8000 Credit Cards' Details Compromised In Australian Bank Breach

mask.of.sanity writes "Australia's largest bank, the Commonwealth Bank, has cancelled 8,000 credit cards after it detected a data breach at a merchant. Mastercard and Visa may issue penalties including fines to the acquiring bank under the payment industry's PCI-DSS compliance rules. News of breaches is uncommon in Australia because the nation does not have data breach disclosure laws."

1, 2, 3...

[koreaman]

I can't wait until this is wrongly attributed to "Anonymous" (which is more of a subculture than a group, anyway)

Re:

[koreaman]

Like I said, Anonymous isn't an organization. They're a subculture. Saying "Anonymous hacked this" has about as much value as saying "punks hacked this". "The punks" aren't a cohesive group and neither are Anonymous.

Anti-CBA spin?

[_merlin]

I don't get why so many stories are spinning this as though it's somehow CBA's fault. CBA detected the data breach, alerted the public, and cancelled affected cards. They failed to name and shame the company that suffered the breach, only indicating that it was a bank outside Australia. CBA deserves some credit for handling the situation as well as they could.

Re:Anti-CBA spin?

[robbak]

That's what I thought too. Even the statement about disclosure laws is out of place,as the laws that would apply are the laws in the country where the issuing bank and/or retailer is based.

CBA probably couldn't reveal the bank or retailer either, as they would probably end up fighting a defamation lawsuit.

Re:

[BiggerIsBetter]

CBA probably couldn't reveal the bank or retailer either, as they would probably end up fighting a defamation lawsuit.

Is speaking the truth not a defense against such lawsuits?

Re:

[jamesh]

CBA probably couldn't reveal the bank or retailer either, as they would probably end up fighting a defamation lawsuit.

Is speaking the truth not a defense against such lawsuits?

Depends on jurisdiction, but I think the truth is less relevant if the defamation was made maliciously . It could be that CBA noticed that the fraudulent activity was on cards which had previously been used at a common location (eg the merchant in question) and so it was only an alleged compromise at that merchant. It could also be that the merchant was a horse porn shop or something in which case they are also protecting their customers from having private information disclosed.

Re:

[dbIII]

Is speaking the truth not a defense against such lawsuits?

Not always. Some places instead have a "public interest" clause so that if it is true but it is successfully argued that it is not in the public interest you lose. The state where I live used to have defamation laws like that.

Re:

[Hazel Bergeron]

Because there are lots of ways of making credit cards far more secure which the banks refuse to use because the banks profit from a data breach.

If someone fraudulently uses a card, the bank will refund them by debiting the merchant's account, not out of its own infinite pool of generosity. And it'll usually fine the merchant, either per-transaction or by increasing the discount rate in the long term (or both).

Re:

[Kalriath]

Except if said merchant had 3DS authentication (Verified by Visa or MasterCard SecureCode), then the bank cannot actually reverse the transaction, and must eat the cost itself.

Worst part

[CTU]

The worst part there will be people who don't know there cards were canceled and try to use it. It will not be a happy sign especially if they did not bring enough cash or a different card to pay with. So I wonder if they will be compensated or can sue for such damages. I know I would if it gets me into any trouble ether with the law or a restaurant or store because I found out my card was not valid a little to late.

Re:

[Ravadill]

People whose cards were cancelled were contacted via SMS or email to let them know (depending on what contact details were available.)

Re:

[am 2k]

That won't help people who check their mails monthly (and I know some of those).

Re:

[hackertourist]

Interesting. My bank has a policy of never contacting its clients via email. They made a lot of noise about this last year when a number of phishers tried sending emails to the bank's clients.

Instead they use either snail mail, or the bank's internet portal (which uses a challenge-response mechanism linked to my debit card so it's reasonably secure).

Re:

[iamhassi]

SMS and email? Really? That's their notification method for letting me know that my main payment source for everything has been cancelled? Seems like this should be handled better, perhaps letters and phone calls would be more appropriate for something this important.

Re:

[jamesh]

I know I would if it gets me into any trouble ether with the law or a restaurant or store because I found out my card was not valid a little to late.

It's an offence in Australia to purchase goods (eg eat food in a restaurant or fill your car up with petrol) when you have or should have knowledge that you can't pay for it... I assume other countries have similar laws.

