Lost Credit Data Improperly Kept, Company Admits 272
Zak3056 writes "Last week, Mastercard announced that up to 40,000,000 credit card numbers may have been compromised by one of their processing companies. Today, the New York Times (registration, along with first born child, required) is reporting that the company in question, CardSystems Solutions, should not have been retaining that data to begin with. John M. Perry, CEO of the processor in question, claims the data was merely being kept for 'research purposes.' The number of compromised Master Card accounts has been revised downward to about 68,000, with another 132,000 possibly compromised accounts belonging to Visa, American Express, and other companies."
Slight difference? (Score:5, Interesting)
Re:Slight difference? (Score:5, Insightful)
Re:Slight difference? (Score:5, Interesting)
CISP and PCI compliance [visa.com]
If data in a vendor's system is compromised, Visa and Mastercard will charge fines upward of a hundred thousand dollars per violation, and by the time a third violation occurs, your place of business may be denied use of credit card services permanently.
That's a good thing for everyone, but when crap like this happens it pisses me off. Credit Card companies are (correctly) requiring the strictest standards for storing cardholder data by vendors, but at the same time they themselves are losing 40 million cardnumbers, losing unencrypted backup tapes in shipping, etc. What pisses me off is that if I screw up and lose a credit card number into the wild, I get fined 100K. If they lose 40 million cards, what are they gonna do, fine themselves?
Re:Slight difference? (Score:2)
Exactly. And that, in my opinion, is why identity theft and similar crimes are still such a huge issue. The banks are not liable for the loss. The consumer or the merchant gets stuck with the loss (the consumer does have some legal protections).
If someone gets a fake card in your name, or steals your card, the merchant usually ends u
Re:Slight difference? (Score:2)
Re:Slight difference? (Score:2)
Really? We handle a *lot* of credit card transactions every day, and I've never heard of this. All I got was a 20 page brochuse with *tiny* type when I first got a merchant account years ago. Security? Ha! Do you know what is supposed to happen with signed credit card receipts? No? Me neither! Ask any retailer... nobody knows! Data stored on computers
Re:Slight difference? (Score:3, Informative)
Read and enjoy. Deadline is the 30th of this month.
shut 'em down. Re:Slight difference? (Score:2)
keep no numbers, folks, pass 'em or bilge 'em.
Re:Slight difference? (Score:2)
Aren't there crimianal charges that should apply in the USA? There are laws in in other countries to penalise this sort of behaviour.
Re:Slight difference? (Score:2)
Certainly wouldn't be allowed over here (it's illegal to pass on such data without explicit permission, and even then the DPR can turn around an fine you if you had no legitimate use for the data in the first place).
Re:Slight difference? (Score:3, Interesting)
Re:Slight difference? (Score:3, Insightful)
This is still an apporximation, but a much nicer one than the 40 million that were "potentially" compromised originally.
Yes, it's still completely intolerable for this to have happened, as the processor shouldn't store that data any longer than it takes to process the charge.
At least Mastercard is stepping up and taking control of this situation, I haven't seen a story about the other companies taking a
Re:Slight difference? (Score:3, Informative)
MasterCard said Saturday that 68,000 of its own account numbers were especially at risk because they were in a file found to have actually been "exported from the system."
In other words, 68,000 numbers were in a file exported from the system, but the system still contained 40 million credit card numbers from different credit card companies (Mastercard, Visa, American Express, etc).
They have No clue as to how many were stolen (Score:3, Insightful)
No Reg Link (Score:5, Informative)
Btw, NoReg for this article [nytimes.com].
Ad Free Link (Score:5, Informative)
Re:Ad Free Link (Score:2)
(For me it was a gif).
Credit Card Doublespeak (Score:5, Informative)
Correction... (Score:2)
Remember, although only 68,000 cards had the necessary secondary information on that site to exploit, that secondary information may otherwise be available. It just won't be provable that it's this company's fault.
Personally, I'd like to see a new law introduced, in which the loss o
Re:Credit Card Doublespeak (Score:2)
They didn't include a handy link to the banks' website to login did they....
(I don't even trust it when my bank phones me. I ask for their department/name and phone the bank back on their registered number. Occasionally the bank clerk has got pissy with me about that, but most of them are quite happy to go through the extra security check).
in that case... (Score:2, Funny)
well, that makes it ok then. NOT!
Or... (Score:2)
...how quickly they can get nailed with a class action lawsuit?
this is not an error (Score:5, Funny)
I think credit card numbers... (Score:2, Interesting)
...are horrendously obsolete and insecure.
We should be allowed to tell the store guy "I'll give you credit online." We should be able, within a reasonable period, to go home and specify the store to give credit to, along with the credit needed.
