Cracker Gains Access to 2.2 Million Credit Cards
Doctor Sbaitso writes "CNN reports that a hacker bypassed the security system of a company that processes credit card transactions and gained access to approximately 2.2 million Visa and MasterCard credit cards. Fortunately, none of them seem to have been used fraudulently."
I think not. (Score:3, Insightful)
And how exactly do they know that all 2.2 million credit card #'s haven't been used fraudulently? I'm sure that there are at least a small percent of any given set of 2.2 million credit card #'s that are used fraudulently.
oops, missed the credibility express (Score:4, Insightful)
Uh, yeah, because it's so easy to verify that two MILLION credit card numbers haven't been used fraudulently.
I mean, come on, just through coincidence I'm sure some of the physical cards themselves have been stolen recently and used fraudulently.
Is there a name? (Score:2, Insightful)
How do they know? (Score:5, Insightful)
Sure, their owners might not have reported any fraudulent use yet (and the card issuers themselves may not have spotted any) but all it takes is for this hacker/cracker to have made one copy of the records which he then disseminated to one or more friends for a problem to occur.
At the very least, the owners of the system that was broken into should be contacting their customers to let them know that there is a small but real risk that their cards numbers might be out there and that they should double check their statements for any unusual items.
But, given that most companies would see something as proactive as this as marketing suicide (rather than use it to enforce the fact that they do everything to protect the security of their customers), I doubt that they will be so bold.
I wish mine were stolen... (Score:5, Insightful)
Hell, I've had 3 fraudulent transactions and only own 3 credit cards and two debit cards.
One thing I've noticed is that my card company seems good at stopping me from spending when they think I'm fraudulent. Just put 7 currencies on your card in as many days and alarm bells seem to ring somewhere.... but catching real thieves is a little too tricky
Ouch (Score:5, Insightful)
Citizens Bank, a financial institution serving the Northeast, shut down the accounts of 8,800 customers whose card numbers had been accessed after being notified by MasterCard on Friday, bank spokeswoman Pamela Crawley said. All of those accounts were safe, she said.
I'll bet those people are just *thrilled* to have their accounts locked out. How many people are going to find their card mysteriously declined when doing their weekly grocery shop then ? I'm betting the bank hasn't made 8,800 phone calls to explain their position.
Hell of a way for VISA/MC to limit their liability - just cancel their cards ??
Re:Thus Far (Score:3, Insightful)
Oh, yes. It doesn't look good for them, and it looks REALLY bad for the issuing banks, if nothing is done about it. But I still think that at least some people are going to be filing disputes on bad charges because of this.
Read the article (Score:0, Insightful)
It's better to troll than karma-whore. It's better to troll than do ANYTHING, in fact.
When will they learn? (Score:2, Insightful)
The lack of authentication is the biggest problem with it. And no, the PVV is not good enough for authentication either; it's also printed on the card, and some online stores require that number but store it with the CC# anyway.
I'm sure the banks have a huge amount of fraud on cards and eventually these costs get passed on to the customers.
Debit cards with PINs / Smartcards are the way to go.
Taking a stand on the terminology... (Score:2, Insightful)
We need to make it clear to the journalists what the differences are between a 'hacker' and a 'cracker'. I think we have the potential to make a difference; there just isn't any reason for the mangling of the word 'hacker' to go on any longer.
It should be a good word - not to be confused with those who pilfer databases for the hell of it.
Re:It's probably a matter of time... (Score:5, Insightful)
Re:Taking a stand on the terminology... (Score:3, Insightful)
Re:It's probably a matter of time... (Score:2, Insightful)
Re:PIN numbers? (Score:5, Insightful)
Can anybody explain to me why credit cards don't have PIN numbers like my ATM card does? Wouldn't this stop a tremendous amount of fraud?
No, because the PINs would probably be stored in the same insecure manner that the other credit card information was. This is why PINs in general and/or 3 digit auth codes will be ineffective. What's needed here is better site security, not better credit card security.
All someone needs is someone's card number and expiration date and they can do whatever they want.
Kinda... You can actually specify any date in the future and the transaction will validate (if you use a system like Cybercash or Authorize.Net). If, however, you have a human on the other side who checks the entered credit card information against what they get from the credit card company, then that human can manually disallow the transaction.
Unfortunately, the only real way to secure information is to store it in an encrypted form such that the key needed to decrypt the information is physically separated from the machine which contains the data. However, many websites currently use the "key under the doormat" approach to security, which in theory is no better than storing the data unencrypted and hoping that no one hacks into the system and sees it.
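As an added illustration of the key-separation approach the comment above describes (this is not code from the thread; the KeyServer type, its Wrap/Unwrap operations and the Record layout are assumptions), each card number is encrypted under its own data key, and only that data key, never the card number, is wrapped under a key-encryption key that exists solely on the separate key server:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Added illustration, not thread code: the KEK lives only in KeyServer, a separate host.
func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // every key here is 32 bytes, so failure means a bug
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // AES block size is always GCM-compatible
	return gcm
}

// seal prepends a fresh random nonce to the AES-256-GCM ciphertext; open expects that layout.
func seal(key, plaintext []byte) []byte {
	gcm := aead(key)
	nonce := mustRandom(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

func open(key, sealed []byte) ([]byte, error) {
	gcm := aead(key)
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// KeyServer is the separate host; wrapping and unwrapping data keys is all it ever does.
type KeyServer struct{ kek []byte }
func NewKeyServer() *KeyServer                       { return &KeyServer{kek: mustRandom(32)} }
func (s *KeyServer) Wrap(dk []byte) []byte           { return seal(s.kek, dk) }
func (s *KeyServer) Unwrap(w []byte) ([]byte, error) { return open(s.kek, w) }

// Record is everything the database host stores for one card number: useless without the KEK.
type Record struct{ Ciphertext, WrappedKey []byte }
// Store encrypts the number under a fresh per-record data key and has the key server wrap it.
func Store(ks *KeyServer, pan string) Record {
	dk := mustRandom(32)
	return Record{Ciphertext: seal(dk, []byte(pan)), WrappedKey: ks.Wrap(dk)}
}

// Load cannot succeed without the key server, which is the point of the design.
func Load(ks *KeyServer, r Record) (string, error) {
	dk, err := ks.Unwrap(r.WrappedKey)
	if err != nil {
		return "", err
	}
	pt, err := open(dk, r.Ciphertext)
	return string(pt), err
}
```

A dump of the database yields only ciphertext and wrapped keys; the "key under the doormat" failure is putting the KEK on the same host as the records.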
Re:It's probably a matter of time... (Score:3, Insightful)
How would you (Score:3, Insightful)
Of'course they haven't been used fraudulently... (Score:2, Insightful)
All he needed to do to legally use a credit-card is swipe it into a machine or type in the number and presto!
Doesn't it make anyone wonder why nobody needs to present any form of identification when using a credit-card?
No Encryption? (Score:2, Insightful)
You encrypt the number like crazy when it's traveling to your server. You protect it with all the firewalls and whatnot you can muster. You limit who has legitimate access to it. And you don't encrypt it when it's stored on the server?
I don't get it. Passwords are stored encrypted. Why not credit cards?
For all the time I've spent reassuring my parents that it's okay to pay for things on the Internet because the encryption is impossible to break, things like this make me really nervous. I think we need legislation requiring all company databases that store credit cards to store them encrypted.
That way, if someone does break the encryption and get our credit card numbers, at least we can prosecute them under the DMCA!
Re:When will they learn? (Score:3, Insightful)
Your liability if someone steals and uses your debit card and it's provably your fault: every cent in your checking account, every cent in your linked savings, CD, brokerage accounts, and as many overdraw fees as your bank can stick you with.
Re:"Cracker Gains Access to 2.2 PIN NUMBERS" (Score:3, Insightful)
I'm pretty sure the machine knows it too (however briefly as it checks with the bank's servers)
However, retail websites wouldn't have to store your PIN, just authorize you briefly. That makes discovering PINs from 3rd parties impossible. You'd have to crack the credit card company, and that's the most 'logical' party to trust with the data that you need to use the account.
I agree with the parent post
one way to know. (Score:3, Insightful)
Crappy journalism (Score:3, Insightful)
Also, I love "Both card companies have zero-liability policies, which protect cardholders from being held responsible for unauthorized or fraudulent charges" -- as if they're so generous. For one thing, I think that "policy" is required by federal law, and if not it would be legally insane (and unenforceable) to hold subscribers liable for 3rd party mistakes. An interesting Q might be how long you could wait or fail to notice an ongoing fraudulent use of the card, assuming it didn't get maxed out within minutes.
Anyway, look for more probing articles. I'd like to know what *other* sensitive information might have been accessible? Wouldn't a list of social security numbers be nice? How'd you like to have to go get that number changed? I assume (hope, pray) SSN's weren't stored in the same sloppy way as these CC #'s, but it's perfectly possible at some other institution.
Re:PIN numbers? (Score:4, Insightful)
I don't think there's any reason to store the 3 digit number in a database. It's only used during transaction approval. I can see why merchants store account numbers, to keep records of transactions and such (though it's just lazy and insecure the way they manage that data sometimes). There really is no need to add a field in their databases for the extra 3 digits, since the account number already serves its purpose, and is guaranteed to be unique.
Of course, then the problem is not every merchant verifies the 3 digit code, so a thief doesn't even need it for some transactions. It is in the merchants' best interests to use the code, however, since the merchants foot the bill in fraud claims.
It's still not the greatest system, but it has some potential to curb fraud. Needs refining, but it's better than nothing.
Credit card security is a joke (Score:5, Insightful)
Here are a few things I'd like to see in the credit card infrastructure.
Some of these things would be a major overhaul. Some of them wouldn't. But any of them has to be doable for a lot less money than the credit industry claims it loses to fraud every year. I cannot comprehend why they don't do some of these things.
Re:How do they know? (Score:3, Insightful)
Check your statement, dispute if you get anything that doesn't match your records/receipts.
It's like saying I don't trust my grocery store. There really isn't that much trust that's needed.
Re:I think not. (Score:3, Insightful)
Whether that money is going to be there when the bill arrives or not is the rub. The credit card companies love that part. The whole point for them is to trick you into spending money you won't have for a long time... hence generating billions of dollars in interest and fees from stupid consumers (like me).
Re:I think not. (Score:3, Insightful)
They'd much rather have that than the risk that you'll NEVER give back the money. Especially since the only thing they can really do if you don't pay is ask again and again if you'll please pay.
You don't need to know! (Score:3, Insightful)
Re:PIN numbers? (Score:2, Insightful)
Re:Yet.... (Score:3, Insightful)
It will be the merchant who gets hosed. Those 5 million cards will be used to stiff merchants across the world. And when it comes to credit card fraud the merchant always gets the short stick.
To add insult to injury, if a merchant gets a chargeback rate of more than 1%, Visa/MC has the right to start charging the merchant up to $10000/mo for 'research fees', that is if they don't drop the merchant entirely (and thereby put them out of business -- a not uncommon event for smaller businesses).
No cards used fraudulently? (Score:2, Insightful)
Heh. I haven't read all the posts on this article yet, but I'm sure I'm not the only one that's thinking about this "coincidence" ...
Starting at the beginning of the month, and every 4 days since then, someone has been using my friend's Visa card to buy Calcium Pills and have them shipped to his house. This is the first time this has ever happened to him.
The people made 3 orders using two different email addresses. When the first orders arrived at the door, he called the Bank and had them put a stop on his card. There were two more attempts made, and the email addresses where the orders originated (at least the order confirmations weren't bounced back) were then delivered to the police, and our district attorney's office. We have yet to hear from anyone on the matter.
Whether this has anything to do with what has happened is beyond me, but it's a little interesting that this happened at the same time.
It was not a gateway (Score:2, Insightful)
We use a randomly generated code specific to each transaction, user, time, and credit card that only our bank (in theory) can track back to an actual credit card. We don't know and therefore don't have any of our customer's credit cards.
I'm Sacrificing +2 Karma To Say This.... (Score:2, Insightful)
How is it that a credit card company can determine (within hours!) that not a single one out of their 2+ MILLION accounts has been tampered with, but yet, it takes them like 3 months to resolve a single dispute over an unauthorized charge to *my* account?
I used to have a pretty good bullshit detector.... Until this Timmy-riffic article came along and broke the fucking needle off, that is.
Your grandma's card at the supermart got taken (Score:3, Insightful)
The number of cards is too large for any gateway IMHO. I will bet money that a private processor network got hacked, or the central database for said network, i.e., ECHO, EFS or something on that scale.
These networks are used for dialup and leased line access for authorizations. This means your grandmother's card used at the grocery store could now be in the hand of a hax0r.
Reuters is reporting 5 million cards [forbes.com].
Re:So....Speedy delivery. (Score:1, Insightful)
An interesting mental exercise (BTW do you crack DirectTV cards?), but the majority of credit card transactions are electronic in nature (yes that includes mail order[1], and web sites). Anyone submitting such a number would be refused, and redflagged. Remember it's not only crime that can move at the speed of light.
[1] Yes, I used to handle both.
Re:I think not. (Score:3, Insightful)
Simpler, more secure way (Score:2, Insightful)
I would like to see it overhauled too. However, I'd prefer to see credit cards that use strong cryptography. These days, we have the proper algorithms pretty much worked out, and we have enough very cheap computing devices available to do it.
Basically, crypto allows you do two helpful things with a good degree of certainty:
Now, the fundamental problem with credit card transactions these days is that, although signatures and photo IDs are used peripherally, fundamentally they are based on the idea (just like social security numbers) that they will be kept secret, because knowing the number allows you to exercise the privileges that come with holding the account. But there is no way to use the account other than to give away the secret. And worse, you either seriously restrict your buying or you end up giving the secret away to people who you can't really trust and who have no big incentive to protect the secret. And even those who you legitimately want to have the secret (your insurance company) can screw up and overcharge, because they have the power (if not the legal right) to charge your account any amount any number of times once they have the secret.
Cryptography can basically eliminate all those problems.
Here's how I envision a future credit card transaction working:
There would be some drawbacks (big effort to change over, etc.), but the following benefits would, I think, outweigh them:
OK, I could go on, but basically the situation right now is that the system is horribly insecure, and we're relying on legal penalties to try and prevent fraud. But, with strong cryptography, we have the capability to do a million times better, and it really wouldn't be all that inconvenient. And the scary part is, a working prototype of this system can be built in maybe 24 hours using Perl and GPG or similar.
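The signed-transaction idea in the post above, sketched as an added example; this is not the poster's design or any real payment protocol, and the Authorization fields (merchant, amount in cents, one-time nonce) and the Card/Issuer roles are assumptions. The card signs a statement naming the merchant and amount, so the merchant never receives anything reusable, and the issuer refuses altered or replayed approvals:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
)

// Added sketch of the post's idea, not the poster's design or a real payment protocol: the
// card signs each purchase, so merchant and issuer see only signatures and a public key.
// Authorization is the statement the card signs: this merchant, this amount, once.
type Authorization struct {
	Merchant string
	Cents    uint64
	Nonce    [16]byte
}

// encode serialises with a length prefix so two different authorizations never collide.
func (a Authorization) encode() []byte {
	m := len(a.Merchant)
	buf := make([]byte, 4+m+8+16)
	binary.BigEndian.PutUint32(buf, uint32(m))
	copy(buf[4:], a.Merchant)
	binary.BigEndian.PutUint64(buf[4+m:], a.Cents)
	copy(buf[4+m+8:], a.Nonce[:])
	return buf
}

// Card holds the private key; nothing but signatures ever leaves it.
type Card struct{ priv ed25519.PrivateKey }

// NewCard returns the card and the public key the issuer keeps on file for the account.
func NewCard() (Card, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Card{priv: priv}, pub
}

// Authorize produces a single-use approval bound to one merchant and one amount.
func (c Card) Authorize(merchant string, cents uint64) (Authorization, []byte) {
	a := Authorization{Merchant: merchant, Cents: cents}
	if _, err := rand.Read(a.Nonce[:]); err != nil {
		panic(err)
	}
	return a, ed25519.Sign(c.priv, a.encode())
}

// Issuer remembers which nonces it has settled so an approval cannot be charged twice.
type Issuer struct{ seen map[[16]byte]bool }
func NewIssuer() *Issuer { return &Issuer{seen: map[[16]byte]bool{}} }

// Settle checks the merchant's submission against the account's public key on file.
func (i *Issuer) Settle(pub ed25519.PublicKey, a Authorization, sig []byte) error {
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, a.encode(), sig) {
		return errors.New("signature does not cover this merchant and amount")
	}
	if i.seen[a.Nonce] {
		return errors.New("authorization already used")
	}
	i.seen[a.Nonce] = true
	return nil
}
```

Nothing in a merchant's database, or on a receipt, lets anyone mint a new approval, which is the property the post is after.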
Dmn Credit Cards (Score:2, Insightful)
---
Why is it that programmers always confuse Halloween with Christmas?
Because 31 OCT = 25 DEC.
Re:Credit card security is a joke (Score:3, Insightful)
banks losing billions a year to fraud...
Banks don't lose out - they merely do a chargeback to the merchant, and unless they can prove the transaction was authorised they are the ones that lose the money. Since most fraud is mail-order or uses signatures clearly nothing like the one on the card, 99% of the time they lose out.
Gareth
No, Seriously, it's better if we don't know who... (Score:3, Insightful)
A third party processor could be, for example, Authorize.net, Verisign, Card Service Intl, or any of the other Payment Gateways, I believe.
I know it sucks that we can't find out which third party processor it is, so we can all stop using them, but I'll take the unpopular position that it's a good idea to not have that information disclosed to the public.
The bad publicity from a mess like this could put a struggling company out of business when everyone stops using them. Do they deserve to go out of business? Sure, but that's not the point.
If a company discovers someone has hacked into one of their servers with access to a database full of credit card numbers, and they know that notifying Visa, MasterCard, and the FBI is going to put them out of business with bad publicity, how many companies are going to report it?
They could rationalize that while there is evidence the server was cracked, there is no proof that someone actually downloaded credit card numbers from the server. Maybe it was a worm that just infected the server and tried to find more vulnerable servers, and did nothing more. Or maybe they were just setting up an ftp server for their mp3 collection.
Is it worth publicly releasing this information that right now only 3 people in the company know about, and all but guarantee they will go out of business? Or should they just rebuild the server, fix the problem, and hope that no credit card numbers were stolen, and if they were, that they don't get traced back to you if they are used fraudulently?
Personally, I was in that situation two years ago, and we opted to just rebuild the server and hope that the 10,000 credit card numbers sitting on the cracked server were never found. Was it the right thing to do? No. Was it illegal? Hard to say. But the negative impact to the company could have been devastating, so we decided to report nothing. We never heard about any of the credit cards being used fraudulently, which wasn't surprising, and we went out of business a year later anyway, which also wasn't surprising.
So my point is, if companies that get cracked can report it without having to go public, Visa and MasterCard would probably be able to stop a lot more fraud before it happens. I would guess the vast majority of known server compromises go unreported now because companies are afraid to come forward and tarnish their name.
Put away your tinfoil hat (Score:4, Insightful)
They're not "profiling your consumption," because it's not your money you're spending - it's theirs. Until you pay your bill, you've spent THEIR money, and they thus have every right to track what you buy and protect their money from being spent fraudulently.
If someone steals your card and charges up $10K, who do you think gets stuck with the loss? Certainly not you! So if you want them to stop watching what you buy, I'd suggest you agree to be liable for any and all fraudulent charges, without limitation.
Take a Valium, you paranoid, X-File watching, crop-circle worshipping, black-helicopter-fearing freedom-junkie. If you're so scared of it, then cut up your credit card and pay for everything with cash.
On a side note, is anyone else a little worried about how it is presently impossible to live without a bank? In Canada, stores are not obligated to accept cash. That surprised me. It seems to me that cash should be the one thing stores should not be allowed to decline. If I choose to pay for my gas with cash, I should be allowed - but that right is not guaranteed in Canada. Think about all the bills you pay in a month. How many of them could be paid with cash? My car payment comes out of my bank account. So does my mortgage. None of my utilities accept cash; cheque or automatic withdrawal only (i.e., bank account required). Is it possible to carry on a normal life without a bank account in present day?
Die, credit cards (Score:4, Insightful)
I think the moral of the story is that CCs are *really* bad from an authentication point of view. For chrissake, the *number* is enough to let you bypass the thing.
A replacement (probably public key/smartcard) system would be a *much* better idea -- you'd have to physically steal a card to abuse it. No more grabbing a database or a receipt and having free rein.
There are only two drawbacks to this: first, there's a *huge* installed base of CC users and support, and second, anyone instituting it (VISA, whatever) is going to have to overcome temptation to try charging percentages of transactions (the reason we don't have e-cash now is because of overly greedy financial services companies who couldn't manage this).
OTOH (Score:4, Insightful)
Credit cards work both ways. Be intelligent, and they will be an asset. Be stupid, and they will be a liability.