Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security The Almighty Buck News Your Rights Online

Up To 1.5 Million Visa, MasterCard Credit Card Numbers Stolen 189

An anonymous reader writes "Global Payments, the U.S.-based credit card processor company that experienced a security breach affecting Visa and MasterCard, confirmed that the breached portion of its processing system was confined to North America. The company also finally revealed how many credit card numbers were stolen: around 1,500,000."
This discussion has been archived. No new comments can be posted.

Up To 1.5 Million Visa, MasterCard Credit Card Numbers Stolen

Comments Filter:
  • Comment removed (Score:5, Interesting)

    by account_deleted ( 4530225 ) on Monday April 02, 2012 @09:26AM (#39548529)
    Comment removed based on user account deletion
    • by robinsonne ( 952701 ) on Monday April 02, 2012 @09:29AM (#39548569)
      None whatsoever, but maybe I should go on a spending spree and max out my card so that the crook(s) have to pay my bill before they can do anything with my card!
      • by MetalliQaZ ( 539913 ) on Monday April 02, 2012 @09:37AM (#39548667)

        I assume that by "the crooks" you mean Mastercard and Visa, right? :)

      • Re:Recourse? (Score:5, Informative)

        by Solandri ( 704621 ) on Monday April 02, 2012 @11:14AM (#39549749)
        Don't do that. The banks and credit card companies have gamed it so that they don't pay for fraud - the merchants do. They've made it the merchant's responsibility to make sure the card is not being used fraudulently, while simultaneously pushing through a law which prohibits declining a card because the user refuses to show ID (because that would, y'know, discourage credit card use*). If you contest a charge and the merchant cannot prove that you actually made the charge (usually a copy of your signature on the charge slip), the processor will reverse the payment. The merchant is out the money and the merchandise. The card processor suffers the minor inconvenience of having to pay someone to field your phone call and having to run a second transaction to reverse the initial purchase. That is why some places will ask for your zip code or home phone number, or won't deliver to anywhere but your home address when you buy with a card. Those are the only tools merchants have to prevent fraud.

        * They also pushed through a law prohibiting merchants from charging extra for credit card transactions to cover the additional risk of fraud. Some merchants get around it by offering a cash discount.
        • by lgw ( 121541 )

          Pushed through a law? Really? By "law" you mean the contract the merchant signs in order to accept credit cards, right?

        • Re:Recourse? (Score:4, Informative)

          by Anonymous Coward on Monday April 02, 2012 @01:22PM (#39551519)

          Posted anon on purpose.

          I work for a credit card company and we give out both Visa and Mastercard. When there is a fraud, WE pay the money. If you need a new card WE pay for that new card.

          If you contest a charge and there is anything reasonable (so no cash withdrawal with your PIN code) we will FIRST give you the money back, then start the investigation and if there is no actual fraud (or more likely a fraud attempt of the cardholder) he will see it on a later bill.

          This means in many cases that the merchant has the money, the customer has nothing to pay and we end up with the bill.

          Now if the USofA would start using a modern system like the rest of the world, instead of still using the magnetic strip confirmed by a signature on the card, use the PIN code system with a chip. This seriously will increase security.

          As far as we are concerned, if you go to the US, it will cost US money, because of the backwater system that is used.

          Almost all of the world has changed to a more secure system, yet the US is somehow unable to get up to speed.

          Will it ecxlude all situations or all fraude? No, but it will seriously reduce it. How? If you do not have the code, you can only try to buy stuff on the Internet. The moment the card is noted as stolen, even that won't work, because the card is blocked from that moment on.

    • Re:Recourse? (Score:5, Informative)

      by Bigby ( 659157 ) on Monday April 02, 2012 @09:30AM (#39548587)

      Whether it is used now or later, you are not liable. Your recourse is that you are NEVER liable for credit card transactions.

      And VISA already dropped Global Payments. Let the market and common law handle this...

      • Re:Recourse? (Score:5, Informative)

        by jmauro ( 32523 ) on Monday April 02, 2012 @09:31AM (#39548603)

        They dropped them from the list of "secure" providers. Global Payments is still authorized to handle VISA credit card payments.

