Up To 1.5 Million Visa, MasterCard Credit Card Numbers Stolen

An anonymous reader writes "Global Payments, the U.S.-based credit card processor company that experienced a security breach affecting Visa and MasterCard, confirmed that the breached portion of its processing system was confined to North America. The company also finally revealed how many credit card numbers were stolen: around 1,500,000."

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Recourse?

[robinsonne]

None whatsoever, but maybe I should go on a spending spree and max out my card so that the crook(s) have to pay my bill before they can do anything with my card!

Re:Recourse?

[MetalliQaZ]

I assume that by "the crooks" you mean Mastercard and Visa, right? :)

Re:Recourse?

[Solandri]

Don't do that. The banks and credit card companies have gamed it so that they don't pay for fraud - the merchants do. They've made it the merchant's responsibility to make sure the card is not being used fraudulently, while simultaneously pushing through a law which prohibits declining a card because the user refuses to show ID (because that would, y'know, discourage credit card use*). If you contest a charge and the merchant cannot prove that you actually made the charge (usually a copy of your signature on the charge slip), the processor will reverse the payment. The merchant is out the money and the merchandise. The card processor suffers the minor inconvenience of having to pay someone to field your phone call and having to run a second transaction to reverse the initial purchase. That is why some places will ask for your zip code or home phone number, or won't deliver to anywhere but your home address when you buy with a card. Those are the only tools merchants have to prevent fraud.

* They also pushed through a law prohibiting merchants from charging extra for credit card transactions to cover the additional risk of fraud. Some merchants get around it by offering a cash discount.

Re:

[lgw]

Pushed through a law? Really? By "law" you mean the contract the merchant signs in order to accept credit cards, right?

Re:Recourse?

[Anonymous Coward]

Posted anon on purpose.

I work for a credit card company and we give out both Visa and Mastercard. When there is a fraud, WE pay the money. If you need a new card WE pay for that new card.

If you contest a charge and there is anything reasonable (so no cash withdrawal with your PIN code) we will FIRST give you the money back, then start the investigation and if there is no actual fraud (or more likely a fraud attempt of the cardholder) he will see it on a later bill.

This means in many cases that the merchant has the money, the customer has nothing to pay and we end up with the bill.

Now if the USofA would start using a modern system like the rest of the world, instead of still using the magnetic strip confirmed by a signature on the card, use the PIN code system with a chip. This seriously will increase security.

As far as we are concerned, if you go to the US, it will cost US money, because of the backwater system that is used.

Almost all of the world has changed to a more secure system, yet the US is somehow unable to get up to speed.

Will it ecxlude all situations or all fraude? No, but it will seriously reduce it. How? If you do not have the code, you can only try to buy stuff on the Internet. The moment the card is noted as stolen, even that won't work, because the card is blocked from that moment on.

Re:

[s0nicfreak]

Since when is maxing out your own credit card illegal?

Re:

[KhabaLox]

It's not. But if you turn around and file a fraud claim on those charges, that would be illegal.

Re:

[s0nicfreak]

But that isn't what he said. He said the crooks would have to pay his bill before they could use his card.

Re:

[KhabaLox]

Oh. Well that idea is so stupid (for obvious reasons) I don't feel bad for not understanding it on the first pass. I guess he was trying to be funny?

Re:Recourse?

[Bigby]

Whether it is used now or later, you are not liable. Your recourse is that you are NEVER liable for credit card transactions.

And VISA already dropped Global Payments. Let the market and common law handle this...

Re:Recourse?

[jmauro]

They dropped them from the list of "secure" providers. Global Payments is still authorized to handle VISA credit card payments.

Re:

[gstoddart]

They dropped them from the list of "secure" providers. Global Payments is still authorized to handle VISA credit card payments.

Wait, VISA will still let insecure providers to process transactions?

That makes no sense whatsoever. (I'm not disputing what you're saying, I just find it amazing they'd let someone who doesn't have good data security anywhere near transactions.)

That's kind of letting a known burglar work for an alarm company. It kind of defeats the purpose in the first place.

Re:Recourse?

