Forgot your password?
typodupeerror
Security

Cracker Gains Access to 2.2 Million Credit Cards 540

Posted by timothy
from the check-yer-wallet dept.
Doctor Sbaitso writes "CNN reports that a hacker bypassed the security system of a company that processes credit card transactions and gained access to approximately 2.2 million Visa and MasterCard credit cards. Fortunately, none of them seem to have been used fraudulently."
This discussion has been archived. No new comments can be posted.

Cracker Gains Access to 2.2 Million Credit Cards

Comments Filter:
  • I doubt the fact that none have been used will be true for very long. I'd better check my statement tomorrow.
  • by laymil (14940) <laymil@obsolescence.net> on Monday February 17, 2003 @11:06PM (#5323383) Homepage
    pfft, back in my day, we could generate as many valid credit card numbers as we wanted. of course, those usually got used fraudulently....
    • by Chester K (145560) on Tuesday February 18, 2003 @12:36AM (#5323749) Homepage
      pfft, back in my day, we could generate as many valid credit card numbers as we wanted. of course, those usually got used fraudulently....

      Pfff... I could even make them by hand, before they started cracking down on correlating expiration date to card number. Ended up having a nice interesting talk with the FBI about that a couple years later, unfortunately.
      • Re:CC# generators. (Score:4, Interesting)

        by prockcore (543967) on Tuesday February 18, 2003 @03:00AM (#5324216)
        Pfff... I could even make them by hand, before they started cracking down on correlating expiration date to card number.

        Up until about 4 years ago, you could use the CCtest# (4111-1111-1111-1111) to use the credit card phones in LAX and a few other major airports.
    • Die, credit cards (Score:4, Insightful)

      by 0x0d0a (568518) on Tuesday February 18, 2003 @09:41AM (#5325667) Journal
      pfft, back in my day, we could generate as many valid credit card numbers as we wanted. of course, those usually got used fraudulently....

      I think the moral of the story is that CCs are *really* bad from an authentication point of view. For chrissake, the *number* is enough to let you bypass the thing.

      A replacement (probably public key/smartcard) system would be a *much* better idea -- you'd have to physically steal a card to abuse it. No more grabbing a database or a recipt and having free rein.

      There are only two drawbacks to this: first, there's a *huge* installed base of CC users and support, and second, anyone instituting it (VISA, whatever) is going to have to overcome temptation to try charging percentages of transactions (the reason we don't have e-cash now is because of overly greedy financial services companies who couldn't manage this).
      • Re:Die, credit cards (Score:3, Interesting)

        by Directrix1 (157787)
        I've always wondered why they didn't make CCs like this:
        A credit card sized 10-key (with decimal point, enter, and clear) with small one line LCD (or equivalent device) at top, with a thumbprint authentication utility on the side, and a printed circuit on the back for generating flux to simulate a magnetic strip for use in standard CC readers and maybe for automated amount entry(a circuit tuned to the GPS frequencies of the area where the card is allowed to be used could be embedded to charge small capacitors for power, and also possibly for use in theft detection). Embedded in the card is:

        1) Account Private Key (encrypted by a reversible crypto with the key being the output of a perceptron neural net trained to recognize all authorized users thumbprints [or other biometric authentication could and should be used as it becomes viable] with a constant result set [this is much simpler than you would think])

        2) Account Public Key (signed by institution [aka VISA or Verisign whichever gets to this idea first])

        The card has 4 states:
        Off, Amount query, thumbprint authorization, and encrypted transaction display and encrypted transaction activation of magnetic strip.

        Essentially the card waits for an authorized thumbprint to activate the card going to the amount input, after the user enters the amount (or maybe the amount can automatically be transferred to the card using the strip or smart card interface or something), the transaction is signed by the private key, and then the signed transaction is made available on the LCD and the pseudo magnetic strip (which is cleared after swiping it or hitting the clear button). You get the point, its just like a remote cert mechanism for transactions. Just an idea.
      • Re:Die, credit cards (Score:3, Interesting)

        by GregGardner (66423)
        Well yes, it is possible to use a credit card number that isn't yours to purchase items. The risk, though, is built into the cost of using the credit cards. And any decent credit card company will not make you pay for false charges. This is much of the reason it costs so much to use a credit card. This cost is usually eaten by the merchant, though, and the consumer rarely sees it.

        There are new ways in place to make it a little more difficult for theives to make fradulaent purchases. Most places now make you give them the expiration date of the card and that is checked to be valid in real-time. Also, they can do real-time checks of the name of the card holder as well as the zip code. It's really up to the merchant as to how much risk they want to take. In fact, the merchant will usually get better rates if they implement these anti-fraud measures force the customer to give them their zip code or whatever.

        The credit card system is vastly better than the check system as far as fraud goes. There exists a system called ACH (Automated Clearing House, I think) in which you only need the person's name, bank routing number, and bank account number, all of which are always printed right on the front of a personal check. And unlike a credit card that you only hand over temporarily to a merchant, you send checks to people all the time. There are a number of things you can buy online or mailorder using ACH (lots of bill-pay places, etc). Makes you think twice the next time you want to pay some stranger with a personal check.
  • What? (Score:5, Funny)

    by batboy78 (255178) on Monday February 17, 2003 @11:07PM (#5323387) Homepage
    Damn white boys need to stay away from them computers!!

