Slashdot Mirror

← Back to Stories (view on slashdot.org)

VISA, MasterCard Warn of 'Massive' Breach At Credit Card Processor

Posted by Soulskill on from the your-security:-priceless dept.

concealment writes with news that VISA and MasterCard have been warning banks of an incident at a U.S. card processor that may have compromised as many as 10 million credit card numbers. From the article: "Neither VISA nor MasterCard have said which U.S.-based processor was the source of the breach. But affected banks are now starting to analyze transaction data on the compromised cards, in hopes of finding a common point of purchase. Sources at two different major financial institutions said the transactions that most of the cards they analyzed seem to have in common are that they were used in parking garages in and around the New York City area." According to the Wall Street Journal, the breached company is Global Payments Inc.

49 of 164 comments (clear)

  1. No Source? by MrJones · · Score: 4, Insightful

    The article has no credible source. Is this Spam?

    --
    Get my e-mail after a captcha test in: http://tinymailt
    1. Re:No Source? by Anonymous Coward · · Score: 5, Informative

      Krebs is all over it:

      http://krebsonsecurity.com/2012/03/mastercard-visa-warn-of-processor-breach/

    2. Re:No Source? by EliSowash · · Score: 5, Informative

      No, it's real. I saw it on Krebs earlier. http://krebsonsecurity.com/2012/03/mastercard-visa-warn-of-processor-breach/

    3. Re:No Source? by buchner.johannes · · Score: 4, Informative

      One of these perhaps
      https://www.networkworld.com/news/2012/033012-visa-mastercard-breach-257824.html
      http://www.cnbc.com/id/46904168
      https://www.google.com/news?ned=us&q=VISA%2C%20MasterCard%20Breach&btnG=Search+News

      --
      NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
    4. Re:No Source? by CuriousGeorge113 · · Score: 4, Interesting

      It seems like all of the links pertaining to this story point back to the Krebs blog as the source for the information. Yet, Krebs provides no 3rd party verification to the story other than a 'source'

      Shit like this is how rumors get started. Can anyone verify with a statement from Visa/MC, a bank, etc? I'm not saying it isn't true, but even the WSJ article is referencing the Krebs blog.

      --
      No man is an island, But if you take a bunch of dead guys and tie them together, they make a pretty good raft.
    5. Re:No Source? by ohnocitizen · · Score: 5, Insightful

      This actually impacted me. I live in NY, and was contacted my my credit card company. They informed me I was getting a new card, that visa and mastercard said there was a breach - but were not required to report who had compromised my credit card number. "At least they tell us there is a breach". This right here is why "the market" is insufficient protection for consumer rights. We need a law requiring credit card companies to disclose businesses that compromise data.

    6. Re:No Source? by Dyinobal · · Score: 2

      Strange, my bank called me and told me that my credit card was possibly compromised back when Valve got hacked and then I got a new one two days later in the mail.

      Perhaps you were just faster than they were, it does take time for them to contact people.

    7. Re:No Source? by binarylarry · · Score: 3, Informative

      You aren't on the hook for the fraudulent charges.

      Unless they can prove you actually made them, they have to pay for the charges.

      If it's all on them, why do they need to give you a detailed breakdown?

      --
      Mod me down, my New Earth Global Warmingist friends!
    8. Re:No Source? by scubamage · · Score: 3, Insightful

      Most likely its a numbers thing. If visa has 300 call center reps and they have to call 20 people, it'll be done in a few minutes. However 300 reps calling 10 million will take a much, MUCH longer amount of time. Now these numbers are hyperbolic, but you get the idea. Most likely your branch office didn't have that many people affected by the valve hack (thankfully).

    9. Re:No Source? by berashith · · Score: 5, Insightful

      100% agree. I just went through this a few weeks ago. VISA told my card issuer that there had been a breach. They actually sent me a new card, but didnt tell me until fraudulent use occured. This was before my new card arrived, which actually shortened the amount of time that I had no credit card. I wanted to know who had the breach, so I could avoid ever giving them business that wasnt cash based, but they would not tell me. That part pisses me off. There needs to be an awareness as to which vendors dont find it worth their time to protect me , so I can make a decision to not use them.

    10. Re:No Source? by Taty'sEyes · · Score: 4, Funny

      You haven't parked in NYC have you?