        • They dropped them from the list of "secure" providers. Global Payments is still authorized to handle VISA credit card payments.

          Wait, VISA will still let insecure providers to process transactions?

          That makes no sense whatsoever. (I'm not disputing what you're saying, I just find it amazing they'd let someone who doesn't have good data security anywhere near transactions.)

          That's kind of letting a known burglar work for an alarm company. It kind of defeats the purpose in the first place.

          • Re:Recourse? (Score:4, Informative)

            by Raenex ( 947668 ) on Monday April 02, 2012 @03:42PM (#39553155)

            Wait, VISA will still let insecure providers to process transactions?

            Global Payments is a huge provider, and Visa couldn't just stop processing payments from them without impacting a huge number of merchants.

            (I'm not disputing what you're saying, I just find it amazing they'd let someone who doesn't have good data security anywhere near transactions.)

            Even companies who have good security can suffer a breach. I haven't seen any details on what happened, whether it was gross negligence, an inside job, or what. To even be processing with Visa, you have to pass security audits for basic procedures. They'll get whatever went wrong fixed and re-apply for approval.

            The real problem here is the reliance on "secret" data (your credit card number) that is published on every transaction. With so many people and organizations involved, it's inevitable that these leaks will happen.

            It's 2012. There are much better solutions using smart cards and public/private keys.

      • Re:Recourse? (Score:5, Informative)

        by SniperJoe ( 1984152 ) on Monday April 02, 2012 @09:44AM (#39548749)
        Actually, that's not true at all. If you fail to report fraudulent transactions within 60 days of statement mailing, the bank and/or credit card company is not responsible for any investigation or repayment under the Fair Credit Billing Act.

        http://www.ftc.gov/bcp/edu/pubs/consumer/credit/cre04.shtm [ftc.gov]
        • Re:Recourse? (Score:5, Informative)

          by tripleevenfall ( 1990004 ) on Monday April 02, 2012 @09:47AM (#39548777)

          The burden on the consumer to protect themselves is not high. All you have to do is what you should already be doing, looking over your statement and reporting anything you have questions about.

          Aside from this, it seems likely they will notify the people who were affected and issue them new cards if they can identify who they were. It may not be possible to tell which numbers were stolen, only which were exposed.

          • Oh, you're absolutely right. The burden to consumers is not high at all, nor should it be. Contrast that with the burden for debit card transactions or electronic transfers, which only covers two business days. As you said, if you're doing what you SHOULD be doing, you're going to be protected under the law. I just don't want people to have a false sense of security that if they use a credit card, they're protected from fraudulent transactions in perpetuity, because that simply isn't the case.

            From w
            • I had a Citi mastercard which had some fraudulent charges posted to it... two different charges for Italian dresses, about $300 each. (what the heck?)

              I called and reported it. I had to sign an affidavit of fraud and fax it back to them. They canceled my old card and overnighted me a new one, and the charge came off the account about a week later. It was really pretty easy.

          • All you have to do is what you should already be doing, looking over your statement and reporting anything you have questions about.

            Looking over? Doesn't anyone else use electronic bookkeeping and reconcile their bank statements? Money is so hard to come by. It is really worth your while to keep accurate records. And if you're nerdy enough to read this website...

            I spend a few minutes each day typing receipts and cash transactions into the computer. Just this very act has increased my savings. My theory is that it helps bring your transactions into consciousness. You can also get all sorts of cool charts and graphs, which helps me decid

            • by lgw ( 121541 )

              Everyone should keep a detailed budget, at least for a while. It really is educaitonal. But if you do that for a few years it becomes an empty ritual - you can manage by exception. What's sad is so very few people these days ever reach that point - it's no wonder that getting into "the 1%" seems impossible for so many. There are fundamental technical skills here that every adult should master (if only high school taught anything practically useful).

        • Comment removed based on user account deletion
      • Re: (Score:2, Interesting)

        by Anonymous Coward

        Whether it is used now or later, you are not liable. Your recourse is that you are NEVER liable for credit card transactions.