  • Crackers (Score:3, Funny)

    by harks (534599) on Monday February 17, 2003 @11:07PM (#5323388)
    I dont like the use of racial slurs like that on /.
  • by absurdhero (614828) on Monday February 17, 2003 @11:07PM (#5323391) Homepage
    So THATs why $5 was paid to Slashdot without me remembering!
  • I think not. (Score:3, Insightful)

    by Latrommi (615673) on Monday February 17, 2003 @11:07PM (#5323392)
    Fortunately, none of them seem to have been used fraudulently.

    And how exactly do they know that all 2.2 million credit card #'s haven't been used fraudulently? I'm sure that there are at least a small percent of any given set of 2.2 million credit card #'s that are used fraudulently.
    • one way to know. (Score:3, Insightful)

      by Erris (531066)
      You could just cut them all off. Are there any places left that don't call in credit card purchases? Of course, that would leave 2.2 million credit card users high and dry and they would have to issue 2.2 million new cards. It would cost hundreds of thousands of dollars and do incalculable PR damage. So what to do?
      • Re:one way to know. (Score:4, Informative)

        by battjt (9342) on Tuesday February 18, 2003 @07:28AM (#5324871) Homepage
        I think my wife's card was part of this. She got a call from the bank last week telling her that her card was dead.

        My father runs a men's wear store. Last month sometime, he was told that any transaction that he didn't call in would result in a $50 fee.

        Joe
  • Kewl (Score:3, Funny)

    by Anonymous Coward on Monday February 17, 2003 @11:07PM (#5323394)
    damn kevin mitnick!
  • Clearly (Score:4, Funny)

    by Doctor Sbaitso (605467) on Monday February 17, 2003 @11:08PM (#5323395) Journal
    This is a great security threat for our nation! Just think of all the plastic explosives terrorists could create with 2.2 million credit cards!
    • Re:Clearly (Score:4, Funny)

      by TopShelf (92521) on Monday February 17, 2003 @11:15PM (#5323435) Homepage Journal
      Either that, or they plan on cornering the duck tape & plastic sheeting market...
    • Re:Clearly (Score:4, Interesting)

      by uptownguy (215934) <UptownGuyEmail@gmail.com> on Tuesday February 18, 2003 @12:38AM (#5323756)
      Just think of all the plastic explosives terrorists could create with 2.2 million credit cards!

      I know I'm going to be modded as a troll for this, but...

      So we know that some terrorists were devoted enough to the cause of causing chaos that they actually enrolled themselves in flight school to learn how to do what they did. Is it that much of a stretch to think that they aren't aware that it is possible to steal credit cards numbers off the Internet? And do you think that by devoting the same amount of time to googling and reading some paint-by-numbers script kiddie how-to-steal-credit-cards blog someone dedicated to doing "very bad things" couldn't find a way to pull something like this off?

      I'm not sure why everyone chose to mod the parent post as Funny. I find the prospect of Very Angry People stealing millions of credit cards quite frightening, myself...
  • Yet.... (Score:5, Interesting)

    by Neck_of_the_Woods (305788) on Monday February 17, 2003 @11:08PM (#5323396) Journal

    2.2 million...it will be interesting to see what happends when who ever did this starts to sell them in bulk. Who is going to be responsible? The Credit Card companies or the site that got hosed?

    Should prove interesting as these numbers start getting used. 2.2 is a little large of a block to just re-issue.

    • Re:Yet.... (Score:3, Insightful)

      by Huusker (99397)
      Who is going to be responsible? The Credit Card companies or the site that got hosed?

      It will be the merchant who gets hosed. Those 5 million cards will be used to stiff merchants across the world. And when it comes to credit card fraud the merchant always gets the short stick.

      To add insult to injury, if a merchant gets a chargeback rate of more than 1%, Visa/MC has the right to start charging the merchant up to $10000/mo for 'research fees', that is if they don't drop the merchant entirely (and thereby put them out of business -- a not uncommon event for smaller businesses).

    • Re:Yet.... (Score:5, Interesting)

      by IvyMike (178408) on Tuesday February 18, 2003 @01:39AM (#5323942)

      2.2 million...it will be interesting to see what happends when who ever did this starts to sell them in bulk. Who is going to be responsible? The Credit Card companies or the site that got hosed?

      My credit card has been re-issued twice due to it being stolen en masse from a web site. The first time it was stolen from CD Universe [cnn.com] and the second time it was, ahem, another company [com.com]. In both cases, it was just an incredible pain in the ass to me.

      In the first incident, I was in Best Buy, and my card was denied because it was marked as stolen, which is a good thing, except when the people are all looking at you like you're the thief. The second incident, I had ordered gifts from a bunch of sites when I was told my card was being rejected, and I had to call each site and get them to use a different card. Not the easiest thing in the world to do for some sites.

      In any case, in both incident, hundreds of thousands of numbers were stolen, and both victims just told the issuing companies, and most issuing companies cancelled the numbers. I suspect even though this is 10x as many cards, they'll still do the same thing. The potential liablity is too great to do otherwise.

