
VISA, MasterCard Warn of 'Massive' Breach At Credit Card Processor

Soulskill posted more than 2 years ago | from the your-security:-priceless dept.

Crime 164

concealment writes with news that VISA and MasterCard have been warning banks of an incident at a U.S. card processor that may have compromised as many as 10 million credit card numbers. From the article: "Neither VISA nor MasterCard have said which U.S.-based processor was the source of the breach. But affected banks are now starting to analyze transaction data on the compromised cards, in hopes of finding a common point of purchase. Sources at two different major financial institutions said the transactions that most of the cards they analyzed seem to have in common are that they were used in parking garages in and around the New York City area." According to the Wall Street Journal, the breached company is Global Payments Inc.


164 comments


No Source? (4, Insightful)

MrJones (4691) | more than 2 years ago | (#39522989)

The article has no credible source. Is this Spam?

Re:No Source? (5, Informative)

Anonymous Coward | more than 2 years ago | (#39523061)

Krebs is all over it:

http://krebsonsecurity.com/2012/03/mastercard-visa-warn-of-processor-breach/

Re:No Source? (5, Informative)

EliSowash (2532508) | more than 2 years ago | (#39523069)

No, it's real. I saw it on Krebs earlier. http://krebsonsecurity.com/2012/03/mastercard-visa-warn-of-processor-breach/ [krebsonsecurity.com]

Re:No Source? (5, Insightful)

ohnocitizen (1951674) | more than 2 years ago | (#39523353)

This actually impacted me. I live in NY, and was contacted by my credit card company. They informed me I was getting a new card, that visa and mastercard said there was a breach - but were not required to report who had compromised my credit card number. "At least they tell us there is a breach". This right here is why "the market" is insufficient protection for consumer rights. We need a law requiring credit card companies to disclose businesses that compromise data.

Re:No Source? (2)

Dyinobal (1427207) | more than 2 years ago | (#39523425)

Strange, my bank called me and told me that my credit card was possibly compromised back when Valve got hacked and then I got a new one two days later in the mail.

Perhaps you were just faster than they were, it does take time for them to contact people.

Re:No Source? (3, Insightful)

scubamage (727538) | more than 2 years ago | (#39523559)

Most likely it's a numbers thing. If visa has 300 call center reps and they have to call 20 people, it'll be done in a few minutes. However 300 reps calling 10 million will take a much, MUCH longer amount of time. Now these numbers are hyperbolic, but you get the idea. Most likely your branch office didn't have that many people affected by the Valve hack (thankfully).

Re:No Source? (3, Informative)

binarylarry (1338699) | more than 2 years ago | (#39523457)

You aren't on the hook for the fraudulent charges.

Unless they can prove you actually made them, they have to pay for the charges.

If it's all on them, why do they need to give you a detailed breakdown?

Re:No Source? (5, Insightful)

wickerprints (1094741) | more than 2 years ago | (#39523755)

Because all borrowers end up indirectly paying for the cost of fraud. As is the case with many forms of financial risk, a lender typically insures against identity theft and credit card fraud. The cost of that insurance is factored into their interest rate and fee calculations and is passed on to the borrower.

Granted, insurance doesn't completely absolve the insured of all responsibility, in as much as a driver with car insurance would not think to be totally careless about driving. Lending institutions still have an interest in preventing fraud despite being insured. The point is that when fraud increases, or if there's a catastrophic breach (as in this case, opposed to isolated small-scale instances of ID theft), the associated financial costs eventually reach the borrowers.

Re:No Source? (1)

binarylarry (1338699) | more than 2 years ago | (#39523879)

If you make a fraud complaint and your lender jacks the interest rate way up, move to a different provider.

They have to give you advance notice so you can agree to the new terms anyway.

Re:No Source? (4, Insightful)

wickerprints (1094741) | more than 2 years ago | (#39525229)

Your response indicates you have entirely failed to grasp the meaning of my previous post.

Government regulation of the credit card industry prevents a lender from penalizing a fraud victim in the manner that you describe. A penalty in the form of a higher interest rate may only be applied if the borrower fails to pay an outstanding balance in a timely manner. A late fee may also be assessed. This is legal because a borrower's failure to repay the incurred debt is a reflection of their poor creditworthiness relative to other borrowers who pay their balance on time. However, a victim of fraud may not have had anything to do with the theft of the information that precipitated that fraud, which is the case with this data breach.

In relation to my previous post, then, the cost of insuring against losses due to fraud is passed on IN AGGREGATE to the entire pool of borrowers in the form of higher interest rates and/or fees, just like the way in which they factor in other costs of doing business (such as worker salaries, marketing, customer service, and legal representation). Competition between lenders exerts pressure to keep the interest rate low, but if the overall rate of fraud increases across ALL lenders, then the overall financial risk of lending money in this manner has also increased, and therefore the interest rate must also increase to reflect this risk trend.

