Up To 1.5 Million Visa, MasterCard Credit Card Numbers Stolen

An anonymous reader writes "Global Payments, the U.S.-based credit card processor company that experienced a security breach affecting Visa and MasterCard, confirmed that the breached portion of its processing system was confined to North America. The company also finally revealed how many credit card numbers were stolen: around 1,500,000."

Recourse?

[mws1066]

And what recourse do card holders have? How do we know if our number was stolen, passed around, and now someone is just holding onto it indefinitely and might leap to use it after this whole thing blows over? A bit frightening.

Re:Recourse?

[robinsonne]

None whatsoever, but maybe I should go on a spending spree and max out my card so that the crook(s) have to pay my bill before they can do anything with my card!

Re:Recourse?

[Bigby]

Whether it is used now or later, you are not liable. Your recourse is that you are NEVER liable for credit card transactions.

And VISA already dropped Global Payments. Let the market and common law handle this...

Re:Recourse?

[pak9rabid]

And what recourse do card holders have?

You could, oh I don't know, cancel your cards and replace them? But I guess complaining about it on /. is more fun.

Re:Recourse?

[jmauro]

They dropped them from the list of "secure" providers. Global Payments is still authorized to handle VISA credit card payments.

Re:Recourse?

My bank called me...but then again it wasn't until after charges were made to my account. The jack@$$3$ wiped me out...now I have to go to my bank, and fill out an Affidavit of Fraud to get my money back. I think that Global Payments should be forced to contact all people who had their information stolen AND re-imburse them for any damages (as well as assist with the cancellation of cards, since everyone should cancel a stolen card)...too bad that will never happen. I didn't choose for GP to be the processing system used with my card, so I don't feel like this is my fault.

I would cancel my card right away and ask for a new one. It will be a minor inconvenience for you, but could prevent trouble in the future.

Re:Recourse?

[MetalliQaZ]

I assume that by "the crooks" you mean Mastercard and Visa, right? :)

Re:Recourse?

I think that Global Payments should be forced to contact all people who had their information stolen AND re-imburse them for any damages

Your recourse is through your bank and/or card issuer, not the processor, and that fact is greatly beneficial to you. A massive breach could easily put a company out of business, especially if that company were already in trouble. In that situation, if they were liable for your losses, you would have to wait years for bankruptcy court to sort it out, and you would likely only get back a portion of your losses. The bank that issued your card is legally required to have the cash on hand to be able to pay you back, so it works out much better for you that it is their obligation. Yes, you may have to fill out a few forms, and your money will not come back instantaneously, but I don't think there's a constitutional amendment requiring that you never be mildly inconvenienced, so suck it up and take it. Shit happens.

Re:Recourse?

cuz spending an hour a day for the next week talking to some guy in kerblekistan is fun? damn right posting on /. is more fun.

Re:Recourse?

[modernzombie]

My bank called me a couple months ago (not related to this incident) and said that they were cancelling my card and issuing me a new one because they had reason to believe it could have been compromised even though no fraudulent charges had been made. This seems like the appropriate thing to do. The card issuers should be contacting their customers to have the cards replaced.

Re:Recourse?

[Qzukk]

You could, oh I don't know, cancel your cards and replace them? But I guess complaining about it on /. is more fun.

That's not "recourse" that's "damage control".

Re:Recourse?

[mws1066]

Well, yes, at least these are CREDIT cards, not bank cards. This is exactly why I don't have a bank card and only use a credit card - at least it provides a buffer to my money. If I see charges on a bill that are suspect, I don't HAVE to write the credit card company a check. But if a criminal got a hold of someone's bank card... Maybe I'm wrong - does anyone use a bank card and feel safe?

Re:Recourse?

[SniperJoe]

Actually, that's not true at all. If you fail to report fraudulent transactions within 60 days of statement mailing, the bank and/or credit card company is not responsible for any investigation or repayment under the Fair Credit Billing Act.

http://www.ftc.gov/bcp/edu/pubs/consumer/credit/cre04.shtm

Re:Recourse?

[alen]

banks and others run anti-fraud software. one time i used one of my rarely used cards to open a microsoft support case. it was declined. a card with $0 balance. and my bank called me. i called them back later and they wanted to make sure it was me

Re:Recourse?

[CubicleZombie]

And what recourse do card holders have?

Cash still works. For now, anyways.

Re:Recourse?

[tripleevenfall]

The burden on the consumer to protect themselves is not high. All you have to do is what you should already be doing, looking over your statement and reporting anything you have questions about.

Aside from this, it seems likely they will notify the people who were affected and issue them new cards if they can identify who they were. It may not be possible to tell which numbers were stolen, only which were exposed.

Re:Recourse?

[tripleevenfall]

We give trucker cap. Look good for ladies.

Re:Recourse?

You could also rob a bank... breaking the law to ourselves is fun!

Re:Recourse?

And VISA already dropped Global Payments. Let the market and common law handle this...

Nope. Just dropped from secure providers, as someone else said.

End result? VISA charges Global a higher fee per transaction, which will likely be passed onto the merchants who then pass it on to customers.

That is, if the merchant's are smart and just ditch Global (... not a bad idea in actuality, even ignoring all this). That said, it could be worse. Heartland's a bunch of idiots.

Re:Recourse?

[X0563511]

Yes. My bank is not exactly one known for good behavior, but that said all it takes is a phone call for them to wipe the offending transactions, give me my money back, and start an investigation. Note I get my money back first. I've never once had them come back and go "hmm, no actually we want out cash back" - and I've had to do this some 10 times over the years.

Re:Recourse?

[mws1066]

That's reassuring to hear. I still do like having a buffer, though...

Re:Recourse?

this is less helpful when you travel all the time. oh hey look I'm away from home and now my card doesn't work. how convenient. I still have another week of business to do here. thanks visa.

Re:Recourse?

[Baloroth]

I do with my bank card. But then, it is a local bank that by default blocks out-of-state (or international) charges and actually uses proper two-factor authentication for online banking, so I have a reasonable degree of confidence in their security systems generally speaking.

Granted, I'm still fairly careful where and when I use it (and plan to switch to a credit card soon, if only for the rewards and credit-building aspect).

Re:Recourse?

[OnlineAlias]

I was contacted this weekend by my CC company about this. My card was one of them. They asked to cancel my card numbers and next day aired new ones.

Re:Recourse?

Additionally, cancelling your credit card account will cause a hit to your credit score, which may cause problems opening a new account, or result in a higher interest rate. The person who suggested cancelling "your cards" may have been referring to the cards themselves, and not necessarily the credit account, but I think my point still needed to be made.

Re:Recourse?

[RobertLTux]

"this is less helpful when you travel all the time. oh hey look I'm away from home and now my card doesn't work. how convenient. I still have another week of business to do here. thanks visa."

then they should not trigger unless they see "you" travel outside of your normal range (ie you mostly travel on the east coast of the US and they see "you" charge something in say China.).

Re:Recourse?

[neokushan]

Give me your CC number and I'll let you know if it's one of the compromised ones.

>_>

Re:Recourse?

Yes, you are lucky on that count. We had one where the first we knew of any problem was when a sale was declined at a store. That is very embarrassing! Fortunately, we had another card - we actually don't run a balance on them and only use them for convenience. We called that bank and they said something to the effect of, "oh, yeah, our account database 'got out' so we cancelled all the cards and are going to send new ones". We asked when they had planned on notifying us that they cancelled our card and they acted surprised that we would even want to know. Dilholes. Then another time, we saw 3 charges of $900 from Japan. We called to dispute them and found that, again, their account database 'got out' and it this sort of thing was happening to a bunch of people. (These were both about 6 years ago). What a pain this kind of thing is. And they sure won't tell you anything about it - you have to call them to find out what lies they are telling today.

Re:Recourse?

Whether it is used now or later, you are not liable. Your recourse is that you are NEVER liable for credit card transactions.

That's not a recourse. If my Visa debit card is used to commit fraud, those charges come directly out of my bank account. They bank's liability stops at restoring those funds at some unspecified point in the future. The bank will not repair any secondary issues caused by the fraud. Bounced rent/mortgage payments can create a world of hassle. Bouncing a credit card payment can kick you up to a 29% APR. Who's going to take responsibility for those damages? That's right, you are.

Re:Recourse?

[shoehornjob]

does anyone use a bank card and feel safe?

If you use a bank issued visa/mastercard and the transactions are swiped (credit) instead of via a pin you have the same protections as a regular credit card. Transactions via a pin have limited rights and you may not be reimbursed for the full amount of the fraud. That's why the banks have promotions and special hardware (RFID) at the POS. They want to entice you to use your pin so they can get off cheap. If they spent less time being greedy I'm sure they could impliment a more secure system but I suppose that would not be in their best interest.

Re:Recourse?

[s0nicfreak]

Since when is maxing out your own credit card illegal?

Re:Recourse?

[Jmc23]

Which is why you're supposed to tell your travel schedule to your credit card companies. Lazy or a troll?