        Bwahahaha! You've never had to experience the nightmare of having fraudulent transactions on your c/card, have you? The issuers make you jump through a ridiculous number of hoops, legal papers, police statements, that unless you have large sums against you, you simply give up trying to to remove them.

        It's a complete myth you can reverse transaction on credit cards, perpetuated by Visa and Co to keep the public in happy blindness. At least until they experience the problems for themselves.

        • by Rakishi ( 759894 )

          Wow, did a Visa executive make sweet love to your mother or something?

          As others have already pointed out, it is just that easy. Visa and Co don't care at all since they don't eat the cost.

          Last time I got hit with fraud, a single sale mind you, my card was suspended and I was called before the transaction was even finalized. New card was in my hands within two days and I even had thirty days to switch over any recurrent charges (as the old number stayed valid for those).

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      My bank called me...but then again it wasn't until after charges were made to my account. The jack@$$3$ wiped me out...now I have to go to my bank, and fill out an Affidavit of Fraud to get my money back. I think that Global Payments should be forced to contact all people who had their information stolen AND re-imburse them for any damages (as well as assist with the cancellation of cards, since everyone should cancel a stolen card)...too bad that will never happen. I didn't choose for GP to be the processi

      • Re:Recourse? (Score:5, Interesting)

        by Anonymous Coward on Monday April 02, 2012 @09:39AM (#39548691)

        I think that Global Payments should be forced to contact all people who had their information stolen AND re-imburse them for any damages

        Your recourse is through your bank and/or card issuer, not the processor, and that fact is greatly beneficial to you. A massive breach could easily put a company out of business, especially if that company were already in trouble. In that situation, if they were liable for your losses, you would have to wait years for bankruptcy court to sort it out, and you would likely only get back a portion of your losses. The bank that issued your card is legally required to have the cash on hand to be able to pay you back, so it works out much better for you that it is their obligation. Yes, you may have to fill out a few forms, and your money will not come back instantaneously, but I don't think there's a constitutional amendment requiring that you never be mildly inconvenienced, so suck it up and take it. Shit happens.

        • Re:Recourse? (Score:5, Insightful)

          by KhabaLox ( 1906148 ) on Monday April 02, 2012 @10:47AM (#39549403)

          GP should be fine. It looks like the average loss is anywhere from $1 to $10 per account, so they're looking at an upper bound of $15-$20m, or about 5% of their unrestricted cash assets.

          From an article [zdnet.com] linked to in TFA:

          Global Payments, the processor blamed for a Visa and Mastercard data breach last week, is likely to be able to manage its financial hit related to beefing up security. ...
          If that figure sticks, Global Payments can weather the data breach, analysts said. For instance, Wells Fargo Timothy Willi said in a research note that Global Payments, which has $300 million to $400 million in unrestricted cash, can pay for the damage.

          Willi’s take, which lines up with other analysts, is based on the data breach suffered by Heartland in 2008. Heartland is another payment processor and the accounts compromised ran as high as 130 million in a breach that lasted for months. Heartland’s tab to data has been $147 million.

          Given Global Payments’ compromised accounts is about 10 million the tab should be lower. RBS WorldPay also had 1.5 million accounts compromised with $9 million of fraud losses.

          • Re:Recourse? (Score:5, Insightful)

            by penix1 ( 722987 ) on Monday April 02, 2012 @11:42AM (#39550107) Homepage

            The problem with that analysis is it doesn't take into account the hit to reputation. These companies only exist because of trust that the data is correct and secure. Loss of that trust means people will jump ship faster than rats leaving a sinking ship. I suspect the only reason Heartland survived was it is an industry that is "too big to fail" meaning there are very few processors out there for people to jump ship to that hasn't suffered the same problems or worse.

            • Fair point. Without knowing anything about the industry though, I'd say that if Heartland can survive losing 130 million accounts, GP should be OK losing 1% of that.