Example: I want the latest pair of Nikes. I'd try my size on, and tell the store clerk I want to pay with credit. He'd give me a voucher with a unique code that can be used to give him credit (a bit like wiring money).
Within 7 days (a month if it was a car or
Re:I think credit card numbers... (Score:2)
Basically, it's a service from the bank, giving you the opportunity to create disposable one time, amount limited, credit card numbers, with a shorter than normal expiry time. More or less does exactly what you want, but in a totally different way... :)
Backside: Only works for online purchases, unfortunately. OTOH, this is /. so there isn't really any re
Re:I think credit card numbers... (Score:3, Interesting)
Doesn't really help with impulse buying.
Personally, I think all credit card transactions should be PIN based rather then simply signature.
Then lets get wild...
Let's increase the digits a bit in length? Now, card numbers are issued every six months? Or if you want to opt for an online-only card #. You can get a new one every month or two months.
I really hate keeping the same card number for years. It almost gurantees that some asshat will store my data and get
Re:I think credit card numbers... (Score:2)
You would have to auth it at home, BUT you'd be able (to a reasonable extent, barring weight limits, and purchases people obviously can't afford) to exceed the credit limit, albeit with a small fee as usual. Since the vendor gets no credit card number (only a voucher showing that the specific purchase was paid for, if it is paid for), they won't know how close to the limit the purchaser is.
As long as the purchaser wire
Re:this is not an error (Score:3, Interesting)
First of all, the hacked system in question belonged to a payment processor, not a merchant. Second, merchants already do keep them. Walmart's central data warehouse has a consumer's entire transaction, including credit card number, within 15 minutes of the POS transaction. I went to Home Depot to make a return without a receipt and with a swipe of my cc the cashier had the transaction on screen in
Re:this is not an error (Score:2)
They may only actually keep a hash of your credit card number & expiration date. When they swipe your card the second time they just search for a matching hash, which means
Re:this is not an error (Score:3, Interesting)
Security is fine and all, but I really like convenience, and I really like that when someone screws up, my bank fixes it. They can go hand in hand.
Dunkin Donuts (Score:2)
Funny thing is we would probably shop there. All nicotine and caffeine diet and all.
Lawsuit (Score:5, Interesting)
Re:Lawsuit (Score:5, Funny)
Hey, for betting; do you take credit cards?
Not just one (Score:5, Interesting)
Newly revised figures... (Score:4, Funny)
This isn't working out.. (Score:5, Insightful)
/end rant
Aero
Re:This isn't working out.. (Score:5, Insightful)
Something that's communicated when the authorization is taking place, checked against a nice secure server, and then is forgotten and not retained.
The essential point you're missing here is that, currently, your 16-digit card number _is_ this something. The core of the problem (this time at least) is that the processing company wasn't following those rules. What keeps them from holding on to your passphrase for 'analysis'?
Re:This isn't working out.. (Score:2)
You mean like this [chipandpin.co.uk]?
Most retailers in the UK now have terminals where you punch in your PIN at point of sale. Has that made it across the pond yet?
Only problems I can see - I can see it resulting in an increase in ATM muggings,
Re:This isn't working out.. (Score:2)
4 digit pin.. any twit can watch you type 4 digits and memorize it. Why not 10? 20? A wasted opportunity to increase security IMO.
The terminals that the retailers use have *no* attempt at security (hand covers etc.) so the above becomes not only possible but likely.
Also, You're typing in public the same PIN that gives you ATM access to your entire bank account - and may of the standalone ATMs do *not* verify using the smartcard, meaning that duplication is more likely not less.
Plus the change in
Re:This isn't working out.. (Score:2)
Re:This isn't working out.. (Score:5, Insightful)
No, to block things you'd need to do more than tell them not to retain information. You'd need to make sure that even if they did, it was useless. This might point towards requiring people to generate one-time passwords, which would probably be a fair expensive.
Re:This isn't working out.. (Score:2)
Re:This isn't working out.. (Score:4, Insightful)
The best solution is to shift the responsibility for fraud to those that are responsible for allowing it - the merchants who process card transactions. This is how it is already done, and the fact that plenty of merchants still do business with credit cards proves that the system works, despite the fact that CC companies don't "give a shit."
As a consumer, I'd be perfectly fine with everyone knowing my credit card number because I'm not responsible for fraudulent purchases by law. This is a system that works.
What you should really be upset about it is the system that allows identity theft to run rampant. Though the two are related, there is a fundamental difference between someone else using a credit card you've established in your name and someone else using a credit card that they've established in your name.
