Slashdot Mirror


VISA, MasterCard Warn of 'Massive' Breach At Credit Card Processor

concealment writes with news that VISA and MasterCard have been warning banks of an incident at a U.S. card processor that may have compromised as many as 10 million credit card numbers. From the article: "Neither VISA nor MasterCard have said which U.S.-based processor was the source of the breach. But affected banks are now starting to analyze transaction data on the compromised cards, in hopes of finding a common point of purchase. Sources at two different major financial institutions said the transactions that most of the cards they analyzed seem to have in common are that they were used in parking garages in and around the New York City area." According to the Wall Street Journal, the breached company is Global Payments Inc.

15 of 164 comments

  1. No Source? by MrJones · · Score: 4, Insightful

    The article has no credible source. Is this Spam?

    --
    Get my e-mail after a captcha test in: http://tinymailt
    1. Re:No Source? by Anonymous Coward · · Score: 5, Informative

      Krebs is all over it:

      http://krebsonsecurity.com/2012/03/mastercard-visa-warn-of-processor-breach/

    2. Re:No Source? by EliSowash · · Score: 5, Informative
    3. Re:No Source? by buchner.johannes · · Score: 4, Informative
      --
      NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
    4. Re:No Source? by CuriousGeorge113 · · Score: 4, Interesting

      It seems like all of the links pertaining to this story point back to the Krebs blog as the source for the information. Yet, Krebs provides no 3rd party verification to the story other than a 'source'.

      Shit like this is how rumors get started. Can anyone verify with a statement from Visa/MC, a bank, etc? I'm not saying it isn't true, but even the WSJ article is referencing the Krebs blog.

      --
      No man is an island, But if you take a bunch of dead guys and tie them together, they make a pretty good raft.
    5. Re:No Source? by ohnocitizen · · Score: 5, Insightful

      This actually impacted me. I live in NY, and was contacted by my credit card company. They informed me I was getting a new card, that Visa and MasterCard said there was a breach - but were not required to report who had compromised my credit card number. "At least they tell us there is a breach". This right here is why "the market" is insufficient protection for consumer rights. We need a law requiring credit card companies to disclose businesses that compromise data.

    6. Re:No Source? by berashith · · Score: 5, Insightful

      100% agree. I just went through this a few weeks ago. VISA told my card issuer that there had been a breach. They actually sent me a new card, but didn't tell me until fraudulent use occurred. This was before my new card arrived, which actually shortened the amount of time that I had no credit card. I wanted to know who had the breach, so I could avoid ever giving them business that wasn't cash based, but they would not tell me. That part pisses me off. There needs to be an awareness as to which vendors don't find it worth their time to protect me, so I can make a decision to not use them.

    7. Re:No Source? by Taty'sEyes · · Score: 4, Funny

      You haven't parked in NYC have you?

      --
      We show geeks how to get their dream girl at EyesOfOdessa.com
    8. Re:No Source? by wickerprints · · Score: 5, Insightful

      Because all borrowers end up indirectly paying for the cost of fraud. As is the case with many forms of financial risk, a lender typically insures against identity theft and credit card fraud. The cost of that insurance is factored into their interest rate and fee calculations and is passed on to the borrower.

      Granted, insurance doesn't completely absolve the insured of all responsibility, inasmuch as a driver with car insurance would not think to be totally careless about driving. Lending institutions still have an interest in preventing fraud despite being insured. The point is that when fraud increases, or if there's a catastrophic breach (as in this case, opposed to isolated small-scale instances of ID theft), the associated financial costs eventually reach the borrowers.

    9. Re:No Source? by slew · · Score: 4, Interesting

      ...I wanted to know who had the breach, so I could avoid ever giving them business that wasn't cash based, but they would not tell me. That part pisses me off. There needs to be an awareness as to which vendors don't find it worth their time to protect me, so I can make a decision to not use them.

      I don't know if you can believe the story, but if the breach occurred with a credit card processor and not the retailer, the credit card processor is the retailer's vendor (e.g., the company that the retailer contracts with to process credit card batches). This vendor relationship is not unlike the company that the retailer buys paperclips from, or the company that processes their payroll. Credit card processing is a highly competitive industry. Some retailers will often switch processors every few years when competing companies offer promotions with lower merchant fees (the fees/percentage that they charge the retailer for processing a credit card transaction).