[Raenex]

Wait, VISA will still let insecure providers to process transactions?

Global Payments is a huge provider, and Visa couldn't just stop processing payments from them without impacting a huge number of merchants.

(I'm not disputing what you're saying, I just find it amazing they'd let someone who doesn't have good data security anywhere near transactions.)

Even companies who have good security can suffer a breach. I haven't seen any details on what happened, whether it was gross negligence, an inside job, or what. To even be processing with Visa, you have to pass security audits for basic procedures. They'll get whatever went wrong fixed and re-apply for approval.

The real problem here is the reliance on "secret" data (your credit card number) that is published on every transaction. With so many people and organizations involved, it's inevitable that these leaks will happen.

It's 2012. There are much better solutions using smart cards and public/private keys.

Re:Recourse?

[SniperJoe]

Actually, that's not true at all. If you fail to report fraudulent transactions within 60 days of statement mailing, the bank and/or credit card company is not responsible for any investigation or repayment under the Fair Credit Billing Act.

http://www.ftc.gov/bcp/edu/pubs/consumer/credit/cre04.shtm [ftc.gov]

Re:Recourse?

[tripleevenfall]

The burden on the consumer to protect themselves is not high. All you have to do is what you should already be doing, looking over your statement and reporting anything you have questions about.

Aside from this, it seems likely they will notify the people who were affected and issue them new cards if they can identify who they were. It may not be possible to tell which numbers were stolen, only which were exposed.

Re:

[SniperJoe]

Oh, you're absolutely right. The burden to consumers is not high at all, nor should it be. Contrast that with the burden for debit card transactions or electronic transfers, which only covers two business days. As you said, if you're doing what you SHOULD be doing, you're going to be protected under the law. I just don't want people to have a false sense of security that if they use a credit card, they're protected from fraudulent transactions in perpetuity, because that simply isn't the case.

From w

Re:

[tripleevenfall]

I had a Citi mastercard which had some fraudulent charges posted to it... two different charges for Italian dresses, about $300 each. (what the heck?)

I called and reported it. I had to sign an affidavit of fraud and fax it back to them. They canceled my old card and overnighted me a new one, and the charge came off the account about a week later. It was really pretty easy.

Re:

[chocolatetrumpet]

All you have to do is what you should already be doing, looking over your statement and reporting anything you have questions about.

Looking over? Doesn't anyone else use electronic bookkeeping and reconcile their bank statements? Money is so hard to come by. It is really worth your while to keep accurate records. And if you're nerdy enough to read this website...

I spend a few minutes each day typing receipts and cash transactions into the computer. Just this very act has increased my savings. My theory is that it helps bring your transactions into consciousness. You can also get all sorts of cool charts and graphs, which helps me decid

Re:

[lgw]

Everyone should keep a detailed budget, at least for a while. It really is educaitonal. But if you do that for a few years it becomes an empty ritual - you can manage by exception. What's sad is so very few people these days ever reach that point - it's no wonder that getting into "the 1%" seems impossible for so many. There are fundamental technical skills here that every adult should master (if only high school taught anything practically useful).

Re:

[SniperJoe]

Visa and Mastercard are migrating to "Chip and PIN" cards within the next year.

http://www.pcmag.com/article2/0,2817,2399772,00.asp [pcmag.com]

But even then, that's not a perfect solution, nor will it ever be. It will always be an arms race between the credit card companies and the thieves.

Re:Recourse?

[tripleevenfall]

The burden on the consumer to protect themselves is not high. All you have to do is what you should already be doing, looking over your statement and reporting anything you have questions about.

Why should I be doing this? I make dozens, perhaps hundreds of transactions each month. My looking over my statement is easily subject to human error.

Why should you look after your own finances? I wouldn't think higher critical reasoning would be required to convince you to do so.

Re:

[Albanach]

Am I not looking after my finances when I entrust them to (and pay handsomely for) banks to look after them?

Either through interest payments or transaction fees, we are paying a small fortune to multi-billion dollar corporations who want us to use their products so they can make even more money. Why should they be permitted to supply a product but not required to make sure it's reasonably secure?