      On the other hand, this might be enough to get the companies thinking about coming up with a better, less theft-prone system.

    • Re:Yet.... (Score:3, Interesting)

      by Ryan Amos (16972)
      Interesting little fact.. 2.2 million cards is .33% of outstanding cards in the US. Yes, you read that right.. one third of one percent. In the grand scheme of things, that's really not THAT many cards. I would assume that the credit card industry is a multi-trillion dollar a year business. They can afford it.
  • by Anonymous Coward on Monday February 17, 2003 @11:08PM (#5323400)
    I guess tomorrow all the online pr0n stores will be sold out of everything!
  • Thus Far (Score:5, Funny)

    by rela (531062) on Monday February 17, 2003 @11:08PM (#5323402) Journal
    You mean 'none of them seem to have been used fradulently YET'
    • Both card companies have zero-liability policies, which protect cardholders from being held responsible for unauthorized or fraudulent charges.

      With that in mind, both Mastercard and Visa are going to do everything in their power to make sure there are no fraudulent charges made. At this point, I doubt if there'll be any fraudulent charges made. It would have been more likely that a ton of charges would have been made immediately after the numbers were stolen.

      --naked [slashdot.org]

      • Re:Thus Far (Score:3, Insightful)

        by rela (531062)
        With that in mind, both Mastercard and Visa are going to do everything in their power to make sure there are no fraudulent charges made. At this point, I doubt if there'll be any fraudulent charges made. It would have been more likely that a ton of charges would have been made immediately after the numbers were stolen.

        Oh, yes. It doesn't look good for them, and it looks REALLY bad for the issuing banks, if nothing is done about it. But I still think that at least some people are going to be filing disputes on bad charges because of this.

  • by nomadic (141991) <nomadicworld@NOSpam.gmail.com> on Monday February 17, 2003 @11:09PM (#5323404) Homepage
    Fortunately, none of them seem to have been used fraudulently

    Uh, yeah, because it's so easy to verify that two MILLION credit card numbers haven't been used fraudulently.

    I mean, come on, just through coincidence I'm sure some of the physical cards themselves have been stolen recently and used fraudulently.
    • by T-Ranger (10520) <jeffw@NOspaM.chebucto.ns.ca> on Monday February 17, 2003 @11:32PM (#5323510) Homepage
      CC companies are constantly scanning there databases for "weird" purchases. Like buying gas in NYC at the same time as buying a DVD player in SF. Companies will respond from terminating the card, or trying to phone the (rightfull) owner..
      Im sure they have prety good mertrics on what normal background fraud is. I doubt the statement means that each and every account has been hand checked, but just that that block of accounts dosent have a abnormal rate of fraud.

      As others have pointed out it dosent realy matter for card holders, but its like any theft from a big company. (shoplifting, insurance fraud, etc) Eventualy it trickles down to the consumer...

    • Well, I'm betting that they checked to see if those 2.2 million cards had a stastically differing fraud rate, or statistically irregular purchasing patterns (an unusual percentage had bought some porn or something) Not a perfect system, but it'll give you an idea if somebody is trying to get $50 out of every card.
  • Whew! (Score:4, Funny)

    by conner_bw (120497) on Monday February 17, 2003 @11:09PM (#5323406) Homepage Journal
    Luckily, i still use cash! Paper that's been handled by drug dealers, prostitutes and bill clinton. Try to hack THAT! What are you doing with that lighter?
  • Is there a name? (Score:2, Insightful)

    by Thaidog (235587)
    That article was not written with many details... What credit group... who's the hacker?
    • by billstr78 (535271) on Monday February 17, 2003 @11:11PM (#5323418) Homepage
      I heard on TV that they have contacted the issuing banks. I am going to call tomorrow and find out if mine was hijacked, then if I can get these charges to CompUSA removed
      • I am going to call tomorrow and find out if mine was hijacked

        Being a good citizen, I'll do it for you

        Everyone email their credit card details to me, seedy.ron@bobsden.com, and I'll check them against my list of stolen numbers
  • How do they know? (Score:5, Insightful)

    by WIAKywbfatw (307557) on Monday February 17, 2003 @11:12PM (#5323419) Journal
    With 2.2 million credit card numbers to check, how do they know that the cards haven't been compromised?

    Sure, their owners might not have reported any fraudulent use yet (and the card issuers themselves may not have spotted any) but all it takes is for this hacker/cracker to have made one copy of the records which he then disseminated to one or more friends for a problem to occur.

    At the very least, the owners of the system that was broken into should be contacting their customers to let them know that there is a small but real risk that their cards numbers might be out there and that they should double check their statements for any unusual items.

    But, given that most companies would see something as proactive as this as marketing suicide (rather than use it to enforce the fact that they do everything to protect the security of their customers), I doubt that they will be so bold.
    • Re:How do they know? (Score:5, Interesting)

      by thatguywhoiam (524290) on Monday February 17, 2003 @11:28PM (#5323490)
      With 2.2 million credit card numbers to check, how do they know that the cards haven't been compromised?

      Of course, they don't know. They won't know for a while. But the answer is Nothing Stolen, and the answer will always be Nothing Stolen.

