Slashdot Mirror


Up To 1.5 Million Visa, MasterCard Credit Card Numbers Stolen

An anonymous reader writes "Global Payments, the U.S.-based credit card processor company that experienced a security breach affecting Visa and MasterCard, confirmed that the breached portion of its processing system was confined to North America. The company also finally revealed how many credit card numbers were stolen: around 1,500,000."

9 of 189 comments

  1. Recourse? by mws1066 · · Score: 5, Interesting

    And what recourse do card holders have? How do we know if our number was stolen, passed around, and now someone is just holding onto it indefinitely and might leap to use it after this whole thing blows over? A bit frightening.

    --
    Nothing is more dangerous than a programmer with a screwdriver.
    1. Re:Recourse? by robinsonne · · Score: 5, Funny

      None whatsoever, but maybe I should go on a spending spree and max out my card so that the crook(s) have to pay my bill before they can do anything with my card!

    2. Re:Recourse? by MetalliQaZ · · Score: 5, Funny

      I assume that by "the crooks" you mean Mastercard and Visa, right? :)

      --
      "Here Lies Philip J. Fry, named for his uncle, to carry on his spirit"
    3. Re:Recourse? by Anonymous Coward · · Score: 5, Interesting

      I think that Global Payments should be forced to contact all people who had their information stolen AND reimburse them for any damages

      Your recourse is through your bank and/or card issuer, not the processor, and that fact is greatly beneficial to you. A massive breach could easily put a company out of business, especially if that company were already in trouble. In that situation, if they were liable for your losses, you would have to wait years for bankruptcy court to sort it out, and you would likely only get back a portion of your losses. The bank that issued your card is legally required to have the cash on hand to be able to pay you back, so it works out much better for you that it is their obligation. Yes, you may have to fill out a few forms, and your money will not come back instantaneously, but I don't think there's a constitutional amendment requiring that you never be mildly inconvenienced, so suck it up and take it. Shit happens.

    4. Re:Recourse? by modernzombie · · Score: 5, Insightful

      My bank called me a couple months ago (not related to this incident) and said that they were cancelling my card and issuing me a new one because they had reason to believe it could have been compromised even though no fraudulent charges had been made. This seems like the appropriate thing to do. The card issuers should be contacting their customers to have the cards replaced.

    5. Re:Recourse? by SniperJoe · · Score: 5, Informative

      Actually, that's not true at all. If you fail to report fraudulent transactions within 60 days of statement mailing, the bank and/or credit card company is not responsible for any investigation or repayment under the Fair Credit Billing Act.

      http://www.ftc.gov/bcp/edu/pubs/consumer/credit/cre04.shtm

    6. Re:Recourse? by tripleevenfall · · Score: 5, Funny

      The burden on the consumer to protect themselves is not high. All you have to do is what you should already be doing, looking over your statement and reporting anything you have questions about.

      Why should I be doing this? I make dozens, perhaps hundreds of transactions each month. My looking over my statement is easily subject to human error.

      Why should you look after your own finances? I wouldn't think higher critical reasoning would be required to convince you to do so.

  2. New Security Model by MetalliQaZ · · Score: 5, Informative

    That government guy from the cyberwar scare story last week had it right... We need a new security model. Just assume that your credit card numbers, your social security number, etc., are already compromised. Those things were never designed to be secure, and companies that we trust with this data simply can't keep them safe. We just have to accept that the bad guys are all up in our business and adjust our practices accordingly. We could do it.

    --
    "Here Lies Philip J. Fry, named for his uncle, to carry on his spirit"
    1. Re:New Security Model by nine-times · · Score: 5, Insightful

      Well it's not so much "we need a new security model" as "we need a security model". As you said, these things were never designed to be secure in the first place.

      Lots of businesses and government organizations use your SSN as an authentication method-- i.e. knowing your SSN is considered proof that you are who you say you are. However, your SSN is also just your ID number, and you're constantly being asked to provide it to people. In computer terms, it would be like asking people to use the same username in lots of different places, and then having everyone use their username as their password.

      IMO we should be using some kind of private-key encryption to verify identity. I don't like the idea of being forced to identify yourself, but if they're requiring some kind of verification/authentication, it should at least be secure. Of course, this would also require us to develop and deploy an additional layer of infrastructure for providing/reading/revoking these private keys, and it would also raise questions of whether/when/how we want to allow anonymity in such a system. There are lots of issues to work out, but we should be working on it.
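
Added example, not part of the original thread: a Go sketch contrasting a static identifier used as a secret with the key-based verification the last comment asks for, implemented here as an Ed25519 challenge-response signature (one possible reading of "private-key" verification). The `Verifier` type, its methods and the placeholder number are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Verifier is a hypothetical relying party (bank, agency) holding one enrolled identity.
type Verifier struct {
	ssnOnFile string            // static identifier treated as if it were a secret
	pubKey    ed25519.PublicKey // enrolled public key; the private key stays with the holder
	pending   []byte            // outstanding one-time challenge, nil when none
}

// CheckStatic is the "username as password" scheme: anyone who ever saw the value passes.
func (v *Verifier) CheckStatic(claimed string) bool { return claimed == v.ssnOnFile }

// NewChallenge issues a fresh random nonce for the holder to sign.
func (v *Verifier) NewChallenge() []byte {
	v.pending = make([]byte, 32)
	if _, err := rand.Read(v.pending); err != nil {
		panic(err)
	}
	return v.pending
}

// CheckSigned accepts a signature only over the outstanding challenge, then retires it.
func (v *Verifier) CheckSigned(sig []byte) bool {
	ok := v.pending != nil && ed25519.Verify(v.pubKey, v.pending, sig)
	v.pending = nil
	return ok
}

// Demo reports whether each attempt was accepted by the verifier.
func Demo() (staticReplay, honest, sigReplay bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	v := &Verifier{ssnOnFile: "000-00-0000", pubKey: pub} // constructed placeholder value
	staticReplay = v.CheckStatic("000-00-0000")           // value copied from any form or breach
	sig := ed25519.Sign(priv, v.NewChallenge())
	honest = v.CheckSigned(sig) // holder signs the live challenge
	v.NewChallenge()            // next session gets a new nonce
	sigReplay = v.CheckSigned(sig) // captured signature presented again
	return staticReplay, honest, sigReplay
}

func main() { fmt.Println(Demo()) }
```

The static check accepts a copied value indefinitely, while a captured signature is useless against the next nonce; key issuance and revocation, which the comment also raises, are outside this sketch.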