Cracker Gains Access to 2.2 Million Credit Cards 540
Doctor Sbaitso writes "CNN reports that a hacker bypassed the security system of a company that processes credit card transactions and gained access to approximately 2.2 million Visa and MasterCard credit cards. Fortunately, none of them seem to have been used fraudulently."
Re:We should be moderately safe (Score:1, Informative)
Re:oops, missed the credibility express (Score:5, Informative)
Im sure they have prety good mertrics on what normal background fraud is. I doubt the statement means that each and every account has been hand checked, but just that that block of accounts dosent have a abnormal rate of fraud.
As others have pointed out it dosent realy matter for card holders, but its like any theft from a big company. (shoplifting, insurance fraud, etc) Eventualy it trickles down to the consumer...
The best answer I've seen .... (Score:5, Informative)
From their website, you can generate a random valid card number (tied to your real card of course) which is good for one and only one transaction.
Works pretty well for me so far...
But of course if your system has been hax0r3d with a trojan keylogger or something of the sort, the fraudmeister could login in as you and generate all the "one time" cards they wanted.
But still - a pretty good solution so far - IMHO
Re:OUch (Score:5, Informative)
Re:PIN numbers? (Score:4, Informative)
Even if you used one-way hashing, it'd still be weak, because with a typical 4-digit pin there aren't that many combinations -- so the hashes wouldn't be secure. So, since the hashes and the numbers would likely be colocated, it wouldn't add that much unless you made people use really long PINs or seriously modified credit card hardware to allow other inputs besides digits.
Re:What? (Score:3, Informative)
Cracker...
Get it?
Eh.
Re:It's probably a matter of time... (Score:4, Informative)
Hello?? (Score:3, Informative)
Re:PIN numbers? (Score:2, Informative)
Re:PIN numbers? (Score:1, Informative)
Problem is that this requires some sort of protocol: bank has to keep a secure central repository of PINs for each CC number issued and you need a protocol to query "is this PIN correct for this CC?" Bank would respond "yes" or "no." Needs some sort of secure channel to ensure hashes aren't intercepted mid-stream (x509 would serve nicely for this). Hopefully merchant won't store the PIN or hash, but that's too much to hope for.
Possible, but ain't gonna happen.
Re:We should be moderately safe (Score:5, Informative)
My dad lost his card visiting relatives about 100 miles away in Virginia and didn't even realize it. When he got home he got a call from the credit card company, who said their software flagged a $600 purchase made at Home Depot in Virginia which didn't fit his profile, and asked whether he had made it. Sure enough, he checked his wallet and his card was gone. He realized he had left it sitting on top of an ATM or something. He did not have to pay for the Home Depot purchase.
I was impressed with how well all that worked.
Re:Crackers (Score:1, Informative)
A Cracker is someone who is good at defeating copy protection in games. Back in the day crackers used to NOP over the passwords, the non-standard diskette reads, etc. and give us the game in a form that we could enjoy without encumberment.
That's what a cracker is.
There are, of course, people trying to change the classic meaning of the word. Kind of the same as the people trying to change the meaning of the term 'hacker.'
Re:How would you (Score:5, Informative)
At least, that's how it was done back in the day.
Consumers are protected from fraud? (Score:4, Informative)
But what usually is ignored is that while the consumer might not have to pay, the merchant who sold the goodies does have to pay. The credit card issuer doesn't pay for fraudulent charges -- they get "charged back" to the merchant who made the charge, and the merchant pays, plus a "chargeback fee" of $15 - $50 per transaction. It's one thing for a software download to go unpaid, it's quite another for a merchant to ship actual physical goods and not get paid for them.
Eventually the consumer does end up paying for fraudulent credit card charges, but just like insurance premiums, where any individual charges or payments might be small relative to the total public cost of the incident, you can be sure that in the aggregate the fees, interest, and other charges imposed by the credit card issuing banks will cover their losses and still make a profit, and the prices merchants have to charge for goods will, in the long run, certainly have to cover their losses and still make a profit.
In other words, the cost of credit card fraud is shifted away from the consumer (who is innocent of any single fraudulent charge on their particular card, so of course should not be forced to pay it), and becomes instead just part of the cost of doing business for everyone on the other side of the transaction.
Re:Credit Card Identification Code (Score:1, Informative)
The victim is not as much the consumer or the bank (Score:2, Informative)
At the end of the day, the entire loss from these fraudulent transactions is passed down to the retailers, when clearly the morons who are handing out the credit cards to the thiefs have some responsibility to share.
CC companies DO foot the bill for fraud. (Score:3, Informative)
CC companies foot the bill for fraud, as long as there was no gross negiligence on the part of the merchant (and some other rules). That would translate into vastly dissimilar signatures, a white dude using a black dude's card (with a photo) and so forth.
There are several reasons why cc technology is slow to roll out. The current way liability is distributed between issuer and acquirer (you have your customer relationship to the issuer, while the merchant has their relationship to the acquirer), there is insufficient incentive to invest the billions of dollars a smart card rollout costs. There are even incentives in the system to underreport fraud. It is simply more cost effective to monitor the transactions, and use software+humans to identify fraud as early as possible. Remember, most fraud is "skimming" (copy the magstripe, put it onto a counterfeit card). Skimming will happen as long as we have a magstripe, and there is little incentive for developing nations to implement smart cards. That means that the magstripe will be around for a looong time. So, a smart card solution would only reduce the problems to an unknown degree (since the fraud would migrate across borders). The alternative is to make cards that only work in countries with interoperable smart cards.
Simply put, there are more cost effective ways of handling fraud without alienating your customers (PIN entry is really not an option, since people forget their PIN all the time on low-usage cards)
For online authorizations, I think the one-use cardnumber is a good solution, as well as the idea of a browser plug-in.
Of course, I have wet dreams of biometrics. We might actually see that sometime. There will be a rollout of smart cards at SOME point, and the longer that takes, the lower the extra cost of using biometrics. We'll see.
Re:one way to know. (Score:4, Informative)
Personally, I can't even remember the last time I bought something on CC using anything other than an EFTPOS terminal - which automatically verifies every transaction with the bank operating it, as well as keeping an internal 'hotlist' of stolen cards, updated nightly. (Done properly, the call costs somewhere around 1p - at which point, even on a 50p transaction, the 2.5% cut will cover it. The modem racks and servers will cost more, of course, but you need most of that infrastructure in place anyway...)
Are you thinking of the "manual" verification procedures used on suspicious or very large transactions, where the store telephones the bank, who then ask you questions to confirm your identity??
If I were the issuing bank, I'd put a 'verify' flag on the cards immediately (vendor must confirm identity directly, i.e. have you call the bank to check it's really you), and rush a replacement card out to each cardholder. That way, the cardholders are only inconvenienced for the day or two it takes to FedEx (or whatever) the new card out - yes, it's expensive to repeat this for 2.2m people, but compared to the cost of having to honor a string of dishonest transactions you can't bill the cardholder for?
Re:one way to know. (Score:5, Informative)
Re:one way to know. (Score:4, Informative)
My father runs a men's wear store. Last month sometime, he was told that any transaction that he didn't call in would result in a $50 fee.
Joe
Re:Credit card security is a joke (Score:2, Informative)
Actually, it isnt. The ole USPS has addressed this, and there _IS_ a standardized format. You can purchase software to "sanitize" your lists and make them match any other sanitized list. It's actually mandatory for bulk mailing rates.
If you are a true sadist, you can read about it here [usps.com]