Slashdot Mirror


Up To 1.5 Million Visa, MasterCard Credit Card Numbers Stolen

An anonymous reader writes "Global Payments, the U.S.-based credit card processor company that experienced a security breach affecting Visa and MasterCard, confirmed that the breached portion of its processing system was confined to North America. The company also finally revealed how many credit card numbers were stolen: around 1,500,000."


  1. Recourse? by mws1066 · · Score: 5, Interesting

    And what recourse do card holders have? How do we know if our number was stolen, passed around, and now someone is just holding onto it indefinitely and might leap to use it after this whole thing blows over? A bit frightening.

    --
    Nothing is more dangerous than a programmer with a screwdriver.
    1. Re:Recourse? by robinsonne · · Score: 5, Funny

      None whatsoever, but maybe I should go on a spending spree and max out my card so that the crook(s) have to pay my bill before they can do anything with my card!

    2. Re:Recourse? by Bigby · · Score: 4, Informative

      Whether it is used now or later, you are not liable. Your recourse is that you are NEVER liable for credit card transactions.

      And VISA already dropped Global Payments. Let the market and common law handle this...

    3. Re:Recourse? by jmauro · · Score: 4, Informative

      They dropped them from the list of "secure" providers. Global Payments is still authorized to handle VISA credit card payments.

    4. Re:Recourse? by MetalliQaZ · · Score: 5, Funny

      I assume that by "the crooks" you mean Mastercard and Visa, right? :)

      --
      "Here Lies Philip J. Fry, named for his uncle, to carry on his spirit"
    5. Re:Recourse? by Anonymous Coward · · Score: 5, Interesting

      I think that Global Payments should be forced to contact all people who had their information stolen AND reimburse them for any damages

      Your recourse is through your bank and/or card issuer, not the processor, and that fact is greatly beneficial to you. A massive breach could easily put a company out of business, especially if that company were already in trouble. In that situation, if they were liable for your losses, you would have to wait years for bankruptcy court to sort it out, and you would likely only get back a portion of your losses. The bank that issued your card is legally required to have the cash on hand to be able to pay you back, so it works out much better for you that it is their obligation. Yes, you may have to fill out a few forms, and your money will not come back instantaneously, but I don't think there's a constitutional amendment requiring that you never be mildly inconvenienced, so suck it up and take it. Shit happens.

    6. Re:Recourse? by modernzombie · · Score: 5, Insightful

      My bank called me a couple months ago (not related to this incident) and said that they were cancelling my card and issuing me a new one because they had reason to believe it could have been compromised even though no fraudulent charges had been made. This seems like the appropriate thing to do. The card issuers should be contacting their customers to have the cards replaced.

    7. Re:Recourse? by Qzukk · · Score: 4, Insightful

      You could, oh I don't know, cancel your cards and replace them? But I guess complaining about it on /. is more fun.

      That's not "recourse" that's "damage control".

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    8. Re:Recourse? by SniperJoe · · Score: 5, Informative

      Actually, that's not true at all. If you fail to report fraudulent transactions within 60 days of statement mailing, the bank and/or credit card company is not responsible for any investigation or repayment under the Fair Credit Billing Act.

      http://www.ftc.gov/bcp/edu/pubs/consumer/credit/cre04.shtm

    9. Re:Recourse? by tripleevenfall · · Score: 4, Informative

      The burden on the consumer to protect themselves is not high. All you have to do is what you should already be doing, looking over your statement and reporting anything you have questions about.

      Aside from this, it seems likely they will notify the people who were affected and issue them new cards if they can identify who they were. It may not be possible to tell which numbers were stolen, only which were exposed.

    10. Re:Recourse? by tripleevenfall · · Score: 4, Funny

      We give trucker cap. Look good for ladies.

    11. Re:Recourse? by KhabaLox · · Score: 4, Insightful

      GP should be fine. It looks like the average loss is anywhere from $1 to $10 per account, so they're looking at an upper bound of $15-$20m, or about 5% of their unrestricted cash assets.

      From an article linked to in TFA:

      Global Payments, the processor blamed for a Visa and Mastercard data breach last week, is likely to be able to manage its financial hit related to beefing up security. ...
      If that figure sticks, Global Payments can weather the data breach, analysts said. For instance, Wells Fargo Timothy Willi said in a research note that Global Payments, which has $300 million to $400 million in unrestricted cash, can pay for the damage.