Re:Recourse?

[Jmc23]

Canadians.

Re:Recourse?

[s0nicfreak]

Notice where he said they called him first? If this happened while you were away from home, you could simply say "wait a week until I get back home" or "can you fedex the new card to [where ever you are]?"

Re:Recourse?

[KhabaLox]

It's not. But if you turn around and file a fraud claim on those charges, that would be illegal.

Re:Recourse?

[KhabaLox]

Really? It takes you an 7 hours to call and cancel your card? You're doing something wrong. Even is the CSR on the other end is overseas and has an accent, it's never taken me more than 10-15 minutes to do that.

Re:Recourse?

I think I would tell the bank "No thanks...keep the card" and move my money to a more secure bank.

Re:Recourse?

[KhabaLox]

GP should be fine. It looks like the average loss is anywhere from $1 to $10 per account, so they're looking at an upper bound of $15-$20m, or about 5% of their unrestricted cash assets.

From an article linked to in TFA:

Global Payments, the processor blamed for a Visa and Mastercard data breach last week, is likely to be able to manage its financial hit related to beefing up security. ...
If that figure sticks, Global Payments can weather the data breach, analysts said. For instance, Wells Fargo Timothy Willi said in a research note that Global Payments, which has $300 million to $400 million in unrestricted cash, can pay for the damage.

Willi’s take, which lines up with other analysts, is based on the data breach suffered by Heartland in 2008. Heartland is another payment processor and the accounts compromised ran as high as 130 million in a breach that lasted for months. Heartland’s tab to data has been $147 million.

Given Global Payments’ compromised accounts is about 10 million the tab should be lower. RBS WorldPay also had 1.5 million accounts compromised with $9 million of fraud losses.

Re:Recourse?

[s0nicfreak]

But that isn't what he said. He said the crooks would have to pay his bill before they could use his card.

Re:Recourse?

[whoever57]

Which is why you're supposed to tell your travel schedule to your credit card companies. Lazy or a troll?

Recent experience: My wife went to the UK (we live in the USA) recently. I phoned the credit card company in advance and told them she would be in the UK. Cards on the account have been used in the UK on a fairly regular basis. Her card was suspended within a couple of days of her arrival. So, what's the point of calling the credit card company?

Re:Recourse?

[Rakishi]

Debit != Credit.

Learn the difference and learn to read before commenting next time.

Debit cards are stupid for just the reasons you listed, all of which credit cards are basically immune to.

Re:Recourse?

[SniperJoe]

Oh, you're absolutely right. The burden to consumers is not high at all, nor should it be. Contrast that with the burden for debit card transactions or electronic transfers, which only covers two business days. As you said, if you're doing what you SHOULD be doing, you're going to be protected under the law. I just don't want people to have a false sense of security that if they use a credit card, they're protected from fraudulent transactions in perpetuity, because that simply isn't the case.

From what I have heard and read, the banks have already begun notifying people and issuing new cards. I have a friend who was affected and he said that the bank called him on Friday to let him know that he'd have a new card on Monday. The only thing that is concerning at this point is that they have been wavering on the number of accounts exposed, going from 10 million to 54,000 and now to 1.5 million. That doesn't exactly inspire confidence, as they seem to be at the "we don't know what we don't know" stage.

Re:Recourse?

Whether it is used now or later, you are not liable. Your recourse is that you are NEVER liable for credit card transactions.

Depends on the jurisdiction. Most laws in North America say that your maximum liability for fraudulent transactions is $50.

Even then, most banks will waive that.

Re:Recourse?

[Albanach]

The burden on the consumer to protect themselves is not high. All you have to do is what you should already be doing, looking over your statement and reporting anything you have questions about.

Why should I be doing this? I make dozens, perhaps hundreds of transactions each month. My looking over my statement is easily subject to human error.

It should be much harder for this information to be stolen. We should have more one-time use numbers for online transactions. Credit card firms could prohibit merchants storing complete credit card numbers, instead providing an individual merchant with an authorization code restricted to that merchant and that individual card number. Then if their database was compromised, the thief acquires only a number that's not by itself valid and useful only to that retailer.

US card issuers could adopt and require chip and pin like the rest of the world.

U.S. card issuers could start demanding retailers check signatures.

There are technological solutions available. Requiring me to account for each line of the statement is woefully inefficient and simply passes the buck from where it should be resting.

Re:Recourse?

[KingMotley]

I didn't choose for GP to be the processing system used with my card

Sure you did, you just didn't check. You could have went to another merchant, but you decided not to, or that checking who they were going to use to process your credit card wasn't worth the trouble. I'm quite guilty of this myself. But you (we) did have the opportunity to find out and use something else, but we didn't because we couldn't be bothered. The risk was low enough that it wasn't worth the trouble. Until this happens often enough that people actually do think it's worth the bother, it will continue. It being companies that are supposed to safe guard your information don't. Simply because it's cheaper and more cost effective not to. Of course merchants will use whomever is cheapest, until there is a reason (people refuse to shop with them) to actually justify using 3rd parties who actually secure your information.

Re:Recourse?

[tripleevenfall]

I had a Citi mastercard which had some fraudulent charges posted to it... two different charges for Italian dresses, about $300 each. (what the heck?)

I called and reported it. I had to sign an affidavit of fraud and fax it back to them. They canceled my old card and overnighted me a new one, and the charge came off the account about a week later. It was really pretty easy.

Re:Recourse?

[SniperJoe]

Visa and Mastercard are migrating to "Chip and PIN" cards within the next year.

http://www.pcmag.com/article2/0,2817,2399772,00.asp

But even then, that's not a perfect solution, nor will it ever be. It will always be an arms race between the credit card companies and the thieves.

Re:Recourse?

[tripleevenfall]

The burden on the consumer to protect themselves is not high. All you have to do is what you should already be doing, looking over your statement and reporting anything you have questions about.

Why should I be doing this? I make dozens, perhaps hundreds of transactions each month. My looking over my statement is easily subject to human error.

Why should you look after your own finances? I wouldn't think higher critical reasoning would be required to convince you to do so.

Re:Recourse?

Whether it is used now or later, you are not liable. Your recourse is that you are NEVER liable for credit card transactions.

Bwahahaha! You've never had to experience the nightmare of having fraudulent transactions on your c/card, have you? The issuers make you jump through a ridiculous number of hoops, legal papers, police statements, that unless you have large sums against you, you simply give up trying to to remove them.

It's a complete myth you can reverse transaction on credit cards, perpetuated by Visa and Co to keep the public in happy blindness. At least until they experience the problems for themselves.

Re:Recourse?

[sexconker]

It's not. But if you turn around and file a fraud claim on those charges, that would be illegal.

And that's not what he said he was going to do.
He said he was going to max it out to perform a DoS on potential attackers. If they want to charge shit with his card, they'll first have to make a payment so the account is below the credit limit.

Re:Recourse?

[Solandri]

Don't do that. The banks and credit card companies have gamed it so that they don't pay for fraud - the merchants do. They've made it the merchant's responsibility to make sure the card is not being used fraudulently, while simultaneously pushing through a law which prohibits declining a card because the user refuses to show ID (because that would, y'know, discourage credit card use*). If you contest a charge and the merchant cannot prove that you actually made the charge (usually a copy of your signature on the charge slip), the processor will reverse the payment. The merchant is out the money and the merchandise. The card processor suffers the minor inconvenience of having to pay someone to field your phone call and having to run a second transaction to reverse the initial purchase. That is why some places will ask for your zip code or home phone number, or won't deliver to anywhere but your home address when you buy with a card. Those are the only tools merchants have to prevent fraud.

* They also pushed through a law prohibiting merchants from charging extra for credit card transactions to cover the additional risk of fraud. Some merchants get around it by offering a cash discount.

Re:Recourse?

[rmandevi]

That would have to be a pretty cagey crook. The breach occurred January-February. Global reported the breach to Visa, MasterCard, and Federal authorities once they detected it last month (source: http://phx.corporate-ir.net/phoenix.zhtml?c=125339&p=irol-newsArticle&ID=1678656&highlight=). The news only came out Friday to give the Feds enough time to investigate without tipping anyone off. Truth in posting: I work for one of Global's competitors.

Re:Recourse?

[sexconker]

Well, yes, at least these are CREDIT cards, not bank cards. This is exactly why I don't have a bank card and only use a credit card - at least it provides a buffer to my money. If I see charges on a bill that are suspect, I don't HAVE to write the credit card company a check. But if a criminal got a hold of someone's bank card...

Maybe I'm wrong - does anyone use a bank card and feel safe?

I left Bank of America because of this (and other, previous horse shit).
Some scam "company" initiated an ACH transaction against my checking account (not even a debit purchase, it was straight ACH).

They farm account numbers from dumpsters, internets, and call center slaves who are easy to bribe. Then they initiate fraudulent transactions for "supplemental medical insurance". You can go to their various shell websites and quickly see that the insurance is of course non-existent. The only service they offer is theft.