      Credit card companies are like insurance companies, it's all about playing the odds, and statistics, and consumer behavioural models. Personally I've stopped trusting them a long time ago. While the public meme is that credit card theft is on the rise due to Internet transactions, I really wonder sometimes. As seen with other examples, the Internet is actually becoming an invaluable tool for revealing nefarious activity (patterns of activity that is) that would have been otherwise obfuscated by natural physical barriers. The media are hardly reliably objective in this sense.

      • by GoofyBoy (44399)
        How can you not trust a credit card company?

        Check your statement, dispute if you get anything that doesn't match your records/recipets.

        Its like saying I don't trust my grocery store. There really isn't that much trust thats needed.
  • So.... (Score:3, Interesting)

    by Anonymous Coward on Monday February 17, 2003 @11:12PM (#5323423)
    Let's say this cracker e-mails off these credit card numbers to everyone in the world (those lists of e-mail addresses are only $20, ya' know), can you imagine the offices of Visa and Mastercard?

    Actually, things probably wouldn't be that bad.

    Who in there right mind would use credit card numbers fraudulently on such a high-profile case? Surely jail time or fines would ensue, and that alone would keep most Americans from jumping to use the numbers.

    Then again, there is the chance that many Americans would use those numbers. How about a program that automatically used those numbers to make fraudulent purchases? It would take weeks or months just to sort out bills. Would Visa and Mastercard even be able to handle that amount of traffic? No, something like this could destroy these two companies; it would be almost impossible for them to handle.
    • Re:So.... (Score:5, Interesting)

      by bfree (113420) on Tuesday February 18, 2003 @12:50AM (#5323787)

      Well, I can imagine that if EVERYONE in the world got a list of a few million credit card numbers, you would suddenly see an awful lot of fraudulent purchases! I for one would be tempted, not to do something to get me in trouble (well they can try), but more likely a visit to my local net cafe to send some presents. Let's see:

      1. A full compendium of all O'Reilly Free software books, Debian DVD sets and an X-Box with the LinuxBios Mod installed for Bill Gates, Steve Ballmer, Scott McNeilly, Michael Dell and anyone else on those lines who took my fancy and whose address I could find. I might even send one to every elected official in my country while I'm at it!
      2. Amazon's entire porn collection (they have one I presume) for every censor on the planet.
      3. A cross sending of every spammers products I could come up with to all the other spammers.
      God only knows what else could take my fancy, and god only knows how many orders would actually be filled. Heaven forbid anyone found a well known persons card in there, say Jack Valenti, I think he would find himself making some massive (or massive numbers of) donations to Mplayer, Freenet and any projects people could find which he campagins against.

      Do you REALLY think that people would hear on the radio about the 2.2 million credit card numbers 100 million people just recieved and think, "oooooooh they're gonna catch me if I touch them!"

      The far more probable outcome is that an email of about 4 Mb (2,200,000 CC# * 20 bytes @ 90% compression) sent to 100 million people (or whatever the latest net use figures are) would be stopped at most ISPs very, very, very quickly as it would be lauching a large spam based DDOS against them (unless I underestimate the backbone out there). Sure it would get through to a lot of people, but unless it gets through to 10+% of hotmail or something similar, most users will have the fear you describe put into them.

      A far more interesting prospect would be if instead of plain e-mailing the list around, a virus was used to propagate the data covertly by infecting web and/or email servers. If you get a web-server, you get it to gather the list and take part in attacking more hosts and passing it onto them, you also get it to add a link to every page at the trigger time so all visitors to that site gain access to the list. If you get an e-mail server, you just need to get the data there once and explode it out to all local mailboxes at the same trigger time (aswell as using the host to propagate). Then it comes down to a question of trying to balance the timings to maximise the number of boxes unchecked by the time of revelation.

      Of course is there anything to stop the crackers from just dumping the data into all the P2P networks and letting it spread from there?

      Finally I have to point out that I have no interest in obtaining these numbers (or any others, except my own :-) and I am certainly not advocating credit card fraud. Just saying that if an opportunity like you described (every email box got the list) came my way, I would be very tempted to try and enjoy myself with some humourous (to me) exploits from a safe place and that there would probably be tens or hundreds of thousands of other following suit. Damages would rack up pretty quickly.

  • by kruetz (642175) on Monday February 17, 2003 @11:13PM (#5323426) Journal
    Remember, Credit Cards companies use neural networks to analyse transactions and decide whether or not they may be faulty, and the success-rate of these babies is higher than you may suspect (okay, I don't have a web-link, I read it in a pop-sci book on maths, biology and AI). So you may be short a few dollars, which isn't good (don't get me wrong), but unless you normally spend $hitload$ of money, they won't be able to buy a Ferrari or anything (mind you, if they only took a few cents from each credit card account, they COULD buy a Ferrari ...)
    • by phutureboy (70690) on Tuesday February 18, 2003 @12:26AM (#5323719) Homepage
      Yep.

      My dad lost his card visiting relatives about 100 miles away in Virginia and didn't even realize it. When he got home he got a call from the credit card company, who said their software flagged a $600 purchase made at Home Depot in Virginia which didn't fit his profile, and asked whether he had made it. Sure enough, he checked his wallet and his card was gone. He realized he had left it sitting on top of an ATM or something. He did not have to pay for the Home Depot purchase.