      Willi’s take, which lines up with other analysts, is based on the data breach suffered by Heartland in 2008. Heartland is another payment processor and the accounts compromised ran as high as 130 million in a breach that lasted for months. Heartland’s tab to date has been $147 million.

      Given Global Payments’ compromised accounts is about 10 million the tab should be lower. RBS WorldPay also had 1.5 million accounts compromised with $9 million of fraud losses.

      --
      Ceci n'est pas un sig.
    12. Re:Recourse? by whoever57 · · Score: 4, Interesting

      Which is why you're supposed to tell your travel schedule to your credit card companies. Lazy or a troll?

      Recent experience: My wife went to the UK (we live in the USA) recently. I phoned the credit card company in advance and told them she would be in the UK. Cards on the account have been used in the UK on a fairly regular basis. Her card was suspended within a couple of days of her arrival. So, what's the point of calling the credit card company?

      --
      The real "Libtards" are the Libertarians!
    13. Re:Recourse? by tripleevenfall · · Score: 5, Funny

      The burden on the consumer to protect themselves is not high. All you have to do is what you should already be doing, looking over your statement and reporting anything you have questions about.

      Why should I be doing this? I make dozens, perhaps hundreds of transactions each month. My looking over my statement is easily subject to human error.

      Why should you look after your own finances? I wouldn't think higher critical reasoning would be required to convince you to do so.

    14. Re:Recourse? by Solandri · · Score: 4, Informative

      Don't do that. The banks and credit card companies have gamed it so that they don't pay for fraud - the merchants do. They've made it the merchant's responsibility to make sure the card is not being used fraudulently, while simultaneously pushing through a law which prohibits declining a card because the user refuses to show ID (because that would, y'know, discourage credit card use*). If you contest a charge and the merchant cannot prove that you actually made the charge (usually a copy of your signature on the charge slip), the processor will reverse the payment. The merchant is out the money and the merchandise. The card processor suffers the minor inconvenience of having to pay someone to field your phone call and having to run a second transaction to reverse the initial purchase. That is why some places will ask for your zip code or home phone number, or won't deliver to anywhere but your home address when you buy with a card. Those are the only tools merchants have to prevent fraud.

      * They also pushed through a law prohibiting merchants from charging extra for credit card transactions to cover the additional risk of fraud. Some merchants get around it by offering a cash discount.

    15. Re:Recourse? by sexconker · · Score: 4, Interesting

      Well, yes, at least these are CREDIT cards, not bank cards. This is exactly why I don't have a bank card and only use a credit card - at least it provides a buffer to my money. If I see charges on a bill that are suspect, I don't HAVE to write the credit card company a check. But if a criminal got a hold of someone's bank card...

      Maybe I'm wrong - does anyone use a bank card and feel safe?

      I left Bank of America because of this (and other, previous horse shit).
      Some scam "company" initiated an ACH transaction against my checking account (not even a debit purchase, it was straight ACH).

      They farm account numbers from dumpsters, internets, and call center slaves who are easy to bribe. Then they initiate fraudulent transactions for "supplemental medical insurance". You can go to their various shell websites and quickly see that the insurance is of course non-existent. The only service they offer is theft.

      So I called Bank of America and said "This is bullshit." and they wanted to do the whole 7-10 day, affidavit, wait to get my money back, horseshit.
      I got my money back faster (from the company) by threatening to sue and reporting them to the NY State Attorney's office.

      Bank of America said they could not (would not) block future transactions from that company. Sure, they could block debits from that company for the same amount (down to the cent), so if they try to take $49.95 they can't get it, but if they try $49.96 or $4999.95 they get it instantly. BoA wouldn't even let me file a complaint against them. Since I had gotten my money back, they refused to let me file a claim where I did not seek a refund. Of course, why would the bank want to make my money secure or investigate fraud? They profit off transactions, interest, fees, fraudulent charges, etc.

      My only option, according to BoA, was to open a new checking account to get a new number that hopefully they wouldn't be able to steal.
      So I did. Except the new checking account wasn't at BoA.

    16. Re:Recourse? by penix1 · · Score: 4, Insightful

      The problem with that analysis is it doesn't take into account the hit to reputation. These companies only exist because of trust that the data is correct and secure. Loss of that trust means people will jump ship faster than rats leaving a sinking ship. I suspect the only reason Heartland survived was it is an industry that is "too big to fail" meaning there are very few processors out there for people to jump ship to that hasn't suffered the same problems or worse.