Many of us are making almost every transaction by card these days - effectively paying banks something like 2.5%

Re:Recourse?

[lgw]

That's epic-scale lazy right there. The bank is not your friend. Never trust it. You don't just need to check against merchant-side errors, you need to check against errors made by your bank. I've had to switch banks before just because of the frequency of errors.

Sure, sure, everyone should prefer banks that get this stuff right, but how can you know if you don't verify? Talk about oblivious.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Anonymous Coward]

Whether it is used now or later, you are not liable. Your recourse is that you are NEVER liable for credit card transactions.

Bwahahaha! You've never had to experience the nightmare of having fraudulent transactions on your c/card, have you? The issuers make you jump through a ridiculous number of hoops, legal papers, police statements, that unless you have large sums against you, you simply give up trying to to remove them.

It's a complete myth you can reverse transaction on credit cards, perpetuated by Visa and Co to keep the public in happy blindness. At least until they experience the problems for themselves.

Re:

[Rakishi]

Wow, did a Visa executive make sweet love to your mother or something?

As others have already pointed out, it is just that easy. Visa and Co don't care at all since they don't eat the cost.

Last time I got hit with fraud, a single sale mind you, my card was suspended and I was called before the transaction was even finalized. New card was in my hands within two days and I even had thirty days to switch over any recurrent charges (as the old number stayed valid for those).

Re:

[Rakishi]

Debit != Credit.

Learn the difference and learn to read before commenting next time.

Debit cards are stupid for just the reasons you listed, all of which credit cards are basically immune to.

Debit and credit cards compromised

[jbov]

Debit != Credit. Learn the difference and learn to read before commenting next time

Heed your own advice before being rude. Global Payments processes debit, credit, and gift cards. Debit and credit cards were exposed by the breech. Fraudulent activity has been reported on both.

Re:

[Anonymous Coward]

My bank called me...but then again it wasn't until after charges were made to my account. The jack@$$3$ wiped me out...now I have to go to my bank, and fill out an Affidavit of Fraud to get my money back. I think that Global Payments should be forced to contact all people who had their information stolen AND re-imburse them for any damages (as well as assist with the cancellation of cards, since everyone should cancel a stolen card)...too bad that will never happen. I didn't choose for GP to be the processi

Re:Recourse?

[Anonymous Coward]

I think that Global Payments should be forced to contact all people who had their information stolen AND re-imburse them for any damages

Your recourse is through your bank and/or card issuer, not the processor, and that fact is greatly beneficial to you. A massive breach could easily put a company out of business, especially if that company were already in trouble. In that situation, if they were liable for your losses, you would have to wait years for bankruptcy court to sort it out, and you would likely only get back a portion of your losses. The bank that issued your card is legally required to have the cash on hand to be able to pay you back, so it works out much better for you that it is their obligation. Yes, you may have to fill out a few forms, and your money will not come back instantaneously, but I don't think there's a constitutional amendment requiring that you never be mildly inconvenienced, so suck it up and take it. Shit happens.

Re:Recourse?

[KhabaLox]

GP should be fine. It looks like the average loss is anywhere from $1 to $10 per account, so they're looking at an upper bound of $15-$20m, or about 5% of their unrestricted cash assets.

From an article [zdnet.com] linked to in TFA:

Global Payments, the processor blamed for a Visa and Mastercard data breach last week, is likely to be able to manage its financial hit related to beefing up security. ...
If that figure sticks, Global Payments can weather the data breach, analysts said. For instance, Wells Fargo Timothy Willi said in a research note that Global Payments, which has $300 million to $400 million in unrestricted cash, can pay for the damage.

Willi’s take, which lines up with other analysts, is based on the data breach suffered by Heartland in 2008. Heartland is another payment processor and the accounts compromised ran as high as 130 million in a breach that lasted for months. Heartland’s tab to data has been $147 million.

Given Global Payments’ compromised accounts is about 10 million the tab should be lower. RBS WorldPay also had 1.5 million accounts compromised with $9 million of fraud losses.

Re:Recourse?