      • Re:Recourse? (Score:5, Insightful)

        by modernzombie ( 1496981 ) on Monday April 02, 2012 @09:42AM (#39548721)
        My bank called me a couple months ago (not related to this incident) and said that they were cancelling my card and issuing me a new one because they had reason to believe it could have been compromised even though no fraudulent charges had been made. This seems like the appropriate thing to do. The card issuers should be contacting their customers to have the cards replaced.
      • I didn't choose for GP to be the processing system used with my card

        Sure you did, you just didn't check. You could have went to another merchant, but you decided not to, or that checking who they were going to use to process your credit card wasn't worth the trouble. I'm quite guilty of this myself. But you (we) did have the opportunity to find out and use something else, but we didn't because we couldn't be bothered. The risk was low enough that it wasn't worth the trouble. Until this happens often enough that people actually do think it's worth the bother, it will co

    • Comment removed based on user account deletion
      • Yes. My bank is not exactly one known for good behavior, but that said all it takes is a phone call for them to wipe the offending transactions, give me my money back, and start an investigation. Note I get my money back first. I've never once had them come back and go "hmm, no actually we want out cash back" - and I've had to do this some 10 times over the years.

      • I do with my bank card. But then, it is a local bank that by default blocks out-of-state (or international) charges and actually uses proper two-factor authentication for online banking, so I have a reasonable degree of confidence in their security systems generally speaking.

        Granted, I'm still fairly careful where and when I use it (and plan to switch to a credit card soon, if only for the rewards and credit-building aspect).

      • does anyone use a bank card and feel safe?

        If you use a bank issued visa/mastercard and the transactions are swiped (credit) instead of via a pin you have the same protections as a regular credit card. Transactions via a pin have limited rights and you may not be reimbursed for the full amount of the fraud. That's why the banks have promotions and special hardware (RFID) at the POS. They want to entice you to use your pin so they can get off cheap. If they spent less time being greedy I'm sure they could impliment a more secure system but I suppose

      • by Jmc23 ( 2353706 )
        Canadians.
      • Re:Recourse? (Score:5, Interesting)

        by sexconker ( 1179573 ) on Monday April 02, 2012 @11:25AM (#39549881)

        Well, yes, at least these are CREDIT cards, not bank cards. This is exactly why I don't have a bank card and only use a credit card - at least it provides a buffer to my money. If I see charges on a bill that are suspect, I don't HAVE to write the credit card company a check. But if a criminal got a hold of someone's bank card...

        Maybe I'm wrong - does anyone use a bank card and feel safe?

        I left Bank of America because of this (and other, previous horse shit).
        Some scam "company" initiated an ACH transaction against my checking account (not even a debit purchase, it was straight ACH).

        They farm account numbers from dumpsters, internets, and call center slaves who are easy to bribe. Then they initiate fraudulent transactions for "supplemental medical insurance". You can go to their various shell websites and quickly see that the insurance is of course non-existent. The only service they offer is theft.

        So I called Bank of America and said "This is bullshit." and they wanted to do the whole 7-10 day, affidavit, wait to get my money back, horseshit.
        I got my money back faster (from the company) by threatening to sue and reporting them to the NY State Attorney's office.

        Bank of America said they could not (would not) block future transactions from that company. Sure, they could block debits from that company for the same amount (down to the cent), so if they try to take $49.95 they can't get it, but if they try $49.96 or $4999.95 they get it instantly. BoA wouldn't even let me file a complaint against them. Since I had gotten my money back, they refused to let me file a claim where I did not seek a refund. Of course, why would the bank want to make my money secure or investigate fraud? They profit off transactions, interest, fees, fraudulent charges, etc.

        My only option, according to BoA, was to open a new checking account to get a new number that hopefully they wouldn't be able to steal.
        So I did. Except the new checking account wasn't at BoA.

        • by TheLink ( 130905 )
          Would you be able to get the police involved, since it's theft and the Bank is actively aiding thieves? Not saying that you should (or shouldn't).

          So when some guy on the street steals your money he's committed a crime, but if some company steals money from thousands of people they're just a good customer of the Bank?
    • by alen ( 225700 )

      banks and others run anti-fraud software. one time i used one of my rarely used cards to open a microsoft support case. it was declined. a card with $0 balance. and my bank called me. i called them back later and they wanted to make sure it was me

    • And what recourse do card holders have?

      Cash still works. For now, anyways.