So I called Bank of America and said "This is bullshit." and they wanted to do the whole 7-10 day, affidavit, wait to get my money back, horseshit.
I got my money back faster (from the company) by threatening to sue and reporting them to the NY State Attorney's office.

Bank of America said they could not (would not) block future transactions from that company. Sure, they could block debits from that company for the same amount (down to the cent), so if they try to take $49.95 they can't get it, but if they try $49.96 or $4999.95 they get it instantly. BoA wouldn't even let me file a complaint against them. Since I had gotten my money back, they refused to let me file a claim where I did not seek a refund. Of course, why would the bank want to make my money secure or investigate fraud? They profit off transactions, interest, fees, fraudulent charges, etc.

My only option, according to BoA, was to open a new checking account to get a new number that hopefully they wouldn't be able to steal.
So I did. Except the new checking account wasn't at BoA.

Re:Recourse?

[DroolTwist]

And what recourse do card holders have?

Cash still works. For now, anyways.

I'm sorry... cash? Does not compute. What is 'cash'?

Re:Recourse?

[MYakus]

Most often the cards get canceled and their owners get issued new cards. Any charges on the card that were fraudulent have to be fixed, but at least there's an expiration date on the cards KNOWN to be compromised.

Re:Recourse?

If you are worried, request a new card with new numbers. Cite this breach to possibly avoid a charge, or pay the charge and worry no more (about this) :)

Re:Recourse?

[penix1]

The problem with that analysis is it doesn't take into account the hit to reputation. These companies only exist because of trust that the data is correct and secure. Loss of that trust means people will jump ship faster than rats leaving a sinking ship. I suspect the only reason Heartland survived was it is an industry that is "too big to fail" meaning there are very few processors out there for people to jump ship to that hasn't suffered the same problems or worse.

Re:Recourse?

[Albanach]

Am I not looking after my finances when I entrust them to (and pay handsomely for) banks to look after them?

Either through interest payments or transaction fees, we are paying a small fortune to multi-billion dollar corporations who want us to use their products so they can make even more money. Why should they be permitted to supply a product but not required to make sure it's reasonably secure?

Many of us are making almost every transaction by card these days - effectively paying banks something like 2.5% of our take-home salary to provide the service that they do. And as we use it more, manual auditing of small transaction values becomes increasingly difficult, if not impossible.

Even if it takes 20 minutes a month to check each transaction, that's 4 hours a year for 200 million plus in the US alone, or getting close to one billion hours of lost time each year. That's crazy.

Re:Recourse?

[Rakishi]

Wow, did a Visa executive make sweet love to your mother or something?

As others have already pointed out, it is just that easy. Visa and Co don't care at all since they don't eat the cost.

Last time I got hit with fraud, a single sale mind you, my card was suspended and I was called before the transaction was even finalized. New card was in my hands within two days and I even had thirty days to switch over any recurrent charges (as the old number stayed valid for those).

Re:Recourse?

I have a similar experience.

I manage my domains with a German company, Joker.com. Every time I attempt to renew my domains my bank declines the charge without telling me or registrar why. I have to call in and speak with someone to allow the purchases to go through.

One time, at the bank's insistence, I attempted to be proactive and call in before the charges were made. They still rejected the charges, I had to call them again then attempt the charge again.

Even though they told me to notify them first, and I did, they still rejected it. That's quite the system they have.

Re:Recourse?

Isn't PCI Compliance supposed to save us all?!

Re:Recourse?

[KhabaLox]

Oh. Well that idea is so stupid (for obvious reasons) I don't feel bad for not understanding it on the first pass. I guess he was trying to be funny?

Re:Recourse?

[KhabaLox]

Fair point. Without knowing anything about the industry though, I'd say that if Heartland can survive losing 130 million accounts, GP should be OK losing 1% of that.

Re:Recourse?

[PessimysticRaven]

It's because hyperbole is fun!

Re:Recourse?

You might want to re-visit the law and policies of your financial institutions because *this* is NOT what I have read and understand to be the case.

Re:Recourse?

[chocolatetrumpet]

All you have to do is what you should already be doing, looking over your statement and reporting anything you have questions about.

Looking over? Doesn't anyone else use electronic bookkeeping and reconcile their bank statements? Money is so hard to come by. It is really worth your while to keep accurate records. And if you're nerdy enough to read this website...

I spend a few minutes each day typing receipts and cash transactions into the computer. Just this very act has increased my savings. My theory is that it helps bring your transactions into consciousness. You can also get all sorts of cool charts and graphs, which helps me decide if I'm really getting good value for my money.

This free and open source accounting application has served me well for years.

I am all for theoretical knowledge, but I really do believe basic bookkeeping should be a standard high school class... I didn't start keeping books for myself until I was into my 20's, and it has been a highly empowering activity.

Re:Recourse?

Yep, I got confused too because it was just a retarded idea and my brain processed the logical version of the joke instead.

Re:Recourse?

You're kidding right? Your bank cannot know the legitimacy of every single one of your transactions. I'm going to assume you are trolling because no one can be this dense, but it is obvious that you should be looking over your own purchases for that reason alone.

Re:Recourse?

[lgw]

Pushed through a law? Really? By "law" you mean the contract the merchant signs in order to accept credit cards, right?

Re:Recourse?

[lgw]

That's epic-scale lazy right there. The bank is not your friend. Never trust it. You don't just need to check against merchant-side errors, you need to check against errors made by your bank. I've had to switch banks before just because of the frequency of errors.

Sure, sure, everyone should prefer banks that get this stuff right, but how can you know if you don't verify? Talk about oblivious.

Re:Recourse?

No. Of course not. It was an AI test.

You have failed.

Re:Recourse?

simultaneously pushing through a law which prohibits declining a card because the user refuses to show ID

Bullshit. That's just a rule the companies have. There's no law.

Re:Recourse?

[JDG1980]

this is less helpful when you travel all the time. oh hey look I'm away from home and now my card doesn't work. how convenient. I still have another week of business to do here. thanks visa.

Anecdotal experience: I have a Visa credit card through BB&T. I live in Georgia. A couple months ago, I got a call from the rep (forget whether it was BB&T or Visa) asking if I had made a transaction for a large amount of money (over $600, forget the exact amount) at a Walmart in Virginia. WTF? So someone had made a fraudulent card (still don't know how they got the data) and I had to have it replaced with a different CC#.

Later on I took a vacation to Florida, and these legitimate transactions went through fine. I had thought based on the previous experience that they might call me to verify the usage was legitimate (as they had with the phony Virginia charge) but they didn't. Maybe because it's a neighboring state, or maybe Orlando gets green-flagged because it is such a big tourist destination? I'm sure they have some very complicated heuristics on this stuff. In any case, I can't really complain about the results.

Re:Recourse?

[lgw]

Everyone should keep a detailed budget, at least for a while. It really is educaitonal. But if you do that for a few years it becomes an empty ritual - you can manage by exception. What's sad is so very few people these days ever reach that point - it's no wonder that getting into "the 1%" seems impossible for so many. There are fundamental technical skills here that every adult should master (if only high school taught anything practically useful).

Re:Recourse?

[TheLink]

Would you be able to get the police involved, since it's theft and the Bank is actively aiding thieves? Not saying that you should (or shouldn't).

So when some guy on the street steals your money he's committed a crime, but if some company steals money from thousands of people they're just a good customer of the Bank?

Re:Recourse?

Posted anon on purpose.

I work for a credit card company and we give out both Visa and Mastercard. When there is a fraud, WE pay the money. If you need a new card WE pay for that new card.

If you contest a charge and there is anything reasonable (so no cash withdrawal with your PIN code) we will FIRST give you the money back, then start the investigation and if there is no actual fraud (or more likely a fraud attempt of the cardholder) he will see it on a later bill.

This means in many cases that the merchant has the money, the customer has nothing to pay and we end up with the bill.

Now if the USofA would start using a modern system like the rest of the world, instead of still using the magnetic strip confirmed by a signature on the card, use the PIN code system with a chip. This seriously will increase security.

As far as we are concerned, if you go to the US, it will cost US money, because of the backwater system that is used.

Almost all of the world has changed to a more secure system, yet the US is somehow unable to get up to speed.

Will it ecxlude all situations or all fraude? No, but it will seriously reduce it. How? If you do not have the code, you can only try to buy stuff on the Internet. The moment the card is noted as stolen, even that won't work, because the card is blocked from that moment on.

Re:Recourse?

[damien_kane]

+1 this

I had my bank card frauded a few times, and my bank put me on the top of the list for the "new" chip-enhanced debit-cards.
My Debit card was chipped before my credit card, and I cancel any sale at a retailer that still wants to swipe my card and simply walk away.

Re:Recourse?

[TheLink]

It's a bit like credit except you're actually spending your own money.

Rich people on the other hand use "leverage".

Re:Recourse?