      --
      We show geeks how to get their dream girl at EyesOfOdessa.com
    11. Re:No Source? by knarfling · · Score: 3, Informative

      The WSJ has an updated story here. http://online.wsj.com/article/SB10001424052702303816504577313411294908868.html?mod=WSJ_hp_LEFTTopStories
      From the link, Global Pay seems to be the processor, and it appears that only 26,094 VISA cards were affected. It did not mention how many MasterCard cards were affected. While that is a lot, it is nowhere near the 10 million speculated.

      --
      Great civilizations have lived and died on false theories. Don't mess up mine with a few facts.
    12. Re:No Source? by wickerprints · · Score: 5, Insightful

      Because all borrowers end up indirectly paying for the cost of fraud. As is the case with many forms of financial risk, a lender typically insures against identity theft and credit card fraud. The cost of that insurance is factored into their interest rate and fee calculations and is passed on to the borrower.

      Granted, insurance doesn't completely absolve the insured of all responsibility, in as much as a driver with car insurance would not think to be totally careless about driving. Lending institutions still have an interest in preventing fraud despite being insured. The point is that when fraud increases, or if there's a catastrophic breach (as in this case, opposed to isolated small-scale instances of ID theft), the associated financial costs eventually reach the borrowers.

    13. Re:No Source? by Aladrin · · Score: 2

      Because you want to know who was lazy with your private information, so you can deal with that situation.

      --
      "If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
    14. Re:No Source? by Pope · · Score: 2

      Why is this labelled "Funny?" There's no link in the submission, and clicking on the submitter's name goes to some site that has no story about this either. Talk about editor fail.

      --
      It doesn't mean much now, it's built for the future.
    15. Re:No Source? by Anonymous Coward · · Score: 2, Insightful

      Maybe not do business with them anymore? All this free market bullshit rests on the assumption that consumers are (or at the very least can be) informed about the companies they're dealing with. If you can't even know about the company you might be interacting with, then how are you supposed to "vote with your dollars"?

    16. Re:No Source? by CuriousGeorge113 · · Score: 3, Insightful

      Credible sources are still fallible.

      --
      No man is an island, But if you take a bunch of dead guys and tie them together, they make a pretty good raft.
    17. Re:No Source? by tlhIngan · · Score: 3, Insightful

      This was before my new card arrived, which actually shortened the amount of time that I had no credit card. I wanted to know who had the breach, so I could avoid ever giving them business that wasnt cash based, but they would not tell me. That part pisses me off. There needs to be an awareness as to which vendors dont find it worth their time to protect me , so I can make a decision to not use them.

      And what makes you think it was the *business* that was hacked? Retailers obtain a merchant account and the merchant bank provides the processing equipment. That equipment talks to a credit card processor who handles the transactions and transfers and such.

      A credit card processor being breached means it affects MANY retailers at once. Boycotting one business over the breach may mean you're still vulnerable as your new go-to place can use the same processor.

      For many businesses, there's nothing to breach - the information is temporairly stored on that terminal you use for the duration, and the only thing the retailer has is the tiny slip of paper they get at the end. Which is probably why credit card processors get attacked, rather than individual companies.

      Even online companies do the same - that box you enter your information into may be temporarily hosted by the store, but the information is promptly forwarded to a credit card processor and forgotten by the store's server to reduce PCI requirements. Some make it obvious when they forward you to Google, Amazon or Paypal, or to a processor's site directly. Most don't, even though in the back end they're really proxying the processor's site.

    18. Re:No Source? by slew · · Score: 4, Interesting

      ...I wanted to know who had the breach, so I could avoid ever giving them business that wasnt cash based, but they would not tell me. That part pisses me off. There needs to be an awareness as to which vendors dont find it worth their time to protect me , so I can make a decision to not use them.

      I don't know if you can believe the story, but if the breach occured with a credit card processor and not the retailer. The Credit card processor is the retailer's vendor (e.g., the company that the retailer contracts with to process credit card batches). This vendor relationship is not unlike the company that the retailer buys paperclips from, or the company that processes their payroll. Credit card processing is a highly competitive industry. Some retailers will often switch processors every few years when competing companies offer promotions with lower merchant fees (the fees/percentage that they charge the retailer for processing a credit card transaction).