    • I was contacted this weekend by my CC company about this. My card was one of them. They asked to cancel my card numbers and next day aired new ones.
    • by neokushan ( 932374 ) on Monday April 02, 2012 @10:11AM (#39548999)

      Give me your CC number and I'll let you know if it's one of the compromised ones.

      >_>

    • Re: (Score:3, Interesting)

      by rmandevi ( 2168940 )
      That would have to be a pretty cagey crook. The breach occurred January-February. Global reported the breach to Visa, MasterCard, and Federal authorities once they detected it last month (source: http://phx.corporate-ir.net/phoenix.zhtml?c=125339&p=irol-newsArticle&ID=1678656&highlight= [corporate-ir.net]). The news only came out Friday to give the Feds enough time to investigate without tipping anyone off. Truth in posting: I work for one of Global's competitors.
    • Comment removed based on user account deletion
  • on top of my theory that digital cash will prove to difficult to protect and ultimately fail; which is a shame, I like digital cash.

    • It's not a a failure, and you said why: a lot of people like using credit cards!. Those companies already accept the fact that, every now and then, cards get stolen. They continue to operate under this scheme because it's so lucrative.

  • by Lennie ( 16154 ) on Monday April 02, 2012 @09:28AM (#39548559)

    I want to check if mine is on the list ;-)

    • by HaaPoo ( 696098 )
      I have the list, give you number to me to verify.
    • I too would like a copy of this supposed "list". I want to see if it's complete or not, by checking if your number is in there.

  • New Security Model (Score:5, Informative)

    by MetalliQaZ ( 539913 ) on Monday April 02, 2012 @09:32AM (#39548607)

    That government guy from the cyberwar scare story last week had it right... We need a new security model. Just assume that your credit card numbers, your social security number, etc., are already compromised. Those things were never designed to be secure, and companies that we trust with this data simply can't keep them safe. We just have to accept that the bad guys are all up in our business and adjust our practices accordingly. We could do it.

    • We just have to accept that the bad guys are all up in our business and adjust our practices accordingly. We could do it.

      And now that we're talking politics...

    • by nine-times ( 778537 ) <nine.times@gmail.com> on Monday April 02, 2012 @09:51AM (#39548815) Homepage

      Well it's not so much "we need a new security model" as "we need a security model". As you said, these things were never designed to be secure in the first place.

      Lots of businesses and government organizations use your SSN as an authentication method-- i.e. knowing your SSN is considered proof that you are who you say you are. However, your SSN is also just your ID number, and you're constantly being asked to provide it to people. In computer terms, it would be like asking people to use the same username in lots of different places, and then having everyone use their username as their password.

      IMO we should be using some kind of private-key encryption to verify identity. I don't like the idea of being forced to identify yourself, but if they're requiring some kind of verification/authentication, it should at least be secure. Of course, this would also require us to develop and deploy an additional layer of infrastructure for providing/reading/revoking these private keys, and it would also raise questions of whether/when/how we want to allow anonymity in such a system. There are lots of issues to work out, but we should be working on it.

      • In computer terms, it would be like asking people to use the same username in lots of different places, and then having everyone use their username as their password.

        +1 Insightful

        It's kind of obvious, but then I guess most insightful comments are in hindsight.

      • by TheLink ( 130905 )

        But if the systems were designed to be secure would "normal" people be better off in practice?

        Don't get me wrong, I'd be happy if things really became more secure. But as long as Banks, regulators etc keep calling "identity theft", "identity theft" and not bank fraud, what do you think will actually happen?

        Paranoid slashdotters might be able to keep good control over some fancy "foolproof" transaction system. But do you think most people would? They can't even secure their computers and phones.

        So cynical me

    • by jez9999 ( 618189 )

      Indeed, 'cards' as a throwback from the 90s and it's a shame they're still widespread. I've been thinking for a while now that instead of issuing you with a 'card', the banks should switch to issuing you with something akin to an RSA SecurID tag. You attach it to your keyring and it has a number that changes every 30 seconds or something, which you must supply to login to online banking or make online transactions. For physical transactions, RFID could be used combined with a PIN. Lose the thing and you

      • by Jmc23 ( 2353706 )
        Welcome to Mexico.
        • Welcome to Mexico.