[houghi]

In Belgium this is 13 months. Not sure if this is a Belgium or European law. Yep, 13 months, not weeks or days.
Stoopid socialist countries with their rights for consumers.

Re:Recourse?

[OldGunner]

Contact your card issuer, report your card as lost stolen. They will issue you a new card with a new number. Quite simply, really.

Re:Recourse?

PCI Compliance is supposed to save the businesses from lawsuits. It's just the absolute minimum necessary by law.

Re:Recourse?

[hesaigo999ca]

As of today, I would recommend everybody to ask their CC company tfor a new card (with a new number) that way even if they got it, they no longer will be able to use it, I do this about every month or 2 depending how many transactions I get...just a precaution, almost costs nothing for them to replace the cards.

Re:Recourse?

[gstoddart]

They dropped them from the list of "secure" providers. Global Payments is still authorized to handle VISA credit card payments.

Wait, VISA will still let insecure providers to process transactions?

That makes no sense whatsoever. (I'm not disputing what you're saying, I just find it amazing they'd let someone who doesn't have good data security anywhere near transactions.)

That's kind of letting a known burglar work for an alarm company. It kind of defeats the purpose in the first place.

Re:Recourse?

The card processor suffers the minor inconvenience of having to pay someone to field your phone call and having to run a second transaction to reverse the initial purchase.

The card processor makes money on the reversal too. If the merchant does it manually, the processor makes as much, or more, in services fees as the original sale. If the processor does it via a chargeback, they charge a fee for that as well. It was $25 per transaction when I worked in the industry. There is no inconvenience to the processor, only profit.

Re:Recourse?

I've never even had to talk to anyone, just use the computer prompts.

Re:Recourse?

Kinda ridiculous sometimes. NYC metro ticket dispensers ask for a "ZIP" code (5 digits). This can be baffling to somebody using a non-US credit card registered to a postcode with, say, 2 letters and 4 numerical digits. Whatever, you can just enter the 4 numerical digits and make up the other - it will go through just fine.

Re:Recourse?

[Mitreya]

law prohibiting merchants from charging extra for credit card transactions to cover the additional risk of fraud. Some merchants get around it by offering a cash discount.

I believe such cash discount are simply due to the Visa/Mastercard charging merchant (rather than buyer) a fee. Most of these cash discounts happen to be aroun 3%, which is exactly what merchants typically pay.

Re:Recourse?

[Quirkz]

I travel sporadically and have never bothered to tell them when or where I'm going. The two times they've declined the card have been $100 purchases at a local department store we shop at regularly. Whatever heuristics they've got going, it's a little off kilter, but calling them wouldn't have made any difference.

Re:Recourse?

[wickedskaman]

It's not even necessarily mandated by law either. Depends on what country or state/province you're in.

Re:Recourse?

[Raenex]

Wait, VISA will still let insecure providers to process transactions?

Global Payments is a huge provider, and Visa couldn't just stop processing payments from them without impacting a huge number of merchants.

(I'm not disputing what you're saying, I just find it amazing they'd let someone who doesn't have good data security anywhere near transactions.)

Even companies who have good security can suffer a breach. I haven't seen any details on what happened, whether it was gross negligence, an inside job, or what. To even be processing with Visa, you have to pass security audits for basic procedures. They'll get whatever went wrong fixed and re-apply for approval.

The real problem here is the reliance on "secret" data (your credit card number) that is published on every transaction. With so many people and organizations involved, it's inevitable that these leaks will happen.

It's 2012. There are much better solutions using smart cards and public/private keys.

Re:Recourse?

[hairyfeet]

Uhhh...use a small bank that won't fuck you over maybe? Every time any of this kinda crap happens i get a new card issued to me by my bank "just in case' and been told flat footed 'if anybody messes with your account don't worry, just let us know and we'll take care of it, no problem" and actually got to test it last year when ordering some parts and PCs and a company double dipped. i just walked in to my local branch, walked up to the teller i always go to and said 'hey Karen, can you believe i bought something online and they double charged me" and she said 'Ohhh, don't you just HATE that? That happened to my husband a couple of weeks back...now lets see...is it this one right here? okay let me punch this in and...tada! Give the system about 5 minutes to update and it'll be like it never happened" and i thanked her and after BSing a minute walked out and sure enough, like it never happened.

Hell i don't even worry about using my debit card out anymore, its covered to the penny by my bank and one phone call or trip to the local branch and its all taken care of, no muss and no fuss. that's the nice thing about using a small bank, they get to know you and treat you like a person and not a wallet with feet. when i go in to the one on the east side (where my mom banks) I get asked about her and how the oldest is doing in college, i go to the west side (the one my dad uses) I get asked about how dad is doing and get to hear ALL the latest gossip (we call that branch the "hen's nest" for all the gossiping going on) and its nice. no hassles, friendly folks, no worries.

I wonder if this is why i just got new cards even though mine had a year left to go? When these things happen they usually tell the banks first and i'm really happy with how proactive mine has been, if there is even the slightest hint someone may have gotten a number we get new cards. They even called and left me a message to go check my mail for new cards and if they weren't there to come on by and they'd issue a temp card and sure enough they had new cards waiting for me and the next day new PINs. no muss, no fuss, no hassle, i wouldn't change banks for anything.

Re:Recourse?

Welcome to what we did in Canada 2 years ago. Maybe now when I travel to the US, on those rare occasions the gas pumps and hand terminals won't freak out because the card is chipped.

Re:Recourse?

[Kalriath]

That usually means the bank has placed a transaction block on that merchant - mine does the same with Entropay. It actually means it requires manual intervention to perform the transaction. In my case, I need a bank person on the phone to force the payment through.

Re:Recourse?

[Kalriath]

Check, um, how? There's no thing on the page which says "We use blah blah for transactions", the merchant is under no obligation to tell you and under no obligation to tell the truth if they do, and in some cases don't even know, and in a select few cases are contractually forbidden from telling you (mostly adult entertainment merchants, as the provider does not want to be associated with that activity). In some cases you may not even have a choice of alternative merchant (i.e. large monopoly parking garage owners).

Re:Recourse?

I don't think you realize how absolutely STUPID your posts are sounding. Basically you are asking for a computer to know AND decide your spending habits better than yourself. Or s/computer/person the prior statement.

BTW, we have the above right now. Fraud detection is extremely powerful on Credit Cards. And the human option... they are call "personal accountants".

However, your posts come off as if neither of these are good enough right now. You are asking for a nanny state but from your bank or personal accountant. You want someone ELSE to determine how you should spend YOUR money??!!?

Re:Recourse?

[Albanach]

I don't think you realize how absolutely STUPID your posts are sounding. Basically you are asking for a computer to know AND decide your spending habits better than yourself. Or s/computer/person the prior statement.

As was said above - the rest of the world moved to Chip and PIN years ago, yet the US is getting their in a year or so. Yet somehow I'm the one that's stupid? I'm frankly amazed that someone hanging out on /. would think technology can't help make fraud detection easier for the end user.

I can think of dozens of ways computers could analyze my transactions and make spotting fraud much easier. The only reason it doesn't happen is because no-one is forcing the banks to do so.

Your statement could come with transactions sorted by risk - if you spend $100-200 each week at the same grocery store, that's a low risk transaction. You spend $5ish each weekday at work, that's low risk. You spend money at a new store you've never visited before, that's high risk, so make it stand out.

At gas stations, you fill up once a week and never buy more than 12 gallons. Suddenly you fill up with 15 gallons 3 times in a week - it's high risk, so flag it up.

Banks want us to use our cards for everything. They make more money that way. In return I don't see why they shouldn't be playing their part. Like I mentioned above, there's no technological need for a business to be storing users credit card details, yet it happens because the card issuers haven't presented an alternative. As a result consumers pick up the cost when data breaches occur.

Everything I've suggested is either common sense or low cost and is either in use elsewhere or could be introduced using the information available to banks today. Why exactly is that stupid?

Re:Recourse?

You spend money at a new store you've never visited before, that's high risk, so make it stand out.

They already do this. But you know the downside of over auditing? One, the diminishing returns is pretty damn steep in this area. You and I have to pay for those extra CPU cycles and for what in return? Two, people become complacent and start ignoring the alerts when there are too many. You build a system that babies you, you end up with babies. Not to mention you are basically asking for a large corporation to digest and trend your habits on a personal level!

Guess what the negative of a Chip & PIN is? Although it is harder to have your credit stolen, it is not impossible, but its also harder to say that it wasn't YOU who made that purchase. It's your word (and credit score) against a computer that says a Chip & PIN were provided.

The current system believe it or not is actually in favor of credit card holders (atleast those who check their statements & pay full on time). Do you know WHY those solutions exist in the rest of the world? It's cause the companies do not trust their customers. Cause fraud rate is completely different when it comes to US John Doe and non-US John Doe.

