Up To 1.5 Million Visa, MasterCard Credit Card Numbers Stolen
An anonymous reader writes "Global Payments, the U.S.-based credit card processor company that experienced a security breach affecting Visa and MasterCard, confirmed that the breached portion of its processing system was confined to North America. The company also finally revealed how many credit card numbers were stolen: around 1,500,000."
Re:Recourse? (Score:2, Insightful)
My bank called me...but then again it wasn't until after charges were made to my account. The jack@$$3$ wiped me out...now I have to go to my bank and fill out an Affidavit of Fraud to get my money back. I think that Global Payments should be forced to contact all people who had their information stolen AND reimburse them for any damages (as well as assist with the cancellation of cards, since everyone should cancel a stolen card)...too bad that will never happen. I didn't choose for GP to be the processing system used with my card, so I don't feel like this is my fault.
I would cancel my card right away and ask for a new one. It will be a minor inconvenience for you, but could prevent trouble in the future.
Re:Recourse? (Score:5, Insightful)
You could, oh I don't know, cancel your cards and replace them? But I guess complaining about it on /. is more fun.
That's not "recourse" that's "damage control".
Re:New Security Model (Score:5, Insightful)
Well it's not so much "we need a new security model" as "we need a security model". As you said, these things were never designed to be secure in the first place.
Lots of businesses and government organizations use your SSN as an authentication method-- i.e. knowing your SSN is considered proof that you are who you say you are. However, your SSN is also just your ID number, and you're constantly being asked to provide it to people. In computer terms, it would be like asking people to use the same username in lots of different places, and then having everyone use their username as their password.
IMO we should be using some kind of private-key encryption to verify identity. I don't like the idea of being forced to identify yourself, but if they're requiring some kind of verification/authentication, it should at least be secure. Of course, this would also require us to develop and deploy an additional layer of infrastructure for providing/reading/revoking these private keys, and it would also raise questions of whether/when/how we want to allow anonymity in such a system. There are lots of issues to work out, but we should be working on it.
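The identifier-versus-secret distinction the post above draws can be made concrete. The following is an added example, not code from the post or from Global Payments: it puts the "SSN as password" check next to a challenge-response check in which the verifier stores only a public identifier and a public key, and the holder proves possession of the matching private key by signing a fresh random nonce. Ed25519 from Go's standard library is an assumed choice of signature scheme; the post only says "some kind of private-key encryption". Names, the sample SSN, and the registry layout are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// verifyBySSN is the check the post describes: the identifier is also the
// secret, so anyone who has ever been shown the number passes it.
func verifyBySSN(onFile, presented string) bool {
	return onFile == presented
}

// Identity is what a verifier stores in the key-based model: nothing here
// is secret, so a breach of this table leaks nothing that proves identity.
type Identity struct {
	ID     string
	PubKey ed25519.PublicKey
}

// Verifier issues one nonce per attempt and checks the signed response.
type Verifier struct {
	registry map[string]ed25519.PublicKey
	pending  map[string][]byte // outstanding challenge per ID
}

func NewVerifier(ids []Identity) *Verifier {
	v := &Verifier{registry: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
	for _, id := range ids {
		v.registry[id.ID] = id.PubKey
	}
	return v
}

// Challenge returns a fresh 32-byte nonce the holder must sign. Freshness is
// what makes a captured response useless for replay later.
func (v *Verifier) Challenge(id string) ([]byte, error) {
	if _, ok := v.registry[id]; !ok {
		return nil, errors.New("unknown id")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	v.pending[id] = nonce
	return nonce, nil
}

// Verify checks sig against the outstanding challenge and consumes the
// challenge whether or not the signature validates.
func (v *Verifier) Verify(id string, sig []byte) bool {
	nonce, ok := v.pending[id]
	if !ok {
		return false
	}
	delete(v.pending, id)
	return ed25519.Verify(v.registry[id], nonce, sig)
}

// Holder keeps the private key and only ever emits signatures; the key
// itself is never sent anywhere.
type Holder struct {
	ID   string
	priv ed25519.PrivateKey
}

func NewHolder(id string) (Holder, Identity, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Holder{}, Identity{}, err
	}
	return Holder{ID: id, priv: priv}, Identity{ID: id, PubKey: pub}, nil
}

func (h Holder) Respond(challenge []byte) []byte {
	return ed25519.Sign(h.priv, challenge)
}

func main() {
	// Constructed sample number, not a real SSN. Once it leaks, the check
	// is defeated for good: the thief presents exactly what the owner would.
	ssn := "123-45-6789"
	fmt.Println("stolen SSN accepted:", verifyBySSN(ssn, ssn))

	alice, aliceID, _ := NewHolder("alice")
	v := NewVerifier([]Identity{aliceID})
	c, _ := v.Challenge("alice")
	sig := alice.Respond(c)
	fmt.Println("fresh response accepted:", v.Verify("alice", sig))
	fmt.Println("replayed response accepted:", v.Verify("alice", sig))
}
```

The verifier's table can be published without harm, which is the opposite of the SSN situation; revocation and key recovery, which the post flags as open questions, are exactly the parts this sketch leaves out.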
Easy fix (Score:5, Insightful)
The thing is there are so many better ways to do things right now. For starters, you could force any retailer that wants to accept credit cards to upgrade to a chip and pin setup or lose their ability to accept credit cards. Chip and pin isn't perfect, but it's better than a magnetic stripe and a signature. For card not present transactions, allow Visa card holders to create a one time credit card number (with a maximum limit) via the internet or over the phone. Want to buy something online? Generate your own credit card number to the exact value of what you're buying. That CC number expires at the end of the day - meaning that even if you gave it a ridiculous limit and then sent it to a shady site they'd have 24 hours to use it.
Of course implementing these fixes would cost more than just paying the scammers, so we'll never see it happen.
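The one-time card number the post proposes is easy to sketch as issuer-side logic, and doing so shows what the processor's authorization check has to fail closed on. The following is an added example, not code from the post or from any card network: an issuer mints a 16-digit virtual number (Luhn check digit included) bound to a real account, a spending limit and an end-of-day expiry, and an Authorize call refuses unknown numbers, expired numbers, reuse, and amounts over the limit. The "400000" BIN prefix is a placeholder, not a real issuer range, the account names are constructed, and single-use (rather than reusable until the limit is exhausted) is an assumption beyond what the post specifies.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
	"sync"
	"time"
)

// VirtualCard is the number the merchant sees; the real account never is.
type VirtualCard struct {
	PAN       string
	Account   string    // real account to debit
	LimitCent int64     // maximum amount, in cents
	ExpiresAt time.Time // end of the day of issue, per the proposal
	Used      bool
}

var (
	ErrUnknown   = errors.New("unknown card number")
	ErrExpired   = errors.New("card number expired")
	ErrUsed      = errors.New("card number already used")
	ErrOverLimit = errors.New("amount exceeds card limit")
)

// Issuer maps virtual numbers to accounts. The clock is injectable so the
// expiry rule can be exercised without waiting for midnight.
type Issuer struct {
	mu    sync.Mutex
	cards map[string]*VirtualCard
	now   func() time.Time
}

func NewIssuer(now func() time.Time) *Issuer {
	return &Issuer{cards: map[string]*VirtualCard{}, now: now}
}

// luhnCheckDigit returns the check digit for a numeric payload, doubling
// every second digit from the right starting with the rightmost one.
func luhnCheckDigit(payload string) byte {
	sum, double := 0, true
	for i := len(payload) - 1; i >= 0; i-- {
		d := int(payload[i] - '0')
		if double {
			if d *= 2; d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return byte((10 - sum%10) % 10)
}

// ValidLuhn reports whether pan is all digits with a correct check digit.
func ValidLuhn(pan string) bool {
	if len(pan) < 2 {
		return false
	}
	for _, ch := range pan {
		if ch < '0' || ch > '9' {
			return false
		}
	}
	return luhnCheckDigit(pan[:len(pan)-1]) == pan[len(pan)-1]-'0'
}

// randomPAN builds a 16-digit number under a placeholder BIN (hypothetical,
// not a real issuer range) with nine random digits and a Luhn check digit.
func randomPAN() (string, error) {
	digits := []byte("400000")
	for len(digits) < 15 {
		n, err := rand.Int(rand.Reader, big.NewInt(10))
		if err != nil {
			return "", err
		}
		digits = append(digits, byte('0'+n.Int64()))
	}
	return string(append(digits, '0'+luhnCheckDigit(string(digits)))), nil
}

// Issue mints a number good for one charge of at most limitCent, until the
// end of the current day.
func (is *Issuer) Issue(account string, limitCent int64) (*VirtualCard, error) {
	pan, err := randomPAN()
	if err != nil {
		return nil, err
	}
	now := is.now()
	eod := time.Date(now.Year(), now.Month(), now.Day(), 23, 59, 59, 0, now.Location())
	c := &VirtualCard{PAN: pan, Account: account, LimitCent: limitCent, ExpiresAt: eod}
	is.mu.Lock()
	is.cards[pan] = c
	is.mu.Unlock()
	return c, nil
}

// Authorize is the processor's question to the issuer. It returns the real
// account to debit and burns the number, or a specific refusal.
func (is *Issuer) Authorize(pan string, amountCent int64) (string, error) {
	is.mu.Lock()
	defer is.mu.Unlock()
	c, ok := is.cards[pan]
	switch {
	case !ok:
		return "", ErrUnknown
	case is.now().After(c.ExpiresAt):
		return "", ErrExpired
	case c.Used:
		return "", ErrUsed
	case amountCent > c.LimitCent:
		return "", ErrOverLimit
	}
	c.Used = true
	return c.Account, nil
}

func main() {
	is := NewIssuer(time.Now)
	card, _ := is.Issue("acct-0001", 4999) // $49.99, one purchase
	fmt.Println("virtual number:", card.PAN)
	acct, err := is.Authorize(card.PAN, 4999)
	fmt.Println("first charge ->", acct, err)
	_, err = is.Authorize(card.PAN, 4999)
	fmt.Println("second charge ->", err)
}
```

The shady-site scenario in the post maps onto the last two checks: a leaked number is worth at most one charge, at most the limit, and only until midnight of the day it was created; a breach of the issuer's table after that leaves nothing chargeable.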
Re:Nothing was stolen (Score:5, Insightful)
Let me make your argument a different way, now tell me what the difference was:
(A) Smith borrowed the keys to Johnson's car, went to a locksmith and made a copy, gave Johnson his keys back as promised, and then sold the key to a guy who stole everything in the car.
(B) Jones sat down in front of a photograph by Johnson hanging in the gallery and took a photograph of it that looked essentially identical, and developed that photo of a photo in large prints for his wall and his friends.
There's plainly a legal and moral difference between what Smith did and what Jones did, even though both Smith and Jones took nothing directly from Johnson.
Re:Recourse? (Score:5, Insightful)
GP should be fine. It looks like the average loss is anywhere from $1 to $10 per account, so they're looking at an upper bound of $15-$20m, or about 5% of their unrestricted cash assets.
From an article [zdnet.com] linked to in TFA:
Global Payments, the processor blamed for a Visa and Mastercard data breach last week, is likely to be able to manage its financial hit related to beefing up security. ...
If that figure sticks, Global Payments can weather the data breach, analysts said. For instance, Wells Fargo Timothy Willi said in a research note that Global Payments, which has $300 million to $400 million in unrestricted cash, can pay for the damage.
Willi’s take, which lines up with other analysts, is based on the data breach suffered by Heartland in 2008. Heartland is another payment processor and the accounts compromised ran as high as 130 million in a breach that lasted for months. Heartland’s tab to data has been $147 million.
Given Global Payments’ compromised accounts is about 10 million the tab should be lower. RBS WorldPay also had 1.5 million accounts compromised with $9 million of fraud losses.
Re:Recourse? (Score:5, Insightful)
The problem with that analysis is it doesn't take into account the hit to reputation. These companies only exist because of trust that the data is correct and secure. Loss of that trust means people will jump ship faster than rats leaving a sinking ship. I suspect the only reason Heartland survived was it is an industry that is "too big to fail" meaning there are very few processors out there for people to jump ship to that hasn't suffered the same problems or worse.
Re:Recourse? (Score:4, Insightful)
That's epic-scale lazy right there. The bank is not your friend. Never trust it. You don't just need to check against merchant-side errors, you need to check against errors made by your bank. I've had to switch banks before just because of the frequency of errors.
Sure, sure, everyone should prefer banks that get this stuff right, but how can you know if you don't verify? Talk about oblivious.