      I was impressed with how well all that worked.
    • mind you, if they only took a few cents from each credit card account, they COULD buy a Ferrari ...

      There are ongoing frauds where small amounts in fraudulent "service fees" or subscriptions to porn sites are being charged on hundreds of thousands of cards every month. The charges are small enough that most card holders don't bother to track them down and get hit up month after month for years.

      There is a web page about one of these frauds here [faughnan.com] In this particular fraud the card numbers were taken from a shady bank that did CC transactions for porn sites. The con men would make charges under a variety of entities posing as subscription based porn sites so the card holder would not only be paying for his original porn purchase but other fraudulent ones besides - pretty smart because it wouldn't set of any alarms at the card company (the guy is already making legitimate purchases of that particular product) and the numbers are small enough that the guy wouldn't bother doing anything about it if he even notices. Since it's porn, and some of it he really *did* sign up for, he might be too embarassed to do anything about it even if he realises some of the charges are fraudulent. This particular fraud ended up making between $40 and $50 million dollars off of about 900,000 card holders.
  • Mitnick... (Score:5, Funny)

    by jbwiv (266761) on Monday February 17, 2003 @11:15PM (#5323432)
    New leaf my ass. Welcome back, Kevin ;-)
  • by grahamsz (150076) on Monday February 17, 2003 @11:18PM (#5323450) Homepage Journal
    I like those odds - not a single fradulent use in 2.2 million cards.

    Hell i've had 3 fradulent transactions and only own 3 credit cards and two debit cards.

    One thing i've noticed is that my card company seem good at stopping me from spending when they think i'm fradulent. Just put 7 currencies on your card in as many days and alarm bells seem to ring somewhere.... but catching real theives is a little too tricky
  • Which processor? (Score:5, Interesting)

    by murphj (321112) on Monday February 17, 2003 @11:20PM (#5323461) Homepage
    Nice informative article. No mention of which credit card processor this was. It'd be nice to know if it's one that one of my clients uses. Anyone know the identity of the victim?
    • Crappy journalism (Score:3, Insightful)

      by MacAndrew (463832)
      Having read it :) I suspect this CNN article isn't much more than a paraphrase-the-press-release sort of thing. ("A hacker has gained access to as many as 2.2 million Visa and MasterCard accounts, the two companies announced Monday.") Someone else here cites an article saying FIVE million numbers were stolen! I think more probing work is needed.

      Also, I love "Both card companies have zero-liability policies, which protect cardholders from being held responsible for unauthorized or fraudulent charges" -- as if they're so generous. For one thing, I think that "policy" is required by federal law, and if not it would be legally insane (and unenforceable) to hold subscribers liable for 3rd party mistakes. An interesting Q might be how long you could wait or fail to notice an ongoing fraudulent use of the card, assuming it didn't get maxed out within minutes.

      Anyway, look for more probing articles. I'd like to know what *other* sensitive information might have been accessible? Wouldn't a list of social security numbers be nice? How'd you like to have to go get that number changed? I assume (hope, pray) SSN's weren't stored in the same sloppy way as these CC #'s, but it's perfectly possible at some other institution.
    • by QuantumG (50515)
      Because remember, it's not the credit card processor's fault that your credit card got stolen, it's the evil hacker who bypassed the security. If we told you which credit card processor it was you might take your business elsewhere, therefore ensuring that security of your credit card is taken seriously -- and we don't want that, do we? I mean, that would be like punishing the credit card processor for the evil hacker's crime!
    • by Anonymous Coward
      The MSN article [msnbc.com] says "it involved a third party processor" and "they could not disclose the name of that processor."

      A third party processor could be, for example, Authorize.net, Verisign, Card Service Intl, or any of the other Payment Gateways, I believe.

      I know it sucks that we can't find out which third party processor it is, so we can all stop using them, but I'll take the unpopular position that it's a good idea to not have that information disclosed to the public.

      The bad publicity from a mess like this could put a struggling company out of business when everyone stops using them. Do they deserve to go out of business? Sure, but that's not the point.

      If a company discovers someone has hacked into one of their servers with access to a database full of credit card numbers, and they know that notifying Visa, MasterCard, and the FBI is going to put them out of business with bad publicity, how many companies are going to report it?

      They could rationalize that while there is evidence the server was cracked, there is no proof that someone actually downloaded credit card numbers from the server. Maybe it was a worm that just infected the server and tried to find more vulnerable servers, and did nothing more. Or maybe they were just setting up an ftp server for their mp3 collection.

      Is it worth publicly releasing this information that right now only 3 people in the company know about, and all but guarantee they will go out of business? Or should they just rebuild the server, fix the problem, and hope that no credit card numbers were stolen, and if they were, that they don't get traced back to you if they are used fraudulently?

      Personally, I was in that situation two years ago, and we opted to just rebuild the server and hope that the 10,000 credit card numbers sitting on the cracked server were never found. Was it the right thing to do? No. Was it illegal? Hard to say. But the negative impact to the company could have been devastating, so we decided to report nothing. We never heard about any of the credit cards being used fraudulently, which wasn't surprising, and we went out of business a year later anyway, which also wasn't surprising.