If you need all this protection, hire a personal accountant and take it out of your bank account instead of all of ours. If you want the cheaper route, go get an app like Mint or the Chase Mobile App. Take Chase's mobile app for example; you can have that thing alert you on a ton of different types of transactions. Guess what? It alerts me TOO much already that I just stopped using it. Mint is fine thou.

What you don't understand is that your ideas actually take the balance of power out of consumer and merchant hands and put it into Credit Agencies and Credit Card companies.

Re:Recourse?

Yes, it's EITHER common sense or low cost. Good way to phrase it.

I don't want my bank to assume all my transactions are OK just because I input my PIN. That is so dangerous it's not even funny. I don't know if you work in IT, but if you do then you should know that security systems are not infallible. They can have issues, they can be broken. Anyway, how are you supposed to know your bank is doing everything right if you never look at the records? So you don't mind if they take off $10 off every transaction and manage to hide it, because hey, they're supposed to manage your accounts right?

I won't call you stupid, but the content of your posts in this thread is.

Re:Recourse?

Who cares? You are legally liable for max $50 which is always waved in situations like this, and get this, they issue you a card with a NEW NUMBER!. It's not your SSN! get over it already!

Re:Recourse?

[izomiac]

I had my (Visa logo) check card compromised on Feb 12th, and this seems like the most logical mechanism behind it. For me, what it entailed was a call to my cell phone from my bank at 10:00 am concerning a 7:00 am charge of $7 in another state. The charge was never authorized and I was sent a new card within the week. My own review of my account and credit history revealed no further anomalies.

That was perhaps my second or third call from them in the past eight years, so they're frighteningly accurate at knowing what is and what is not a typical charge for me. All that said, I expected headaches since fraudulent use of a check card involves "my" money rather than theirs, but the process was rather painless for me.

Re:Recourse?

[jaymemaurice]

I went home to Canada from Dubai for a week in the summer. While I was there, I spent a day in Toronto and used my credit card a couple of times. 2 months later, after returning to Dubai, I started getting transactions on my card for Taxis, Fast food and LOTS and LOTS of gas. In two days, they managed to rack up ~5k, mostly in gas. I called TD and they took care of it. I was asked to sign an afidavit but they determined it was not nessesary. All the transactions are reverted and my credit score does not appear to be affected per equifax. I still see that credit card's bill in the online billing and they have reverted it down to ~$2500. The biggest inconvienience was getting the new physical card and they accidently later DEBITED my new credit card for the fraudulent amount instead of CREDITING it (oops human error). Over all, the convienience of the card has still VASTLY outweighed the inconvienience.

Re:Recourse?

[jaymemaurice]

Another time, I booked a hotel online... when I arrived at the hotel they claimed not to be able to find my booking... I guess they opened a new booking and charged a 1 week stay on the old booking as a no show. I managed to eventually get the hotel to revert their charges (that was such a pain in the ass) but then there was a substantial margin created by the buy and sell difference in the currancies... I was in contact with TD the entire time and they ate the difference... the biggest inconvienience here is that there is no toll free/collect way to call TD from the UAE.

Re:Recourse?

[jaymemaurice]

It could also be that you recently used your card at a merchant where other people have reported fraud... so then when your card was used in a location you do not frequent, alarm bells ring. Also if you use your card in two locations faster then you can physically travel, that might set off alarms.

Re:Recourse?

Recent experience: My wife went to the UK (we live in the USA) recently. I phoned the credit card company in advance and told them she would be in the UK. Cards on the account have been used in the UK on a fairly regular basis. Her card was suspended within a couple of days of her arrival. So, what's the point of calling the credit card company?

I've had similar experiences. Called to inform them I would be in Mexico for a week: first time I try to use it, get's suspended.

But then on my recent trip to Germany, I opted to not inform them I would be traveling. Worked just fine.

My guess is informing them (or not) has little impact on their security algorithms. If you are using it in an area you often don't and that area is known by them to have a lot of fraud, they flag it.

Re:Recourse?

[PsyberS]

I travel sporadically and have never bothered to tell them when or where I'm going. The two times they've declined the card have been $100 purchases at a local department store we shop at regularly. Whatever heuristics they've got going, it's a little off kilter, but calling them wouldn't have made any difference.

Sounds like my experience as well. Never inform them of my travel and never had issues. $500 hotel, $100 meals, $50 on gifts at some random shop thousands of miles from home all go through without a problem.

Yet my $50 Wii game purchase at my local Target (where I shop weekly) suddenly triggers it? Or my DVD purchase at my local BestBuy? Nice algorithms.

Re:Recourse?

I usually carry 2-3 credit cards at any time because when I travel in the USA (always the same area, VT, NH, MA) I can use a card once, mybe twice before it gets locked. I've had to pay insain roaming fees to spend 20 minutes on hold, in order to tell my bank that I am actually in the US, and have actually used my card. They tell me to notify them if I travel outside my regular habits. I'd think travelling through those 3 states on average once a month would make them part of my regular habits... plus even if I call in advance, it doesn't fail, my card will get locked.

Re:Recourse?

[sexconker]

Would you be able to get the police involved, since it's theft and the Bank is actively aiding thieves? Not saying that you should (or shouldn't).

So when some guy on the street steals your money he's committed a crime, but if some company steals money from thousands of people they're just a good customer of the Bank?

Police don't give a shit lol.

ANother grain of sand

[geekoid]

on top of my theory that digital cash will prove to difficult to protect and ultimately fail; which is a shame, I like digital cash.

Re:ANother grain of sand

[Bigby]

It isn't a problem of digital cash. Physical cash can be stolen too. It is centralized digital cash. Doesn't bitcoin solve that issue? (not rhetorical; I don't know the details of bitcoin)

Re:ANother grain of sand

Hold on. Credit cards don't use any cryptography. I don't know why credit cards haven't been supplanted by a better digital cash system yet, but that's certainly possible.

Re:ANother grain of sand

[vlm]

Doesn't bitcoin solve that issue? (not rhetorical; I don't know the details of bitcoin)

BTC only "decentralizes" properly if less than 50% of the transactions etc come from one person.. or group... so just dumping BTC on top of visa and mc will merely result in a oligopoly majority screwing with the block stream.

That is a problem with rolling out BTC, if you have a completely centrally controlled monopoly or oligopoly based financial system like the US, its hard to roll out gradually. The first mover will automatically control 99.9999% of the block stream making it no longer decentralized, or at least not decentralized until everyone ELSE moves to BTC.

Re:ANother grain of sand

[demachina]

Not entirely. You dont have the problem of identity/number theft but, theft of bitcoin wallets is relatively easy if you hack someones machine who has a bitcoin wallet.

The exchanges are also a weak point. At least one and probably more have been hacked, on top of which at present you can't have much confidence in the people that are running them in the first place since they are just geeks with servers who set up exchanges and some are better than others.

If you put large amounts in bitcoints you do have to make significant effort to protect them,

Re:ANother grain of sand

[elsurexiste]

It's not a a failure, and you said why: a lot of people like using credit cards!. Those companies already accept the fact that, every now and then, cards get stolen. They continue to operate under this scheme because it's so lucrative.

Re:ANother grain of sand

[vlm]

This is the old "use it as a store of value" argument vs the old "use it for free money transfers" argument.

It doesn't seem to be the ideal "store of value" system where wallets usually have something worth taking.
It already makes a hell of a fantastic zero commission international transfer system where wallets on both sides are always zero unless a transfer is in progress.

The latter use case seems much more likely to be the killer app than the former.

Re:ANother grain of sand

[rickb928]

Bitcoin is not the example of a solution to anything that I would choose. Between security breaches at various brokers, exploitation of the algorithms, and speculation, Bitcoin seems a lot like pre-existing currencies. No fix.

Re:ANother grain of sand

[sexconker]

Doesn't bitcoin solve that issue? (not rhetorical; I don't know the details of bitcoin)

BTC only "decentralizes" properly if less than 50% of the transactions etc come from one person.. or group... so just dumping BTC on top of visa and mc will merely result in a oligopoly majority screwing with the block stream.

That is a problem with rolling out BTC, if you have a completely centrally controlled monopoly or oligopoly based financial system like the US, its hard to roll out gradually. The first mover will automatically control 99.9999% of the block stream making it no longer decentralized, or at least not decentralized until everyone ELSE moves to BTC.

No, it has nothing to do with 50%. It's simply that if you control more of the network, you are more likely to get away with tampering with transactions unnoticed.

You would need 100% control to guarantee no one would see you rigging shit. Even then, the entire transaction history is viewable to all, and all mined results are verifiable. In order to falsify a transaction you'd have to falsify a mining result and steal some wallet files. Since it's just mountains of hashwork, you're better off just mining.

Re:ANother grain of sand

[vlm]

Hmm I think we agree the majority controls. I'm going further and saying truth or falsehood is in the eye of the 51%. You're saying a false transaction believed by 51% is still false, I'm saying it defines truth, at least in-band. If you also had GPG signed web of trust receipts to compare with the in-band history... well thats cheating, kinda, because its out of band.