Not being aware that your card was just cancelled does not meet the above criteria though so I think you'd be safe from the law. The restaurant might be a little pissed, but i'm sure it wouldn't be the first time and they'd have a way of dealing with it (can you wash dishes? :)

Re:

[iamhassi]

In the US you could be arrested, put in jail, released on bail (if you can afford thousands of dollars) whenever the judge sets your bail (next business day, so you might be there the weekend), and then when you go to the hearing you could bring the email or letter showing proof you didn't know. If you can't afford bail then you sit in jail for several weeks until the hearing.

of course all of this depends on if the cop wants to arrest you or not, he could just write a ticket if he wants to be nice.

And the merchant was...?

[jamesh]

So who was the merchant? I'm not a CBA customer but if it was a merchant who had a breach, surely it isn't just CBA customers who were affected?

Re:

[halowolf]

One of the random TV news stories I saw, mentioned that the breach spread to Westpac too. Since it was a merchant that had the breach, I would expect most CC providers to be affected to some degree.

Re:

[dakameleon]

Usually, there's a single bank that provides the POS equipment to process the transactions - you'll see it as the branded card processing machines at the register. This leads to the conclusion that CBA was the POS provider for this particular merchant - the question of their liability could be due to a flaw in their system allowing the data to be compromised.

NAB has them too

[MavEtJu]

In the last two years I have been given a replacement credit-card from the NAB bank twice.

One day everything work fine, the next day they don't work anymore and three days later when you call them they say that they are in the process of re-issueing them.

Thanks for not letting me know on day one, and thanks for not being able to buy anything for two weeks.

Re:NAB has them too

[BarryHaworth]

This must be why I couldn't use an ATM last Thursday.

I'm with the CBA, and twice in the last few years I've had my card cancelled and reissued. The first time it was because of a data breach like this one - a card skimmer had been used on one of the ATMs in my area and all people who had used ATMs in the vicinity had cards cancelled & reissued. The more recent time it was just me - someone had skimmed my card and used it to make a purchase in London.

Both times the bank was very efficient, and while there was the inconvenience of waiting for a new card and, in the second instance, waiting for the stolen money to be recovered there was otherwise no problem.

Re:

[Anonymous Coward]

And you are drawing cash from an ATM using a credit card?
Eh? Wtf? What is the interest rate you are going to have to pay on that?
More fool you I say.

Re:

[MavEtJu]

Australia has the concept of Debit "Credit-Cards", which immediately deduct the money from the account.

I assume the person you replied to has one of them.

Re:

[iamhassi]

Debit credit cards are common in the US, AC was trolling

Re:

[Zanadou]

Australia has the concept of Debit "Credit-Cards", which immediately deduct the money from the account.

I assume the person you replied to has one of them.

Not quite, (most) Australians hold credit cards that can be used to access/authorise withdrawals from a normal debit (savings) account that is "bundled" together to the same cardholder. In practice, this means that credit cards seem to "act" like debit cards... but actually it's just binding two accounts together so that they can be accessed via one piece of plastic. This is why Australian ATMs and POS machines give a person the choice to press a "saving"/"cheque" (debt account—cheque accounts are bec

Re:

[lazybeam]

The "Cheque" button usually accesses a secondary "savings" account these days :) Or a business "cheque" account even if you don't have paper cheques to go with it.

And I think you mean that there's three buttons on EFTPOS machines: "Savings", "Cheque" and "Credit". Most ATMs seem to have an extra option or two for accessing other accounts.

I've had a Visa debit card for 10 years: it is basically a Visa card with $0 credit limit. Handy for buying stuff from the Internet (and the Internet itself) without having

Re:

[unreadepitaph]

It's called a cash advance.
Since they now have pin numbers on Credit Cards you can withdraw from ATM's using it.
The interest rate on cash advances are generally the same or 1% higher than the cards (If you have a base rate of like 11% or a little higher they will be about 19-20%) interest rate except they apply straight away.
So you're not paying that much interest on top of them anyway.

Re:

[Calydor]

My bank issues as standard a MasterCard which also serves as a standard ATM card. Go to an ATM and it connects to your account, refusing to pay out money if you try to withdraw more than either your daily limit or the total on the account, whichever is lower.

It's a system that works pretty well, IMO.

Re:

[BlueScreenO'Life]

You know there are cards that can be used either as a credit card or as a debit card, right?

Why fine the bank?