      So my point is, if companies that get cracked can report it without having to go public, Visa and MasterCard would probably be able to stop a lot more fraud before it happens. I would guess the vast majority of known server compromises go unreported now because companies are afraid to come forward and tarnish their name.

  • PIN numbers? (Score:5, Interesting)

    by one9nine (526521) on Monday February 17, 2003 @11:21PM (#5323463) Journal
    Can anybody explain to me why credit cards don't have PIN numbers like my ATM card does? Wouldn't this stop a tremendous amount of fraud? All someone needs is someone's card number and expiration date and they can do whatever they want.

    I do notice that sometimes, very rarely though, that sites will ask for that extra three digit code on the back of the card, to verify that you do in fact have the card in your hand. This the same concept as a PIN and I don't see why more web sites aren't doing it. It's not like they have to completely revamp their way of accepting credit cards, it should be a very simple fix.

    Makes me want to go back to barder. Do you think ThinkGeek would accept two dead chickens and a half wheel of gouda for one of those mini tanks with the camera?

    • by tha_mink (518151) on Monday February 17, 2003 @11:25PM (#5323478)
      You get the idea.
    • Re:PIN numbers? (Score:4, Interesting)

      by Zaffle (13798) on Monday February 17, 2003 @11:29PM (#5323495) Homepage Journal
      In New Zealand, you can get a PIN number for your card, but this number is only used at EFTPOS (Electronic Funds Transfer at Point Of Sale) systems (where you swipe your card at the store). If you use the ol' fashion card imprint thingy, or if you use it online, the PIN don't mean diddly.
      As for the CSV (the num at the back of the card), a number of clearing houses use it. Its not *suppose* to be stored by the clearing house/site, but who's to say.

      PIN #'s do stop fraud occuring over the counter, but not mail-ordering, web-site. Actually, it doesn't even stop over the counter, since all you need to do is wipe you card with a magnet and demand they do your card the old way, stating it works in every other store. (Most stores will relent if you pressure them).
    • Re:PIN numbers? (Score:5, Insightful)

      by Kamel Jockey (409856) on Monday February 17, 2003 @11:33PM (#5323516) Homepage

      Can anybody explain to me why credit cards don't have PIN numbers like my ATM card does? Wouldn't this stop a tremendous amount of fraud?

      No, because the PINs would probably be stored in the same unsecure manner that the other credit card information was. This is why PINs in general and/or 3 digit auth codes will be ineffective. What's needed here is better site security, not better credit card security.

      All someone needs is someone's card number and expiration date and they can do whatever they want.

      Kinda... You can actually specify any date in the future and the transaction will validate (if you use a system like Cybercash or Authorize.Net). If however, you have a human on the other side who checks the entered credit card information against what they get from the credit card company, then that human can manually disallow the transaciton.

      Unfortunately, the only real way to secure information is to store it in an encrypted form such that the key needed to decrypt the information is physically separated from the machine which contains the data. However, many websites currently use the "key under the doormat" approach to security, which in theory is no better than storing the data unencrypted and hoping that no one hacks into the system and sees it.

      • Re:PIN numbers? (Score:4, Insightful)

        by kiolbasa (122675) on Tuesday February 18, 2003 @12:00AM (#5323625) Homepage

        I don't think there's any reason to store the 3 digit number in a database. It's only used during transaction approval. I can see why merchants store accounts numbers, to keep records of transactions and such (though it's just lazy and insecure the way they manage that data sometimes). There really is no need to add a field in their dastabases for the extra 3 digits, since the account number already serves its purpose, and is guaranteed to be unique.

        Of course, then the problem is not every merchant verifies the 3 digit code, so a theif doesn't even need it for some transactions. It is in the merchants' best interests to use the code, however, since the merchants foot the bill in fraud claims.

        It's still not the greatest system, but it has some potential to curb fraud. Needs refining, but it's better than nothing.

  • by Anonymous Coward on Monday February 17, 2003 @11:22PM (#5323471)
    this report says 5 million cards

    http://www.forbes.com/markets/newswire/2003/02/1 7/ rtr881826.html
  • OUch (Score:5, Insightful)

    by IanBevan (213109) on Monday February 17, 2003 @11:25PM (#5323474) Homepage

    Citizens Bank, a financial institution serving the Northeast, shut down the accounts of 8,800 customers whose card numbers had been accessed after being notified by MasterCard on Friday, bank spokeswoman Pamela Crawley said. All of those accounts were safe, she said.

    I'll bet those people are just *thrilled* to have their accounts locked out. How many people are going to find their card mysteriously declined when doing their weekly grocery shop then ? I'm betting the bank hasn't made 8,800 phone calls to explain their position.