Re:ANother grain of sand

[gox]

exploitation of the algorithms

This never happened.

Bitcoin seems a lot like pre-existing currencies. No fix.

Well, it is supposed to fix the problems with and overcome limitations of centralized control, nothing else. And it does it to a certain degree.

Theft is a problem when there is a point where value is stored. Bitcoin can solve this by requiring multiple signatures for a transaction (there is experimental support for this already). So, you can store these keys in different locations. Keys never have to be in the same place ever to confirm a transaction, so this is very different from dividing a single key. It would take some time for common sense to form around this concept though.

Even if this eliminates most of theft (it can't eliminate all of it) speculation remains a problem. You could add scams, worker exploitation, corporatism, environmental disregard or whatever you don't like about the economy here. Bitcoin won't fix them, sorry.

However, at least to me, it sounds like claiming that eliminating slavery won't fix hunger. Well, who could disagree with that?

Re:ANother grain of sand

Credit cards arent digital cash. They are payment pull system. That is any amount of money can be pulled from your account by anyone that has your credit card number. Most digital cash systems are payment push systems. That is only you can initate transfer from your account to a merchant's.

(posting AC as I have never bothered with a /. account and aint starting now)

Re:ANother grain of sand

yes because analog cash is so much more successful

Re:ANother grain of sand

[sexconker]

Hmm I think we agree the majority controls. I'm going further and saying truth or falsehood is in the eye of the 51%. You're saying a false transaction believed by 51% is still false, I'm saying it defines truth, at least in-band. If you also had GPG signed web of trust receipts to compare with the in-band history... well thats cheating, kinda, because its out of band.

Majority of hashing power != majority of users. Not by a long shot.

Beyond that...

A bad block is verifiable. Either the hash is correct or it isn't.
If certain hosts are pushing out bad block, other clients will see them and reject them. There is no mechanism in place to black list nodes, though if it becomes a problem it's trivial to do. All blacklisting does is reduce the noise on the network and the overhead of verifying blocks and rejecting bad ones.

You can only forge a transaction only if you have the victim wallet's private key. If you're going to crack that you might as well mine and earn coins legitimately.

And the final option is to copy someone's unencrypted wallet and then transfer money to a wallet only you have. You'd have to get at someone's wallet file to do this. It has no impact on the network, only the individual user who got his shit stolen. It's just like stealing cash from someone on the street.

Where is the list ?

[Lennie]

I want to check if mine is on the list ;-)

Re:Where is the list ?

*glances in wallet*
I'm safe.

Re:Where is the list ?

Then you're in luck, as I've developed a site that will tell you.

Simply enter your name and card number... it will tell you straight away. Nevermind the sketchy url, I swear it's legit.

Re:Where is the list ?

[vlm]

Then you're in luck, as I've developed a site that will tell you.

Simply enter your name and card number... it will tell you straight away. Nevermind the sketchy url, I swear it's legit.

AC is the guy who invented www.google.com?

Don't laugh, people do this "all the time", or at least they used to. Journalist types used to strongly encourage it to see if someone had released your number in a goog accessible location... which has happened in the past.
This is why some people freaked out about search histories being released / stolen / whatever, at least aside from the people nervous about their queries for "tranny midget sheep scat pr0n" and of course "how to make chloroform"

Re:Where is the list ?

[HaaPoo]

I have the list, give you number to me to verify.

Re:Where is the list ?

[kakaburra]

"Please post your card number, we will check if your card is in the database.... for free!!.." .. :P

Re:Where is the list ?

[KingMotley]

I too would like a copy of this supposed "list". I want to see if it's complete or not, by checking if your number is in there.

New Security Model

[MetalliQaZ]

That government guy from the cyberwar scare story last week had it right... We need a new security model. Just assume that your credit card numbers, your social security number, etc., are already compromised. Those things were never designed to be secure, and companies that we trust with this data simply can't keep them safe. We just have to accept that the bad guys are all up in our business and adjust our practices accordingly. We could do it.

Re:New Security Model

[Thanshin]

We just have to accept that the bad guys are all up in our business and adjust our practices accordingly. We could do it.

And now that we're talking politics...

Re:New Security Model

Smartcards could massively reduce the risk for a lot of these problems. The main issue I can see for us consumers is that if we were using them then you might have less legal protection in the event of fraud because since they are more secure then you may be held more liable (even though they're not perfectly secure). Similar problem to the "Verified by Visa" and such (search it).

Re:New Security Model

Of course we *COULD* do it, but why would we?

The current system is a great benefit to banks, who aren't liable for the majority of credit card fraud. They could secure it, but it would probably mean fewer credit card transactions, which means fewer transaction fees. So why would they want to cut into their own profit?

Right now, merchants are liable for fraud. Of course, merchants can't do squat to stop fraud. Hell, RSA Security was hacked last year. If they can be hacked, anyone can be hacked.

The whole system needs to be overhauled, but without government intervention or a consumer revolt, nothing is going to change.

Re:New Security Model

[nine-times]

Well it's not so much "we need a new security model" as "we need a security model". As you said, these things were never designed to be secure in the first place.

Lots of businesses and government organizations use your SSN as an authentication method-- i.e. knowing your SSN is considered proof that you are who you say you are. However, your SSN is also just your ID number, and you're constantly being asked to provide it to people. In computer terms, it would be like asking people to use the same username in lots of different places, and then having everyone use their username as their password.

IMO we should be using some kind of private-key encryption to verify identity. I don't like the idea of being forced to identify yourself, but if they're requiring some kind of verification/authentication, it should at least be secure. Of course, this would also require us to develop and deploy an additional layer of infrastructure for providing/reading/revoking these private keys, and it would also raise questions of whether/when/how we want to allow anonymity in such a system. There are lots of issues to work out, but we should be working on it.

Re:New Security Model

[jez9999]

Indeed, 'cards' as a throwback from the 90s and it's a shame they're still widespread. I've been thinking for a while now that instead of issuing you with a 'card', the banks should switch to issuing you with something akin to an RSA SecurID tag. You attach it to your keyring and it has a number that changes every 30 seconds or something, which you must supply to login to online banking or make online transactions. For physical transactions, RFID could be used combined with a PIN. Lose the thing and you phone up and cancel it immediately. This should stop a lot of the fraud that happens, and in theory there's no way to defeat it unless that bank's system themselves are compromised.

Re:New Security Model

[Jmc23]

Welcome to Mexico.

Re:New Security Model

[compro01]

I've been thinking for a while now that instead of issuing you with a 'card', the banks should switch to issuing you with something akin to an RSA SecurID tag.

That wouldn't be much better than current systems if the processor has shitty security. They can just lift the seed files off the processor's servers and go on their merry way.

Re:New Security Model

[KhabaLox]

In computer terms, it would be like asking people to use the same username in lots of different places, and then having everyone use their username as their password.

+1 Insightful

It's kind of obvious, but then I guess most insightful comments are in hindsight.

Re:New Security Model

[KhabaLox]

Welcome to Mexico.

Does this mean you have RFID key fobs or compromised banks? I want to assume the latter, but I also don't want to be racist.

Re:New Security Model

[Jmc23]

RFID isn't safe, not even close. I do have a little keyfob that generates a new number every minute that has to be input to do any transactions online.

Re:New Security Model

[TheLink]

But if the systems were designed to be secure would "normal" people be better off in practice?

Don't get me wrong, I'd be happy if things really became more secure. But as long as Banks, regulators etc keep calling "identity theft", "identity theft" and not bank fraud, what do you think will actually happen?

Paranoid slashdotters might be able to keep good control over some fancy "foolproof" transaction system. But do you think most people would? They can't even secure their computers and phones.

So cynical me thinks at worst all the fancy tech would do is give the Banks a reason to pass more of the losses to their customers. At best it just makes the people supplying the tech rich, while not improving things much.

Right now, if stuff happens, a customer can go to the issuer/court and say "I didn't make that transaction" and the issuer/jury/judge would be more inclined to believe him. With fancy "foolproof" tech, when stuff happens and a hacker gets or guesses passwords or manages to pwn the system via other means, the customer might find it harder to convince the court that he didn't make their transaction - because the "expert witness" says it's "100% secure".

The goals and motives behind people creating SSH and SSL/TLS were better, so you did get something better than telnet. And even then has https really been that effective in stopping that many people from getting phished/pwned?

Yes there are hackers going around stealing money, but when Banks are helping their friends and customers _directly_ steal money and get away with it I don't really think hackers are the biggest problem we should worry about. See:
http://it.slashdot.org/comments.pl?sid=2761105&threshold=0&commentsort=0&mode=thread&cid=39549881
http://www.csoonline.com/article/603461/ach-fraud-why-criminals-love-this-con
And also
http://www.fcc.gov/guides/cramming-unauthorized-misleading-or-deceptive-charges-placed-your-telephone-bill
http://en.wikipedia.org/wiki/Cramming_(fraud)

So many easy ways of directly stealing your money. Think the Corporations will make things more secure? I bet they'd only lock down your transactions while still allowing their friends and customers to steal your money easily.