[hackertourist]

TFS mentions that "Mastercard and Visa may issue penalties including fines to the acquiring bank ". Why is that when the breach didn't occur at the bank, but at a merchant?

Re:

[hakey]

The summary removed the important bit. There is a second unnamed "acquiring bank" that is potentially responsible. From TFA: "Mastercard and Visa may issue penalties including fines to the acquiring bank, not CommBank, under the payment industry’s PCI-DSS compliance rules."

Re:

[xelah]

PCI DSS is enforced via contracts....so I presume that VISA/Mastercard have a contract with the acquiring bank, the acquiring bank has a contract with the merchant and the liabilities get passed along the chain. You can bet the merchant will end up paying unless it's so obviously the bank's fault that they can't get away with claiming otherwise.

It was more than just CommBank

[unreadepitaph]

All of the big 4 had to cancel and re-issue a heap of cards not just the Commonwealth Bank.

Which Bank?

[SwampChicken]

*smirk*

Re:

[MrKaos]

Oh, I wish I had mod points

the only reason this is news

[Anonymous Coward]

the awful behaviour of banks in the US that go to extreme lengths to blame the credit card holder
here we have a bank outside the US that should be a decent example of what banks should do
- tell your customers that their cards no longer work and why
- priority issue them new cards as they may be reliant on the credit cards
- don't name who screwed the pooch. customers can contact the bank if they want more info
- the bank absorbs the cost of the fraudulent transactions (kept low by picking up on the activity ea

CBA? Lol Sony

[Xachariah]

As a reminder, the Sony hack involved 12.3 million credit cards. This isn't counting the 77 million people who 'just' had their data stolen.

This hack is less than one fifteen hundreth in scope (1/1500th). To put it in car analogy form, if Sony's breach was a quarter mile drag race, CBA's breach would be rolling 10 inches forward at a stop light.

This doesn't mean that every breach of data is deplorable. Just remember how bad the Sony breach was.

Re:

[MrKaos]

As a reminder, the Sony hack involved 12.3 million credit cards. This isn't counting the 77 million people who 'just' had their data stolen. This hack is less than one fifteen hundreth in scope (1/1500th). To put it in car analogy form, if Sony's breach was a quarter mile drag race, CBA's breach would be rolling 10 inches forward at a stop light. This doesn't mean that every breach of data is deplorable. Just remember how bad the Sony breach was.

Incidentally, did you realise it's the commonwealth bank.

Re:

[laxguy]

You might also choose to remember that there were no reports of fraudulent charges on the cards that were involved because the security codes required to use the card were not taken.. just something to keep in mind when you're trying to flame Sony.

Credit cards are too weak

[Stonefish]

The fact that a most credit card transactions are based upon a couple magic numbers and a date makes them easy to defraud. Fixing this problem isn't rocket science. With smartcards, crypto and near field readers this problems shouldn't be hard to make this go away. A vender generates a transaction, you digitally sign it and the vendor gets the signed result. You could even put the credit institution in the loop if you wished. Its funny but Google appears to be pushing the technology that would facilitate th

Re:

[Raenex]

The fact that a most credit card transactions are based upon a couple magic numbers and a date makes them easy to defraud. Fixing this problem isn't rocket science. With smartcards, crypto and near field readers this problems shouldn't be hard to make this go away.

You are right. What's really pathetic is that public-private key crypto has been available for decades, yet the big credit card companies (Visa, MasterCard) have either been too afraid or stupid to move to it.

The last time they updated security, they added another secret number (that 3-digit number on the back of your card). The only difference was that this number is not supposed to be stored by the merchant.

There are hundreds of thousands of merchants. Trying to get them all tightly secured is a joke, yet

Re:

[xelah]

Isn't that roughly what Chip and PIN does?

For distance sales something as simple as a button on the card/a device which displays a time-dependent number would make a huge difference. I already have a device for a company bank account which does this (but it uses a PIN as well). Merchants want to be able to perform repeat charges, do automated refunds, etc., but that could be done by issuing the merchant with a token only they can use during authorization.

8,000?

[goodmanj]

8000 credit cards? Wow, that's twice as many cards as were stolen from TJX Companies [wikipedia.org] in A SINGLE HOUR between 2005-2007.

Australia, I love you. You're both terrifyingly tough and adorably tiny. Like a snarling chihuahua.

Re:

[Geminii]

A _poisonous_ chihuahua. With fangs, spurs, tentacles, and the ability to drop out of trees onto you.