      Even if you had been told what retailer the fraudulent charges were made at, since there are so many credit card processing companies, it's quite likely that the retailer didn't use the same processing company. Additionally, because of credit card merchant contracts, retailers are supposed to follow certain "merchant" rules (e..g, no minimum*** or maximum purchase amounts, no steering to different forms of payment, not allowed to require ID, etc, etc). So even if the retailer wanted to be more careful when trying to accept this apparently frauduant card transaction, they probably aren't allowed by contract to be as paranoid as you apparently want them to be...

      So feel free to throw the baby out with the bath water, but it's might be just as likely that the retailer you want to disown actually helped the credit card company identify the fraudulent transaction before it appeared on your credit card statement. If that were the case, perhaps you should be thinking about thanking them, before you disown them?

      *** As of part of the Dodd-Frank wall street reform act of 2010, retailers are now allowed by law to imposed a minimum transaction amount up to $10 (this law supercedes the language in the contracts in place with the credit card companies)

    19. Re:No Source? by wickerprints · · Score: 4, Insightful

      Your response indicates you have entirely failed to grasp the meaning of my previous post.

      Government regulation of the credit card industry prevents a lender from penalizing a fraud victim in the manner that you describe. A penalty in the form of a higher interest rate may only be applied if the borrower fails to pay an outstanding balance in a timely manner. A late fee may also be assessed. This is legal because a borrower's failure to repay the incurred debt is a reflection of their poor creditworthiness relative to other borrowers who pay their balance on time. However, a victim of fraud may not have had anything to do with the theft of the information that precipitated that fraud, which is the case with this data breach.

      In relation to my previous post, then, the cost of insuring against losses due to fraud is passed on IN AGGREGATE to the entire pool of borrowers in the form of higher interest rates and/or fees, just like the way in which they factor in other costs of doing business (such as worker salaries, marketing, customer service, and legal representation). Competition between lenders exerts pressure to keep the interest rate low, but if the overall rate of fraud increases across ALL lenders, then the overall financial risk of lending money in this manner has also increased, and therefore the interest rate must also increase to reflect this risk trend.

      To be absolutely clear, I am not talking about a scenario in which an individual borrower reports fraudulent activity on their account, and the lender then decides to punish that borrower by increasing their interest rate. What I am talking about is the big picture, in which the cost of credit card fraud and ID theft is spread out over the entire pool of borrowers because the risk of fraud is one component of the risk of lending money, and the risk of lending is part of why interest exists. Granted, this is a gross simplification of the way things actually work (as I do not discuss the role of merchants in this process, for example), but the basic point remains valid: the cost of fraud is eventually paid by the borrower. Even the merchants purchase insurance for their business, and factor these costs in the pricing of the goods and services they sell to consumers. All of it eventually falls on the shoulders of the consumer, who pays for it in the form of higher prices or higher interest.

    20. Re:No Source? by berashith · · Score: 2

      you are correct, it may have been a processor and not the front end business. Even just that on its own would be good information to know, but that would undermine faith in the system, so VISA has a vested interest in not revealing that kind of info. I have worked in several PCI businesses, which have kept customer information on site, and which VISA performs regualtory checks on. The certification process is a bit of a smokescreen, and knowing that, I would really have liked to know if it was that type of business that screwed up.

      I see no help in not letting me have information as to what happened, except for preventing people from starting to see how much they shouldnt blindly trust these companies ( so no help to me or consumers) .

      In my specific case, no vendor helped. There was apparently a watch on a very large amount of CC numbers for anything suspicious. When I purchased 10 copies of McAfee for 100 bucks a pop, someone at the CC company took notice. As I said, there was already a new card on the way to me and likely many thousands of others. If nothing happened by the time I got the new card, then I call and activate and the stolen numbers can be forgotten. If something did happen ( which it did) then they were just more suspicious. I understand that they couldnt call every customer on that watch list, and this was the fastest way of dealing with the theft with as little interuption as possible. I still think that my request for more information should have a better answer than " They wont tell us that , so we have nothing to give you". It is all a shell game propping up fake security.