Re:New Security Model

[nine-times]

Well the problem isn't just bank fraud or identity theft, but that we live in an increasingly anonymous society without a clear method of identity verification. This has wide-ranging implications for national security and law enforcement.

So cynical me thinks at worst all the fancy tech would do is give the Banks a reason to pass more of the losses to their customers.

Arguably they already do. When someone uses your credit card to steal money from the bank, the bank voids the charges and you don't get charged. However, that money still comes from somewhere, and there are only 2 places for it to come from: their customers and their shareholders. Someone is paying somehow. Even if they could legally just void out the debt, it would be charging the entire population by way of inflation.

The security methods of telling the bank your SSN, mother's maiden name, or prior address are flawed because those are real pieces of information that can't be changed. Also, it's information that you may need to provide to others, which means that it's not really "secret". A private/public key could be changed, and the new correct public key could be substituted easily.

Now I'm not saying that there can't be drawbacks or that it can't be poorly implemented, but I don't see why with all the ubiquitous technology, everyone can't be issued some kind of smart card or token that holds a private key.

Re:New Security Model

[jaymemaurice]

Right now, if stuff happens, a customer can go to the issuer/court and say "I didn't make that transaction" and the issuer/jury/judge would be more inclined to believe him. With fancy "foolproof" tech, when stuff happens and a hacker gets or guesses passwords or manages to pwn the system via other means, the customer might find it harder to convince the court that he didn't make their transaction - because the "expert witness" says it's "100% secure".

This still remains to be seen. Such FUD stops progress. It is known that cryptography does not make anything 100% secure... it simply makes it some x^y more obscure then most known technology allows. The average person can find many more expert witnesses to attest that no encryption is 100% and no system is fool proof. Take for example chip and pin... any idiot knowns a camera/modified touch pad/thermal imager/key logger/screen logger/scanner for electromagnetic interference can render the methods for a single PIN useless. Smart cards/ibuttons/etc are vunerable to vunerablities found using electron microscopes. Fraud will always be there, it usually takes the path of least resistance for biggest payout... I think we have given up trying to stop fraud and moved to instead limit fraud and throw fraudsters in jail.

Confined to North America

[stevegee58]

Oh thank goodness it was limited to only North America! I'm so relieved.

Can't steal a number

[Thanshin]

You can't steal a number! It's not stealing if you still have your copy of the number! It's copyright infringement at the most.

Also, if put them one after the other, they stole a single number!

73

There you are, you can keep that number in exchange. I never liked 73 anyway.

You're welcome.

Re:Can't steal a number

[TheGratefulNet]

73 is ok. and if the situation is right, 88 can be acceptable, as well ;)

Re:Can't steal a number

This is even filthier than Carlin's 71.

Cancelled on saturday

[aztrailerpunk]

The bank had cancelled my card on Saturday morning stating that my number was reported to have been hacked. I had nothing taken but it was nice to know that they were on top of it just in case. The only hindrance to me was that I to run to the bank and get a temp card.

Eh, oh well.

[JustAnotherIdiot]

My card expires in a few months anyway, guess I'll just step up getting a new one.

Easy fix

[alaffin]

The thing is there are so many better ways to do things right now. For starters, you could force any retailer that wants to accept credit cards to upgrade to a chip and pin setup or lose their ability to accept credit cards. Chip and pin isn't perfect, but it's better than a magnetic stripe and a signature. For card not present transactions allow Visa card holders to create a one time credit card number (with a maximum limit) via the internet or over the phone. Want to buy something on line? Generate your own credit card number to the exact value of what you're buying. That CC # number expires at the end of the day - meaning that even if you gave it a ridiculous limit and then sent it to a shady site they'd have 24 hours to use it.

Of course implementing these fixes would cost more than just paying the scammers, so we'll never see it happen.

Re:Easy fix

[Chatterton]

The problem is that for the bank the money lost is 'minimal'. In the 50 billion $ a year of CC fraud, most of that amount is lost by the merchants and not the bank. The chargeback is from the merchant to the card owner, but the merchand didn't get the sold product back. Now, if a law say that the fraud should be at the charge of the banks, you can be sure that the fixes will be implemented in the following hour !!!

Re:Easy fix

You can't "force" the retailers to do anything because they are the customers.

We the card holding poens are the product - we have no say.

Re:Easy fix

[rickb928]

"you could force any retailer that wants to accept credit cards to upgrade to a chip and pin setup or lose their ability to accept credit cards."

Um, the players in this aren't interested yet. The cost of replacing cards ia high enough for them to avoid it until 'forced', and not by 'you'. the government maybe, or a bank that gets burned too much to bear. In Britain, little old ladies are being shoulder-surfed at ATMs and wiped out, and since it's chip and pin, the banks hold onto their policies and refuse to make them good - see, chip and pin is most useful as a risk-shifiting device. The bank is off the hook because it is 'so secure' that you must have given your pin to someone. Your fault. Card not present transactions are a different story...

"For card not present transactions allow Visa card holders to create a one time credit card number"

This already is possible. Ask your bank, and if they don't, maybe you need a new bank. These go by several different names.

Re:Easy fix

Both my bank card and credit card offer one time card numbers, or recurring card numbers which can have expiration or cost limits. Don't all do that? Can't imagine doing online business without it.

Re:Easy fix

[tgd]

Of course implementing these fixes would cost more than just paying the scammers, so we'll never see it happen.

It has -- quite literally -- nothing to do with the cost of the fixes. Most of the world has already gone chip+PIN. The reason you don't see it in the US is very simple: it slows down the transaction. That's why Visa and MC have been pushing for contactless payments. Tap your card and off you go. Simple as that. Its also why most stores no longer require signatures under $25 -- the networks have mandated that. You can actually lose your merchant account or pay penalties if you are caught asking people to sign for low-cost transactions.

The banks make money from people using the cards. They know exactly how much they lose from fraud, and how much they lose from slowing down transactions. As long as the latter is more than the former, nothing will change. You saw the change elsewhere because the spending patterns aren't the same as in the US, and fraud rates were higher.

Re:Easy fix

[Wildclaw]

Want to buy something on line?

Enter your credit card number and get redirected to your bank's site where you have to verify the purchase using your own bank's security solution. This functionality already exists on an international level as I have had it happen while buying something from Japan, while living in Sweden.

Re:Easy fix

[compro01]

They know exactly how much they lose from fraud

>=0

They just shove it up the merchant's ass, who are then out the money, the merchandise, the transaction fee, and a chargeback fee.

Re:Easy fix

[CubicleZombie]

The merchant should be trying harder to verify the identity of the buyer.

Someone wrote my CC number to a card magstripe and went on a Walmart shopping spree. $6000 over 20 minutes. Back and forth between their car and the electronics section pushing shopping carts full of big screen TVs. Nobody at Walmart noticed or cared. Nobody checked that the number matched the one printed on the card. Nobody checked the signature (do they ever? I always sign a smiley face).

Of the involved parties:

1. The thief
2. Walmart
3. Capital One
4. Me

Given the thief walked away, who next should be liable? Why should the bank pay for it?

Re:Easy fix

[houghi]

I agree with the chip and PIN thing. It is used all over the world.
I have used the system with a new card number for each transaction online. However the problem with that is that there are only a limited amount of numbers available and they would run out FAST.

There are other systems that already exist for online transactions. At least one is using your own card reader or code generator that creates an extra code. Another is using it without an extra level where you have to enter another password for your transaction.

Basically one is a generated and the other is a self selected password. Basically the same as using your pin code during a terminal transaction with some added security.

The scammer does not handle the transaction and won't be able to get anything after the first scam, unless you go OK with a repeat payment.

Anti-virus programs are by large the biggest scammers in the world and they do it all above the table.

Re:Easy fix

And I ABSOLUTELY refuse to follow this shit security model. Like that Mastercard secure crap.

First and foremost, it is 100% prone to MITM and redirection attacks. If I go to some superdupperwebsite.com and I order stuff from there, why am I magically redirected to some weird site asking for my SSN, DOB and the like?? It is NOT my banks website, it just *looks like* my bank website and I have never dealt with this "verification" website in the first place!!

One of such sites doing this is NewEgg. I've never followed through with the "secure verification" step. My order has always arrived.

If they wanted this to be an actual secure model, it should be like this,

  1. Buy crap

  2. Get told to verify things on CC issuer's secure purchase site. Your order is placed on hold until verified.

  3. You go to your CC issuer's site (NO automatic redirection from #2). This can happen in next 5 minutes or a day later. The site is where you can check your CC balance, statements, etc. You click "I accept $400 purchase from newegg.com" and possibly other purchases pending verification.

  4. NewEgg gets notified that I accepted the purchase and it moves along.

But the current model they have is utter garbage and I'd sooner cancel the CC than use this "verification step".