[penix1]

The problem with that analysis is it doesn't take into account the hit to reputation. These companies only exist because of trust that the data is correct and secure. Loss of that trust means people will jump ship faster than rats leaving a sinking ship. I suspect the only reason Heartland survived was it is an industry that is "too big to fail" meaning there are very few processors out there for people to jump ship to that hasn't suffered the same problems or worse.

Re:

[KhabaLox]

Fair point. Without knowing anything about the industry though, I'd say that if Heartland can survive losing 130 million accounts, GP should be OK losing 1% of that.

Re:Recourse?

[modernzombie]

My bank called me a couple months ago (not related to this incident) and said that they were cancelling my card and issuing me a new one because they had reason to believe it could have been compromised even though no fraudulent charges had been made. This seems like the appropriate thing to do. The card issuers should be contacting their customers to have the cards replaced.

Re:

[RobertLTux]

"this is less helpful when you travel all the time. oh hey look I'm away from home and now my card doesn't work. how convenient. I still have another week of business to do here. thanks visa."

then they should not trigger unless they see "you" travel outside of your normal range (ie you mostly travel on the east coast of the US and they see "you" charge something in say China.).

Re:

[Jmc23]

Which is why you're supposed to tell your travel schedule to your credit card companies. Lazy or a troll?

Re:Recourse?

[whoever57]

Which is why you're supposed to tell your travel schedule to your credit card companies. Lazy or a troll?

Recent experience: My wife went to the UK (we live in the USA) recently. I phoned the credit card company in advance and told them she would be in the UK. Cards on the account have been used in the UK on a fairly regular basis. Her card was suspended within a couple of days of her arrival. So, what's the point of calling the credit card company?

Re:

[Kalriath]

That usually means the bank has placed a transaction block on that merchant - mine does the same with Entropay. It actually means it requires manual intervention to perform the transaction. In my case, I need a bank person on the phone to force the payment through.

Re:

[JDG1980]

this is less helpful when you travel all the time. oh hey look I'm away from home and now my card doesn't work. how convenient. I still have another week of business to do here. thanks visa.

Anecdotal experience: I have a Visa credit card through BB&T. I live in Georgia. A couple months ago, I got a call from the rep (forget whether it was BB&T or Visa) asking if I had made a transaction for a large amount of money (over $600, forget the exact amount) at a Walmart in Virginia. WTF? So someone had m

Re:

[KingMotley]

I didn't choose for GP to be the processing system used with my card

Sure you did, you just didn't check. You could have went to another merchant, but you decided not to, or that checking who they were going to use to process your credit card wasn't worth the trouble. I'm quite guilty of this myself. But you (we) did have the opportunity to find out and use something else, but we didn't because we couldn't be bothered. The risk was low enough that it wasn't worth the trouble. Until this happens often enough that people actually do think it's worth the bother, it will co

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[X0563511]

Yes. My bank is not exactly one known for good behavior, but that said all it takes is a phone call for them to wipe the offending transactions, give me my money back, and start an investigation. Note I get my money back first. I've never once had them come back and go "hmm, no actually we want out cash back" - and I've had to do this some 10 times over the years.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Baloroth]

I do with my bank card. But then, it is a local bank that by default blocks out-of-state (or international) charges and actually uses proper two-factor authentication for online banking, so I have a reasonable degree of confidence in their security systems generally speaking.

Granted, I'm still fairly careful where and when I use it (and plan to switch to a credit card soon, if only for the rewards and credit-building aspect).

Re:

[shoehornjob]

does anyone use a bank card and feel safe?

If you use a bank issued visa/mastercard and the transactions are swiped (credit) instead of via a pin you have the same protections as a regular credit card. Transactions via a pin have limited rights and you may not be reimbursed for the full amount of the fraud. That's why the banks have promotions and special hardware (RFID) at the POS. They want to entice you to use your pin so they can get off cheap. If they spent less time being greedy I'm sure they could impliment a more secure system but I suppose

Re:

[Jmc23]

Canadians.

Re:Recourse?

