit cards, though, the cost of fraud is passed on to the merchant (apparently in an attempt to motivate them to improve their CC acceptance policies and procedures).

      The actual cost is passed on to other customers of the defrauded merchants, NOT (as is commonly believed) to the pool of borrowers.

      --
      Online Starcraft RPG? At
      Dietary fiber is like asynchronous IO-- Non-blocking!
    49. Re:No Source? by Aighearach · · Score: 1

      Nor should they be presumed correct.

      Well if you're not familiar with the source, then no. If the source is a known expert in the field who is broadly respected, then it is reasonable to give them some presumption of cluefulness.

    50. Re:No Source? by Anonymous Coward · · Score: 0

      No Krebs is a Russian ordering salad I'm not going there

    51. Re:No Source? by Anonymous Coward · · Score: 0

      The market is insufficient? The banking sector is one of the most heavily regulated in the whole economy and yet you liberal douchbags still find a way to blame freedom.

      How about the government removes all the draconian licensing costs and compliance laws that drive up the cost of the money processing business, then maybe there would actually be some competition instead of just VISA, Mastercard, etc. But no; the government erects all these barriers to entry which shut out the little guys and then you beg for more stifling regulations, which is exactly the problem.

    52. Re:No Source? by soundguy · · Score: 1

      Exactly. Cardholders, card issuers (mostly banks), merchant account issuers (mostly banks), processing gateways (Authorize, etc), and network operators (Visa, MC, Disc) never lose a dime on credit card fraud. All costs are borne by the merchants who accept cards for goods and services. Not only are the disputed amounts forcibly taken from the merchant's bank account, an additional administrative/punitive fee of between $20 and $75 (depending on the merchant account issuer) is levied for EACH chargeback.

      In this case, Visa/MC may issue steep fines to the entity that had the security breach, but ultimately any fraudulent transactions made with the stolen card numbers will be absorbed by the merchants, and those costs will be passed onto you - the consumer - in the form of higher prices on goods and services purchased with credit cards.

      --
      Nothing worthwhile ever happens before noon
    53. Re:No Source? by KevReedUK · · Score: 1

      Somewhat off-topic as my experience is in the UK, not the US, but over here, VISA and MasterCard also administer DEBIT cards, where the law does not (IIRC) demand that the lender is on the hook for any fraudulent use.

      Indeed, most lenders will refer to the indemnification of borrowers by the lender for fraudulent purchases demanded by the Consumer Credit Act 2006 as one of the main reasons to have a credit card to use online instead of a debit card. Whilst I cannot recall the particular section/paragraph of the act which provides for this, I can certainly remember that when working in customer services for a bank here in the UK (please don't expect me to name and shame), our managers regularly pressed us to try to sell more credit facilities to customers (regardless of whether that was their reason for calling) and encouraged us to use this particular hook to try to bait them in (thank $deity I no longer work there!).

      Granted, most banks will have a policy of re-imbursing you for any fraud, but, contractual and policy obligations aside, this is a goodwill measure.

      --
      Just my $0.03 (At current exchange rates, my £0.02 is worth more than your $0.02)
    54. Re:No Source? by KevReedUK · · Score: 1

      No Krebs is a Russian ordering salad I'm not going there

      I thought it was German for cancer... definitely not something I would want to get involved with!

      --
      Just my $0.03 (At current exchange rates, my £0.02 is worth more than your $0.02)
    55. Re:No Source? by Anonymous Coward · · Score: 2, Informative

      So feel free to throw the baby out with the bath water, but it might be just as likely that the retailer you want to disown actually helped the credit card company identify the fraudulent transaction before it appeared on your credit card statement.

      As an online merchant, I can tell you from experience that this is highly unlikely. When fraud was committed through my site, I used to proactively contact card issuers to let them know that their customer's card details had been stolen and were being used to commit fraud. Just about every one of them was dumbfounded by a merchant calling them to report fraud. There had even been a couple of cardholders that called to inquire about the transaction on their card, and every one I asked said that their card issuer had not contacted them about the fraud. It eventually became apparent that reporting the fraud to the issuers was a completely pointless waste of time.

    56. Re:No Source? by Anonymous Coward · · Score: 1

      You would be surprised how many online stores still keep credit card data unencrypted in an SQL database. PCI certification, like many others, only cares about what's on paper. If you answer every single question in their certification questionnaire "correctly" then you pass. If the store owner says they do not keep credit card data, nobody actually checks if that is true or not.
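One way a store can actually test a "we do not keep card data" claim, shown as an added example that is not part of the original thread: walk every column of every table and flag values that contain a Luhn-valid 13 to 19 digit number. The SQLite schema, table names and rows are constructed for illustration, and the card numbers are published test numbers.

```python
import re
import sqlite3

# Candidate PAN: 13-19 digits, optionally split by single spaces or dashes.
# Heuristic: a PAN joined to another digit run by one separator can be missed.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan):
    """Keep first six and last four digits so the report stores no full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text):
    """Return digit strings in text that look like card numbers."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        # All-identical digits (e.g. zero padding) pass Luhn; ignore them.
        if len(set(digits)) > 1 and luhn_ok(digits):
            hits.append(digits)
    return hits


def scan_database(conn):
    """Scan every column of every user table, including free-text and
    integer columns, and return (table, column, rowid, masked_pan)."""
    findings = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master "
        "WHERE type='table' AND name NOT LIKE 'sqlite_%' ORDER BY name")]
    for table in tables:
        cols = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
        for rowid, *values in conn.execute(f'SELECT rowid, * FROM "{table}"'):
            for col, value in zip(cols, values):
                if value is None:
                    continue
                if isinstance(value, bytes):
                    value = value.decode("latin-1")
                for pan in find_pans(str(value)):
                    findings.append((table, col, rowid, mask(pan)))
    return findings


def build_sample_db():
    """Constructed sample data: three places a PAN can hide, plus decoys."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, phone TEXT);
        CREATE TABLE orders (id INTEGER PRIMARY KEY, tracking_no TEXT, notes TEXT);
        CREATE TABLE payments (id INTEGER PRIMARY KEY, order_id INTEGER,
                               card_number TEXT, amount REAL);
        CREATE TABLE legacy_export (id INTEGER PRIMARY KEY, acct INTEGER);
        INSERT INTO customers VALUES (1, 'A. Example', '+1 212 555 0100');
        INSERT INTO orders VALUES (1, '1234567890123456',
            'phoned in, card 4111 1111 1111 1111 exp 04/14');
        INSERT INTO orders VALUES (2, '1234567890123456', 'gift wrap');
        INSERT INTO payments VALUES (1, 1, '5555555555554444', 49.99);
        INSERT INTO payments VALUES (2, 2, '4111111111111112', 12.50);
        INSERT INTO legacy_export VALUES (1, 378282246310005);
    """)
    return conn


if __name__ == "__main__":
    for table, col, rowid, masked in scan_database(build_sample_db()):
        print(f"{table}.{col} rowid={rowid}: {masked}")
```

The free-text `notes` field and the integer `acct` column are the kind of location a questionnaire answer tends to overlook, which is why the scan does not limit itself to columns named like card fields.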

    57. Re:No Source? by jdavidb · · Score: 1

      You assume switching credit cards and shutting down an old account is easy and consequence free.

      No, I don't assume that.

      Closing a credit card account impacts your credit

      You assume a monopolistic credit rating system..

      You assume switching from them won't impact your ability to do business with companies that only accept one or the other

      No, I don't.

      With nothing to require them to disclose, what real pressure is there for them to disclose? Why should they when it could cost them business to do so?

      My entire thesis is that you are more likely to get this when there are true competitors, because they will happily slit each other's throats.

      If the market as a whole did not care that a company killed puppies, should we allow that company to continue to do so?

      Yes.

      There's no reason to suspect that in this mythical "the market" you refer to, there would be someone who does tell you what you need to know.

      There's certainly more reason to suspect it in that system than in the one we have now.

      There is no "market" that is pure and free of all regulation.

      That's like saying, in 1600s England, "There is no 'freedom of religion' that is pure and free of a state church."

    58. Re:No Source? by rgbrenner · · Score: 1

      They definitely don't do that. What you're missing is what happens behind the scenes. When you call your bank, and say you don't recognize a charge, they:

      1) (optional) submit an information retrieval request to the merchant. The merchant has a certain amount of time to respond (a couple of weeks usually). The merchant must provide all of the information they have for the order. If they fail to do this, your bank will nearly always go to step 2:

      2) submit a reversal of the charge. This pulls the money from the merchant's bank account. They then reverse the charge on your statement.

      Note, that this entire process is in the hands of YOUR bank. Their loyalty is to you (they make no money from the merchant.. all of their money comes from you, since you're their customer)... so they nearly always side with you and against the merchant.

      Also note, your bank lost nothing here. They recovered every dime from the merchant's account.

      The only case where your bank will lose money on your account, is if you declare bankruptcy/refuse to pay.. and they will jack up your interest rates for that. But fraud? They really don't care about that.. that's the merchant's responsibility (literally says so in the merchant credit card agreement).

    59. Re:No Source? by sjames · · Score: 1

      Sadly, it's worse. The costs get passed on to ALL consumers, even the ones who pay cash. The credit companies go to great lengths in their merchant contracts to make sure the costs don't fall exclusively on credit card users.

      Naturally, they do that because then it would become apparent that the real costs of their carelessness are significant and might drive consumers back to cash and check.

    60. Re:No Source? by Anonymous Coward · · Score: 1

      In short, the customer ALWAYS pays.

    61. Re:No Source? by Kalriath · · Score: 1

      Some countries are starting to wise up to that. Over here in NZ, our consumer protection agency (the Commerce Commission) overturned the clauses in the credit card merchant agreement preventing merchants from setting minimum transaction amounts or charging more to credit card customers. Signs saying "2.5% extra charge for credit cards" and "$30 minimum for Visa/Mastercard" are common, and becoming more common by the day.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
    62. Re:No Source? by Kalriath · · Score: 1

      Not entirely true. If Verified by Visa or Mastercard SecureCode is attempted, something called Liability Shift happens, where the liability you refer to is "shifted" off the merchant and placed squarely on the issuing bank. As a merchant, you're a moron if you aren't attempting 3DS on every transaction for that alone (so much so that my own provider makes 3DS mandatory on all transactions). Obviously, this only applies to card not present transactions.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
    63. Re:No Source? by eugene+ts+wong · · Score: 1

      That is really interesting. Because of you, I am now considering never going back to credit card.

    64. Re:No Source? by MrJones · · Score: 1

      Thanks! I was surprised to read an article without a link to the source. Maybe it was a typo

      --
      Get my e-mail after a captcha test in: http://tinymailt
    65. Re:No Source? by plopez · · Score: 1

      "This right here is why an unregulated market is insufficient protection for consumer rights"

      Fixed that for you. What people don't get is that an unregulated market is not necessarily a free market. In a perfect world a security breach, or breaches, would be punished by people fleeing the vendor and finding a more secure alternative. But without disclosure requirements the consumer or contractor does not have enough information to make a market decision. Therefore, free market conditions do not exist and free market theory fails. Good regulation is sometimes required to create or protect a free market. Which is heresy to current Economic ideology (or perhaps dogma is a better word).

      --
      putting the 'B' in LGBTQ+
    66. Re:No Source? by __aaltlg1547 · · Score: 1

      Because all borrowers end up indirectly paying for the cost of fraud. As is the case with many forms of financial risk, a lender typically insures against identity theft and credit card fraud. The cost of that insurance is factored into their interest rate and fee calculations and is passed on to the borrower.

      Granted, insurance doesn't completely absolve the insured of all responsibility, in as much as a driver with car insurance would not think to be totally careless about driving. Lending institutions still have an interest in preventing fraud despite being insured. The point is that when fraud increases, or if there's a catastrophic breach (as in this case, opposed to isolated small-scale instances of ID theft), the associated financial costs eventually reach the borrowers.

      That's a really basic problem with the system. Because the credit card industry can pass the costs on to their customers, they don't have any real incentive to fix the security problems. And the security problem is SEVERE. Anybody who gets your credit card number (including expiration date and "security code" which should be considered part of the card number) can make unauthorized charges. So at minimum, your credit card is exposed to every business you pay with that card -- for as long as that card is valid. If you use the card a lot, the account is exposed to hundreds of businesses, any one of which could have a dishonest employee recording card numbers.

      The big fraud schemes are going to get stopped pretty soon because they look fishy even to the banks, but the bank isn't going to find every fraudulent transaction because many fraudulent buys look legit. A restaurant where you eat could charge you for another meal, or your waitress might buy herself a new pair of shoes. These could go unnoticed, so you need to cross check every purchase you make versus your bill. Because if you don't challenge it, you are paying.

      And as wickerprints said, you're paying again even for the fraud the banks catch.

      So how do we create an incentive for consumer credit to be made more secure?

    67. Re:No Source? by buglista · · Score: 1

      but he's not as it turns out. It's a little over the top to say "it's shit like this..." - unless you KNOW he's wrong. http://it.slashdot.org/story/12/04/02/1248252/up-to-15-million-visa-mastercard-credit-card-numbers-stolen

  2. Article: by Anonymous Coward · · Score: 2, Insightful

    http://krebsonsecurity.com/2012/03/mastercard-visa-warn-of-processor-breach/

  3. Really, no fucking article? by Anonymous Coward · · Score: 5, Informative

    And slashdot gets increasingly pathetic. Well, if anyone cares to RTFA:
    http://online.wsj.com/article/SB10001424052702303816504577313411294908868.html

    Not a whole lot of info from any source, Krebs seems to be the best though:
    http://krebsonsecurity.com/2012/03/mastercard-visa-warn-of-processor-breach/#more-14393

  4. No Link! by Anonymous Coward · · Score: 1

    No source, no reference, no ability to verify, no fine article to read, NO STORY.

    I'm going to assume it's made up while I use my Mastercard to pay for parking my expensive car in New York City.

  5. Some sources by Anonymous Coward · · Score: 0

    http://www.forbes.com/sites/mickeymeece/2012/03/30/report-mastercard-and-visa-warn-of-massive-security-breach/
    http://krebsonsecurity.com/2012/03/mastercard-visa-warn-of-processor-breach/

    And many others. Amazing what a google search will find...

  6. Shameless? by TheMadTopher · · Score: 2

    People got ideas from watching Shameless?

  7. Sketchy source is sketchy by milbournosphere · · Score: 3, Informative
    Here's an article from the WSJ: http://online.wsj.com/article/SB10001424052702303816504577313411294908868.html

    That said, a window of 21 Jan to 25 Feb...that's quite a big window...

    1. Re:Sketchy source is sketchy by Anonymous Coward · · Score: 0

      Meh, that's nothing. OSU waited twice that long before announcing they lost the social security number of everyone who ever applied to their college, worked for them (contractor, full time, etc.) or was ever affiliated with them. OSU isn't even a bank. It's certainly pathetic with all things considered, but blatant disregard for consumers seems to be the industry standard. And they still haven't announced what happened to this date. Oh, and the identity theft protection program they gave everyone? It's just a thing where some middle-man company takes your 1-credit-report-per-year and tells you if they see anything, and requires money if you want any of the services they say are provided for free. Sort of like shareware.

  8. Let's hope by JamesP · · Score: 4, Funny
    --
    how long until /. fixes commenting on Chrome?
    1. Re:Let's hope by jeffmeden · · Score: 3, Funny

      It had nothing to do with idiots like these: http://serverfault.com/questions/293217/our-security-auditor-is-an-idiot-how-do-i-give-him-the-information-he-wants

      Good read... From the story:

      PCI SSC have responded and are investigating him and the company. Our software has now moved on[...]

      Phew!

      [...]to PayPal so we know it's safe,

      ah FUCK

    2. Re:Let's hope by sl3xd · · Score: 1

      I enjoyed that read; thanks for the link.

      Guys like that auditor are wonderful data breaches.

      It's probably for the best his company wasn't disclosed; with competence like that (and the data he's collecting), a hack would be simple and the consequences dire.

      --
      -- Sometimes you have to turn the lights off in order to see.
    3. Re:Let's hope by Anonymous Coward · · Score: 0

      Wow. Just.... wow.

  9. Thankfully! by fuzzyfuzzyfungus · · Score: 5, Funny

    Luckily, nobody would be stupid enough to build a money transfer system where the user ID and the authentication secret are identical, so this breach should be no big deal.

    Oh wait.

    Fuck.

    1. Re:Thankfully! by Anonymous Coward · · Score: 5, Informative

      What do you expect when the parties that can best improve security (banks, VISA, Mastercard) have made sure that merchants (who can do very little about security) carry most of the liability from security failures?

      Banks, VISA, and Mastercard make tons of money from transaction fees, so they want to make transactions as easy as possible. They don't have to pay much for security breaches, so they are willing to sacrifice security for more transactions and more fees.

      If a buyer goes into a store with a stolen card, there is practically nothing a merchant can do to detect the fraud and stop the buyer from walking out the door with merchandise. Who pays for the fraud? The merchant.

      Until banks are on the hook for this fraud, nothing will change.

    2. Re:Thankfully! by jeffmeden · · Score: 2

      What do you expect when the parties that can best improve security (banks, VISA, Mastercard) have made sure that merchants (who can do very little about security) carry most of the liability from security failures?

      Banks, VISA, and Mastercard make tons of money from transaction fees, so they want to make transactions as easy as possible. They don't have to pay much for security breaches, so they are willing to sacrifice security for more transactions and more fees.

      If a buyer goes into a store with a stolen card, there is practically nothing a merchant can do to detect the fraud and stop the buyer from walking out the door with merchandise. Who pays for the fraud? The merchant.

      Until banks are on the hook for this fraud, nothing will change.

      Never mind that the merchant can utter the words "can I see your ID?" and then, in one brilliant move, authenticate AND authorize the user of said card... But how many do that?

      On the other hand, pretty much any card can be used in debit/PIN mode but it affects how the transaction is processed and how much it will cost the merchant (why, exactly?) so thanks to the banks, there is a "Stigma" against using debit mode (and when it's used against credit cards it often appears as a cash advance) and the merchants will try to steer you away from it on small purchases and steer you toward it on large purchases. Until all that is sorted out, no one wins.

    3. Re:Thankfully! by Anonymous Coward · · Score: 0

      Look up these systems: VbV (Verified by Visa), MastercardSecurecode and 3D secure
      Essentially the same thing, but offer awesome protection when transacting online at the cost of some functionality and convenience (no auto renewals, no credit card payments over the phone, things like Amazon 1-click ordering not possible)
      Essentially, when using a protected card on a website that supports this system, the chances of your card being compromised are minuscule compared to the normal system
      Cards fall back to the normal system on non supporting websites though

    4. Re:Thankfully! by Anonymous Coward · · Score: 3, Informative

      Never mind that the merchant can utter the words "can I see your ID?" and then, in one brilliant move, authenticate AND authorize the user of said card...

      Actually, Visa prohibits merchants from asking to see your ID. Lots of stores do it anyway, but it's a breach of their Terms of Service.

    5. Re:Thankfully! by ackthpt · · Score: 1

      What do you expect when the parties that can best improve security (banks, VISA, Mastercard) have made sure that merchants (who can do very little about security) carry most of the liability from security failures?

      Banks, VISA, and Mastercard make tons of money from transaction fees, so they want to make transactions as easy as possible. They don't have to pay much for security breaches, so they are willing to sacrifice security for more transactions and more fees.

      If a buyer goes into a store with a stolen card, there is practically nothing a merchant can do to detect the fraud and stop the buyer from walking out the door with merchandise. Who pays for the fraud? The merchant.

      Until banks are on the hook for this fraud, nothing will change.

      Every time the Banks expose something like this I wish they would be punished. Punishment discourages repeats of behavior. Force them to have an audit of their system architecture, procedures, processes and who has access to what and then perform these audits on a regular basis.

      --

      A feeling of having made the same mistake before: Deja Foobar
    6. Re:Thankfully! by Anonymous Coward · · Score: 0

      Never mind that the merchant can utter the words "can I see your ID?" and then, in one brilliant move, authenticate AND authorize the user of said card... But how many do that?

      VERY common for high value transactions in India (and required for transactions of over INR10k (USD200))

    7. Re:Thankfully! by Anonymous Coward · · Score: 0

      Except I've dealt with large online merchants where this verification is completely ignored. They don't care if this goes through or not (the transaction is processed on their end irrespective of this measure, and I've gotten confirmation of that). What good does it do if it's handled like this? Security for the consumer is an inconvenience and is not important. The only thing of importance is getting the money out of our pockets.

    8. Re:Thankfully! by fuzzyfuzzyfungus · · Score: 2

      It's also a bit irrelevant in online transactions, unmanned POS terminals, etc. so anybody relying on ID checking to stop anything more sophisticated than utter morons buying a pack of cigs at 7-11 after a mugging is fooling themselves.

    9. Re:Thankfully! by forand · · Score: 3, Informative

      As someone else who replied to your message noted: VISA (and in fact MasterCard) explicitly forbid this in their terms of service. More can be found here which also links directly to the TOS in question.

    10. Re:Thankfully! by Anonymous Coward · · Score: 2, Informative

      Merchants are not allowed to refuse credit card purchases because of ID. For example my wife can use my credit card, even though my name is on it. Visa wants to make sure that purchasing is as easy and frictionless as possible. The amount lost to fraud is minuscule compared to the profits made.

    11. Re:Thankfully! by Anonymous Coward · · Score: 0

      I always refuse to present additional identification. I've never had any store refuse to complete the transaction. I know I'm being a bit of a PITA but I figure that if nobody complains nothing changes. I understand, and actually agree with, the idea of asking for additional ID in many cases. Until the policy changes I think people and stores should be aware of it and follow the rules. It would be helpful to point out the problem to police departments, too, since they frequently tell merchants that it is a good idea to require additional ID. On a side note, many years ago one of my favorite nation-wide department stores stopped asking for additional ID when I wrote checks. I asked a friend who worked there why the policy changed. His reply was informative: we figured out that people who passed bad checks had fake IDs.

    12. Re:Thankfully! by Anonymous Coward · · Score: 0

      > But how many do that?

      Other than Best Buy, every company I know that did that ended up paying huge fines. It is against the merchant agreements, and it is against state law in several states. Unless you're big enough to have congressmen in your pockets, you can't flaunt the law and contracts like that. You simply cannot break the law and break your agreement with your bank and illegally demand something you shouldn't.

    13. Re:Thankfully! by Anonymous Coward · · Score: 0

      The links in the article you referenced do not lead to the correct places anymore. I've looked up things like this in the past and find the search term "merchant agreement" useful when I really want to track down the official rules.

      Here is a reference to a Mastercard FAQ which has one entry dealing with additional identification. Basically, from reading other merchant agreements, a merchant can require additional identification when it is required for other reasons beyond mere acceptance of the card, for example, complying with local laws such as age confirmation before buying alcohol, filling out additional warranty or insurance information, making deliveries, etc. However, the merchant cannot make additional ID a requirement for completing a credit card transaction.

      http://www.mastercard.us/support/problems-using-mastercard.html

    14. Re:Thankfully! by Anonymous Coward · · Score: 0

      And, these same companies require ID's in India
      http://www.rupeetimes.com/news/credit_cards/big_purchases_using_credit_cards_may_require_id_cards_2678.html

    15. Re:Thankfully! by 0123456 · · Score: 1

      Essentially the same thing, but offer awesome protection when transacting online at the cost of some functionality and convenience (no auto renewals, no credit card payments over the phone, things like Amazon 1-click ordering not possible)

      I think you mean: 'encourage users to enter confidential information into random web sites and cause many people to abort their purchase and go somewhere else'.

      These crappy things are one of the main reasons why I keep my Amex card.

    16. Re:Thankfully! by Lev13than · · Score: 2

      Luckily, nobody would be stupid enough to build a money transfer system where the user ID and the authentication secret are identical, so this breach should be no big deal.

      Reason #568 for the US to move to EMV. If this had happened in Europe or Canada, the card data would have been encrypted before getting sent to Global Payments, so using the info to clone cards would not have been possible.

      --
      When you have nothing left to burn you must set yourself on fire
    17. Re:Thankfully! by Anonymous Coward · · Score: 0

      Especially given that VISA doesn't pay for fraud, merchants do.

    18. Re:Thankfully! by dohnut · · Score: 1

      It's a double-edged sword. Someone skimmed my credit card several months ago and my number went on a shopping spree at some retailers in my area. The merchants visited all had self-service terminals so the card would never have to be handed to the merchant. This way the criminal can just take a random card, reprogram it and not even bother with making sure that the name, bank, card number, etc. actually reflect what's on the stripe. Yes, having your average sales person look at a card doesn't guarantee they'll notice it's a fake but it definitely makes the criminal's life easier when it's not even part of the equation.

      I will never hand a debit card (tied to my checking/savings account) to any human. I even avoid using it at self-service terminals. I use it at my bank and at my bank's ATMs and only after I've done my best to check for any 3rd party contraption attached to the ATM's card reader. While the credit card fraud has been rather painless for me, I'd rather not find out how long it will take to get my cash back after someone wipes out my checking account.

      The American credit card system needs a serious security overhaul. The amount of money lost to fraud each year is staggering.

      --
      Stupider like a fox! - H.S.
    19. Re:Thankfully! by Anonymous Coward · · Score: 0

      Yes, I now realize the OP isn't talking about the credit card itself but an additional form of ID.

      Of course, that would make it only slightly more difficult as you could just have an ID with a matching credit card and then reprogram the stripe with any amount of fraudulent information. The merchant looks at the ID and the card, sees the match and everything looks good to them, even though the data on the stripe is someone else's.

    20. Re:Thankfully! by Aighearach · · Score: 1

      pretty much any card can be used in debit/PIN mode but it affects how the transaction is processed and how much it will cost the merchant (why, exactly?) so thanks to the banks, there is a "Stigma" against using debit mode

      Nope. There is a difference in prices, but debit is way way cheaper. Some stores have a cash/debit discount for this reason. In supermarkets, debit is often the default. A lot of POS systems if you just swipe the card without pressing credit/debit and the card supports debit it will go straight to asking for the PIN number.

      Restaurants are the only places that often don't accept debit, and that is because the banks offer special deals to restaurants where the cheapest price structure doesn't even include debit. The banks get a larger cut if the restaurant uses credit, and the restaurant runs most as credit because they can bring the slip back to the table to be signed, and it isn't convenient to require the customer to come to the counter PIN pad. So the restaurant gets the credit-only option to save a few cents.

    21. Re:Thankfully! by gcatullus · · Score: 1

      The problem is the banks don't expose themselves to anything; they lay security almost 100% at the feet of the merchant. The only institutions who could create a secure system, the issuing banks and the Visa/Mastercard cartel, won't because they can blame the merchants. If they can't blame the merchants they can blame the ISO's or third party processors. Every card transaction that is swiped hits the merchant's POS, then goes out on a network like Buypas and is handled by the third party processing company, then hits Visa/Mastercard and issuing bank. The merchants can't secure the system because they only have the data initially. The ISOs are on the hook if the merchant can't pay for the breach, Visa/Mastercard are not liable for anything.

    22. Re:Thankfully! by Anonymous Coward · · Score: 0

      'encourage users to enter confidential information into random web sites and cause many people to abort their purchase and go somewhere else'.

      ALL sites in India require this system
      And, you don't enter your info on random websites, rather you enter your CC info on the merchant site as usual, and an additional password on the bank site which you are redirected to for authentication

    23. Re:Thankfully! by Anonymous Coward · · Score: 0

      Luckily, nobody would be stupid enough to build a money transfer system where the user ID and the authentication secret are identical, so this breach should be no big deal.

      Oh wait.

      Fuck.

      The authentication is in comparing a picture ID to the name on the card.

      If you want to use solely PIN debit, cash, and credit cards with _other_ people's money what is keeping you?

    24. Re:Thankfully! by arkane1234 · · Score: 1

      Not if the signature is missing on the back of the card.

      --
      -- This space for lease, low setup fee, inquire within!
    25. Re:Thankfully! by KevReedUK · · Score: 1

      Largely depends on who you bank with. AFAIK, not all banks are signed up to the scheme.

      Furthermore, it also seems to depend on who you are buying FROM. I have encountered many websites (admittedly big name players) where the VbV box has not asked me to input any of my token, instead just saying that (and I'm paraphrasing here) due to the low risk of the vendor, we're not going to bother implementing this security feature for this transaction.

      Personally, I thought the whole point was to make sure that you (the named card-holder) are legit, not to make sure the vendor is legit. Prime example is my mobile-broadband PAYG top-up website. Bearing in mind that if someone can get close enough to me to lift my card (or clone it) they are more than close enough to lift my MBB modem and as long as you are accessing the top-up website via the modem, you don't need a password to get in (which is why I would never do anything remotely security-centric via that modem. If their security is that screwed up, I ain't going to trust any of my personal data to that connection. I only keep it so my step-kids can get internet access, but I hold onto it so that I am in control of their internet access as we haven't got the funds to throw at a decent home network at the moment.)!

      --
      Just my $0.03 (At current exchange rates, my £0.02 is worth more than your $0.02)
    26. Re:Thankfully! by Kalriath · · Score: 1

      In which case the merchant is required to refuse to accept the card until the customer signs it.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
    27. Re:Thankfully! by Kalriath · · Score: 1

      That's a little pointless. If the merchant accepts a transaction where 3DS authentication failed, then they are back on the hook for the fraud. Only if 3DS is unsupported or succeeds does the merchant get liability shift (where the issuing bank takes the hit for fraud instead of the merchant).

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
    28. Re:Thankfully! by NotSanguine · · Score: 1

      Not if the signature is missing on the back of the card.

      Almost no one ever checks the signature. A few years back I'd routinely ask the person accepting the credit card who their favorite president was and then sign that name for the credit card charge. I must have done this at least a hundred times and not once did anyone even check the back of the card or even the name I used on the signature against the name on the card.

      --
      No, no, you're not thinking; you're just being logical. --Niels Bohr
  10. Here's a source link by ISurfTooMuch · · Score: 0

    My boss just sent me a link to an article about this. However, it's a Fox News link, so I feel sort of dirty even clicking on it and even more so for posting it. Please don't mod me down, since it's the only link I can find.

    http://www.foxnews.com/us/2012/03/30/visa-mastercard-warn-massive-security-breach-report-says/

    1. Re:Here's a source link by Anonymous Coward · · Score: 0

      Grow up

    2. Re:Here's a source link by cvtan · · Score: 2

      Eeeww!

      --
      Sorry, but gray text on gray background is making my eyes bleed.
  11. Twitter by rupert0 · · Score: 0

    I think because the tweet is getting "popular" someone at slashdot posted this but forgot the source or decided to omit
    https://twitter.com/#!/briankrebs/status/185723872316882944

    --
    RUPERT! I TOLD YOU TO WATCH THE BAGS! You were looking at the boys again, WEREN'T YOU.
  12. future systems should not rely on privldgd info by Anonymous Coward · · Score: 0

    We are all becoming increasingly aware that in a well connected information based society, the idea of privileged information will become a relic of the past. As a civilization, we need to start moving towards a model where it is understood that anyone can potentially have access to any information, nothing is private, and change behaviors and systems of interaction to work around this.

  13. Criminal by koan · · Score: 2

    They should have to tell us who the processor is, by law.

    It’s not clear how many cards were breached in the processor attack, but a sampling from one corner of the industry provides some perspective. On Wednesday, PSCU — a provider of online financial services to credit unions — said it alerted 482 credit unions that appear to have had cards impacted by the breach, and that a total of 56,455 member VISA and MasterCard accounts were compromised. PSCU said fraudulent activity had been detected on a relatively small number of those cards — 876 accounts — and that the activity was geographically dispersed.

    https://krebsonsecurity.com/2012/03/mastercard-visa-warn-of-processor-breach/#more-14393

    --
    "If any question why we died, Tell them because our fathers lied."
    1. Re:Criminal by wiredmikey · · Score: 1

      It's Global Payments, Inc. Will have more info on it shortly!

  14. Re:Hahah. by mcavic · · Score: 1

    the activity was geographically dispersed

    http://majorgeeks.com/story.php?id=34000

  15. Credit Card Fraud generates profits for banks by Dainsanefh · · Score: 3, Informative

    because each time when there is a chargeback, the bank will take back the money from the merchant + $25 per transaction as a penalty. They have no incentives to make the system more secure.

    --
    Twitter: @dainsanefh
    1. Re:Credit Card Fraud generates profits for banks by Anonymous Coward · · Score: 2, Informative

      $25 is overstating it (at least in my experience) but yeah, you don't get the % back you had to pay to take the transaction in the first place, and if you get too many you get dropped by the processor or penalized with a higher % charge.

      Keep in mind that the banks don't want merchants doing any kind of ID checks or anything that makes it harder to use the card (how could they have ads where the guy who pulls out his checkbook causes the whole line of people to crash into each other?)

    2. Re:Credit Card Fraud generates profits for banks by rgbrenner · · Score: 2

      $15-$50 is the typical range for a chargeback fee. I would say $25 is about average.

    3. Re:Credit Card Fraud generates profits for banks by Anonymous Coward · · Score: 0

      > $25 per transaction as a penalty

      Only if you're one of the big guys. The cheapest chargeback rate we found with our volume (about $2M/year) was $65. We make about sixty cents profit on the average transaction so a single chargeback can wipe-out the profit of more than a hundred orders. Fraud is very profitable for banks. That's why they do nothing to discourage it.

  16. So where is all the vile, piss and hate? by Anonymous Coward · · Score: 0

    I guess I'm confused at how the internet was set on fire with blind and furious hatred towards Sony for getting hacked. How everyone blamed them, sued them and was wishing death upon the big evil corporation and so on but no one seems to be hating Visa/Mastercard for letting 10 million cards be compromised. Then again Square, BioWare, HBGary, the Iraqi government, and hundreds of other places all got hacked as well but no one hated them for it.

    Not to mention even the government was bitching about Sony taking a week to announce the theft but this is only now being announced for events that happened back in JAN?

    1. Re:So where is all the vile, piss and hate? by BronsCon · · Score: 2

      no one seems to be hating Visa/Mastercard for letting 10 million cards be compromised.

      Uhm... Because it wasn't Visa and Mastercard who let it happen?

      A payment processor used by some parking garages let it happen; that this company happens to process Visa and Mastercard payments is inconsequential to that fact.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
  17. I blame price gouging by New York parking garages by s_p_oneil · · Score: 1

    I blame price gouging by New York parking garages:
    "most of the cards they analyzed seem to have in common are that they were used in parking garages in and around the New York City area"

    When prices get so outrageous that a large group in the city joins forces to steal the funds to cover them, you know that price gouging has gotten way out of hand.

  18. Re:Hahah. by tripleevenfall · · Score: 3, Funny

    Suck it, Tri-State Area!

  19. Parking Garages? by trongey · · Score: 2

    They have millions of accounts and all they can think to do is pay for parking? Sounds like the time my checking account got hijacked. I think what irritated me more than anything was that they went to the trouble of making a card then used it to buy a bunch of lame stuff at Kmart. I mean, if you're stealing people's money at least do something interesting with it.

    --
    You never really know how close to the edge you can go until you fall off.
    1. Re:Parking Garages? by Dainsanefh · · Score: 1

      It's probably just a test. Wait a few days to see the big-ticket stuff showing up on your statement.

      --
      Twitter: @dainsanefh
    2. Re:Parking Garages? by Spykk · · Score: 2

      I suspect that the parking garage is where the card numbers were compromised. Someone likely dismantled the credit card reader when no one was around and added a simple device that tapped into the current MSR's signal line and logged everything to an SD card. They could even give it a Bluetooth or Wi-Fi interface if they wanted to be fancy about it.

    3. Re:Parking Garages? by Isis242 · · Score: 1

      I wonder if this was what happened to me last week. My card was declined when I tried to pay for coffee. When I called my bank they said it was their internal monitoring person and not the company they contract to detect fraud that spotted the problem. She said it was a test transaction at the Empire Hotel in NYC. They charge a small amount then back it out as soon as they see it's authorized.

      If it is a different breach I guess I might have my third debit card number of the year. :(

    4. Re:Parking Garages? by trongey · · Score: 1

      I certainly hope so. Oh, wait. Parking is actually about all they could pay for with my Mastercard right now.

      --
      You never really know how close to the edge you can go until you fall off.
    5. Re:Parking Garages? by Anomalyst · · Score: 1

      So you are suggesting blackjack and hookers?

      --
      There is no right to feel safe thru security vaudeville at the expense of everyone's freedom, privacy and tax money.
    6. Re:Parking Garages? by x1r8a3k · · Score: 1

      Those sorts of devices are actually pretty common, and vary from obvious boxes that clip on the bottom of the existing readers to an entire fake fascia for ATMs.
      They come back, get the device/SD card/data wirelessly, and make a clone of the card from a blank.

      Krebs has a whole section on it. http://krebsonsecurity.com/tag/atm-skimmer/

    7. Re:Parking Garages? by PeanutButterBreath · · Score: 1

      Sounds like the time my checking account got hijacked. I think what irritated me more than anything was that they went to the trouble of making a card then used it to buy a bunch of lame stuff at Kmart. I mean, if you're stealing people's money at least do something interesting with it.

      Similar thing happened to me with a credit card. Hundreds of dollars spent buying from lame gift websites. Some of the merchandise was ultimately delivered to me and it was 3 terrible souvenir-grade T-shirts (two were identical). The kind of crap some kid would give to their grandparent for their birthday ("funny" golf theme, IIRC). I almost thought that they did it on purpose as a gag, but that would mean that they only stole the card with the intent of confusing me with idiotic purchases (actually, I might respect that).

  20. Global Processing by Anonymous Coward · · Score: 0

    A birdy told me the source of the leak was Global Processing's direct merchant base.

  21. Incentive to beef up security? Nope... by wwiiol_toofless · · Score: 1

    Because those customers who were defrauded will be responsible for any illegal charges made, maybe taxpayer dollars... But Visa, Mastercard will not be financially responsible no, no, no.

    --
    the mods may say you posted flamebait, but to me it's a flame that warms my heart. rock on, brother! --chebucto
    1. Re:Incentive to beef up security? Nope... by icebraining · · Score: 1

      1. It wasn't VISA/MC who suffered the leak.

      2. It's the merchant who pays, not the customers (directly, at least)

  22. Re:Hahah. by Anonymous Coward · · Score: 1

    Curse you, Perry the Platypus!

  23. Translation: by LanceUppercut · · Score: 1

    "Neither VISA nor MasterCard have said which U.S.-based processor was the source of the breach" Translation: US State Department dispatched armed propaganda-enforcement teams who are currently holding the PR departments of Visa and MasterCard at gunpoint, forcing them to immediately come up with an official explanation that would tie the crime to "Russian crooks", as is usually required by the State Department's censorship and propaganda guidelines.

  24. There are some ideas so idiotic by mombodog · · Score: 1

    "There are some ideas so idiotic that only an intellectual could believe them" George Orwell

  25. I think mine was one of them by Anonymous Coward · · Score: 0

    Just recently I was notified by my bank that my Visa card had been compromised. I still had it in my possession, so I knew the card wasn't stolen. It turns out that I was in NYC recently and had used it there. However, I didn't patronize any parking garages. Hmm.

  26. Re:I blame price gouging by New York parking garag by sunderland56 · · Score: 1

    They also say "10 million accounts". I have a hard time seeing how 10 million different people parked in NYC in a one month period (21 Jan to 25 Feb).

  27. Use Hyperbole Much? by FreeUser · · Score: 2

    What would you do if you knew whose system was compromised? Tie up the courts with lawsuits? Head over in a mob and smash their front windows? What are you going to do if their initial suspect turns out not to be at fault? File more suits? Form more mobs?

    What a silly assumption. I can't speak for the poster, but as one who agrees with him 100%, I'll tell you what I would do:

    STOP GIVING THE COMPROMISED VENDOR MY CREDIT CARD NUMBER

    If it's a parking garage I use, I'd start paying the bill in cash, with receipt. Ditto for any other vendor I need to use but is compromised. If it is someone I don't need to use, I'd dump them for a smarter or less corrupt competitor. Probably someone who vets their employees, or at least doesn't use a call center housed in the local penitentiary.

    I don't think anyone (except you) is thinking lawsuits, smashed windows, or forming mobs. We're just thinking about how to avoid having it happen a second (or third, or fourth) time.

    But if the bank won't tell you who is stealing your credit card, you have no way of taking preventative measures, and getting a new credit card is a pain in the ass, particularly if you've set up most of your bills to clear through the card to amass reward points (which at 2-5% of your purchases can be very worthwhile), and have to go back through and do it all again, all the time wondering if one of them is the culprit.

    --
    The Future of Human Evolution: Autonomy
    1. Re:Use Hyperbole Much? by magarity · · Score: 0

      How does Visa know that you personally won't do anything drastic? For their own liability reasons they can't tell you who did it. One of the headlines on Yahoo news is 'man shoots wife because her dog pooped on the floor'. You think in New York City there isn't anyone who might have a strong reaction to a credit card system breach?

      Suppose you're running a parking lot. You're no IT expert; you just buy vendor X's credit card kiosk widget and plug it in. If there's a problem with security, sure it's your lot but you're standing there in the little booth and the last thing you need is a hot-headed customer in your face. All you need is for vendor X and/or Visa to send a technician to update the kiosk so the problem doesn't happen again and meanwhile all the compromised cardholders get new cards. Until you hear there's complicit acts by the company owners or employees instead of just a data security problem with all the interrelated third party systems involved in credit card processing, it's rather hard to find an appropriate target for you to act against.

  28. Now, now by ThatsNotPudding · · Score: 1

    Let's not go breathing on the House of Cards that is modern Western Economic policy!

    1. Re:Now, now by berashith · · Score: 1

      exactly

  29. "150 million identities stolen from IRS" by peter303 · · Score: 1

    Is a headline I expect some day due to weak government security. They do protect themselves somewhat by working in COBOL, OS-360 and tape drives. Few hackers are interested in those.

  30. hmm.... by Anonymous Coward · · Score: 0

    For once the email warning in my spam folder DID come true

  31. Re:I blame price gouging by New York parking garag by s_p_oneil · · Score: 1

    My comment was meant as a joke. It was so ridiculous that I don't see how anyone could take it seriously.

  32. PayPal by Anonymous Coward · · Score: 0

    I have 2 Visa and 1 MasterCard credit cards, all of them issued by different banks.

    I recently received a call from each of my banks stating that "Visa International" or MasterCard had warned them my credit cards were used on a website that was compromised.

    I use the MasterCard for online shopping all the time, at all kinds of sites. However, one of my Visas is used only via PayPal when shopping online, and the other one I received very recently and used it only to purchase once with PayPal, I didn't buy anything else in any other place, and a week later I received the call stating that a site where I used it had been breached.

    I don't know if it's related to the alleged breach in the article, but at least to me it seems like PayPal lost my credit card information.

  33. Re:I blame price gouging by New York parking garag by psydeshow · · Score: 1

    They also say "10 million accounts". I have a hard time seeing how 10 million different people parked in NYC in a one month period (21 Jan to 25 Feb).

    Yep. Too big a number. Dwarfs the number of metered parking spots in the city, which is 62,000 according to this page: http://www.parking.org/media/overview-of-the-us-parking-industry.aspx

    Congestion pricing studies from a few years ago talked about 800,000 cars per day entering Manhattan. http://wirednewyork.com/forum/showthread.php?t=6044 But most of those would be the same account over and over. And the number of cars entering the other boroughs would presumably be lower than that. Certainly there is less demand for commercial parking garages outside of Manhattan.

  34. Re:I blame price gouging by New York parking garag by Anonymous Coward · · Score: 0

    I'm not completely sure, but I think sunderland56's response was also intended as a joke, although it was just not as funny.

  35. Re:I blame price gouging by New York parking garag by arkane1234 · · Score: 1

    I donno man, the level of idiocy has reached a pretty harsh level where that could have been one of them ;)

    --
    -- This space for lease, low setup fee, inquire within!
  36. A victim... by xushi · · Score: 0

    Very strange but it makes sense now..

    My wife might be a victim. We noticed a charge of about US$4,700 from "Emirates New York" a few days ago on my Citibank supplementary card. No idea how that happened as we only got our cards 1 month ago, never used them online or in places other than our supermarket (Carrefour) or high-end restaurants.

    We're based in Singapore...

  37. Where is the government regulation to protect us? by asjk · · Score: 1

    oh wait, never mind.

  38. Hmmmmm. It affected me. Really It did. by Anonymous Coward · · Score: 0

    Let's see. They purchased a brand new Porsche 911 turbo 5 minutes ago along with some diamond earrings and let's seeeee what else do I need.

  39. I'm foreign and I just realised I was affected by acid06 · · Score: 1

    I'm Brazilian and a few weeks ago I was contacted by my bank regarding some very odd charges which seemed fraudulent - these transactions were made at New York parking garages (something like, NYC DOT Parking). They cancelled the credit card, cancelled the charges and sent me a new one.

    I visited New York in July 2011 so I was thinking that maybe they stole my credit card details back then and kept the info until they finally decided to use it for fraudulent purchases. It seemed like a long shot, but it was the best explanation I could think of. When I read the story it rang a bell: I was probably affected by this issue.

    Not sure if it was due to online purchases I did in the last few or if it was related to my visit to NYC last year (and this credit card processor could have stored my CC info somewhere for all these months - who knows).

    So, yeah, this is actually a global issue - not sure if it's because of tourism or the internet. Personally I think it's nice that they made these news public since this explains a lot for me.

    1. Re:I'm foreign and I just realised I was affected by xushi · · Score: 0

      Same here, My wife and I are affected and we're in Singapore.

      Worst of all, after reporting it to the bank they didn't bother blocking the transaction.. It came through successfully and my balance has an extra $6,500. They said they'll credit my account with the amount, I just hope they don't stall until the statement is due :/

      Damn it people.. either sharing is caring or stop it! :)

  40. Visa, Mastercard by Anonymous Coward · · Score: 0

    Why are we still pretending that they're not the same company?

  41. Good Luck by dcxdan · · Score: 1

    Whoops..... So when you have a credit problem and ID theft, don't expect Mastercard and Visa to be of much help!

  42. What about transparency? by nosyferret · · Score: 1

    I was in NYC from Jan 14 2012 to Jan 25 on holidays from Sydney. About a week after I returned I was informed that there had been fraudulent activity on my Visa and my card was re-issued. I probably used it in a taxi; reports are saying taxis and parking garages were compromised. The interesting thing is that this activity was detected quickly between Jan 21 and Feb 25, but not reported until March 30. Meantime cards have been monitored and reissued and, presumably, some miscreants have been apprehended. What happened to transparency? Weren't Sony and Steam supposed to notify customers immediately a breach was detected? Global Payments, Visa and Mastercard are still not confirming anything? Any PCI experts out there know what the law says about this?