The current system is much weaker against this type of activity because the burden of responsibility for fraud is still heavily on the consumer rather than the parties that allow identity theft to be profitable (mainly banks, but to a lesser extent any industry that relies on credit reporting). The solution to this problem is not so clear.
but there is a technical solution (Score:2)
This credit card account theft would not have occurred if we used smart cards capable of public key cryptography instead of numbers/passwords/passphrases/etc to authenticate our financial tr
public key crypto (Score:2)
Key Card (Score:2)
Re:This isn't working out.. (Score:2)
NYT ?? What gives (Score:5, Informative)
http://www.internetnews.com/security/article.php/
Nope, no registration needed (PSA?) (Score:2)
NPR (Score:2)
link [npr.org] (realaudio, wmp)
convinience vs. security (Score:2, Insightful)
It's the price you have to pay for the convenience credit cards offer.
Re:convinience vs. security (Score:2)
Find a different balance point (Score:3, Insightful)
There are ways to do secure payments, usually involving cryptography. Generally, it works like a "digital check" where you create an authorization for a payment, digitally sign and date it, and then hand it over. They never have access to your credit card number, because the real secret is your private key, which never leaves your PDA/smart card/phone/etc. Your bank ensures that the "check" is only cashed once,
Re:Find a different balance point (Score:2)
The current system boils down to: it's the merchant's problem if there's fraud. Your liability is quite limited. Before identity theft was common this was a fine system.
What's the deal here? (Score:2)
Re:What's the deal here? (Score:3, Informative)
We're hearing about it more because California passed a new law requiring disclosure of privacy breaches. California citizens get notified and that opens the story to the news media.
By the way, this is the same California that the conservatives love to bash for being "anti-business".
You're welcome.
It's like the commercials (Score:5, Funny)
Homemade Computer - $700
2 Liters of Mountain Dew - $2
Stealing 40 Million people's credit card information with your 1337 h@x0r s|i77z - Priceless.
There's somethings that money can't buy, but for everything else, there's MasterCard.
Re:It's like the commercials (Score:2)
Not that a true haxor ever *ever* reboots.
Re:It's like the commercials (Score:2)
|337 h4x0r 5k1||z
you could even setup and use your own l337 character set [mozdev.org].
Not Surprising (Score:5, Interesting)
The security of the data is nothing more than a second thought to many of these companies. If they feel they can keep around a huge data mine of everyone's data they can get their hands on, in violation of the proper procedures, it should come as no surprise that they wouldn't be that vigilant in securing it properly.
Support legislation making this a crime. (Score:5, Interesting)
Re:Support legislation making this a crime. (Score:3, Informative)
Thats why this never happens in the UK.
Re:Support legislation making this a crime. (Score:2)
In this case I would be *very* surprised if this company isn't on the receiving end of a stack of negligence lawsuits from the companies that had to cover the loss from transactions affecting the compromised accounts. If they were wrongfully retaining the data in the first place (and the rules against retention would be in place specifically to prevent the type of damage that has arisen), the success
So, there's a new name for a file? (Score:4, Informative)
Translation: ``We've come up with some fiction which will let us maintain plausible deniability next time we lose data we shouldn't have had in the first place.''
As for the sensitive data, he added, "We no longer store it on files."
Translation: ``We're going to come up with some nifty new word to replace the word `file', so we can truthfully say that we no longer have your data in our files.''
More seriously, it makes good sense to me that they were retaining data for research purposes. They'd be irresponsible not to, just as surely as they were irresponsible not to have an air gap between that data and the internet.
Re:So, there's a new name for a file? (Score:2)
The hell? Remediated isn't even a word! Are you going to believe the CEO of a company when he makes up words?
Re:So, there's a new name for a file? (Score:2)
"The hell? Remediated isn't even a word!"
Yeah, but 'remedied' isn't on the buzzword bingo card.
Why isn't there one company that isn't this stupid (Score:3, Insightful)
Re:Why isn't there one company that isn't this stu (Score:2)
The issue is that malicious hackers don't go after the processors which are well protected, and a story like "Responsible Company Follows Security Guidelines; Doesn't Get Hacked" probably won't make it to the front page of the NYT.
(or
Time for a new system (Score:4, Insightful)
We need a new system based on PGP or something. A system where we have single-use transaction numbers, and you have give a PGP signature for each usage of a transaction number. Right now it's way to easy for hackers to steal credit card information, or for unethical merchants to make unauthorized charges. We need to put the consumer back in charge of their own finances.
Currently , any 'merchant' can charge whatever they want once they have your credit card number. Sure, you can issue a chargeback or contest the charges, but why should *you* have to clean up after someone messes with your account? It's ridiculous.
