'Massive' credit card data breach involves all major brands

LazyLion

http://money.cnn.com/2012/03/30/technology/credit-card-data-breach/index.htm?hpt=hp_t3

NEW YORK (CNNMoney) -- A data breach at a payments processing firm has potentially compromised credit and debit card information from all of the major card brands, representatives from MasterCard and Visa said on Friday.

News of the breach was first reported by the respected security blog Krebs on Security. That article said the breach was "massive," and could involve more than 10 million card numbers.

The Wall Street Journal followed up with an article saying that processor Global Payments is the vendor that was breached. Global Payments (GPN) shares fell 9% before trade was halted in the morning. As of 3 p.m. ET, the stock had not resumed trading.

A representative of Global Payments did not respond to a request for comment. The extent of the breach, and what kind of information was compromised, has not been confirmed.

"I've spoken with folks in the card business who are seeing signs of this breach mushroom," Gartner security analyst Avivah Litan wrote Friday in a blog post.

Her sources say the hackers have begun using some of the card data they stole, Litan added.

MasterCard (MA, Fortune 500) said it has alerted payment card issuers "regarding certain MasterCard accounts that are potentially at risk."

The company also said the breach is the subject of an ongoing forensic review by an independent data security organization.

Visa (V, Fortune 500) released a statement saying it too has provided card issuers with notifications about accounts that could be affected. The issuers "can take steps to protect consumers through independent fraud monitoring and, if needed, reissuing cards," it said.

Both MasterCard and Visa emphasized that their own networks had not been penetrated.

Discover (DFS, Fortune 500) said simply: "We are aware of the situation, are monitoring accounts for suspicious activity and will reissue plastics as appropriate."

None of the three companies would comment on the scale or nature of the breach, but the Journal's report says the information that was taken could potentially be used to counterfeit new cards. The breach reportedly took place between January 21 and February 25 of this year.

CNN has reached out to the other major credit card brands, including American Express (AXP, Fortune 500), for comment.

In data breach situations, credit card companies generally offer affected customers fraud monitoring services at no cost -- and customers aren't on the hook for any fraudulent charges. The card issuers themselves are responsible for those costs.

Questions about industry standards: Several security researchers said the breach is a prime example of why the current Payment Card Industry Data Security Standard (PCI-DSS) is inadequate.

"Expect to see yet another round of almost religious fervor in the debate over the real value of PCI-DSS," Geoff Webb, director of product marketing at data-protection company Credant Technologies, said in an email.

Cybercriminals "are constantly looking for opportunities to identify and attack sites where there is a weakness in security -- just like a predator looks out for the weakest member of the herd," he added.

Litan, the Gartner analyst, is skeptical about whether the credit card industry will invest the money and time required to switch to a more secure system, like "smart cards" embedded with chips, which are used in some foreign countries.

"It's cheaper for them to deal with these breaches than to make all those chip cards," Litan told CNNMoney. "We've had all of these breaches, but there have not been any significant attempts to change the situation. The information is easy to steal, and cards are easy to use, so it's like free money for criminals."

10 million credit card numbers??? :eek:
 
That's massive, why do the credit card companies get away with this...
I want my money
 
That's massive, why do the credit card companies get away with this...
I want my money

Hackers stole cc information from a 3rd party and you somehow accuse the credit card companies of something?

Stealing your money? :wtf:
 
Litan, the Gartner analyst, is skeptical about whether the credit card industry will invest the money and time required to switch to a more secure system, like "smart cards" embedded with chips, which are used in some foreign countries.
Chip cards don't provide additional security. I would have thought a supposed security analyst would be up to date on these things.
 
How do you figure that?

http://en.wikipedia.org/wiki/Chip_and_PIN

The only real problem is this dual mag stripe/pin approach they picked, but the chip tech is an improvement nonetheless once the stripes are phased out.

The pin is stored on the card, and there are readers that can replace the pin with another, so it's really not more secure.

The goal of the chip and pin is to move the risk onto the consumer. If your card is used in a fraudulent transaction and the pin is used, it's your loss. The bank will not take that on since they say that it's your responsibility to keep your pin secure.
The problem is that they don't keep records of the pin so they will never know if it was your card or a cloned card with the pin replaced.
 
The pin is stored on the card, and there are readers that can replace the pin with another, so it's really not more secure.

The goal of the chip and pin is to move the risk onto the consumer. If your card is used in a fraudulent transaction and the pin is used, it's your loss. The bank will not take that on since they say that it's your responsibility to keep your pin secure.
The problem is that they don't keep records of the pin so they will never know if it was your card or a cloned card with the pin replaced.

Well, considering you don't need the pin for online purchases, the pin doesn't really add a lot of value. So I don't see how the pin moves the risk to the consumer instead??
 
Chip and PIN is not in use in the United States. A store swipes your card, you sign it, that is that.
 
Well, considering you don't need the pin for online purchases, the pin doesn't really add a lot of value. So I don't see how the pin moves the risk to the consumer instead??
It does for purchases at retailers.

The pin is stored on the card, and there are readers that can replace the pin with another, so it's really not more secure.

The goal of the chip and pin is to move the risk onto the consumer. If your card is used in a fraudulent transaction and the pin is used, it's your loss. The bank will not take that on since they say that it's your responsibility to keep your pin secure.
The problem is that they don't keep records of the pin so they will never know if it was your card or a cloned card with the pin replaced.
Not only that, but the verification is done on the card, not by communicating with the bank. It's possible to bypass the verification.

How do you figure that?

http://en.wikipedia.org/wiki/Chip_and_PIN

The only real problem is this dual mag stripe/pin approach they picked, but the chip tech is an improvement nonetheless once the stripes are phased out.
The dual cards only mean that criminals can continue to use their current methods rather than moving onto known exploits of chip cards. The entire security mechanism of those is fundamentally broken. They mention a number of the known defects in the Wikipedia article.
 
The pin is stored on the card, and there are readers that can replace the pin with another, so it's really not more secure.

That's not correct at all. Any chip and pin security issues are with the reader not the card (except for the dual system, of course). Your pin cannot be changed, but possibly read.
 
That's not correct at all. Any chip and pin security issues are with the reader not the card (except for the dual system, of course). Your pin cannot be changed, but possibly read.

The flaw is that when you put a card into a terminal, a negotiation takes place about how the cardholder should be authenticated: using a PIN, using a signature or not at all. This particular subprotocol is not authenticated, so you can trick the card into thinking it’s doing a chip-and-signature transaction while the terminal thinks it’s chip-and-PIN. The upshot is that you can buy stuff using a stolen card and a PIN of 0000 (or anything you want). We did so, on camera, using various journalists’ cards. The transactions went through fine and the receipts say “Verified by PIN”.

http://threatpost.com/en_us/blogs/chip-and-pin-security-completely-broken-new-attack-021210
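The quoted flaw comes down to two parties holding different views of the same transaction: the terminal's cardholder-verification result is not authenticated, while the card's own record of whether it verified a PIN travels to the issuer under the card's cryptogram. The toy model below is an added example, not code from the page, the posters or the cited researchers; it abstracts the EMV data fields into two booleans and shows the issuer-side consistency check that catches the mismatch.

```python
"""Toy model of the chip-and-PIN verification mismatch and its detection.

Constructed example: real EMV carries these values as TLV fields (the
terminal's CVM Results, the card's verification results inside its
cryptogram-protected application data); the model keeps only the logic."""
from dataclasses import dataclass


@dataclass
class Card:
    pin: str
    # The card's own record of whether it verified a PIN. It reaches the
    # issuer bound to the card's cryptogram, so it cannot be altered in transit.
    pin_verified: bool = False

    def verify_pin(self, candidate: str) -> bool:
        self.pin_verified = candidate == self.pin
        return self.pin_verified


def honest_reader(card: Card, entered_pin: str) -> bool:
    """Forwards the terminal's PIN check to the card."""
    return card.verify_pin(entered_pin)


def tampered_reader(card: Card, entered_pin: str) -> bool:
    """Answers 'verified' itself; the card never sees a PIN check and
    proceeds as if the cardholder were verified some other way."""
    return True


def transaction(card: Card, entered_pin: str, reader=honest_reader) -> dict:
    """The negotiation is unauthenticated, so the terminal cannot tell which
    reader it is talking to; it simply records the answer it receives."""
    terminal_ok = reader(card, entered_pin)
    return {"terminal_says_pin_verified": terminal_ok,
            "card_says_pin_verified": card.pin_verified}


def issuer_check(auth: dict) -> str:
    """Issuer-side control: the terminal's claim and the card's record
    must agree, otherwise decline and flag for review."""
    term, card = auth["terminal_says_pin_verified"], auth["card_says_pin_verified"]
    if term and not card:
        return "DECLINE: terminal reports PIN verified, card did not verify a PIN"
    if card and not term:
        return "REVIEW: card verified a PIN the terminal did not report"
    return "CONSISTENT"
```

The point a defender takes from it is that the signal needed to spot the "Verified by PIN" receipts described in the quote already exists at the issuer; what was missing was the comparison.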
 
That's massive, why do the credit card companies get away with this...
I want my money

Hackers stole cc information from a 3rd party and you somehow accuse the credit card companies of something?

Stealing your money? :wtf:

Perhaps he should cancel all Visa and Mastercard cards, and close those accounts too. That'll get him far :rolleyes:
 
I think I'm going to lower my credit card limit.

Thing is Fudzy, a chip and pin card can't be cloned - it has to be physically stolen (which hopefully you'll notice and cancel immediately) to be used illegally. So, though not perfect, it's more secure than magnetic strips.
 
Thing is Fudzy, a chip and pin card can't be cloned - it has to be physically stolen (which hopefully you'll notice and cancel immediately) to be used illegally. So, though not perfect, it's more secure than magnetic strips.

Ah okay, so they would only be able to access the funds IF they stole the card and knew my pin code? Not like the current scammers who read your card's magstripe with a hidden device, watch your pin and then make a new card to withdraw funds.
 
Ah okay, so they would only be able to access the funds IF they stole the card and knew my pin code? Not like the current scammers who read your card's magstripe with a hidden device, watch your pin and then make a new card to withdraw funds.

Well, apparently there are hacked readers that will allow them to use any PIN (the readers are mostly based on the older standard which allows for this), but they have to have your stolen card and not a clone.

So, chip and PIN is not as secure as once believed - though hopefully in time this will be resolved, but better than still having your card and not knowing a cloned card is being used.
 
The bottom line is that this side of the grave nothing is or ever can be 100% secure.
But there are degrees of security, vulnerability and risk. It's all about managing those to suit your requirements.
 