[sexconker]

Well, yes, at least these are CREDIT cards, not bank cards. This is exactly why I don't have a bank card and only use a credit card - at least it provides a buffer to my money. If I see charges on a bill that are suspect, I don't HAVE to write the credit card company a check. But if a criminal got a hold of someone's bank card...

Maybe I'm wrong - does anyone use a bank card and feel safe?

I left Bank of America because of this (and other, previous horse shit).
Some scam "company" initiated an ACH transaction against my checking account (not even a debit purchase, it was straight ACH).

They farm account numbers from dumpsters, internets, and call center slaves who are easy to bribe. Then they initiate fraudulent transactions for "supplemental medical insurance". You can go to their various shell websites and quickly see that the insurance is of course non-existent. The only service they offer is theft.

So I called Bank of America and said "This is bullshit." and they wanted to do the whole 7-10 day, affidavit, wait to get my money back, horseshit.
I got my money back faster (from the company) by threatening to sue and reporting them to the NY State Attorney's office.

Bank of America said they could not (would not) block future transactions from that company. Sure, they could block debits from that company for the same amount (down to the cent), so if they try to take $49.95 they can't get it, but if they try $49.96 or $4999.95 they get it instantly. BoA wouldn't even let me file a complaint against them. Since I had gotten my money back, they refused to let me file a claim where I did not seek a refund. Of course, why would the bank want to make my money secure or investigate fraud? They profit off transactions, interest, fees, fraudulent charges, etc.

My only option, according to BoA, was to open a new checking account to get a new number that hopefully they wouldn't be able to steal.
So I did. Except the new checking account wasn't at BoA.

Re:

[TheLink]

Would you be able to get the police involved, since it's theft and the Bank is actively aiding thieves? Not saying that you should (or shouldn't).

So when some guy on the street steals your money he's committed a crime, but if some company steals money from thousands of people they're just a good customer of the Bank?

Re:

[alen]

banks and others run anti-fraud software. one time i used one of my rarely used cards to open a microsoft support case. it was declined. a card with $0 balance. and my bank called me. i called them back later and they wanted to make sure it was me

Re:

[CubicleZombie]

And what recourse do card holders have?

Cash still works. For now, anyways.

Re:

[TheLink]

It's a bit like credit except you're actually spending your own money.

Rich people on the other hand use "leverage".

Re:

[OnlineAlias]

I was contacted this weekend by my CC company about this. My card was one of them. They asked to cancel my card numbers and next day aired new ones.

Re:Recourse?

[neokushan]

Give me your CC number and I'll let you know if it's one of the compromised ones.

>_>

Re:

[rmandevi]

That would have to be a pretty cagey crook. The breach occurred January-February. Global reported the breach to Visa, MasterCard, and Federal authorities once they detected it last month (source: http://phx.corporate-ir.net/phoenix.zhtml?c=125339&p=irol-newsArticle&ID=1678656&highlight= [corporate-ir.net]). The news only came out Friday to give the Feds enough time to investigate without tipping anyone off. Truth in posting: I work for one of Global's competitors.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:Recourse?

[Qzukk]

You could, oh I don't know, cancel your cards and replace them? But I guess complaining about it on /. is more fun.

That's not "recourse" that's "damage control".

Re:Recourse?

[tripleevenfall]

We give trucker cap. Look good for ladies.

Re:

[KhabaLox]

Really? It takes you an 7 hours to call and cancel your card? You're doing something wrong. Even is the CSR on the other end is overseas and has an accent, it's never taken me more than 10-15 minutes to do that.

ANother grain of sand

[geekoid]

on top of my theory that digital cash will prove to difficult to protect and ultimately fail; which is a shame, I like digital cash.

Re:

[elsurexiste]

It's not a a failure, and you said why: a lot of people like using credit cards!. Those companies already accept the fact that, every now and then, cards get stolen. They continue to operate under this scheme because it's so lucrative.

Re:

[vlm]

Doesn't bitcoin solve that issue? (not rhetorical; I don't know the details of bitcoin)

BTC only "decentralizes" properly if less than 50% of the transactions etc come from one person.. or group... so just dumping BTC on top of visa and mc will merely result in a oligopoly majority screwing with the block stream.