Re:Easy fix

[Kalriath]

Why bother? It doesn't matter how much evidence you have, the issuing bank will still side with the cardholder. Verify the person all you want, it's cheaper to just eat the chargeback than to spend extra time and money verifying individuals and still have to eat the chargeback. The only safe way is to require all purchases to be online, and to require 3DS verification - then liability shift applies and it becomes the issuing bank's problem.

Also, you missed two steps step in the chain - Walmart's processor and merchant service provider (likely their bank).

Re:Easy fix

If someone gets hold of your password, which can be gotten hold of if you have some keylogger trojan on your PC, you are liable for the transactions. Neither the bank nor the merchant is liable. Verified by Visa shifts the burden to the credit card holder. It is also possible to obtain a new password by knowing the government identity number of the person who's card you're abusing.

Re:Easy fix

[CubicleZombie]

Just ask for an ID. How hard can that be? I write on my cards "REQUIRE PHOTO ID" and always thank the cashier when they do.

Re:Easy fix

[Kalriath]

The cashier is violating their merchant agreement accepting that card. They are required to hand the card back and demand you sign the back - failing to do so means they can be fined gigantic amounts and/or have their processing cut off. They're also violating their merchant agreement if they ask for ID, with the same penalties.

By writing "REQUIRE ID" and expecting them to honour it you're actually exposing them to some serious business risk.

Picked the right time

Of course they make sure to announce it on the same day as the Final Four championship. They want this story to get buried. Just like when Heartland processing made sure to announce their breach the same day as Pres. Obama's inauguration.

Many hats

[NetNinja]

This is what happens when you have companies who have people who wear many hats and don't commit a person to watching over security. I see it all day long, they want someone who has PCI experience but they also want you to manage the network and everything else that plugs into the wall.

Companies who deal with credit card information needs to dedicate a security person to ensure that all PCI guidelines are being enforced and followed.
There are specific tools and software that PCI compliant companies have to have in place. I bet you the compliance guy was working on the other 10 emergencys that had nothing to do with PCI at the time the breach occured.
Guess who gets fired now.

Re:Many hats

[who_stole_my_kidneys]

I have to disagree. If your in the business of Security, just focusing on implementing PCI compliance or SOX or SEC etc. recommendations leaves you clue less to how hackers actually penetrate networks. You need to know more about what it is your running and how to mitigate other exploitable features that are not included in some compliance mandates. And the best way to learn that, get your hands dirty.

Re:Many hats

I think the bigger problem is companies who don't understand that security is a continuous process and that passing the audit is not an end unto itself.

Yes, we (IT staff already seriously bogged down) want you to hire someone to do security. Yes, even when we're not being audited. No, they won't be idle sitting around doing nothing, security is a continuous process. No, it's probably not a good idea to make him double as the network engineer and triple as the VMware guy. Yes, he should know those things, but he shouldn't spend all of his time administering and troubleshooting them. His focus should be security, that is to say he should be staying abreast of the latest threats, and tuning the IDS, monitoring software, etc., and educating IT and the users on the need to follow the security model.

Yes, we won't be audited again for 6 months, but that's not the point. Technically, I would think, we would want to be secure. There's more at stake then just failing an audit. If we had someone who was really good at this security stuff, they could keep the 'ship' on the right course and we would sail through any audits. We wouldn't have the mad scramble to remediate a bunch of things each time.

Yes, a good security person might cost money, but not as much as the cost of being breached, and not even as much as the cost of the outside consultants we use to do the same thing. We would still need some hours for outside companies to do penetration testing, but we wouldn't need nearly as many hours of external consultants.

Sony?

[Flipstylee]

Nah, that's not all that bad!

Re:Dudes, SHARED, not STOLEN

[Spad]

Duplicated without consent.

How many?

[rickb928]

Krebs on Security stated the number was 10 million. GP and all initially admitted to 50,000.

I'm betting on Krebs. He's pretty reliable, or at least his sources are.

Re:Nothing was stolen

[dkleinsc]

Let me make your argument a different way, now tell me what the difference was:
(A) Smith borrowed the keys to Johnson's car, went to a locksmith and made a copy, gave Johnson his keys back as promised, and then sold the key to a guy who stole everything in the car.
(B) Jones sat down in front of a photograph by Johnson hanging in the gallery and took a photograph of it that looked essentially identical, and developed that photo of a photo in large prints for his wall and his friends.

There's plainly a legal and moral difference between what Smith did and what Jones did, even though both Smith and Jones took nothing directly from Johnson.

Re:Nothing was stolen

[KhabaLox]

I'm guessing most /.ers don't have a problem with the people copying the CC numbers. They just have a problem with them using those numbers to buy stuff.

Chargeback fees provide big profits to banks

[Dainsanefh]

As mentioned at the other article related, because each time when there is a chargeback, the bank will take back the money from the merchant + somewhere between $15-$65 per transaction as a penalty. They have no incentives to make the system more secure.

Unless the law changes that makes the bank and VISA/MC liable for any fraudulent trasnactions, online or offline.

Re:Nothing was stolen

[ACS+Solver]

Idiotic argument. The problem isn't the criminals having the card numbers per se. The problem is that these numbers can then be used to steal your money - as in actually steal because you won't have the money afterwards.

Just give up already.

[erik+umenhofer]

At what point do we just assume that all CC #s have been stolen and if you haven't had your card # stolen yet, it's just a matter of time.

Re:Just give up already.

[jaymemaurice]

Let the banks/merchants decide that... it will be when un-recoverable fraud becomes more expensive then the convienience of the credit card. Personally, I always assume already that my credit card has been compromised and check my statements. At the end of the day, a credit card is credit and therefore is not my money. That is why I do not believe in prepaid cards and keep a card with a high credit limit... they are more likely to fight for their money if I am not going to pay for fraud at the hands of a merchant/third party.

Debit and credit cards compromised

[jbov]

Debit != Credit. Learn the difference and learn to read before commenting next time

Heed your own advice before being rude. Global Payments processes debit, credit, and gift cards. Debit and credit cards were exposed by the breech. Fraudulent activity has been reported on both.

Re:Debit and credit cards compromised

Debit != Credit.
Learn the difference and learn to read before commenting next time

Debit cards are stupid for just the reasons you listed, all of which credit cards are basically immune to.

Heed your own advice before being rude. Global Payments processes debit, credit, and gift cards. Debit and credit cards were exposed by the breech. Fraudulent activity has been reported on both.

I'm assuming he does, and if he has a debit card, it is PIN only. It wont retroactively help anyone, but his advice is reasonable.

Re:Dudes, SHARED, not STOLEN

[biodata]

You are right, the numbers were not stolen, and noone had anything stolen from them, except anyone who ends up paying for any fraudulent transactions. I'm pretty sure we don't own 'our own' credit card numbers, the numbers belong to the banks is my guess, or to a number issuing authority which leases them to the banks. The numbers were not stolen from the banks, they were copied from a third party, who disclosed them, possibly by mishandling or bad security practices, to another third party. The banks chose to discontinue their use of those particular numbers, to mitigate against the risk of fraud, but I think the original owner still owns them. Their value does not change in the long run.

Re:Nothing was stolen

That's rather disingenuous. In the modern version of B, Jones's copy ends up online, either from him or his friends passing it around.

Now Johnson and the gallery have nothing: the /uniqueness/ of the original made the livelihood of both possible. It's the groceries and the mortgage payments. It's a hell of lot bigger loss than the insured car.

Re:Nothing was stolen

Let me make your argument a different way, now tell me what the difference was:
(A) Smith borrowed the keys to Johnson's car, went to a locksmith and made a copy, gave Johnson his keys back as promised, and then sold the key to a guy who stole everything in the car.
(B) Jones sat down in front of a photograph by Johnson hanging in the gallery and took a photograph of it that looked essentially identical, and developed that photo of a photo in large prints for his wall and his friends.

There's plainly a legal and moral difference between what Smith did and what Jones did, even though both Smith and Jones took nothing directly from Johnson.

Well one is an issue of copyright, and obviously differs from the other, an issue of larceny? An argument that does not make.

at the cost of our credit rating...

This has happened to me twice before, once with SONY and the other time was with the actual bank itself. Both times they have issued me a new card and my credit rating suffered a total of 80pts. That's a lot of hitpoints =/ But that's okay, because these banks don't care, they will just raise my APR to its legal limit, which is ridiculous considering that I have near-perfect (890) credit. Thanks banks and credit bureaus, you make me feel so good when I bend over and take it like a Swedish gimp.

Re:Nothing was stolen

[dkleinsc]

All I did was took OP's argument and took it into an offline context: The copied credit card numbers have been replaced by the copied car key, and the copied photograph could be any creative work. Hence why copying credit card numbers and copying an mp3 are not legally or morally equivalent.

Re:Nothing was stolen

But, it means that one digital number was subtracted from another digital number. See nothing was stolen. Just like when a pirate makes a copy of software and steals the developers income. Hooray for software piracy making everything more understandable.