Security

Cracker Gains Access to 2.2 Million Credit Cards 540

Doctor Sbaitso writes "CNN reports that a hacker bypassed the security system of a company that processes credit card transactions and gained access to approximately 2.2 million Visa and MasterCard credit cards. Fortunately, none of them seem to have been used fraudulently."
  • Yet.... (Score:5, Interesting)

    by Neck_of_the_Woods ( 305788 ) on Tuesday February 18, 2003 @12:08AM (#5323396) Journal

    2.2 million...it will be interesting to see what happens when whoever did this starts to sell them in bulk. Who is going to be responsible? The Credit Card companies or the site that got hosed?

    Should prove interesting as these numbers start getting used. 2.2 is a little large of a block to just re-issue.

  • So.... (Score:3, Interesting)

    by Anonymous Coward on Tuesday February 18, 2003 @12:12AM (#5323423)
    Let's say this cracker e-mails off these credit card numbers to everyone in the world (those lists of e-mail addresses are only $20, ya' know), can you imagine the offices of Visa and Mastercard?

    Actually, things probably wouldn't be that bad.

    Who in their right mind would use credit card numbers fraudulently on such a high-profile case? Surely jail time or fines would ensue, and that alone would keep most Americans from jumping to use the numbers.

    Then again, there is the chance that many Americans would use those numbers. How about a program that automatically used those numbers to make fraudulent purchases? It would take weeks or months just to sort out bills. Would Visa and Mastercard even be able to handle that amount of traffic? No, something like this could destroy these two companies; it would be almost impossible for them to handle.
  • by kruetz ( 642175 ) on Tuesday February 18, 2003 @12:13AM (#5323426) Journal
    Remember, credit card companies use neural networks to analyse transactions and decide whether or not they may be faulty, and the success-rate of these babies is higher than you may suspect (okay, I don't have a web-link, I read it in a pop-sci book on maths, biology and AI). So you may be short a few dollars, which isn't good (don't get me wrong), but unless you normally spend $hitload$ of money, they won't be able to buy a Ferrari or anything (mind you, if they only took a few cents from each credit card account, they COULD buy a Ferrari ...)
  • Which processor? (Score:5, Interesting)

    by murphj ( 321112 ) on Tuesday February 18, 2003 @12:20AM (#5323461) Homepage
    Nice informative article. No mention of which credit card processor this was. It'd be nice to know if it's one that one of my clients uses. Anyone know the identity of the victim?
  • PIN numbers? (Score:5, Interesting)

    by one9nine ( 526521 ) on Tuesday February 18, 2003 @12:21AM (#5323463) Journal
    Can anybody explain to me why credit cards don't have PIN numbers like my ATM card does? Wouldn't this stop a tremendous amount of fraud? All someone needs is someone's card number and expiration date and they can do whatever they want.

    I do notice that sometimes, very rarely though, that sites will ask for that extra three digit code on the back of the card, to verify that you do in fact have the card in your hand. This is the same concept as a PIN and I don't see why more web sites aren't doing it. It's not like they have to completely revamp their way of accepting credit cards, it should be a very simple fix.

    Makes me want to go back to barter. Do you think ThinkGeek would accept two dead chickens and a half wheel of gouda for one of those mini tanks with the camera?

  • by Anonymous Coward on Tuesday February 18, 2003 @12:22AM (#5323471)
    this report says 5 million cards

    http://www.forbes.com/markets/newswire/2003/02/17/rtr881826.html
  • Re:How do they know? (Score:5, Interesting)

    by thatguywhoiam ( 524290 ) on Tuesday February 18, 2003 @12:28AM (#5323490)
    With 2.2 million credit card numbers to check, how do they know that the cards haven't been compromised?

    Of course, they don't know. They won't know for a while. But the answer is Nothing Stolen, and the answer will always be Nothing Stolen.

    Credit card companies are like insurance companies, it's all about playing the odds, and statistics, and consumer behavioural models. Personally, I stopped trusting them a long time ago. While the public meme is that credit card theft is on the rise due to Internet transactions, I really wonder sometimes. As seen with other examples, the Internet is actually becoming an invaluable tool for revealing nefarious activity (patterns of activity, that is) that would have been otherwise obfuscated by natural physical barriers. The media are hardly reliably objective in this sense.

  • Re:PIN numbers? (Score:4, Interesting)

    by Zaffle ( 13798 ) on Tuesday February 18, 2003 @12:29AM (#5323495) Homepage Journal
    In New Zealand, you can get a PIN number for your card, but this number is only used at EFTPOS (Electronic Funds Transfer at Point Of Sale) systems (where you swipe your card at the store). If you use the ol' fashioned card imprint thingy, or if you use it online, the PIN don't mean diddly.
    As for the CSV (the num at the back of the card), a number of clearing houses use it. It's not *supposed* to be stored by the clearing house/site, but who's to say.

    PIN #'s do stop fraud occurring over the counter, but not mail-ordering, web-site. Actually, it doesn't even stop over the counter, since all you need to do is wipe your card with a magnet and demand they do your card the old way, stating it works in every other store. (Most stores will relent if you pressure them).
  • by C0LDFusion ( 541865 ) on Tuesday February 18, 2003 @12:40AM (#5323545) Journal
    CC companies are constantly scanning their databases for "weird" purchases. Like buying gas in NYC at the same time as buying a DVD player in SF.

    My dad and stepmom have a shared CC#. Last month, my dad went to San Diego on business, and she stayed home. If she went to Giant at the same time he was getting his rental car gassed up, that'd suck if they termed the card.
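The "gas in NYC, DVD player in SF" screen the post describes is an impossible-travel check. The Go program below is an added example (not from the post or from any card issuer's system): it groups authorizations by card, orders them in time, and flags consecutive pairs whose implied speed exceeds a threshold. The transaction feed, merchant coordinates and the 900 km/h / 50 km thresholds are all constructed for the demonstration. The second card in the sample reproduces the shared-card case the post worries about, where two legitimate cardholders produce the same signal as fraud; that is why a rule like this is a trigger for review or a phone call, not a reason to cancel the card outright.

```go
package main

import (
	"fmt"
	"math"
	"sort"
	"time"
)

// Txn is one authorization as a fraud screen might see it. The merchant
// coordinates are assumed to come from the acquirer's merchant data.
type Txn struct {
	Card     string
	When     time.Time
	Merchant string
	Lat, Lon float64
}

// Alert names a pair of consecutive transactions on one card that would have
// required travelling faster than the allowed speed.
type Alert struct {
	Card      string
	From, To  string
	Km, Hours float64
	Kmh       float64
}

// haversineKm returns the great-circle distance between two points.
func haversineKm(lat1, lon1, lat2, lon2 float64) float64 {
	const r = 6371.0
	toRad := func(d float64) float64 { return d * math.Pi / 180 }
	dLat := toRad(lat2 - lat1)
	dLon := toRad(lon2 - lon1)
	a := math.Sin(dLat/2)*math.Sin(dLat/2) +
		math.Cos(toRad(lat1))*math.Cos(toRad(lat2))*math.Sin(dLon/2)*math.Sin(dLon/2)
	return 2 * r * math.Asin(math.Sqrt(a))
}

// ImpossibleTravel sorts each card's transactions by time and flags any
// consecutive pair whose implied speed exceeds maxKmh. Pairs closer than
// minKm are never flagged, so two shops across town used in the same minute
// (a zero time gap) do not trip the check.
func ImpossibleTravel(txns []Txn, maxKmh, minKm float64) []Alert {
	byCard := map[string][]Txn{}
	for _, t := range txns {
		byCard[t.Card] = append(byCard[t.Card], t)
	}
	cards := make([]string, 0, len(byCard))
	for c := range byCard {
		cards = append(cards, c)
	}
	sort.Strings(cards) // deterministic output order
	var alerts []Alert
	for _, c := range cards {
		list := byCard[c]
		sort.Slice(list, func(i, j int) bool { return list[i].When.Before(list[j].When) })
		for i := 1; i < len(list); i++ {
			prev, cur := list[i-1], list[i]
			km := haversineKm(prev.Lat, prev.Lon, cur.Lat, cur.Lon)
			if km < minKm {
				continue
			}
			hours := cur.When.Sub(prev.When).Hours()
			kmh := math.Inf(1) // identical timestamps: treat as infinitely fast
			if hours > 0 {
				kmh = km / hours
			}
			if kmh > maxKmh {
				alerts = append(alerts, Alert{Card: c, From: prev.Merchant, To: cur.Merchant, Km: km, Hours: hours, Kmh: kmh})
			}
		}
	}
	return alerts
}

// SampleTxns is a constructed feed mirroring the thread's examples: gas in NYC
// and a DVD player in SF half an hour apart on one card, and a shared card used
// in San Diego and at a supermarket back home (Maryland) within the same hour.
func SampleTxns() []Txn {
	t := func(h, m int) time.Time { return time.Date(2003, time.February, 17, h, m, 0, 0, time.UTC) }
	return []Txn{
		{"card-A", t(12, 0), "gas station, NYC", 40.71, -74.01},
		{"card-A", t(12, 30), "electronics store, SF", 37.77, -122.42},
		{"card-A", t(18, 0), "restaurant, SF", 37.79, -122.40},
		{"card-B", t(9, 0), "rental car fuel, San Diego", 32.72, -117.16},
		{"card-B", t(9, 45), "Giant supermarket, Maryland", 39.04, -76.88},
	}
}

func main() {
	for _, a := range ImpossibleTravel(SampleTxns(), 900, 50) {
		fmt.Printf("%s: %s -> %s, %.0f km in %.2f h (%.0f km/h)\n", a.Card, a.From, a.To, a.Km, a.Hours, a.Kmh)
	}
}
```

Running it prints two alerts: card-A (roughly 4,130 km in 30 minutes) and card-B (roughly 3,670 km in 45 minutes); the two San Francisco purchases six hours apart on card-A are below the distance floor and are ignored.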
  • by leeet ( 543121 ) on Tuesday February 18, 2003 @01:06AM (#5323646) Homepage
    Credit cards weren't invented last year. Back when they were invented, this was some major technology. Can you imagine? A piece of plastic with a magnetic stripe on the back? Totally un-hackable! How could it possibly be hacked when most people didn't even have magnetic tapes at home? Most people were still using records to play music. This was state of the art technology. And to fake the card? No way, an "embosser" was probably something guarded as close as the Mona Lisa painting.

    These days, you can buy blanks, printers, mag-stripe writers at most stores. Easily hackable. Too easy in fact.

    Like the article mentioned, there are 500 million cards in the US alone. If you calculate the cost to replace each card at $1, you've got 1/2 a billion $ fee. Companies are slowly going to the "smart (yeah right) card" but that just doesn't cut it. The whole system sucks, but companies don't really care because we're actually paying for it..! Wonder why you have a 21% interest fee while you can borrow at around 5-6% at the bank? The credit card companies simply balance their #'s every year... "ok we lost $X dollar, let's charge X% to customers". It's no magic... So why bother changing the system? It's perfect to the credit companies...!
  • by Anonymous Coward on Tuesday February 18, 2003 @01:08AM (#5323657)
    2,200,200 x .03 = $66,000

    ahhh, but 2,200,000 * .05 = $110,010


    Aaah ahhh, aaaaah but if we take a to be the number of credit cards stolen and b to be the number of those credit cards with a high rate of use and c to be the amount of people in high debt on those credit cards, then

    x = (-b+SQRT(b*b-4*a*c))/2a or

    x = (-b-SQRT(b*b-4*a*c))/2a,

    which I think you'll find is a ferrari, or possibly an imaginary ferrari, depending on the number of people with a high use on their cards compared to the number of people in debt.
  • So who is it? (Score:5, Interesting)

    by LinuxParanoid ( 64467 ) on Tuesday February 18, 2003 @01:09AM (#5323661) Homepage Journal
    This implies to me that a credit card payment gateway was compromised. Who was it?

    Inquiring minds want to know...
  • How did they know? (Score:2, Interesting)

    by billcopc ( 196330 ) <vrillco@yahoo.com> on Tuesday February 18, 2003 @01:10AM (#5323665) Homepage
    If they don't know who did it, not even the tiniest little hint, then how can they know it even happened? There was a similar 'accident' some time ago where a disgruntled tech ran off with a hard drive full of bank account numbers from his workplace, but they knew who did it and they had the missing hard drive as 'proof'. The trouble was just finding the guy who had skipped the country or something. Much different.
  • Re:No Encryption? (Score:1, Interesting)

    by Anonymous Coward on Tuesday February 18, 2003 @01:12AM (#5323674)
    I don't get it. Passwords are stored encrypted. Why not credit cards?


    Or how about this: Why does the webserver box have the appropriate privileges to run a query on the database for all credit card numbers? Name one situation where the credit card's website would have to query and output an entire credit card number to an outside connection. Why are the systems for public access and confidential access on the same subnet and able to directly communicate?

    Sounds like a stupid admin set up an IIS box and had it access a database server with database administrator privileges. First, you'd have to be a moron to still be using IIS. Second, you'd have to be a total moron to not apply a security patch. Don't give me that "our administrator doesn't have time" bullshit. You do the five-alarm, red-alert security stuff first, the people who complain about lock-ups while playing solitaire can sit and spin. If the management doesn't understand that, fuck 'em. Might as well leave and go elsewhere, since you'll be canned anyway when the network is compromised.

    It's pretty apparent to me that "easy to install and configure" is tailor-made for those who are fucking lazy morons who don't do any planning before implementation.
  • Re:No Encryption? (Score:1, Interesting)

    by Anonymous Coward on Tuesday February 18, 2003 @01:38AM (#5323754)
    You don't get it.

    Passwords aren't stored "encrypted." They're stored using a one-way hash. When you type in your password, it's hashed and compared to the stored one-way hash. Idea being that if someone has access to the hashes, they can't (easily) get back the password and you actually need the password, not the hash, for authentication (assuming the authentication system/program hasn't been compromised, which is really necessary).

    You'll note that you always have to type in your password when you log in to your system. You'll note that when a credit card processor wants to make a transaction with a bank, they don't send a hash, but rather an account number. Therefore, they store the account number somewhere, cleartext. It wouldn't help if they stored and transmitted hashes - then someone could just steal the hashes and use them just like account numbers.

    It would be possible to set up a trust system which uses public key crypto: a concatenation of (CC number + transaction amount + name of parties involved + timestamp) is encrypted using the bank's public key and only this ciphertext is stored and transmitted to the bank. Well, that would require some sort of infrastructure where the processors, merchants and banks interchange keys, and a really fucking big clue stick to convince merchants and processors not to store any of the original information, but instead just record the hash (bye-bye one-click patent). That ain't gonna happen.
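The public-key scheme the post sketches, worked through in Go as an added example (not code from the post or from any payment network): the merchant seals the (card number, amount, parties, timestamp) tuple under the bank's public key with RSA-OAEP and keeps only the ciphertext; the bank decrypts it and checks that the amount and merchant presented with the charge match what was sealed, so a stolen ciphertext cannot be replayed for a different charge. The bank key pair is generated on the spot, and the card number 4111111111111111 (the test number mentioned later in this thread), merchant name, cardholder and amount are all constructed. The post's own caveat still applies: the design only helps if the merchant side genuinely never writes the plaintext tuple to disk.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Transaction is the tuple the post proposes to seal under the bank's public
// key: card number, amount, the parties involved and a timestamp.
type Transaction struct {
	PAN        string `json:"pan"`
	Cents      int64  `json:"cents"`
	Merchant   string `json:"merchant"`
	Cardholder string `json:"cardholder"`
	Timestamp  string `json:"ts"`
}

// SealedCharge is all a merchant or processor retains: the ciphertext plus the
// non-secret fields it needs for its own books. No card number is stored.
type SealedCharge struct {
	Cents      int64
	Merchant   string
	Ciphertext []byte
}

// NewBankKey generates a throwaway 2048-bit RSA key standing in for the bank's
// key pair; a real deployment would distribute only the public half.
func NewBankKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// MerchantSeal encrypts the tuple with RSA-OAEP under the bank's public key.
func MerchantSeal(bankPub *rsa.PublicKey, tx Transaction) (SealedCharge, error) {
	plain, err := json.Marshal(tx)
	if err != nil {
		return SealedCharge{}, err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, bankPub, plain, []byte("charge-v1"))
	if err != nil {
		return SealedCharge{}, err
	}
	return SealedCharge{Cents: tx.Cents, Merchant: tx.Merchant, Ciphertext: ct}, nil
}

// BankOpen decrypts with the bank's private key and checks that the amount and
// merchant presented with the charge match what was sealed inside it.
func BankOpen(bankPriv *rsa.PrivateKey, sc SealedCharge) (Transaction, error) {
	plain, err := rsa.DecryptOAEP(sha256.New(), nil, bankPriv, sc.Ciphertext, []byte("charge-v1"))
	if err != nil {
		return Transaction{}, err
	}
	var tx Transaction
	if err := json.Unmarshal(plain, &tx); err != nil {
		return Transaction{}, err
	}
	if tx.Cents != sc.Cents || tx.Merchant != sc.Merchant {
		return Transaction{}, errors.New("sealed tuple does not match presented charge")
	}
	return tx, nil
}

// RetainsPAN reports whether the stored record still carries the card number
// in the clear; it should always be false for a SealedCharge.
func RetainsPAN(sc SealedCharge, pan string) bool {
	return bytes.Contains(sc.Ciphertext, []byte(pan))
}

func main() {
	priv, err := NewBankKey()
	if err != nil {
		panic(err)
	}
	// Constructed charge: the well-known test card number, a made-up merchant.
	tx := Transaction{PAN: "4111111111111111", Cents: 1999, Merchant: "example-merchant",
		Cardholder: "J. Doe", Timestamp: "2003-02-18T00:08:00Z"}
	sc, err := MerchantSeal(&priv.PublicKey, tx)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored record contains PAN in clear: %v (%d-byte ciphertext)\n", RetainsPAN(sc, tx.PAN), len(sc.Ciphertext))
	got, err := BankOpen(priv, sc)
	fmt.Printf("bank opened charge for %s: cents=%d err=%v\n", got.Cardholder, got.Cents, err)
	sc.Cents = 99999 // replay the stored ciphertext against a different amount
	_, err = BankOpen(priv, sc)
	fmt.Println("replay with altered amount rejected:", err)
}
```

The label passed to OAEP and the amount/merchant comparison in BankOpen are what bind the ciphertext to one specific charge; without that check, anyone who copied the merchant's ciphertext store could resubmit each record as a new charge, which is the hash-replay problem the post raises one paragraph earlier.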

  • Re:Clearly (Score:4, Interesting)

    by uptownguy ( 215934 ) <UptownGuyEmail@gmail.com> on Tuesday February 18, 2003 @01:38AM (#5323756)
    Just think of all the plastic explosives terrorists could create with 2.2 million credit cards!

    I know I'm going to be modded as a troll for this, but...

    So we know that some terrorists were devoted enough to the cause of causing chaos that they actually enrolled themselves in flight school to learn how to do what they did. Is it that much of a stretch to think that they aren't aware that it is possible to steal credit cards numbers off the Internet? And do you think that by devoting the same amount of time to googling and reading some paint-by-numbers script kiddie how-to-steal-credit-cards blog someone dedicated to doing "very bad things" couldn't find a way to pull something like this off?

    I'm not sure why everyone chose to mod the parent post as Funny. I find the prospect of Very Angry People stealing millions of credit cards quite frightening, myself...
  • by mosch ( 204 ) on Tuesday February 18, 2003 @01:45AM (#5323772) Homepage
    Well, I'm betting that they checked to see if those 2.2 million cards had a statistically differing fraud rate, or statistically irregular purchasing patterns (an unusual percentage had bought some porn or something). Not a perfect system, but it'll give you an idea if somebody is trying to get $50 out of every card.
  • by Huusker ( 99397 ) on Tuesday February 18, 2003 @01:50AM (#5323785) Homepage
    The hacker breached the security system of a company that processes credit card transactions on behalf of merchants, Visa and MasterCard said.

    Ok so which CC processor got hacked? I assume that when Visa/MC says 'processor' it means specifically a credit card processing network that receives and authorizes charges from merchants, not a consolidator like PayPal, and not an e-commerce gateway like CyberSource or VeriSign.

    Was it Nova, Wells Fargo, Vital, BankAmerica, EFS, or ECHO? These are the only big non-regional credit-card processing networks in the US (AFAIK).

    <Begin speculation>

    Note that there was no mention of the Internet in the press release. This lends credence to the theory it was a private processor network (not TCP/IP or a web site) that got hacked somehow.

    It must be a big processor, otherwise Visa/MC would finger them (and therefore shift the blame). It obviously wasn't Amex or Novus as they both offer competing plastic. And I doubt it was a bank-level processor like US Bancorp (again because they are smaller and would have been fingered.)

    The people victimized are not just e-commerce shoppers but also customers at the grocery store, the shopping mall, etc. My worry is that it was a really big processor like Nova, which means that 2.2 million could be the tip of the iceberg.

    <End speculation>

  • Re:So.... (Score:5, Interesting)

    by bfree ( 113420 ) on Tuesday February 18, 2003 @01:50AM (#5323787)

    Well, I can imagine that if EVERYONE in the world got a list of a few million credit card numbers, you would suddenly see an awful lot of fraudulent purchases! I for one would be tempted, not to do something to get me in trouble (well they can try), but more likely a visit to my local net cafe to send some presents. Let's see:

    1. A full compendium of all O'Reilly Free software books, Debian DVD sets and an X-Box with the LinuxBios Mod installed for Bill Gates, Steve Ballmer, Scott McNeilly, Michael Dell and anyone else on those lines who took my fancy and whose address I could find. I might even send one to every elected official in my country while I'm at it!
    2. Amazon's entire porn collection (they have one I presume) for every censor on the planet.
    3. A cross sending of every spammers products I could come up with to all the other spammers.
    God only knows what else could take my fancy, and god only knows how many orders would actually be filled. Heaven forbid anyone found a well known person's card in there, say Jack Valenti, I think he would find himself making some massive (or massive numbers of) donations to Mplayer, Freenet and any projects people could find which he campaigns against.

    Do you REALLY think that people would hear on the radio about the 2.2 million credit card numbers 100 million people just received and think, "oooooooh they're gonna catch me if I touch them!"

    The far more probable outcome is that an email of about 4 Mb (2,200,000 CC# * 20 bytes @ 90% compression) sent to 100 million people (or whatever the latest net use figures are) would be stopped at most ISPs very, very, very quickly as it would be launching a large spam based DDOS against them (unless I underestimate the backbone out there). Sure it would get through to a lot of people, but unless it gets through to 10+% of hotmail or something similar, most users will have the fear you describe put into them.

    A far more interesting prospect would be if instead of plain e-mailing the list around, a virus was used to propagate the data covertly by infecting web and/or email servers. If you get a web-server, you get it to gather the list and take part in attacking more hosts and passing it onto them, you also get it to add a link to every page at the trigger time so all visitors to that site gain access to the list. If you get an e-mail server, you just need to get the data there once and explode it out to all local mailboxes at the same trigger time (as well as using the host to propagate). Then it comes down to a question of trying to balance the timings to maximise the number of boxes unchecked by the time of revelation.

    Of course is there anything to stop the crackers from just dumping the data into all the P2P networks and letting it spread from there?

    Finally I have to point out that I have no interest in obtaining these numbers (or any others, except my own :-) and I am certainly not advocating credit card fraud. Just saying that if an opportunity like you described (every email box got the list) came my way, I would be very tempted to try and enjoy myself with some humorous (to me) exploits from a safe place and that there would probably be tens or hundreds of thousands of others following suit. Damages would rack up pretty quickly.

  • by JWSmythe ( 446288 ) <jwsmythe@nospam.jwsmythe.com> on Tuesday February 18, 2003 @01:54AM (#5323797) Homepage Journal
    Wells Fargo Bank cancelled my debit/Visa card with no notice.. Why? Because I purchased groceries in Los Angeles, and then there was a $300 purchase in the mid west for a plane ticket a few hours later.

    Unfortunately, the $300 ticket was to get my 13 year old step-daughter on a plane to see her dad. We didn't know til we got to the airport and Delta told us my card was stolen..

    I pulled out my card, and my ID, and showed it to them.. Didn't matter.. I called the bank. They had no record of who did it, only that it was reported as stolen.

    Took me 8 hours on the phones with the bank, airline, and every vendor I had bought from in the surrounding days to find out what happened.

    When the airline called to verify the card, the bank took the fact that I was buying a ticket for her to be fraud, and cancelled my card immediately.

    I went to the bank to get it fixed. They said they tried to contact me. They had my correct number on file (my cell), but said it was disconnected. I had them call my cell from their desk. Amazingly enough, it rang, and I answered.

    I've had banks call me before to verify transactions. I have no problem with that. But, lying about it pisses me off.

    I wonder how badly they'd handle me on a road trip. I drive from Florida to California and back on a semi-regular basis.. It takes me three days, with very little sleep. That would probably get the card cancelled too.. I'd hate to be stuck in Kent Texas with no gas and a cancelled credit card, because they thought I had traveled too far.

    I had a whole stack of returned items, and a whole lot of merchants to apologize to for the bank's error. I never received an apology from the bank.

    A month later (a week before xmas), they accidently closed my bank account. I didn't find out til the ATM took my new card.. Their system said there was fraudulent activity. Another bank error. They put all my funds on hold til Jan 6. Good thing I have friends who would loan me money over Christmas. It really sucks to ask your friends to buy everything.. But, they all got paid back after I got my money back.

    Every bill check I had sent out previous got bounced. Wells Fargo *ALSO* charged me $25 per check for NSF, even though the funds were in the account, but they were erroneously put on fraud hold by them.

    You wouldn't believe how pissed I was when I got to the bank. I was polite at first.. They continued to tell me how they were keeping my money.. So, I got louder.. They threatened to call the cops. I told them to. I *WANTED* a cop to hear them saying that they made a mistake and took my money, and wouldn't give it to me.

    The bank security were the only nice people working there. One of the guards told me how they screwed him over too, so he was completely sympathetic. He was just standing around to make sure I didn't get physically violent. No problem there, I don't get physically violent, he doesn't have to do anything but stand there. :)

    Warning! Never Use Wells Fargo Bank!

    I finally got the second set of NSF fees dropped after a few hours of screaming.. Hopefully the customers who overheard the incident had second thoughts of keeping their account at Wells Fargo.

    [Rant Mode Off]

    I'm now using a nice small bank, that doesn't have the same problems. I told them all about it when I opened my new account. They had heard similar stories before about them. I'm on a first name basis with the new bank, and they love me.
  • by edb ( 87448 ) on Tuesday February 18, 2003 @02:00AM (#5323824)
    Almost all retailers store your card info to save you time when you order again.


    Actually, the credit card merchant regulations require the merchant to keep the credit card transaction information on file (in a safe place, let's hope!) for 3 years. It's not just to save time next order. It's in case the cardholder requests information about the charge (like, to contest a charge that might be fraudulent...), the merchant needs to provide all the supporting documentation including the card number, full name, address, etc. within 7 days.
    So, it needs to be kept on file, but accessible only to authorized employees, just like the blank checks the company pays its own bills with.


    Actually, smart merchants don't let a caller say "use the same card as last time", but require the customer to recite the full card number and expiration date all over again. That's what we do, and we also use Address Verification (AVS) to make sure that the address the caller gives matches what their bank has on file.


    But it's not just computer files that need to be protected from unauthorized access and copying down of cc numbers. Plain old unlocked paper file cabinets (and trash dumpsters) can reveal a lot if a company is careless.

  • by xmark ( 177899 ) on Tuesday February 18, 2003 @02:05AM (#5323845)
    "Credit cards weren't invented last year. Back when they were invented, this was some major technology. Can you imagine? A piece of plastic with a magnetic stripe on the back?"

    No offense, but you have to look back a little farther than that for the roots of credit card technology.

    Back when credit cards were REALLY [dinersclubus.com] invented (1950), there was no mag stripe, just the embossed account numbers on the plastic. When you presented your card to a merchant, they were supposed to check a book of closed/fraudulent account numbers to make sure yours wasn't listed (I think they mailed these out monthly). The account numbers, like many states' driver's licenses or physicians' DEA numbers, could also be checked for internal validity by using an algorithm. (Big flaw in that system was that your clerks had to have passed ninth grade math -- digital calculators were still decades in the future.)

    I agree with your point that credit card companies pass costs through rather than absorb them. Fraud is simply a cost of doing business to them, and they make a hell of a lot more money if they paper over fraud and ID theft. Why? Because the key to the credit card issuing game is, well, issuing. If publicity about stolen accounts gives potential new card holders the willies, then the pyramid starts to fall apart.

    Credit cards are the crack cocaine of the financial world, and the card issuers are the guys selling the rocks. They know it's a statistical certainty that x-percent of people who get cards will spend them to the max and then be unable to pay the cards off, and so, prevent being kicked to the highest APR bracket. Your first rock is usually free, too... ID theft and computer fraud are simply a tax the card issuers are willing to pay to keep the crack house open.

    So we hear about this cracker who stole two million numbers or whatever. For every one of these guys, how many do we NOT hear about?
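The "internal validity" check the post refers to is, for payment cards as issued today, the mod-10 (Luhn) checksum: the last digit is chosen so that a fixed weighted sum of all digits is divisible by ten. The Go program below is an added example, not from the post or from any card network, and uses the test number 4111-1111-1111-1111 that comes up later in this thread. It matters for the thread's debate what this check is and is not: it catches a mistyped digit, but because the formula is public anyone can produce numbers that pass it, so a valid checksum says nothing about whether an account exists or whether the presenter holds the card.

```go
package main

import (
	"fmt"
	"strings"
)

// normalize strips the spaces and dashes people type between digit groups and
// reports false if anything other than digits remains.
func normalize(pan string) (string, bool) {
	digits := strings.NewReplacer(" ", "", "-", "").Replace(pan)
	for _, r := range digits {
		if r < '0' || r > '9' {
			return "", false
		}
	}
	return digits, len(digits) >= 2
}

// LuhnValid reports whether the number passes the mod-10 checksum: walking
// from the right, every second digit is doubled (subtracting 9 if the result
// exceeds 9) and the sum of all digits must be divisible by 10.
func LuhnValid(pan string) bool {
	digits, ok := normalize(pan)
	if !ok {
		return false
	}
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// LuhnCheckDigit returns the digit that must be appended to partial so that
// the whole number passes LuhnValid. Because it is a fixed formula, anyone can
// produce numbers that pass: the check catches typos, not forgery.
func LuhnCheckDigit(partial string) (byte, bool) {
	digits, ok := normalize(partial)
	if !ok {
		return 0, false
	}
	for c := byte('0'); c <= '9'; c++ {
		if LuhnValid(digits + string(c)) {
			return c, true
		}
	}
	return 0, false
}

func main() {
	// Constructed inputs: the test number, a single mistyped digit, a non-digit.
	for _, n := range []string{"4111-1111-1111-1111", "4111-1111-1111-1112", "4111 1111 1111 111x"} {
		fmt.Printf("%-22s valid=%v\n", n, LuhnValid(n))
	}
	if d, ok := LuhnCheckDigit("411111111111111"); ok {
		fmt.Printf("check digit for 411111111111111: %c\n", d)
	}
}
```

The first input passes, the second (one digit off) fails, and the third is rejected before any arithmetic because it is not all digits. LuhnCheckDigit tries the ten candidates rather than computing the digit directly, which keeps the relationship to LuhnValid obvious.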
  • by maswan ( 106561 ) <(wm.wm.nawsam) (ta) (2todhsals)> on Tuesday February 18, 2003 @02:13AM (#5323870) Homepage
    Single-use card numbers with all that you describe are already here. My bank here in Sweden offers this for their bank cards, and if your normal bank card includes a Visa function, your one-use number also is a Visa card number.

    All the functions you say, first vendor, N transactions, N months. And also a charge limit, so that you can't lose too much money from a bad company either. I'm actually not afraid to give out a credit card number to companies I've never heard of anymore.

    The bank? Föreningssparbanken in Sweden. /Mattias Wadenstein
  • by hendridm ( 302246 ) on Tuesday February 18, 2003 @02:24AM (#5323903) Homepage
    My girlfriend and I both have Discover platinum cards. Since we do a lot of Internet shopping, we've both gotten called once each in the past about possible fraudulent activity. It happened to be the weekend I went on a Pricewatch shopping spree to get enough parts to build my new computer. :)

    The operator called and said something like, "Hello, this is Jan from Discover Card, Inc. We noticed there was an unusually high number of transactions on your account this weekend." She then asked if my credit card was in my possession and to verify some of those transactions in question.

    Seems like an expensive practice for the CC company, but I simply love it. I've never heard of any other company doing that, and I had no idea Discover did it until they gave me a call.
  • Re:Yet.... (Score:5, Interesting)

    by IvyMike ( 178408 ) on Tuesday February 18, 2003 @02:39AM (#5323942)

    2.2 million...it will be interesting to see what happends when who ever did this starts to sell them in bulk. Who is going to be responsible? The Credit Card companies or the site that got hosed?

    My credit card has been re-issued twice due to it being stolen en masse from a web site. The first time it was stolen from CD Universe [cnn.com] and the second time it was, ahem, another company [com.com]. In both cases, it was just an incredible pain in the ass to me.

    In the first incident, I was in Best Buy, and my card was denied because it was marked as stolen, which is a good thing, except when the people are all looking at you like you're the thief. The second incident, I had ordered gifts from a bunch of sites when I was told my card was being rejected, and I had to call each site and get them to use a different card. Not the easiest thing in the world to do for some sites.

    In any case, in both incidents, hundreds of thousands of numbers were stolen, and both victims just told the issuing companies, and most issuing companies cancelled the numbers. I suspect even though this is 10x as many cards, they'll still do the same thing. The potential liability is too great to do otherwise.

    On the other hand, this might be enough to get the companies thinking about coming up with a better, less theft-prone system.

  • by shepd ( 155729 ) <slashdot@org.gmail@com> on Tuesday February 18, 2003 @02:48AM (#5323964) Homepage Journal
    Too bad that isn't so secure [cam.ac.uk] after all. 1 in 150 of those cards can be guessed by simply testing them in ATM terminals.

    So, if it didn't require an ATM terminal... wow. We're talking microseconds here?

    " We found it astonishing that our MCI and AT&T calling cards had the PIN number stored in the magnetic stripe WITH NO ENCRYPTION! [geocities.com] "

    Yes, there's a lot of crappy PIN security out there. Best to avoid it.

    Check if your card has crappy PIN security! Next time you swipe it through a POS debit machine at your local small store (which doesn't have a full-time linkup to the bank) enter the wrong PIN. If it tells you it's wrong without dialing out, and your bank is like mine and only supports PIN sizes between 4 and 6 digits, there's less than 1 million combinations to try. That shouldn't take a good computer more than a couple of minutes, and unless the debit machine has a demagnetizer, I don't think it can hurt your card. Of course, a smart person wouldn't take chances and would clone it first. Oh, look, now I can't enter the US. Oh well.

    I think I'm going to buy the used POS debit machine I saw at the local junkshop. Could be piles of fun. I'll charge myself a dollar on it and see what happens...
  • How? (Score:4, Interesting)

    by t0ny ( 590331 ) on Tuesday February 18, 2003 @02:53AM (#5323979)
    What they don't clarify is HOW the security was compromised. My first thought is that somebody walked past the security guards, sat at somebody's desk, copied the info to a spreadsheet or DB, and either put it on a floppy, emailed it, or IM'd it out.

    They don't actually say somebody hacked into their network from the internet.

  • by Tolvor ( 579446 ) on Tuesday February 18, 2003 @03:41AM (#5324138)
    I know Visa is a secretive company but I find the lack of information to be seriously annoying.

    Which company was hacked?
    How do I determine if my CC# is part of the 2.2 million obtained?
    Can the same routine the hacker used be used against other companies that process CCs?
    Did the hacker access the CCs from the internet site directly or use the internet to access the company's internal intranet to get the CCs?

    Of course, this is Visa/MC. They don't have to be nice to customers and give out good info. What are their customers going to do, cancel their cards? (snicker)
  • by nachoboy ( 107025 ) on Tuesday February 18, 2003 @03:51AM (#5324175)
    This makes me think that this wasn't just a simple human error by a $6/hr data entry clerk but in fact a serious flaw in some programming logic somewhere. Same thing happened to me in reverse. I got a new ATM card in the mail, started withdrawing money within a few days. I was using online banking so I realized by the end of the week that none of the money was coming out of my account. Called them up but they wouldn't tell me whose account my card was linked to for security reasons (despite sending the card and PIN to my address...can you spot which one is the real security risk?). In talking to the family, found out it was actually coming out of my (teenage) brother's account. They eventually straightened everything out by crediting his account but it wasn't easy. Could see a bad SQL statement causing something like this but not being detectable because it only happens within families...? The moral is find another bank.
  • Security Saves (Score:2, Interesting)

    by Oriumpor ( 446718 ) on Tuesday February 18, 2003 @03:53AM (#5324191) Homepage Journal
    if each card costs 25-50 cents to replace ... that's 550k-1.1m dollars.... that should have gone to the following:

    TRAINING STAFF: The first line of defense is someone who won't just give 5 million credit card numbers out over the phone.

    TRAINING STAFF: The second line of defense is someone who won't leave their console logged on when they go to the bathroom.

    TRAINING STAFF: The third line of defense is someone who doesn't give out his password to someone over the phone.

    TRAINING STAFF: ... I think you get the point...

    Ok, so maybe it wasn't this easy, .... maybe someone who works there just mailed the database home.

  • Re:CC# generators. (Score:4, Interesting)

    by prockcore ( 543967 ) on Tuesday February 18, 2003 @04:00AM (#5324216)
    Pfff... I could even make them by hand, before they started cracking down on correlating expiration date to card number.

    Up until about 4 years ago, you could use the CCtest# (4111-1111-1111-1111) to use the credit card phones in LAX and a few other major airports.
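The test number prockcore mentions, 4111 1111 1111 1111, "works" because it satisfies the Luhn checksum that every Visa/MasterCard PAN carries in its last digit, and that checksum is the only thing a hand-made number has to get right. The following Go program is an added example, not code from the thread or from any card network: a Luhn validator plus the check-digit generator that turns a 15-digit prefix into a 16-digit number that will pass. The security point is that Luhn is a public typo detector, not a secret; a Luhn-valid PAN proves nothing about an account existing, so any endpoint that accepts a card on this check alone, with no online authorization, has verified nothing.

```go
package main

import "fmt"

// luhnDigits extracts the decimal digits of s, skipping the spaces and
// dashes people type into card numbers. Any other character is rejected.
func luhnDigits(s string) ([]int, bool) {
	var digits []int
	for _, r := range s {
		switch {
		case r >= '0' && r <= '9':
			digits = append(digits, int(r-'0'))
		case r == ' ' || r == '-':
			// separator, ignore
		default:
			return nil, false
		}
	}
	return digits, len(digits) > 0
}

// luhnSum is the Luhn weighted sum. Walking from the right, every second
// digit is doubled (with 9 subtracted when the result exceeds 9).
// doubleFirst says whether the rightmost digit is doubled: false when
// validating a full PAN (the check digit itself is never doubled), true
// when computing the check digit for a PAN that does not have one yet.
func luhnSum(d []int, doubleFirst bool) int {
	sum := 0
	double := doubleFirst
	for i := len(d) - 1; i >= 0; i-- {
		v := d[i]
		if double {
			v *= 2
			if v > 9 {
				v -= 9
			}
		}
		sum += v
		double = !double
	}
	return sum
}

// LuhnValid reports whether pan passes the Luhn check.
func LuhnValid(pan string) bool {
	d, ok := luhnDigits(pan)
	return ok && luhnSum(d, false)%10 == 0
}

// LuhnCheckDigit returns the digit to append to partial so the result
// passes LuhnValid; ok is false if partial contains non-digit junk.
func LuhnCheckDigit(partial string) (digit int, ok bool) {
	d, ok := luhnDigits(partial)
	if !ok {
		return 0, false
	}
	return (10 - luhnSum(d, true)%10) % 10, true
}

func main() {
	for _, pan := range []string{"4111-1111-1111-1111", "4111 1111 1111 1112"} {
		fmt.Printf("%s  luhn ok: %v\n", pan, LuhnValid(pan))
	}
	cd, _ := LuhnCheckDigit("411111111111111")
	fmt.Println("check digit for 411111111111111:", cd)
}
```

Note that the doubling parity differs between validation and generation: when generating, the digit to the left of the (missing) check digit is the rightmost one present, so it is the first to be doubled. Getting that parity wrong is the usual bug in home-grown validators, and it silently accepts roughly a tenth of random numbers.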
  • Re:Yet.... (Score:3, Interesting)

    by Ryan Amos ( 16972 ) on Tuesday February 18, 2003 @04:13AM (#5324243)
    Interesting little fact.. 2.2 million cards is 0.33% of outstanding cards in the US. Yes, you read that right.. one third of one percent. In the grand scheme of things, that's really not THAT many cards. I would assume that the credit card industry is a multi-trillion dollar a year business. They can afford it.
  • by YeeHaW_Jelte ( 451855 ) on Tuesday February 18, 2003 @06:35AM (#5324578) Homepage
    I wonder if anybody knows which company does the actual transactions, a.k.a. who was actually hacked? I know of one large credit card transaction processor, Firepay, but I'm not sure if they're the official one for VISA/MC.
  • by uptownguy ( 215934 ) <UptownGuyEmail@gmail.com> on Tuesday February 18, 2003 @07:03AM (#5324628)
    This happened to me about a month back... not with a bank but with Netflix...

    Mod me offtopic if you want, but there is something WEIRD about it. My brother and I have totally different addresses, we haven't lived together in over 12 years now -- and that was back in WI -- and now we even live in different states. I've never had an account at Netflix, never even been on their mailing list ...and for some reason, they mailed a DVD with HIS name and account number to MY address and zip code.

    Weird.

    The only thing we have in common is our SSN being almost identical... but seeing as how I shouldn't even have been in the Netflix DB in the first place, THAT couldn't be it...

    Hmmmmm..........
  • by evilviper ( 135110 ) on Tuesday February 18, 2003 @07:54AM (#5324773) Journal
    This is a very interesting story. I would recommend sticking it on a website, so that search engines will index it, and people looking up info on Wells Fargo will find it.

    Personally, when I was looking around for a bank, I checked out Wells Fargo. There were three warning signs that prevented me from using them:

    1) To enter or exit you have to go through double-doors. Presumably, this should trigger an alarm if someone has a gun, and possibly lock them in. The doors didn't work well normally, and customers had a difficult time going in and out. I asked if the glass on the doors and windows was bullet-proof... When the answer was "no", I realized their double-doors were no security at all, and merely to lull customers into a false sense of security, and possibly deter moronic bank robbers.

    2) I overheard a discussion, that one of the employees had refinanced a customer's home loan, but had simply not used the computer properly and signed the contract with the wrong percentage. The contract was signed, but the customer was going to get an unpleasant surprise quite soon.

    3) When I walked in, I glanced at a computer screen and saw the Windows NT sign-on screen... Nuff said.

    I must say, for one single ~10 minute visit, that was more than enough to have me out of there as quickly as possible.
  • Re:I think not. (Score:4, Interesting)

    by Zathrus ( 232140 ) on Tuesday February 18, 2003 @10:47AM (#5325714) Homepage
    Uh... no. People who pay their bill in full monthly (hi, I'm one) are known in the industry as "deadbeats". That small percentage they take generally just offsets their costs for providing the money and services. There's some profit involved, but not much. Most of the money goes toward covering advertising costs and bad debt (see below).

    On the other hand, they really love people who never pay in full, but still make regular payments. A bit more than the minimum payment is best, since while they bleed you for more with minimum payment, it also increases risk. But 10-20% interest is better than 2% any day of the week, especially since it's compounding interest. Gotta love paying interest on unpaid interest. At least if you're the lender that is.

    I used to work for a company that contracted with a sub-prime credit card company - they really wanted the accounts that garnered interest (the average interest on the cards was 28% - and yes, there were entire states they didn't market to because that interest rate is illegal in those states). The entire business model was trying to identify more consumers that had poor enough credit to need a card like this (did I mention the average $50 annual fee? Or the card with a $300 credit limit that had $250 in fees put on it when you signed up?) but wouldn't go delinquent -- which was a problem. The average prime lender has to write off 15%... which is why about a year ago they slashed their IT budget and my company laid off 60% of their staff. Last I heard they were going into debt collector status - buying up bad debt from other credit card companies to turn around and sell it to debt collection agencies. They're still in business last I checked, but barely.

    Oh well... better job now anyway.
  • by ngnMan ( 639816 ) on Tuesday February 18, 2003 @12:48PM (#5326626) Homepage
    They have to do that when such things happen.
    So people can effectively control their bank account.

    Do they expect that all internet users check their bank account usage from now for 12 months or more?

    A serious company would do that.
    It is better to send 2 million people in panic than 40 million (or 560)

    They're so poor they send a press note claiming nobody used the c.cards

  • by overunderunderdone ( 521462 ) on Tuesday February 18, 2003 @12:58PM (#5326688)
    mind you, if they only took a few cents from each credit card account, they COULD buy a Ferrari ...

    There are ongoing frauds where small amounts in fraudulent "service fees" or subscriptions to porn sites are being charged on hundreds of thousands of cards every month. The charges are small enough that most card holders don't bother to track them down and get hit up month after month for years.

    There is a web page about one of these frauds here [faughnan.com] In this particular fraud the card numbers were taken from a shady bank that did CC transactions for porn sites. The con men would make charges under a variety of entities posing as subscription based porn sites so the card holder would not only be paying for his original porn purchase but other fraudulent ones besides - pretty smart because it wouldn't set off any alarms at the card company (the guy is already making legitimate purchases of that particular product) and the numbers are small enough that the guy wouldn't bother doing anything about it if he even notices. Since it's porn, and some of it he really *did* sign up for, he might be too embarrassed to do anything about it even if he realises some of the charges are fraudulent. This particular fraud ended up making between $40 and $50 million off of about 900,000 card holders.
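The pattern overunderunderdone describes is hard to see from the cardholder's side (one small charge on one statement) but easy to see from the issuer's side, where the same merchant descriptor shows up on thousands of cards, every month, always for a few dollars. The Go program below is an added example, not from the thread or from any issuer's real fraud system: it takes a ledger of settled charges and flags merchants whose activity is mostly small amounts, spread across many distinct cards, and recurring month after month on those cards. The thresholds in the Policy struct are illustrative numbers I chose, and the ledger is constructed test data.

```go
package main

import (
	"fmt"
	"sort"
)

// Charge is one settled card transaction as an issuer would see it.
// Card is a token standing in for the PAN; Month is "YYYY-MM".
type Charge struct {
	Card     string
	Merchant string
	Month    string
	Cents    int
}

// Policy defines the "small recurring charge across many cards" pattern.
// The values are illustrative, not industry thresholds.
type Policy struct {
	MaxCents   int     // a charge at or below this counts as small
	MinCards   int     // merchant must touch at least this many distinct cards
	MinMonths  int     // a card billed in at least this many months "recurs"
	SmallRatio float64 // share of the merchant's charges that must be small
	RecurRatio float64 // share of its cards that must recur
}

type merchantStats struct {
	charges int
	small   int
	months  map[string]map[string]bool // card -> set of months billed
}

// SuspiciousMerchants returns, sorted, the merchants matching the policy.
func SuspiciousMerchants(ledger []Charge, p Policy) []string {
	stats := map[string]*merchantStats{}
	for _, c := range ledger {
		s := stats[c.Merchant]
		if s == nil {
			s = &merchantStats{months: map[string]map[string]bool{}}
			stats[c.Merchant] = s
		}
		s.charges++
		if c.Cents <= p.MaxCents {
			s.small++
		}
		if s.months[c.Card] == nil {
			s.months[c.Card] = map[string]bool{}
		}
		s.months[c.Card][c.Month] = true
	}
	var out []string
	for name, s := range stats {
		cards := len(s.months)
		if cards < p.MinCards {
			continue // too few cards to be a bulk scheme, whatever the amounts
		}
		recurring := 0
		for _, ms := range s.months {
			if len(ms) >= p.MinMonths {
				recurring++
			}
		}
		smallShare := float64(s.small) / float64(s.charges)
		recurShare := float64(recurring) / float64(cards)
		if smallShare >= p.SmallRatio && recurShare >= p.RecurRatio {
			out = append(out, name)
		}
	}
	sort.Strings(out)
	return out
}

// SampleLedger is constructed data: a ring billing $4.99/month to 30 cards
// under one descriptor, a grocer with ordinary one-off purchases on the same
// cards, and a small honest subscription service with three customers.
func SampleLedger() []Charge {
	months := []string{"2003-01", "2003-02", "2003-03"}
	var l []Charge
	for i := 0; i < 30; i++ {
		card := fmt.Sprintf("tok-%04d", i)
		for _, m := range months {
			l = append(l, Charge{card, "WEBSVC BILLING", m, 499})
		}
		l = append(l, Charge{card, "CORNER GROCER", months[i%3], 2000 + 137*i})
	}
	for i := 0; i < 3; i++ {
		card := fmt.Sprintf("tok-sub-%d", i)
		for _, m := range months {
			l = append(l, Charge{card, "HONEST NEWSLETTER", m, 999})
		}
	}
	return l
}

// DefaultPolicy holds the illustrative thresholds used by main.
func DefaultPolicy() Policy {
	return Policy{MaxCents: 1000, MinCards: 20, MinMonths: 2, SmallRatio: 0.9, RecurRatio: 0.5}
}

func main() {
	for _, m := range SuspiciousMerchants(SampleLedger(), DefaultPolicy()) {
		fmt.Println("review merchant:", m)
	}
}
```

This is a triage signal, not proof: a legitimate subscription business with many customers looks identical on these three features, which is exactly what the fraud in the linked write-up was imitating. In practice the hit list gets joined against merchant onboarding date, chargeback ratio and whether the descriptor's business actually exists before anyone acts on it.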
  • Re:Die, credit cards (Score:3, Interesting)

    by Directrix1 ( 157787 ) on Tuesday February 18, 2003 @01:31PM (#5326904)
    I've always wondered why they didn't make CCs like this:
    A credit card sized 10-key (with decimal point, enter, and clear) with small one line LCD (or equivalent device) at top, with a thumbprint authentication utility on the side, and a printed circuit on the back for generating flux to simulate a magnetic strip for use in standard CC readers and maybe for automated amount entry (a circuit tuned to the GPS frequencies of the area where the card is allowed to be used could be embedded to charge small capacitors for power, and also possibly for use in theft detection). Embedded in the card is:

    1) Account Private Key (encrypted by a reversible crypto with the key being the output of a perceptron neural net trained to recognize all authorized users thumbprints [or other biometric authentication could and should be used as it becomes viable] with a constant result set [this is much simpler than you would think])

    2) Account Public Key (signed by institution [aka VISA or Verisign whichever gets to this idea first])

    The card has 4 states:
    Off, Amount query, thumbprint authorization, and encrypted transaction display and encrypted transaction activation of magnetic strip.

    Essentially the card waits for an authorized thumbprint to activate the card going to the amount input, after the user enters the amount (or maybe the amount can automatically be transferred to the card using the strip or smart card interface or something), the transaction is signed by the private key, and then the signed transaction is made available on the LCD and the pseudo magnetic strip (which is cleared after swiping it or hitting the clear button). You get the point, its just like a remote cert mechanism for transactions. Just an idea.
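The core of Directrix1's proposal is a two-level signature chain: the institution signs the card's public key, and the card signs each transaction, so a merchant or acquirer holding only the institution's public key can verify a charge without ever seeing a reusable account number. The Go program below is an added example written to illustrate that protocol; it is not from the thread and not any card network's design. It uses Ed25519 from the standard library and assumes the card has already unlocked its private key locally (the thumbprint-derived key idea is out of scope). One thing the post's "cleared after swiping" hints at but does not spell out is replay: a signed transaction on an LCD or a simulated strip can be copied, so the card includes a monotonic counter that the acquirer tracks per account.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Cert binds a card's public key to an account, signed by the issuer.
type Cert struct {
	Account   string
	CardPub   ed25519.PublicKey
	IssuerSig []byte
}

// Transaction is what the card would show on its LCD or emit on the strip.
type Transaction struct {
	Account string
	Cents   uint64
	Counter uint64 // per-card monotonic counter, so a copied swipe is refused
	CardSig []byte
}

// certBytes and txBytes are the exact byte strings that get signed. Fixed
// prefixes keep a cert signature from ever being mistaken for a tx signature.
func certBytes(account string, pub ed25519.PublicKey) []byte {
	return append([]byte("cert|"+account+"|"), pub...)
}

func txBytes(account string, cents, counter uint64) []byte {
	b := []byte("tx|" + account + "|")
	buf := make([]byte, 16)
	binary.BigEndian.PutUint64(buf[:8], cents)
	binary.BigEndian.PutUint64(buf[8:], counter)
	return append(b, buf...)
}

// Issuer is the institution (the post's "VISA or Verisign").
type Issuer struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewIssuer() (*Issuer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Issuer{pub: pub, priv: priv}, nil
}

func (is *Issuer) PublicKey() ed25519.PublicKey { return is.pub }

// Card holds its own keypair and the issuer-signed cert.
type Card struct {
	cert    Cert
	priv    ed25519.PrivateKey
	counter uint64
}

// IssueCard personalises a card: fresh keypair, cert signed by the issuer.
func (is *Issuer) IssueCard(account string) (*Card, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	c := Cert{Account: account, CardPub: pub}
	c.IssuerSig = ed25519.Sign(is.priv, certBytes(account, pub))
	return &Card{cert: c, priv: priv}, nil
}

func (c *Card) Cert() Cert { return c.cert }

// Authorize is the "thumbprint accepted, amount entered" step.
func (c *Card) Authorize(cents uint64) Transaction {
	c.counter++
	t := Transaction{Account: c.cert.Account, Cents: cents, Counter: c.counter}
	t.CardSig = ed25519.Sign(c.priv, txBytes(t.Account, t.Cents, t.Counter))
	return t
}

// Acquirer verifies presented transactions knowing only the issuer key.
type Acquirer struct {
	issuerPub   ed25519.PublicKey
	lastCounter map[string]uint64
}

func NewAcquirer(issuerPub ed25519.PublicKey) *Acquirer {
	return &Acquirer{issuerPub: issuerPub, lastCounter: map[string]uint64{}}
}

func (a *Acquirer) Verify(cert Cert, t Transaction) error {
	if !ed25519.Verify(a.issuerPub, certBytes(cert.Account, cert.CardPub), cert.IssuerSig) {
		return errors.New("card certificate not signed by issuer")
	}
	if t.Account != cert.Account {
		return errors.New("transaction account does not match certificate")
	}
	if !ed25519.Verify(cert.CardPub, txBytes(t.Account, t.Cents, t.Counter), t.CardSig) {
		return errors.New("transaction signature invalid")
	}
	if t.Counter <= a.lastCounter[cert.Account] {
		return errors.New("replayed or out-of-order transaction")
	}
	a.lastCounter[cert.Account] = t.Counter
	return nil
}

func main() {
	is, _ := NewIssuer()
	card, _ := is.IssueCard("acct-0001")
	acq := NewAcquirer(is.PublicKey())
	tx := card.Authorize(1999)
	fmt.Println("first presentation:", acq.Verify(card.Cert(), tx))
	fmt.Println("replayed swipe:    ", acq.Verify(card.Cert(), tx))
}
```

The counter works because one acquirer sees every presentation for an account; with several acquirers the same check has to live at the issuer. A real design would also sign the merchant identifier and a terminal-supplied nonce, so a signed amount cannot be presented by a different merchant, and would avoid putting the account identifier on the wire in the clear.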
  • Re:I think not. (Score:3, Interesting)

    by Creepy ( 93888 ) on Tuesday February 18, 2003 @03:28PM (#5327795) Journal
    I'm a deadbeat, then (guess I need to start saying dude...).

    I agree with you on the credit limit thing - my wife had almost $33000 in debt, most on a single card (a Discover card) when I met her, and she only earned $32000/yr at that time. She was making minimal payments (yet nearly equal to my house payment) monthly and paying off very little principal.

    I was just the opposite - I've only paid one interest payment ever, and that because mail took nearly two weeks to get to the CC company because of the Halloween blizzard of 1992 (and no, they didn't let it slide because of the weather - even though I bitched about it). I got my first and only increase ever about 4 months after that - from $3000 to $4250. My brother, with the exact same card and usually a standing balance, has the maximum $50000 limit. My credit rating is outstanding (when I applied for my home equity loan, the lady said she'd never seen one that high), so they sure aren't basing it on that.
  • Re:Die, credit cards (Score:3, Interesting)

    by GregGardner ( 66423 ) on Tuesday February 18, 2003 @03:53PM (#5328053) Homepage
    Well yes, it is possible to use a credit card number that isn't yours to purchase items. The risk, though, is built into the cost of using the credit cards. And any decent credit card company will not make you pay for false charges. This is much of the reason it costs so much to use a credit card. This cost is usually eaten by the merchant, though, and the consumer rarely sees it.

    There are new ways in place to make it a little more difficult for thieves to make fraudulent purchases. Most places now make you give them the expiration date of the card and that is checked to be valid in real-time. Also, they can do real-time checks of the name of the card holder as well as the zip code. It's really up to the merchant as to how much risk they want to take. In fact, the merchant will usually get better rates if they implement these anti-fraud measures and force the customer to give them their zip code or whatever.

    The credit card system is vastly better than the check system as far as fraud goes. There exists a system called ACH (Automated Clearing House, I think) in which you only need the person's name, bank routing number, and bank account number, all of which are always printed right on the front of a personal check. And unlike a credit card that you only hand over temporarily to a merchant, you send checks to people all the time. There are a number of things you can buy online or mailorder using ACH (lots of bill-pay places, etc). Makes you think twice the next time you want to pay some stranger with a personal check.