      Even if you had been told what retailer the fraudulent charges were made at, since there are so many credit card processing companies, it's quite likely that the retailer didn't use the same processing company. Additionally, because of credit card merchant contracts, retailers are supposed to follow certain "merchant" rules (e.g., no minimum*** or maximum purchase amounts, no steering to different forms of payment, not allowed to require ID, etc, etc). So even if the retailer wanted to be more careful when trying to accept this apparently fraudulent card transaction, they probably aren't allowed by contract to be as paranoid as you apparently want them to be...

      So feel free to throw the baby out with the bath water, but it might be just as likely that the retailer you want to disown actually helped the credit card company identify the fraudulent transaction before it appeared on your credit card statement. If that were the case, perhaps you should be thinking about thanking them, before you disown them?

      *** As part of the Dodd-Frank Wall Street Reform Act of 2010, retailers are now allowed by law to impose a minimum transaction amount up to $10 (this law supersedes the language in the contracts in place with the credit card companies).

    10. Re:No Source? by wickerprints · · Score: 4, Insightful

      Your response indicates you have entirely failed to grasp the meaning of my previous post.

      Government regulation of the credit card industry prevents a lender from penalizing a fraud victim in the manner that you describe. A penalty in the form of a higher interest rate may only be applied if the borrower fails to pay an outstanding balance in a timely manner. A late fee may also be assessed. This is legal because a borrower's failure to repay the incurred debt is a reflection of their poor creditworthiness relative to other borrowers who pay their balance on time. However, a victim of fraud may not have had anything to do with the theft of the information that precipitated that fraud, which is the case with this data breach.

      In relation to my previous post, then, the cost of insuring against losses due to fraud is passed on IN AGGREGATE to the entire pool of borrowers in the form of higher interest rates and/or fees, just like the way in which they factor in other costs of doing business (such as worker salaries, marketing, customer service, and legal representation). Competition between lenders exerts pressure to keep the interest rate low, but if the overall rate of fraud increases across ALL lenders, then the overall financial risk of lending money in this manner has also increased, and therefore the interest rate must also increase to reflect this risk trend.

      To be absolutely clear, I am not talking about a scenario in which an individual borrower reports fraudulent activity on their account, and the lender then decides to punish that borrower by increasing their interest rate. What I am talking about is the big picture, in which the cost of credit card fraud and ID theft is spread out over the entire pool of borrowers because the risk of fraud is one component of the risk of lending money, and the risk of lending is part of why interest exists. Granted, this is a gross simplification of the way things actually work (as I do not discuss the role of merchants in this process, for example), but the basic point remains valid: the cost of fraud is eventually paid by the borrower. Even the merchants purchase insurance for their business, and factor these costs in the pricing of the goods and services they sell to consumers. All of it eventually falls on the shoulders of the consumer, who pays for it in the form of higher prices or higher interest.

  2. Really, no fucking article? by Anonymous Coward · · Score: 5, Informative

    And slashdot gets increasingly pathetic. Well, if anyone cares to RTFA:
    http://online.wsj.com/article/SB10001424052702303816504577313411294908868.html

    Not a whole lot of info from any source, Krebs seems to be the best though:
    http://krebsonsecurity.com/2012/03/mastercard-visa-warn-of-processor-breach/#more-14393

  3. Let's hope by JamesP · · Score: 4, Funny
    --
    how long until /. fixes commenting on Chrome?
  4. Thankfully! by fuzzyfuzzyfungus · · Score: 5, Funny

    Luckily, nobody would be stupid enough to build a money transfer system where the user ID and the authentication secret are identical, so this breach should be no big deal.

    Oh wait.

    Fuck.

    1. Re:Thankfully! by Anonymous Coward · · Score: 5, Informative

      What do you expect when the parties that can best improve security (banks, VISA, Mastercard) have made sure that merchants (who can do very little about security) carry most of the liability from security failures?

      Banks, VISA, and Mastercard make tons of money from transaction fees, so they want to make transactions as easy as possible. They don't have to pay much for security breaches, so they are willing to sacrifice security for more transactions and more fees.

      If a buyer goes into a store with a stolen card, there is practically nothing a merchant can do to detect the fraud and stop the buyer from walking out the door with merchandise. Who pays for the fraud? The merchant.

      Until banks are on the hook for this fraud, nothing will change.