Re:Time for a new system (Score:2)
Re:Time for a new system (Score:2)
So what, you have $50 max liability by law but Visa and the other cc guys guarantee no liability. You know how easy it is to dispute charges? Here's what happens when someone steals your credit card. You get a call, "hi this is so and so from chase visa fraud department. We detected fraud like behavior. Can yo
Bullshit Flag.. (Score:2, Insightful)
Is that so? I'm going to have to throw the bullshit flag on this one. Any numbers that add up to a nice round number like '200,000' are complete crap that someone pulled directly out of their arse.
I'm sorry, but I just don't buy it. I say they don't have a fucking clue how many numbers were exposed.
Aer
Tougher privacy laws. (Score:4, Insightful)
Re:Tougher privacy laws. (Score:2)
As its been said: The best-laid plans of mice and men often go awry.
Time to teach some math skills... (Score:3, Interesting)
The other interesting mathimatical issue that came up was the child molester in Oregon, he was reported to have molested 30,000 kids over 35 years, 12 of which he spent in jail, hmmmm
that would be over 4 seperate kids a day.
I can't even find a way to molest 4 seperate drunk girls in a night with out at least one of them telling someone. I am calling bullshit on this one.
No, but maybe tim eto double check the wordage (Score:2)
Re:Time to teach some math skills... (Score:2, Interesting)
40,000,000 cards
16 acct digits per card
4 date digits per card
3 security digits per card
======================
7.1526 gig of data
If you use any compression or if the data were stored in a more efficient manner than ascii, the size drops dramatically.
Even a full 7.1 gig can go down a DS3 in ~25 minutes. Even T1 takes less than 12 hours (read: start at 6pm finish at 6am).
Possibly more still -- not only 68,000 (Score:2)
So in reality, they are only saying that they know of 68k that were downloaded. I believe it should be treated as if the other 39 million were compromised. I mean if someone cracks a system on your network do you only consider passwords used on that machine to be compromised? No, you change them all!
We end up paying in the end... (Score:3, Insightful)
"Zero liability for customers means that fraudulent charges come out of a bank or store's coffers in the form of higher merchant transaction fees. 'The retailers will pay for it and the issuing banks will get rich off it,' Ms. Litan said. 'It's just another revenue stream.'"
Sorry, I call bullshit. Retailers pass the higher costs onto you and I.
"'We should not have been doing that,' Mr. Perry said. 'That, however, has been remediated.' As for the sensitive data, he added, 'We no longer store it on files.'"
Thats just fine Mr. Perry. Now may I have the credit card numbers, addresses, phone numbers, ss#'s, etc. of you, your family and the execs at Cardsystems Solutions? I *promise* to keep them safe and give them the same care you provided the other customers....
Why are they still in business? (Score:5, Insightful)
Jessica Antle, a MasterCard spokeswoman, said that CardSystems had never demonstrated compliance with MasterCard's standards. "They were in violation of our rules," she said.
Asked about compliance with Visa's standards, a Visa spokeswoman, Rosetta Jones, said, "This particular processor was not following Visa's security requirements when we found out there was a potential data compromise."
Question:
Why is CardSystems Solutions still a processor for Visa and MasterCard?
Re:Why are they still in business? (Score:5, Funny)
Because the CEO's PA gives good head to visitors.
An interesting data analysis problem (Score:5, Interesting)
Obviously, someone (I assume its Mastercard, Visa, etc.) is storing sufficient volume of historical transactions (including metadata such as the 3rd-party transaction processor) to analyze patterns such as this. With some 60 billion card transactions per year worldwide, this would make for a very large dataset and a very interesting analysis problem.
For Science! (Score:4, Funny)
Well, that makes it all OK, then, doesn't it? So long as it was for Science.
Contractual damages? (Score:3, Insightful)
I think $50 / incident is probably reasonable. That's enough to get the attention of the mom and pop store that might be facing damages of ten thousand dollars for improperly storing the CC numbers of a few hundred customers, but it's no so overwhelming that they would be forced out of business.
A major processor that held 40M records (assuming that that was the number of improperly held records, and the lower number were just those that might have been exposed). They deserve a $2 billion contractual damage.
Mastercard would never collect that much in damages, of course, but it would be a corporate death sentence to any company -- and its executives -- deciding to do illicit "research." One prominent case could go a long way towards restoring confidence.
Moral Hazzard? (Score:5, Interesting)
Re:Moral Hazzard? (Score:3, Insightful)
Re:Moral Hazzard? (Score:3, Informative)
We need to be more specific. Some companies are credit card issuers -- they create the card numbers and own the bank accounts attached to those cards. Those companies end up collecting interchange and assessments (processing fees) on the sale, but then take the money back again.