    21. Re:No Source? by wickerprints · · Score: 2

      I would also like to clarify that an individual cardholder may be subject to a change in their contract terms or revocation of cardholder privileges if repeated instances of fraud are reported, because this is an indicator that a cardholder may be doing something that is increasing their exposure to fraud. One fraud report, even if it is for a series of large amounts, isn't going to set off any alarms. But if, say, you had three reports in a six-month period, that would definitely look suspicious to the lender. They would be entirely within their rights to wonder what you could possibly be doing that would cause your credit card information to be stolen on three separate occasions in such a short period of time. Unless you have a really good explanation, they may well decide not to lend you money at all.

      On a personal note, I was a victim of credit card fraud some years ago. The physical card was not stolen--I was always in possession of it--but it could have been cloned or skimmed by an unscrupulous employee of one of the merchants I visited. I deliberately keep my credit limit low, so the thief could only charge a few hundred dollars before the card hit its limit. But they did it really fast, because in under 24 hours, my card was declined, which was my warning that something was wrong. I immediately contacted my bank and after filling out the paperwork, it was resolved and I was assigned a new card. While it didn't cost me any money, it was an upsetting and disruptive experience, one that left me feeling violated. I asked my bank if I could do anything to help them investigate, but they basically looked at the amount, shrugged their shoulders, and said it wasn't really worth it because the cost of their investigation would easily be many times more than the dollar amount of fraud.

      If you want to prevent yourself from being a victim of credit card fraud, one thing you should do is to keep your limits low. It's better to have multiple smaller accounts (not too many, though, as opening too many accounts will decrease your credit score) than one large account. If you need to make large purchases from time to time, then have one account with a very low limit like $500 to be used for everyday purchases, and one account with a large limit that you only use for important things. Also, watch where you use your cards online, keep track of your balances, and try to sign up with a lender that will send you text alerts when you use your card. Avoid using a card in situations where it's out of your sight--restaurant staff are very common sources of fraud; pay in cash if possible. And don't lose your wallet or purse. Do your part to prevent rising costs of borrowing by being a responsible borrower and taking advantage of the security measures that your creditor offers.

    22. Re:No Source? by gcatullus · · Score: 2

      And that is the reason PCI compliance is security theater. merchants can be as secure as possible, yet they are on the hook for the information once it passes out of their hands. The entities that could secure the process, Visa/Mastercard and the issuing banks, won't because they have nothing to lose because the merchants are responsible. Other than the TJ Max breach the large breaches have been third party ISOs who handle the credit card processing.

    23. Re:No Source? by Anonymous Coward · · Score: 2, Informative

      So feel free to throw the baby out with the bath water, but it's might be just as likely that the retailer you want to disown actually helped the credit card company identify the fraudulent transaction before it appeared on your credit card statement.

      As an online merchant, I can tell you from experience that this is highly unlikely. When fraud was committed through my site, I used to proactively contact card issuers to let them know that their customer's card details had been stolen and were being used to commit fraud. Just about every one of them was dumbfounded by a merchant calling them to report fraud. There had even been a couple of cardholders that called to inquire about the transaction on their card, and every one I asked said that their card issuer had not contacted them about the fraud. It eventually became apparent that reporting the fraud to the issuers was a completely pointless waste of time.

  2. Article: by Anonymous Coward · · Score: 2, Insightful

    http://krebsonsecurity.com/2012/03/mastercard-visa-warn-of-processor-breach/

  3. Really, no fucking article? by Anonymous Coward · · Score: 5, Informative

    And slashdot gets increasingly pathetic. Well, if anyone cares to RTFA:
    http://online.wsj.com/article/SB10001424052702303816504577313411294908868.html

    Not a whole lot of info from any source, Krebs seems to be the best though:
    http://krebsonsecurity.com/2012/03/mastercard-visa-warn-of-processor-breach/#more-14393

  4. Shameless? by TheMadTopher · · Score: 2

    People got ideas from watching Shameless?

  5. Sketchy source is sketchy by milbournosphere · · Score: 3, Informative
    Here's an article from the WSJ: http://online.wsj.com/article/SB10001424052702303816504577313411294908868.html

    That said, a window of 21 Jan to 25 Feb...that's quite a big window...

  6. Let's hope by JamesP · · Score: 4, Funny

    It had nothing to do with idiots like these: http://serverfault.com/questions/293217/our-security-auditor-is-an-idiot-how-do-i-give-him-the-information-he-wants

    --
    how long until /. fixes commenting on Chrome?
    1. Re:Let's hope by jeffmeden · · Score: 3, Funny

      It had nothing to do with idiots like these: http://serverfault.com/questions/293217/our-security-auditor-is-an-idiot-how-do-i-give-him-the-information-he-wants

      Good read... From the story:

      PCI SSC have responded and are investigating him and the company. Our software has now moved on[...]

