Security

Cracker Gains Access to 2.2 Million Credit Cards 540

Doctor Sbaitso writes "CNN reports that a hacker bypassed the security system of a company that processes credit card transactions and gained access to approximately 2.2 million Visa and MasterCard credit cards. Fortunately, none of them seem to have been used fraudulently."

  • by Anonymous Coward on Tuesday February 18, 2003 @12:21AM (#5323466)
    2,200,200 x .03 = $66,000
  • CC companies are constantly scanning their databases for "weird" purchases. Like buying gas in NYC at the same time as buying a DVD player in SF. Companies will respond by terminating the card, or trying to phone the (rightful) owner..
    I'm sure they have pretty good metrics on what normal background fraud is. I doubt the statement means that each and every account has been hand checked, but just that that block of accounts doesn't have an abnormal rate of fraud.

    As others have pointed out it doesn't really matter for card holders, but it's like any theft from a big company. (shoplifting, insurance fraud, etc) Eventually it trickles down to the consumer...

  • by bizitch ( 546406 ) on Tuesday February 18, 2003 @12:34AM (#5323519) Homepage
    Citibank has a kewl way to beat most of the fraud.

    From their website, you can generate a random valid card number (tied to your real card of course) which is good for one and only one transaction.

    Works pretty well for me so far...

    But of course if your system has been hax0r3d with a trojan keylogger or something of the sort, the fraudmeister could log in as you and generate all the "one time" cards they wanted.

    But still - a pretty good solution so far - IMHO
  • Re:OUch (Score:5, Informative)

    by eDogg ( 647694 ) on Tuesday February 18, 2003 @12:49AM (#5323584)
    Unfortunately, I hold one of those 2.2 million cards. I was thoroughly frustrated when my card was declined Friday, Saturday then again on Sunday. What was even odder is that I could take my bank-issued card to the ATM and withdraw $100 and get a balance statement that showed positive numbers. Finally got the "scoop" from my bank today. They gave me a different story though, said MC alone had 7 million cards compromised. Ended up having to call the "fraud" department at MC, verify my vital information and have my cards re-issued. They also took the time to verify all transactions in the last 4 days to make sure none were fraudulent. On a side note, they did try calling me, but my number had been changed.
  • Re:PIN numbers? (Score:4, Informative)

    by Stonehand ( 71085 ) on Tuesday February 18, 2003 @12:50AM (#5323585) Homepage
    Um, he's talking about the database needed to VERIFY the PIN numbers. When the merchant runs the transaction, it needs to be checked against *something* to see if it's the right one.

    Even if you used one-way hashing, it'd still be weak, because with a typical 4-digit pin there aren't that many combinations -- so the hashes wouldn't be secure. So, since the hashes and the numbers would likely be colocated, it wouldn't add that much unless you made people use really long PINs or seriously modified credit card hardware to allow other inputs besides digits.
  • Re:What? (Score:3, Informative)

    by neema ( 170845 ) on Tuesday February 18, 2003 @12:50AM (#5323586) Homepage
    Article is called "Cracker Gains Access to 2.2 Million Credit Cards".

    Cracker...

    Get it?

    Eh.
  • by Ponty ( 15710 ) <awc2 AT buyclamsonline DOT com> on Tuesday February 18, 2003 @12:53AM (#5323604) Homepage
    From the article, it appears that Visa is saying that none of the flagged numbers have actually been used after the specified date and time.
  • Hello?? (Score:3, Informative)

    by miketang16 ( 585602 ) on Tuesday February 18, 2003 @01:08AM (#5323659) Journal
    It's CRACKER not HACKER if anyone would read the headline. God, even on slashdot...I wonder how hackers get the bad name...
  • Re:PIN numbers? (Score:2, Informative)

    by Bishop ( 4500 ) on Tuesday February 18, 2003 @01:20AM (#5323699)
    Even if such a machine were created, an attacker could trojan the entry system and capture the PINs as they were used.
  • Re:PIN numbers? (Score:1, Informative)

    by Anonymous Coward on Tuesday February 18, 2003 @01:22AM (#5323706)
    Think more creatively. Don't just hash the PIN - that's pretty useless since there are only 10^4 possible PINs and you can enumerate all of those (on paper even!). Hash the concatenation of the PIN and the CC number. There are lots of possible CC numbers (too many to generate) and if the PIN is generated using a completely independent process from the CC number (e.g., chosen by a human), the likelihood that someone has a correct CC number along with the correct PIN approaches the likelihood that someone guessed the correct PIN for a particular CC number. In other words, if someone gets your CC number but not your PIN, they would have to make an average of (10^4)/2 guesses before getting the right PIN and that would surely be noticed.

    Problem is that this requires some sort of protocol: bank has to keep a secure central repository of PINs for each CC number issued and you need a protocol to query "is this PIN correct for this CC?" Bank would respond "yes" or "no." Needs some sort of secure channel to ensure hashes aren't intercepted mid-stream (x509 would serve nicely for this). Hopefully merchant won't store the PIN or hash, but that's too much to hope for.

    Possible, but ain't gonna happen.
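The two PIN-hashing comments above (Stonehand's point that a hashed 4-digit PIN has only 10^4 candidates, and the Anonymous Coward's proposal to hash PIN together with the card number and verify online) can be checked with a small script. This is an added illustration, not code from either commenter or from any bank; the card number is a well-known test value, the PIN, the lockout threshold of 3 failed attempts and the `PinVerifier` class are constructed assumptions.

```python
import hashlib
import hmac
from itertools import product

# Constructed sample values for this illustration (not real account data).
SAMPLE_PAN = "4111111111111111"   # widely used test card number, not a live account
SAMPLE_PIN = "7391"
LOCKOUT_AFTER = 3                 # assumed bank policy: lock after 3 failed verifications

ALL_PINS = ["".join(d) for d in product("0123456789", repeat=4)]  # the whole 10^4 space


def hash_pin(pin: str) -> str:
    """Unsalted hash of the PIN alone, the scheme the first comment rejects."""
    return hashlib.sha256(pin.encode()).hexdigest()


def hash_pin_with_pan(pin: str, pan: str) -> str:
    """Hash of card number || PIN, the scheme the second comment proposes."""
    return hashlib.sha256(f"{pan}:{pin}".encode()).hexdigest()


def recover_from_unsalted(target: str):
    """Walk the full 4-digit dictionary; returns (pin, hashes computed).
    Demonstrates the risk: an unsalted PIN hash falls to at most 10,000 hashes."""
    for n, pin in enumerate(ALL_PINS, start=1):
        if hash_pin(pin) == target:
            return pin, n
    return None, len(ALL_PINS)


def recover_with_known_pan(target: str, pan: str):
    """Same walk when the card number is stored next to the hash (the
    'colocated' case): the PAN adds no secrecy, still at most 10,000 hashes."""
    for n, pin in enumerate(ALL_PINS, start=1):
        if hash_pin_with_pan(pin, pan) == target:
            return pin, n
    return None, len(ALL_PINS)


class PinVerifier:
    """Bank-side 'is this PIN correct for this card?' oracle with a failed-attempt
    counter. The counter, not the hash, is what makes (10^4)/2 online guesses
    'surely be noticed': the card locks long before that."""

    def __init__(self, lockout_after: int = LOCKOUT_AFTER):
        self._hashes = {}      # pan -> hash(PAN || PIN)
        self._failures = {}    # pan -> consecutive failed verifications
        self.lockout_after = lockout_after

    def enroll(self, pan: str, pin: str) -> None:
        self._hashes[pan] = hash_pin_with_pan(pin, pan)
        self._failures[pan] = 0

    def verify(self, pan: str, pin: str) -> str:
        """Returns 'ok', 'no', 'locked' or 'unknown'."""
        if pan not in self._hashes:
            return "unknown"
        if self._failures[pan] >= self.lockout_after:
            return "locked"
        # constant-time comparison so response timing does not leak partial matches
        if hmac.compare_digest(self._hashes[pan], hash_pin_with_pan(pin, pan)):
            self._failures[pan] = 0
            return "ok"
        self._failures[pan] += 1
        return "locked" if self._failures[pan] >= self.lockout_after else "no"


def demo_offline_vs_online() -> dict:
    """Contrast offline recovery from a leaked hash (succeeds within 10^4 hashes)
    with online guessing against the oracle (cut off after LOCKOUT_AFTER tries)."""
    pin1, n1 = recover_from_unsalted(hash_pin(SAMPLE_PIN))
    pin2, n2 = recover_with_known_pan(hash_pin_with_pan(SAMPLE_PIN, SAMPLE_PAN), SAMPLE_PAN)
    bank = PinVerifier()
    bank.enroll(SAMPLE_PAN, SAMPLE_PIN)
    # a few wrong guesses in sequence, as an online attacker without the PIN would send
    outcomes = [bank.verify(SAMPLE_PAN, p) for p in ALL_PINS[:LOCKOUT_AFTER + 2]]
    return {
        "offline_unsalted": (pin1, n1),
        "offline_with_pan": (pin2, n2),
        "online_guesses": outcomes,
        "owner_after_lock": bank.verify(SAMPLE_PAN, SAMPLE_PIN),
    }


if __name__ == "__main__":
    for k, v in demo_offline_vs_online().items():
        print(k, v)
```

The `owner_after_lock` entry shows the cost of the defence the comment glosses over: once the counter trips, the legitimate cardholder is locked out too, which is why the issuer needs a reset path (phone verification, reissue) alongside the oracle.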

  • by phutureboy ( 70690 ) on Tuesday February 18, 2003 @01:26AM (#5323719)
    Yep.

    My dad lost his card visiting relatives about 100 miles away in Virginia and didn't even realize it. When he got home he got a call from the credit card company, who said their software flagged a $600 purchase made at Home Depot in Virginia which didn't fit his profile, and asked whether he had made it. Sure enough, he checked his wallet and his card was gone. He realized he had left it sitting on top of an ATM or something. He did not have to pay for the Home Depot purchase.

    I was impressed with how well all that worked.
  • Re:Crackers (Score:1, Informative)

    by SN74S181 ( 581549 ) on Tuesday February 18, 2003 @01:32AM (#5323734)
    No, it's not being used for that meaning.

    A Cracker is someone who is good at defeating copy protection in games. Back in the day crackers used to NOP over the passwords, the non-standard diskette reads, etc. and give us the game in a form that we could enjoy without encumbrance.

    That's what a cracker is.

    There are, of course, people trying to change the classic meaning of the word. Kind of the same as the people trying to change the meaning of the term 'hacker.'

  • Re:How would you (Score:5, Informative)

    by Spazmania ( 174582 ) on Tuesday February 18, 2003 @01:34AM (#5323739) Homepage
    You order an expensive piece of hardware to five different unoccupied houses on the other side of town. You pick up the hardware from the first one you drive by without police in front.

    At least, that's how it was done back in the day.
  • by edb ( 87448 ) on Tuesday February 18, 2003 @02:15AM (#5323876)
    The article mentioned that both VISA and MasterCard have a "zero-liability policy" so that consumers are not liable for fraudulent charges made with stolen account numbers. Well, yes and no. The federal credit law does limit the liability, but there are limitations on the limits (distance from home, etc.). Usually this is not a problem, and almost always any charge the consumer contests is credited back in full, and charged back to the merchant who made the charge.


    But what usually is ignored is that while the consumer might not have to pay, the merchant who sold the goodies does have to pay. The credit card issuer doesn't pay for fraudulent charges -- they get "charged back" to the merchant who made the charge, and the merchant pays, plus a "chargeback fee" of $15 - $50 per transaction. It's one thing for a software download to go unpaid, it's quite another for a merchant to ship actual physical goods and not get paid for them.


    Eventually the consumer does end up paying for fraudulent credit card charges, but just like insurance premiums, where any individual charges or payments might be small relative to the total public cost of the incident, you can be sure that in the aggregate the fees, interest, and other charges imposed by the credit card issuing banks will cover their losses and still make a profit, and the prices merchants have to charge for goods will, in the long run, certainly have to cover their losses and still make a profit.


    In other words, the cost of credit card fraud is shifted away from the consumer (who is innocent of any single fraudulent charge on their particular card, so of course should not be forced to pay it), and becomes instead just part of the cost of doing business for everyone on the other side of the transaction.

  • by Anonymous Coward on Tuesday February 18, 2003 @02:23AM (#5323899)
    Address verification only works in the US as far as I know. The system isn't allowed in most of Europe and Australia because of "privacy concerns" and the house numbering can cause issues. The US system works fine because most house numbers are 4 or 5 digits long in areas that have unified addressing. In most cities in Europe the house numbers start at 1 on the street and go up till the road changes name and it starts over again.
  • by linuxguy ( 98493 ) on Tuesday February 18, 2003 @03:42AM (#5324144) Homepage
    ... but the merchants that sell goods over the Internet. I used to run a mail order business. We got a lot of orders with people trying to use stolen credit cards. After a while we got really good at filtering these out. But the cost to learn the lessons was high. I can only sympathize with all the new businesses. If they think that matching the shipping/billing address and security code is enough, they are in for a rude awakening.

    At the end of the day, the entire loss from these fraudulent transactions is passed down to the retailers, when clearly the morons who are handing out the credit cards to the thieves have some responsibility to share.
  • by Anonymous Coward on Tuesday February 18, 2003 @06:49AM (#5324597)
    Since I work for one, I'll be AC for now.

    CC companies foot the bill for fraud, as long as there was no gross negligence on the part of the merchant (and some other rules). That would translate into vastly dissimilar signatures, a white dude using a black dude's card (with a photo) and so forth.

    There are several reasons why cc technology is slow to roll out. The current way liability is distributed between issuer and acquirer (you have your customer relationship to the issuer, while the merchant has their relationship to the acquirer), there is insufficient incentive to invest the billions of dollars a smart card rollout costs. There are even incentives in the system to underreport fraud. It is simply more cost effective to monitor the transactions, and use software+humans to identify fraud as early as possible. Remember, most fraud is "skimming" (copy the magstripe, put it onto a counterfeit card). Skimming will happen as long as we have a magstripe, and there is little incentive for developing nations to implement smart cards. That means that the magstripe will be around for a looong time. So, a smart card solution would only reduce the problems to an unknown degree (since the fraud would migrate across borders). The alternative is to make cards that only work in countries with interoperable smart cards.

    Simply put, there are more cost effective ways of handling fraud without alienating your customers (PIN entry is really not an option, since people forget their PIN all the time on low-usage cards)

    For online authorizations, I think the one-use cardnumber is a good solution, as well as the idea of a browser plug-in.

    Of course, I have wet dreams of biometrics. We might actually see that sometime. There will be a rollout of smart cards at SOME point, and the longer that takes, the lower the extra cost of using biometrics. We'll see.
  • Re:one way to know. (Score:4, Informative)

    by Cyberdyne ( 104305 ) on Tuesday February 18, 2003 @06:50AM (#5324598) Journal
    We talking bricks & mortar or online here? If the former, most places don't call in charges below the "floor limit". In the UK this is usually around £50 - depending on the store and the nature of the transaction. This is simply because it takes a while to do a verify even when it is all automated. Of course all online places call in every txn, because the time is less critical.

    Personally, I can't even remember the last time I bought something on CC using anything other than an EFTPOS terminal - which automatically verifies every transaction with the bank operating it, as well as keeping an internal 'hotlist' of stolen cards, updated nightly. (Done properly, the call costs somewhere around 1p - at which point, even on a 50p transaction, the 2.5% cut will cover it. The modem racks and servers will cost more, of course, but you need most of that infrastructure in place anyway...)

    Are you thinking of the "manual" verification procedures used on suspicious or very large transactions, where the store telephones the bank, who then ask you questions to confirm your identity??

    If I were the issuing bank, I'd put a 'verify' flag on the cards immediately (vendor must confirm identity directly, i.e. have you call the bank to check it's really you), and rush a replacement card out to each cardholder. That way, the cardholders are only inconvenienced for the day or two it takes to FedEx (or whatever) the new card out - yes, it's expensive to repeat this for 2.2m people, but compared to the cost of having to honor a string of dishonest transactions you can't bill the cardholder for?

  • Re:one way to know. (Score:5, Informative)

    by radish ( 98371 ) on Tuesday February 18, 2003 @07:01AM (#5324619) Homepage
    That's exactly what I'm talking about - EFTPOS. There is a myth that they clear every txn - they simply don't (I've worked in shops using them, and more recently in the financial sector). As I said, most shops (particularly large department stores and supermarkets) cannot clear the required number of txns quickly enough, so they set a limit - anything below that is just approved automatically provided the card is not on a watch list. The actual value of the limit varies by shop and by day and is secret (as knowledge of it would be useful to a fraudster).
  • Re:one way to know. (Score:4, Informative)

    by battjt ( 9342 ) on Tuesday February 18, 2003 @08:28AM (#5324871) Homepage
    I think my wife's card was part of this. She got a call from the bank last week telling her that her card was dead.

    My father runs a men's wear store. Last month sometime, he was told that any transaction that he didn't call in would result in a $50 fee.

    Joe
  • by dbitter1 ( 411864 ) <slashdot@caPLANC ... minus physicist> on Tuesday February 18, 2003 @09:38AM (#5325196)
    but it's not universal and it's pretty unreliable since there are so many different ways to format addresses and they don't always match what's in the bank database. (#10 101 1st St., 101-10 First St., 101 1st Street Suite 10, etc.)

    Actually, it isn't. The ole USPS has addressed this, and there _IS_ a standardized format. You can purchase software to "sanitize" your lists and make them match any other sanitized list. It's actually mandatory for bulk mailing rates.

    If you are a true sadist, you can read about it here [usps.com]
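The exchange above is about why a naive string comparison makes address verification unreliable and why normalising both sides first fixes it. The script below is an added illustration, not the commenter's code and not the USPS software he refers to: it reduces each of his three sample spellings to one comparable key. The abbreviation tables are a small constructed subset (the full ones are in USPS Publication 28), and the hyphenated "101-10" is treated as house 101, unit 10, as his examples assume.

```python
import re

# Constructed subsets of the USPS abbreviation tables, enough for the comment's examples.
SUFFIXES = {"STREET": "ST", "ST": "ST", "AVENUE": "AVE", "AVE": "AVE",
            "ROAD": "RD", "RD": "RD", "DRIVE": "DR", "DR": "DR"}
ORDINALS = {"FIRST": "1ST", "SECOND": "2ND", "THIRD": "3RD", "FOURTH": "4TH"}
UNIT_WORDS = {"SUITE", "STE", "APARTMENT", "APT", "UNIT"}


def normalize_address(line: str) -> tuple:
    """Reduce one street-address line to (house number, street name, suffix, unit).
    Unit designators are dropped and only the unit number kept, so '#10',
    'Suite 10' and the hyphenated '101-10' (assumed here to mean unit 10) all
    produce the same key."""
    tokens = re.sub(r"[.,]", "", line.upper()).split()
    number, unit, words = None, None, []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        hyphenated = re.fullmatch(r"(\d+)-(\d+)", tok)
        if tok.startswith("#") and len(tok) > 1:          # "#10"
            unit = tok[1:]
        elif tok == "#" and i + 1 < len(tokens):           # "# 10"
            unit = tokens[i + 1]
            i += 1
        elif number is None and hyphenated:                # "101-10"
            number, unit = hyphenated.group(1), hyphenated.group(2)
        elif number is None and tok.isdigit():             # "101"
            number = tok
        elif tok in UNIT_WORDS and i + 1 < len(tokens):    # "Suite 10"
            unit = tokens[i + 1]
            i += 1
        else:
            words.append(ORDINALS.get(tok, tok))           # "First" -> "1ST"
        i += 1
    suffix = None
    if words and words[-1] in SUFFIXES:
        suffix = SUFFIXES[words.pop()]                     # "Street" -> "ST"
    return (number, " ".join(words), suffix, unit)


def naive_match(a: str, b: str) -> bool:
    """What a simple AVS string compare does: case-insensitive equality only."""
    return a.strip().lower() == b.strip().lower()


def addresses_match(a: str, b: str) -> bool:
    """Compare after normalisation."""
    return normalize_address(a) == normalize_address(b)


def compare(a: str, b: str) -> dict:
    """Both verdicts side by side, so the difference is visible on one pair."""
    return {"naive": naive_match(a, b), "normalized": addresses_match(a, b)}


if __name__ == "__main__":
    # the commenter's three spellings of one address (constructed sample input)
    samples = ["#10 101 1st St.", "101-10 First St.", "101 1st Street Suite 10"]
    for s in samples:
        print(repr(s), "->", normalize_address(s))
    print(compare(samples[0], samples[2]))
```

A real deployment would pull the full suffix, directional and unit tables rather than these stubs, but the structure is the same: canonicalise first, then compare, and never treat a mismatch on raw strings as evidence of fraud.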