That is a problem with rolling out BTC, if you have a completely centrally controlled monopoly or oligopoly based financial system like the US, its hard to roll out gradually. The first mover will automatically control 99.9999% of the block stream making it no longer decentralized, or

Re:

[sexconker]

Doesn't bitcoin solve that issue? (not rhetorical; I don't know the details of bitcoin)

BTC only "decentralizes" properly if less than 50% of the transactions etc come from one person.. or group... so just dumping BTC on top of visa and mc will merely result in a oligopoly majority screwing with the block stream.

That is a problem with rolling out BTC, if you have a completely centrally controlled monopoly or oligopoly based financial system like the US, its hard to roll out gradually. The first mover will automatically control 99.9999% of the block stream making it no longer decentralized, or at least not decentralized until everyone ELSE moves to BTC.

No, it has nothing to do with 50%. It's simply that if you control more of the network, you are more likely to get away with tampering with transactions unnoticed.

You would need 100% control to guarantee no one would see you rigging shit. Even then, the entire transaction history is viewable to all, and all mined results are verifiable. In order to falsify a transaction you'd have to falsify a mining result and steal some wallet files. Since it's just mountains of hashwork, you're better off just mining

Re:

[vlm]

Hmm I think we agree the majority controls. I'm going further and saying truth or falsehood is in the eye of the 51%. You're saying a false transaction believed by 51% is still false, I'm saying it defines truth, at least in-band. If you also had GPG signed web of trust receipts to compare with the in-band history... well thats cheating, kinda, because its out of band.

Re:

[demachina]

Not entirely. You dont have the problem of identity/number theft but, theft of bitcoin wallets is relatively easy if you hack someones machine who has a bitcoin wallet.

The exchanges are also a weak point. At least one and probably more have been hacked, on top of which at present you can't have much confidence in the people that are running them in the first place since they are just geeks with servers who set up exchanges and some are better than others.

If you put large amounts in bitcoints you do have t

Re:

[vlm]

This is the old "use it as a store of value" argument vs the old "use it for free money transfers" argument.

It doesn't seem to be the ideal "store of value" system where wallets usually have something worth taking.
It already makes a hell of a fantastic zero commission international transfer system where wallets on both sides are always zero unless a transfer is in progress.

The latter use case seems much more likely to be the killer app than the former.

Re:

[rickb928]

Bitcoin is not the example of a solution to anything that I would choose. Between security breaches at various brokers, exploitation of the algorithms, and speculation, Bitcoin seems a lot like pre-existing currencies. No fix.

Re:

[gox]

exploitation of the algorithms

This never happened.

Bitcoin seems a lot like pre-existing currencies. No fix.

Well, it is supposed to fix the problems with and overcome limitations of centralized control, nothing else. And it does it to a certain degree.

Theft is a problem when there is a point where value is stored. Bitcoin can solve this by requiring multiple signatures for a transaction (there is experimental support for this already). So, you can store these keys in different locations. Keys never have to be in the same place ever to confirm a transaction, so this is very different from divid

Where is the list ?

[Lennie]

I want to check if mine is on the list ;-)

Re:

[HaaPoo]

I have the list, give you number to me to verify.

Re:

[KingMotley]

I too would like a copy of this supposed "list". I want to see if it's complete or not, by checking if your number is in there.

Re:

[vlm]

Then you're in luck, as I've developed a site that will tell you.

Simply enter your name and card number... it will tell you straight away. Nevermind the sketchy url, I swear it's legit.

AC is the guy who invented www.google.com?

Don't laugh, people do this "all the time", or at least they used to. Journalist types used to strongly encourage it to see if someone had released your number in a goog accessible location... which has happened in the past.
This is why some people freaked out about search histories being released / stolen / whatever, at least aside from the people nervous about their queries for "tranny midget sheep scat pr0n" and of course "how to make chloroform"

New Security Model

[MetalliQaZ]

That government guy from the cyberwar scare story last week had it right... We need a new security model. Just assume that your credit card numbers, your social security number, etc., are already compromised. Those things were never designed to be secure, and companies that we trust with this data simply can't keep them safe. We just have to accept that the bad guys are all up in our business and adjust our practices accordingly. We could do it.