      Phew!

      [...]to PayPal so we know it's safe,

      ah FUCK

  7. Thankfully! by fuzzyfuzzyfungus · · Score: 5, Funny

    Luckily, nobody would be stupid enough to build a money transfer system where the user ID and the authentication secret are identical, so this breach should be no big deal.

    Oh wait.

    Fuck.

    1. Re:Thankfully! by Anonymous Coward · · Score: 5, Informative

      What do you expect when the parties that can best improve security (banks, VISA, Mastercard) have made sure that merchants (who can do very little about security) carry most of the liability from security failures?

      Banks, VISA, and Mastercard make tons of money from transaction fees, so they want to make transactions as easy as possible. They don't have to pay much for security breaches, so they are willing to sacrifice security for more transactions and more fees.

      If a buyer goes into a store with a stolen card, there is practically nothing a merchant can do to detect the fraud and stop the buyer from walking out the door with merchandise. Who pays for the fraud? The merchant.

      Until banks are on the hook for this fraud, nothing will change.

    2. Re:Thankfully! by jeffmeden · · Score: 2

      What do you expect when the parties that can best improve security (banks, VISA, Mastercard) have made sure that merchants (who can do very little about security) carry most of the liability from security failures?

      Banks, VISA, and Mastercard make tons of money from transaction fees, so they want to make transactions as easy as possible. They don't have to pay much for security breaches, so they are willing to sacrifice security for more transactions and more fees.

      If a buyer goes into a store with a stolen card, there is practically nothing a merchant can do to detect the fraud and stop the buyer from walking out the door with merchandise. Who pays for the fraud? The merchant.

      Until banks are on the hook for this fraud, nothing will change.

      Never mind that the merchant can utter the words "can I see your ID?" and then, in one brilliant move, authenticate AND authorize the user of said card... But how many do that?

      On the other hand, pretty much any card can be used in debit/PIN mode but it affects how the transaction is processed and how much it will cost the merchant (why, exactly?) so thanks to the banks, there is a "Stigma" against using debit mode (and when its used against credit cards it often appears as a cash advance) and the merchants will try to steer you away from it on small purchases and steer you toward it on large purchases. Until all that is sorted out, no one wins.

    3. Re:Thankfully! by Anonymous Coward · · Score: 3, Informative

      Never mind that the merchant can utter the words "can I see your ID?" and then, in one brilliant move, authenticate AND authorize the user of said card...

      Actually, Visa prohibits merchants from asking to see your ID. Lots of stores do it anyway, but it's a breach of their Terms of Service.

    4. Re:Thankfully! by fuzzyfuzzyfungus · · Score: 2

      It's also a bit irrelevant in online transactions, unmanned POS terminals, etc. so anybody relying on ID checking to stop anything more sophisticated than utter morons buying a pack of cigs at 7-11 after a mugging is fooling themselves.

    5. Re:Thankfully! by forand · · Score: 3, Informative

      As someone else who replied to your message noted: VISA (and in face MasterCard) explicitly forbid this in their terms of service. More can be found here which also links directly to the TOS in question.

    6. Re:Thankfully! by Anonymous Coward · · Score: 2, Informative

      Merchants are not allowed to refuse credit card purchases because of ID. For example my wife can use my credit card, even though my name is on it. Visa wants to make sure that purchasing is as easy and frictionless as possible. The amount lost to fraud is miniscule compared to the profits made.

    7. Re:Thankfully! by Lev13than · · Score: 2

      Luckily, nobody would be stupid enough to build a money transfer system where the user ID and the authentication secret are identical, so this breach should be no big deal.

      Reason #568 for the US to move to EMV. If this had happened in Europe or Canada, the card data would have been encrypted before getting sent to Global Payments, so using the info to clone cards would not have been possible.

      --
      When you have nothing left to burn you must set yourself on fire
  8. Criminal by koan · · Score: 2

    They should have to tell us who the processor is, by law.