    Hell of a way for VISA/MC to limit their liability - just cancel their cards ??
    • Re:OUch (Score:5, Informative)

      by eDogg (647694) on Monday February 17, 2003 @11:49PM (#5323584)
      Unfortunately, I hold one of those 2.2 million cards. I was thoroughly frustrated when my card was declined Friday, Saturday then again on Sunday. What was even odder is that I could take my bank-issued card to the ATM and withdraw $100 and get a balance statement that showed positive numbers. Finally got the "scoop" from my bank today. They gave me a different story though, said MC alone had 7 million cards compromised. Ended up having to call the "fraud" department at MC, verify my vital information and have my cards re-issued. They also took the time to verify all transactions in the last 4 days to make sure none were fraudulent. On a side note, they did try calling me, but my number had been changed.
  • by bizitch (546406) on Monday February 17, 2003 @11:34PM (#5323519) Homepage
    Citbank has a kewl way to beat most of the fraud.

    From their website, you can generate a random valid card number (tied to your real card of course) which is good for one and only one transaction.

    Works pretty well for me so far...

    But of course if your system has been hax0r3d with a trojan keylogger or something of the sort, the fraudmeister could login in as you and generate all the "one time" cards they wanted.

    But still - a pretty good solution so far - IMHO
  • How would you (Score:3, Insightful)

    by left_coast (651254) on Monday February 17, 2003 @11:37PM (#5323531)
    I'm curious, besides selling the card numbers to some "underground", how would you REALLY use a credit card # for personal use without getting caught?
  • by koreth (409849) on Tuesday February 18, 2003 @12:06AM (#5323648)
    I used to work on the billing system for a company that took credit card payments, and I have to say the security in the system is just laughable. I have no sympathy whatsoever for the banks losing billions a year to fraud; there are so many simple ways to plug the system's gaping holes that I think it borders on criminal negligence they haven't done so yet. A few examples off the top of my head -- with the caveat that this was all true a few years ago and may be less so today. All of what I'll describe here is pretty rampant already, so I don't think I'm revealing any state secrets.
    • Address/ZIP code verification (AVS) is fine and dandy. But for the major US credit cards (Visa, MC) it only works with US addresses! So if you have a Visa card with a Canadian or British billing address, address verification is a no-op. It didn't take our fraudulent customers long to figure that one out.
    • And even if you want to use a US ZIP code, all you need to know is the card prefix for a small regional bank (the first 4 digits of a Visa card are a bank ID) that only serves a few ZIP codes, and you can get a pretty good hit rate with random card generation.
    • Depending on the issuing bank, you can often use any expiration date you want as long as it's in the future. We used to have an option to automatically bump the expiration date forward by a year when the expiration date on a monthly-billed account went by, and most of the time it worked without any errors even in cases where we knew the bank had issued a new card with a two-year expiration time.

    Here are a few things I'd like to see in the credit card infrastructure.

    • More strict address verification. Standardize the format of street addresses such that the actual address can be verified on mail-order or online sales, rather than just the ZIP code. Some banks do already support street address verification, but it's not universal and it's pretty unreliable since there are so many different ways to format addresses and they don't always match what's in the bank database. (#10 101 1st St., 101-10 First St., 101 1st Street Suite 10, etc.)
    • Require a photo on every credit card, a la Citibank. That plus better AVS makes physical credit card theft a lot less worthwhile.
    • Smart account closures. Right now when an event like the one in the article happens, 2.2 million people have to scramble to clean up the mess of recurring payments suddenly failing through no fault of their own. The letter from the bank is followed a couple days later by a nastygram from the cable company or whatever. The infrastructure should be able to shut down a card for new transactions while allowing familiar ones to go through, where "familiar" means a vendor that's charged to the card more than N times over a period of at least M months where the amount of the new charge is within X percent of the previous charges. This one might not appear to benefit the banks at first glance, but it does: when there's a big theft of card numbers, it will cut down on the number of irate customer phone calls they have to field from people whose utilities just got shut off.
    • Single-use card numbers. I should be able to call a phone robot or hit a web site, enter my card number, and get back a virtual card number that's good for either a limited amount of time (American Express offers that) or, better still, that's only good for the first vendor who uses it. That way I'd give a different card number for each monthly payment (cable bill, Netflix subscription, etc.) and if the number was stolen, I'd only have to give a new number to that one vendor and the bank's exposure to fraudulent transactions would be negligible.
    • PINs. Again, this is more helpful for physical card theft than online theft since the PINs would be in the online databases right alongside the card numbers, but it's an obvious thing that'd make it next to useless to grab someone's wallet intending to use their cards.

    Some of these things would be a major overhaul. Some of them wouldn't. But any of them has to be doable for a lot less money than the credit industry claims it loses to fraud every year. I cannot comprehend why they don't do some of these things.

    • banks losing billions a year to fraud...

      Banks don't lose out - they merely do a chargeback to the merchant, and unless they can prove the transaction was authorised they are the ones that lose the money. Since most fraud is mail-order or uses signatures clearly nothing like the one on the card 99% of the time they lose out.

      Gareth

  • by newsdee (629448) on Tuesday February 18, 2003 @12:07AM (#5323651) Homepage Journal
    After that story with the RIAA claims about number of seized CD burners, I'm seriously wondering whether this "dangerous cracker" is not in fact some script kiddie who stumbled upon a computer that stored 275,000 CC#s, and the data is mirrored in 7 other computers... ;-)

  • Hello?? (Score:3, Informative)

    by miketang16 (585602) on Tuesday February 18, 2003 @12:08AM (#5323659) Journal
    It's CRACKER not HACKER if anyone would read the headline. God, even on slashdot...I wonder how hackers get the bad name...
  • So who is it? (Score:5, Interesting)

    by LinuxParanoid (64467) on Tuesday February 18, 2003 @12:09AM (#5323661) Homepage Journal
    This implies to me that a credit card payment gateway was compromised. Who was it?