Some companies (like the one I work for, and like the one in the story) are credit card processors. We don't issue cards, we process payments against those cards and deposit funds in merchant
I hate these guys (Score:3, Informative)
When will these companies be held responsible? (Score:5, Interesting)
That's what I want to know: when will companies that mishandle data like this be held 100% responsible to the people whose data they mishandled for the losses, fraud, etc.? I'm of the opinion that only when mishandling data results in actual financial consequences to the mishandler will things change.
Re:When will these companies be held responsible? (Score:3, Informative)
MBNA Financial Services Helicopter Crash (Score:2)
http://www.pennlive.com/newsflash/pa/index.ssf?/b a se/national-46/1119097504217410.xml&storylist=paho mepage [pennlive.com]
Things that make you go HMMMMM.
Technology Solution already developed - SET (Score:2, Interesting)
The technology is based on digital signatures and electronic wallets. It's quite sophisticated. Perhaps it's time to dust it off and give it another whirl.
why was the data on a WindowsLaptop on the Inet? (Score:2)
http://news.com.com/Lost+credit+data+improperly+k e pt%2C+company+admits/2100-1029_3-5753557.html?tag= nefd.top [com.com]
"The security breach was first reported Friday, when MasterCard International said a lapse at CardSystems had allowed the installation of a rogue computer program that could extract data from the system, potentially compromising 40 million accounts of various credit cards."
They put this information on a laptop running Windows, connected to the internet, and it got Spyware... wo
Re:why was the data on a WindowsLaptop on the Inet (Score:2)
Lob
Read here for how Visa/Mastercard control this crp (Score:4, Informative)
Essentially they are just that: best practices. I just did an audit prepping a company for Visa CISP certification and most things they require are pretty standard like password complexity, physical security, encryption used over public links, etc.. However the security all revolves around the credit card number so it's a little more focused than a normal security gig.
Also, Visa/Master require that vendors store as little info as possible in as few places as possible, and that they encrypt it in storage. Specifically no one is EVER supposed to store the CVV/CVC code or any portion of the magnetic stripe info. Also specific to this set of requirements, a subpoint of it being CC#-centric, is that even non-mission-critical systems have to have the same high level of security if they store CC info. So no one gives a shit if you are doing "research" or just processing sales, you HAVE to protect the numbers, ideally by encrypting that field in Oracle or something equivalent so when FedEx loses your backup tape it isn't a disaster.
One last caveat is that the program is still ramping up. It started about 4 years ago but most companies are struggling to implement the reqs still, and Visa is very understanding since if they are too stringent and cut off the offending vendor they lose revenue.
Looks like I was hit (Score:4, Interesting)
Dear Customer,
An incident involving unauthorized access into a third party processor system has occurred. A company which processes transactions for physical retail merchants and Internet merchants was the victim of a computer hacker between September 2004 and May 2005. They have identified your check and/or credit card as one of the cards possibly exposed. Information compromised includes account numbers and expiration dates, as well as cardholder names and addresses.
We understand that you will most likely be concerned when you read this. Rest assured that if you information has fallen into the wrong hands, you will not be liable for any unauthorized transactions using your Check Card or VISA Card*. However, it is very important that you monitor your account(s) closely and notify us immediately of any unauthorized transaction. If such a transaction does occur, you will need to complete a VISA dispute form, available through the maintenance area of our online banking system, in order to receive provisional credit for the amount of the transaction. We recommend, as a precaution, that you call Customer Support to block your card and we will re-issue a new one. Our Banking Specialists and Loan Representatives will make that decision with you on a case-by-case basis, as we do not want to hamper your use of the card.
We also understand that you will have other questions, such as the identity of the processor. When we receive notifications of this variety from VISA, VISA does not and will not reveal the name of the merchant or processor unless the incident has already been made public by the merchant.
Again, we do ask that you monitor your account carefully in the weeks ahead by making use of our telephone, wireless, and online banking systems. If you have any questions or concerns, please contact a Banking Specialist or Loan Representative for more information.
Thank you for banking with us.
*This limit on liability does not apply to PIN-based ATM or point-of-sale transactions.
Re:Full text of the article (Score:5, Funny)
Re:Full text of the article (Score:2)
So aggregate data for 40 million accounts is being used for research. I can buy that, but why in the hell did the personal data attached to the transactions need to be stored? This sounds like crap to me.
I hope they go bankrupt from this.
Re:They're in trouble (Score:2)
Re:and again. (Score:2)
This is a joke, right?