          Does this mean you have RFID key fobs or compromised banks? I want to assume the latter, but I also don't want to be racist.

          • by Jmc23 ( 2353706 )
            RFID isn't safe, not even close. I do have a little keyfob that generates a new number every minute that has to be input to do any transactions online.
      • I've been thinking for a while now that instead of issuing you with a 'card', the banks should switch to issuing you with something akin to an RSA SecurID tag.

        That wouldn't be much better than current systems if the processor has shitty security. They can just lift the seed files off the processor's servers and go on their merry way.

  • Can't steal a number (Score:4, Interesting)

    by Thanshin ( 1188877 ) on Monday April 02, 2012 @09:38AM (#39548679)

    You can't steal a number! It's not stealing if you still have your copy of the number! It's copyright infringement at the most.

    Also, if put them one after the other, they stole a single number!

    73

    There you are, you can keep that number in exchange. I never liked 73 anyway.

    You're welcome.

  • My card expires in a few months anyway, guess I'll just step up getting a new one.
  • Easy fix (Score:5, Insightful)

    by alaffin ( 585965 ) on Monday April 02, 2012 @09:54AM (#39548839) Journal

    The thing is there are so many better ways to do things right now. For starters, you could force any retailer that wants to accept credit cards to upgrade to a chip and pin setup or lose their ability to accept credit cards. Chip and pin isn't perfect, but it's better than a magnetic stripe and a signature. For card not present transactions allow Visa card holders to create a one time credit card number (with a maximum limit) via the internet or over the phone. Want to buy something on line? Generate your own credit card number to the exact value of what you're buying. That CC # number expires at the end of the day - meaning that even if you gave it a ridiculous limit and then sent it to a shady site they'd have 24 hours to use it.

    Of course implementing these fixes would cost more than just paying the scammers, so we'll never see it happen.

    • The problem is that for the bank the money lost is 'minimal'. In the 50 billion $ a year of CC fraud, most of that amount is lost by the merchants and not the bank. The chargeback is from the merchant to the card owner, but the merchand didn't get the sold product back. Now, if a law say that the fraud should be at the charge of the banks, you can be sure that the fixes will be implemented in the following hour !!!

    • "you could force any retailer that wants to accept credit cards to upgrade to a chip and pin setup or lose their ability to accept credit cards."

      Um, the players in this aren't interested yet. The cost of replacing cards ia high enough for them to avoid it until 'forced', and not by 'you'. the government maybe, or a bank that gets burned too much to bear. In Britain, little old ladies are being shoulder-surfed at ATMs and wiped out, and since it's chip and pin, the banks hold onto their policies and refuse

    • by tgd ( 2822 )

      Of course implementing these fixes would cost more than just paying the scammers, so we'll never see it happen.

      It has -- quite literally -- nothing to do with the cost of the fixes. Most of the world has already gone chip+PIN. The reason you don't see it in the US is very simple: it slows down the transaction. That's why Visa and MC have been pushing for contactless payments. Tap your card and off you go. Simple as that. Its also why most stores no longer require signatures under $25 -- the networks have mandated that. You can actually lose your merchant account or pay penalties if you are caught asking people to si

      • They know exactly how much they lose from fraud

        >=0

        They just shove it up the merchant's ass, who are then out the money, the merchandise, the transaction fee, and a chargeback fee.

    • by Wildclaw ( 15718 )

      Want to buy something on line?

      Enter your credit card number and get redirected to your bank's site where you have to verify the purchase using your own bank's security solution. This functionality already exists on an international level as I have had it happen while buying something from Japan, while living in Sweden.

    • Comment removed based on user account deletion
  • How many? (Score:4, Interesting)

    by rickb928 ( 945187 ) on Monday April 02, 2012 @10:44AM (#39549389) Homepage Journal

    Krebs on Security stated the number was 10 million. GP and all initially admitted to 50,000.

    I'm betting on Krebs. He's pretty reliable, or at least his sources are.

  • At what point do we just assume that all CC #s have been stolen and if you haven't had your card # stolen yet, it's just a matter of time.

Like punning, programming is a play on words.

Working...