    Inquiring minds want to know...
    • The Visa/MC press release doesn't mention the Internet at all. It uses the words (chosen carefully) 'company that processes credit card transactions.'

      The number of cards is too large for any gateway IMHO. I will bet money that a private processor network got hacked, or the central database for said network, i.e., ECHO, EFS or something on that scale.

      These networks are used for dialup and leased line access for authorizations. This means your grandmother's card used at the grocery store could now be in the hand of a hax0r.

      Reuters is reporting 5 million cards [forbes.com].

  • by Huusker (99397) on Tuesday February 18, 2003 @12:50AM (#5323785) Homepage
    The hacker breached the security system of a company that processes credit card transactions on behalf of merchants, Visa and MasterCard said.

    Ok so which CC processor got hacked? I am assume that when Visa/MC says 'processor' it means specifically a credit card processing network that receives and authorizes charges from merchants, not a consolidator like PayPal, and not an e-commerce gateway like CyberSource or VeriSign.

    Was it Nova, Wells Fargo, Vital, BankAmerica, EFS, or ECHO? These are the only big non-regional credit-card processing networks in the US (AFAIK).

    <Begin speculation>

    Note that there was no mention of the Internet in the press release. This leads credence to the theory it was a private processor network (not TCP/IP or a web site) that got hacked somehow.

    It must be a big processor, otherwise Visa/MC would finger them (and therefore shift the blame). It obviously wasn't Amex or Novus as they both offer competing plastic. And I doubt it was a bank-level processor like US Bancorp (again because they are smaller and would have been fingered.)

    The people victimized are not just e-commerce shoppers but also customers at the grocery store, the shopping mall, etc. My worry is that it was a really big processor like Nova, which means that 2.2 million could be the tip of the iceberg.

    <End speculation>

  • by handy_vandal (606174) on Tuesday February 18, 2003 @01:00AM (#5323820) Homepage Journal
    This story would be more interesting if every last one of the stolen credit card numbers had been used fraudulently. Now that would be an exploit!
  • by edb (87448) on Tuesday February 18, 2003 @01:15AM (#5323876)
    The article mentioned that both VISA and MasterCard have a "zero-liability policy" so that consumers are not liable for fraudulent charges made with stolen account numbers. Well, yes and no. The federal credit law does limit the liability, but there are limitations on the limits (distance from home, etc.). Usually this is not a problem, and almost always any charge the consumer contests is credited back in full, and charged back to the merchant who made the charge.


    But what usually is ignored is that while the consumer might not have to pay, the merchant who sold the goodies does have to pay. The credit card issuer doesn't pay for fraudulent charges -- they get "charged back" to the merchant who made the charge, and the merchant pays, plus a "chargeback fee" of $15 - $50 per transaction. It's one thing for a software download to go unpaid, it's quite another for a merchant to ship actual physical goods and not get paid for them.


    Eventually the consumer does end up paying for fraudulent credit card charges, but just like insurance premiums, where any individual charges or payments might be small relative to the total public cost of the incident, you can be sure that in the aggregate the fees, interest, and other charges imposed by the credit card issuing banks will cover their losses and still make a profit, and the prices merchants have to charge for goods will, in the long run, certainly have to cover their losses and still make a profit.


    In other words, the cost of credit card fraud is shifted away from the consumer (who is innocent of any single fraudulent charge on their particular card, so of course should not be forced to pay it), and becomes instead just part of the cost of doing business for everyone on the other side of the transaction.

  • How? (Score:4, Interesting)

    by t0ny (590331) on Tuesday February 18, 2003 @01:53AM (#5323979)
    what they dont clarify is HOW the security was compromised. My first thought is that somebody walked past the security guards, sat at somebody's desk, copied the info to a spreadsheet or DB, and either put it on a floppy, emailed it, or IM'd it out.

    They dont actually say somebody hacked into their network from the internet.

  • by Stonent1 (594886) <stonent&stonent,pointclark,net> on Tuesday February 18, 2003 @03:53AM (#5324365) Journal
    Online Viagra purchase: $150
    Trisexual Midget porn : $55
    Buying it on someone elses credit card so that your wife never finds out: Priceless
    There's somet things that money can buy but you'd rather it not be your own. For everything else, there's Mastercard.
  • by YeeHaW_Jelte (451855) on Tuesday February 18, 2003 @05:35AM (#5324578) Homepage
    I wonder if anybody knows which company does the actual transactions, a.k.a. who was actually hacked? I know of one large credit card transaction processer, Firepay, but I'm not sure if they're the official one for VISA/MC.
  • Whew! (Score:4, Funny)

    by smagruder (207953) <stevem@webcommons.biz> on Tuesday February 18, 2003 @06:39AM (#5324723) Homepage

    Thank goodness my Visa Checkcard has a negative balance right now! :)

    Denied!

The reason why worry kills more people than work is that more people worry than work.

Working...