Re:

[Thanshin]

We just have to accept that the bad guys are all up in our business and adjust our practices accordingly. We could do it.

And now that we're talking politics...

Re:New Security Model

[nine-times]

Well it's not so much "we need a new security model" as "we need a security model". As you said, these things were never designed to be secure in the first place.

Lots of businesses and government organizations use your SSN as an authentication method-- i.e. knowing your SSN is considered proof that you are who you say you are. However, your SSN is also just your ID number, and you're constantly being asked to provide it to people. In computer terms, it would be like asking people to use the same username in lots of different places, and then having everyone use their username as their password.

IMO we should be using some kind of private-key encryption to verify identity. I don't like the idea of being forced to identify yourself, but if they're requiring some kind of verification/authentication, it should at least be secure. Of course, this would also require us to develop and deploy an additional layer of infrastructure for providing/reading/revoking these private keys, and it would also raise questions of whether/when/how we want to allow anonymity in such a system. There are lots of issues to work out, but we should be working on it.

Re:

[KhabaLox]

In computer terms, it would be like asking people to use the same username in lots of different places, and then having everyone use their username as their password.

+1 Insightful

It's kind of obvious, but then I guess most insightful comments are in hindsight.

Re:

[TheLink]

But if the systems were designed to be secure would "normal" people be better off in practice?

Don't get me wrong, I'd be happy if things really became more secure. But as long as Banks, regulators etc keep calling "identity theft", "identity theft" and not bank fraud, what do you think will actually happen?

Paranoid slashdotters might be able to keep good control over some fancy "foolproof" transaction system. But do you think most people would? They can't even secure their computers and phones.

So cynical me

Re:

[jez9999]

Indeed, 'cards' as a throwback from the 90s and it's a shame they're still widespread. I've been thinking for a while now that instead of issuing you with a 'card', the banks should switch to issuing you with something akin to an RSA SecurID tag. You attach it to your keyring and it has a number that changes every 30 seconds or something, which you must supply to login to online banking or make online transactions. For physical transactions, RFID could be used combined with a PIN. Lose the thing and you

Re:

[Jmc23]

Welcome to Mexico.

Re:

[KhabaLox]

Welcome to Mexico.

Does this mean you have RFID key fobs or compromised banks? I want to assume the latter, but I also don't want to be racist.

Re:

[Jmc23]

RFID isn't safe, not even close. I do have a little keyfob that generates a new number every minute that has to be input to do any transactions online.

Re:

[compro01]

I've been thinking for a while now that instead of issuing you with a 'card', the banks should switch to issuing you with something akin to an RSA SecurID tag.

That wouldn't be much better than current systems if the processor has shitty security. They can just lift the seed files off the processor's servers and go on their merry way.

Can't steal a number

[Thanshin]

You can't steal a number! It's not stealing if you still have your copy of the number! It's copyright infringement at the most.

Also, if put them one after the other, they stole a single number!

73

There you are, you can keep that number in exchange. I never liked 73 anyway.

You're welcome.

Re:

[TheGratefulNet]

73 is ok. and if the situation is right, 88 can be acceptable, as well ;)

Eh, oh well.

[JustAnotherIdiot]

My card expires in a few months anyway, guess I'll just step up getting a new one.

Easy fix

[alaffin]

The thing is there are so many better ways to do things right now. For starters, you could force any retailer that wants to accept credit cards to upgrade to a chip and pin setup or lose their ability to accept credit cards. Chip and pin isn't perfect, but it's better than a magnetic stripe and a signature. For card not present transactions allow Visa card holders to create a one time credit card number (with a maximum limit) via the internet or over the phone. Want to buy something on line? Generate your own credit card number to the exact value of what you're buying. That CC # number expires at the end of the day - meaning that even if you gave it a ridiculous limit and then sent it to a shady site they'd have 24 hours to use it.