      --
      This is a sig. This is only a sig. Had this been an actual sig you would have been informed where to tune for more sigs.
    17. Re:Recourse? by Anonymous Coward · · Score: 4, Informative

      Posted anon on purpose.

      I work for a credit card company and we give out both Visa and Mastercard. When there is a fraud, WE pay the money. If you need a new card WE pay for that new card.

      If you contest a charge and there is anything reasonable (so no cash withdrawal with your PIN code) we will FIRST give you the money back, then start the investigation and if there is no actual fraud (or more likely a fraud attempt of the cardholder) he will see it on a later bill.

      This means in many cases that the merchant has the money, the customer has nothing to pay and we end up with the bill.

      Now if the USofA would start using a modern system like the rest of the world, instead of still using the magnetic strip confirmed by a signature on the card, use the PIN code system with a chip. This seriously will increase security.

      As far as we are concerned, if you go to the US, it will cost US money, because of the backwater system that is used.

      Almost all of the world has changed to a more secure system, yet the US is somehow unable to get up to speed.

      Will it exclude all situations or all fraud? No, but it will seriously reduce it. How? If you do not have the code, you can only try to buy stuff on the Internet. The moment the card is noted as stolen, even that won't work, because the card is blocked from that moment on.

  2. Where is the list ? by Lennie · · Score: 4, Funny

    I want to check if mine is on the list ;-)

    --
    New things are always on the horizon
  3. New Security Model by MetalliQaZ · · Score: 5, Informative

    That government guy from the cyberwar scare story last week had it right... We need a new security model. Just assume that your credit card numbers, your social security number, etc., are already compromised. Those things were never designed to be secure, and companies that we trust with this data simply can't keep them safe. We just have to accept that the bad guys are all up in our business and adjust our practices accordingly. We could do it.

    --
    "Here Lies Philip J. Fry, named for his uncle, to carry on his spirit"
    1. Re:New Security Model by nine-times · · Score: 5, Insightful

      Well it's not so much "we need a new security model" as "we need a security model". As you said, these things were never designed to be secure in the first place.

      Lots of businesses and government organizations use your SSN as an authentication method-- i.e. knowing your SSN is considered proof that you are who you say you are. However, your SSN is also just your ID number, and you're constantly being asked to provide it to people. In computer terms, it would be like asking people to use the same username in lots of different places, and then having everyone use their username as their password.

      IMO we should be using some kind of private-key encryption to verify identity. I don't like the idea of being forced to identify yourself, but if they're requiring some kind of verification/authentication, it should at least be secure. Of course, this would also require us to develop and deploy an additional layer of infrastructure for providing/reading/revoking these private keys, and it would also raise questions of whether/when/how we want to allow anonymity in such a system. There are lots of issues to work out, but we should be working on it.

  4. Easy fix by alaffin · · Score: 4, Insightful

    The thing is there are so many better ways to do things right now. For starters, you could force any retailer that wants to accept credit cards to upgrade to a chip and pin setup or lose their ability to accept credit cards. Chip and pin isn't perfect, but it's better than a magnetic stripe and a signature. For card not present transactions allow Visa card holders to create a one time credit card number (with a maximum limit) via the internet or over the phone. Want to buy something on line? Generate your own credit card number to the exact value of what you're buying. That CC # number expires at the end of the day - meaning that even if you gave it a ridiculous limit and then sent it to a shady site they'd have 24 hours to use it.

    Of course implementing these fixes would cost more than just paying the scammers, so we'll never see it happen.

  5. Re:Nothing was stolen by dkleinsc · · Score: 4, Insightful

    Let me make your argument a different way, now tell me what the difference was:
    (A) Smith borrowed the keys to Johnson's car, went to a locksmith and made a copy, gave Johnson his keys back as promised, and then sold the key to a guy who stole everything in the car.
    (B) Jones sat down in front of a photograph by Johnson hanging in the gallery and took a photograph of it that looked essentially identical, and developed that photo of a photo in large prints for his wall and his friends.

    There's plainly a legal and moral difference between what Smith did and what Jones did, even though both Smith and Jones took nothing directly from Johnson.

    --
    I am officially gone from /. Long live http://www.soylentnews.com/