    It’s not clear how many cards were breached in the processor attack, but a sampling from one corner of the industry provides some perspective. On Wednesday, PSCU — a provider of online financial services to credit unions — said it alerted 482 credit unions that appear to have had cards impacted by the breach, and that a total of 56,455 member VISA and MasterCard accounts were compromised. PSCU said fraudulent activity had been detected on a relatively small number of those cards — 876 accounts — and that the activity was geographically dispersed.

    https://krebsonsecurity.com/2012/03/mastercard-visa-warn-of-processor-breach/#more-14393

    --
    "If any question why we died, Tell them because our fathers lied."
    1. Re:Criminal by LizardKing · · Score: 3, Informative

      Yup, WSJ confirms it: http://online.wsj.com/article/SB10001424052702303816504577313411294908868.html

  9. Re:Here's a source link by cvtan · · Score: 2

    Eeeww!

    --
    Sorry, but gray text on gray background is making my eyes bleed.
  10. Credit Card Fraud generates profits for banks by Dainsanefh · · Score: 3, Informative

    because each time when there is a chargeback, the bank will take back the money from the merchant + $25 per transaction as a penalty. They have no incentives to make the system more secure.

    --
    Twitter: @dainsanefh
    1. Re:Credit Card Fraud generates profits for banks by Anonymous Coward · · Score: 2, Informative

      $25 is overstating it (at least in my experience) but yeah, you don't get the % back you had to pay to take the transaction in the first place, and if you get too many you get dropped by the processor or penalized with a higher % charge.

      Keep in mind that the banks don't want merchants doing any kind of ID checks or anything that makes it harder to use the card (how could they have ads where the guy who pulls out his checkbook causes the whole line of people to crash into each other?)

    2. Re:Credit Card Fraud generates profits for banks by rgbrenner · · Score: 2

      $15-$50 is the typical range for a chargeback fee. I would say $25 is about average.

  11. Re:Hahah. by tripleevenfall · · Score: 3, Funny

    Suck it, Tri-State Area!

  12. Re:So where is all the vile, piss and hate? by BronsCon · · Score: 2

    no one seems to be hating visa/mastercard for letting 10 million cards be compromised.

    Uhm... Because it wasn't Visa and Mastercard who let it happen?

    A payment processor used by some parking garages let it happen; that this company happens to process Visa and Mastercard payments is inconsequential to that fact.

    --
    APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
  13. Parking Garages? by trongey · · Score: 2

    They have milllions of accounts and all they can think to do is pay for parking? Sounds like the time my checking account got hijacked. I think what irritated me more than anything was that they went to the trouble of making a card then used it to buy a bunch of lame stuff at Kmart. I mean, if you're stealing people's money at least do something interesting with it.

    --
    You never really know how close to the edge you can go until you fall off.
    1. Re:Parking Garages? by Spykk · · Score: 2

      I suspect that the parking garage is where the card numbers were compromised. Someone likely dismantled the credit card reader when noone was around and added a simple device that tapped into the current MSRs signal line and logged everything to an sd card. They could even give it a bluetooth or wifi interface if they wanted to be fancy about it.

  14. Use Hypberbole Much? by FreeUser · · Score: 2

    What would you do if you knew whose system was compromised? Tie up the courts with lawsuits? Head over in a mob and smash their front windows? What are you going to do if their initial suspect turns out not to be at fault? File more suits? Form more mobs?

    What a silly assumption. I can't speak for the poster, but as one who agrees with him 100%, I'll tell you what I would do:

    STOP GIVING THE COMPROMISED VENDOR MY CREDIT CARD NUMBER

    If it's a parking garage I use, I'd start paying the bill in cash, with receipt. Ditto for any other vendor I need to use but is compromised. If it is someone I don't need to use, I'd dump them for a smarter or less corrupt competitor. Probably someone who vets their employees, or at least doesn't use a call center housed in the local penitentary.

    I don't think anyone (except you) is thinking law suits, smashed windows, or forming mobs. We're just thinking about how to avoid having it happen a second (or third, or fourth) time.

    But if the bank won't tell you who is stealing your credit card, you have no way of taking preventative measures, and getting a new credit card is a pain in the ass, particularly if you've set up most of your bills to clear through the card to amass reward points (which at 2-5% of your purchases can be very worthwhile), and have to go back through and do it all again, all the time wondering if one of them is the culprit.

    --
    The Future of Human Evolution: Autonomy