Of course implementing these fixes would cost more than just paying the scammers, so we'll never see it happen.

Re:

[Chatterton]

The problem is that for the bank the money lost is 'minimal'. In the 50 billion $ a year of CC fraud, most of that amount is lost by the merchants and not the bank. The chargeback is from the merchant to the card owner, but the merchand didn't get the sold product back. Now, if a law say that the fraud should be at the charge of the banks, you can be sure that the fixes will be implemented in the following hour !!!

Re:

[rickb928]

"you could force any retailer that wants to accept credit cards to upgrade to a chip and pin setup or lose their ability to accept credit cards."

Um, the players in this aren't interested yet. The cost of replacing cards ia high enough for them to avoid it until 'forced', and not by 'you'. the government maybe, or a bank that gets burned too much to bear. In Britain, little old ladies are being shoulder-surfed at ATMs and wiped out, and since it's chip and pin, the banks hold onto their policies and refuse

Re:

[tgd]

Of course implementing these fixes would cost more than just paying the scammers, so we'll never see it happen.

It has -- quite literally -- nothing to do with the cost of the fixes. Most of the world has already gone chip+PIN. The reason you don't see it in the US is very simple: it slows down the transaction. That's why Visa and MC have been pushing for contactless payments. Tap your card and off you go. Simple as that. Its also why most stores no longer require signatures under $25 -- the networks have mandated that. You can actually lose your merchant account or pay penalties if you are caught asking people to si

Re:

[compro01]

They know exactly how much they lose from fraud

>=0

They just shove it up the merchant's ass, who are then out the money, the merchandise, the transaction fee, and a chargeback fee.

Re:

[Wildclaw]

Want to buy something on line?

Enter your credit card number and get redirected to your bank's site where you have to verify the purchase using your own bank's security solution. This functionality already exists on an international level as I have had it happen while buying something from Japan, while living in Sweden.

Re:

[account_deleted]

Comment removed based on user account deletion

How many?

[rickb928]

Krebs on Security stated the number was 10 million. GP and all initially admitted to 50,000.

I'm betting on Krebs. He's pretty reliable, or at least his sources are.

Just give up already.

[erik umenhofer]

At what point do we just assume that all CC #s have been stolen and if you haven't had your card # stolen yet, it's just a matter of time.

Re:

[Spad]

Duplicated without consent.

Re:

[biodata]

You are right, the numbers were not stolen, and noone had anything stolen from them, except anyone who ends up paying for any fraudulent transactions. I'm pretty sure we don't own 'our own' credit card numbers, the numbers belong to the banks is my guess, or to a number issuing authority which leases them to the banks. The numbers were not stolen from the banks, they were copied from a third party, who disclosed them, possibly by mishandling or bad security practices, to another third party. The banks ch

Re:

[who_stole_my_kidneys]

I have to disagree. If your in the business of Security, just focusing on implementing PCI compliance or SOX or SEC etc. recommendations leaves you clue less to how hackers actually penetrate networks. You need to know more about what it is your running and how to mitigate other exploitable features that are not included in some compliance mandates. And the best way to learn that, get your hands dirty.

Re:Nothing was stolen

[dkleinsc]

Let me make your argument a different way, now tell me what the difference was:
(A) Smith borrowed the keys to Johnson's car, went to a locksmith and made a copy, gave Johnson his keys back as promised, and then sold the key to a guy who stole everything in the car.
(B) Jones sat down in front of a photograph by Johnson hanging in the gallery and took a photograph of it that looked essentially identical, and developed that photo of a photo in large prints for his wall and his friends.

There's plainly a legal and moral difference between what Smith did and what Jones did, even though both Smith and Jones took nothing directly from Johnson.

Re:

[KhabaLox]

I'm guessing most /.ers don't have a problem with the people copying the CC numbers. They just have a problem with them using those numbers to buy stuff.

Re:

[ACS Solver]

Idiotic argument. The problem isn't the criminals having the card numbers per se. The problem is that these numbers can then be used to steal your money - as in actually steal because you won't have the money afterwards.