To be absolutely clear, I am not talking about a scenario in which an individual borrower reports fraudulent activity on their account, and the lender then decides to punish that borrower by increasing their interest rate. What I am talking about is the big picture, in which the cost of credit card fraud and ID theft is spread out over the entire pool of borrowers because the risk of fraud is one component of the risk of lending money, and the risk of lending is part of why interest exists. Granted, this is a gross simplification of the way things actually work (as I do not discuss the role of merchants in this process, for example), but the basic point remains valid: the cost of fraud is eventually paid by the borrower. Even the merchants purchase insurance for their business, and factor these costs in the pricing of the goods and services they sell to consumers. All of it eventually falls on the shoulders of the consumer, who pays for it in the form of higher prices or higher interest.

Re:No Source? (2)

Aladrin (926209) | more than 2 years ago | (#39523773)

Because you want to know who was lazy with your private information, so you can deal with that situation.

Re:No Source? (1)

1s44c (552956) | more than 2 years ago | (#39524127)

If it's all on them, why do they need to give you a detailed breakdown?

Because whoever screwed up deserves to suffer for it.

Re:No Source? (0)

Anonymous Coward | more than 2 years ago | (#39523657)

Should've used bitcoin ;).

In all seriousness though, the CC model is broken. You want $5 for parking? Sure, let me give you enough personal information to charge me up to my credit limit...

Re:No Source? (4, Funny)

Taty'sEyes (2373326) | more than 2 years ago | (#39523717)

You haven't parked in NYC have you?

Re:No Source? (1)

Bigby (659157) | more than 2 years ago | (#39524825)

He can find $5 parking; There are several places where you can park for 10 minutes for around that price.

Re:No Source? (5, Insightful)

berashith (222128) | more than 2 years ago | (#39523663)

100% agree. I just went through this a few weeks ago. VISA told my card issuer that there had been a breach. They actually sent me a new card, but didn't tell me until fraudulent use occurred. This was before my new card arrived, which actually shortened the amount of time that I had no credit card. I wanted to know who had the breach, so I could avoid ever giving them business that wasn't cash based, but they would not tell me. That part pisses me off. There needs to be an awareness as to which vendors don't find it worth their time to protect me, so I can make a decision to not use them.

Re:No Source? (3, Insightful)

tlhIngan (30335) | more than 2 years ago | (#39524561)

This was before my new card arrived, which actually shortened the amount of time that I had no credit card. I wanted to know who had the breach, so I could avoid ever giving them business that wasn't cash based, but they would not tell me. That part pisses me off. There needs to be an awareness as to which vendors don't find it worth their time to protect me, so I can make a decision to not use them.

And what makes you think it was the *business* that was hacked? Retailers obtain a merchant account and the merchant bank provides the processing equipment. That equipment talks to a credit card processor who handles the transactions and transfers and such.

A credit card processor being breached means it affects MANY retailers at once. Boycotting one business over the breach may mean you're still vulnerable as your new go-to place can use the same processor.

For many businesses, there's nothing to breach - the information is temporarily stored on that terminal you use for the duration, and the only thing the retailer has is the tiny slip of paper they get at the end. Which is probably why credit card processors get attacked, rather than individual companies.

Even online companies do the same - that box you enter your information into may be temporarily hosted by the store, but the information is promptly forwarded to a credit card processor and forgotten by the store's server to reduce PCI requirements. Some make it obvious when they forward you to Google, Amazon or Paypal, or to a processor's site directly. Most don't, even though in the back end they're really proxying the processor's site.

Now, now (1)

ThatsNotPudding (1045640) | more than 2 years ago | (#39524667)

Let's not go breathing on the House of Cards that is modern Western Economic policy!

Re:No Source? (4, Interesting)

slew (2918) | more than 2 years ago | (#39524815)

...I wanted to know who had the breach, so I could avoid ever giving them business that wasn't cash based, but they would not tell me. That part pisses me off. There needs to be an awareness as to which vendors don't find it worth their time to protect me, so I can make a decision to not use them.

I don't know if you can believe the story, but if the breach occurred with a credit card processor and not the retailer. The Credit card processor is the retailer's vendor (e.g., the company that the retailer contracts with to process credit card batches). This vendor relationship is not unlike the company that the retailer buys paperclips from, or the company that processes their payroll. Credit card processing is a highly competitive industry. Some retailers will often switch processors every few years when competing companies offer promotions with lower merchant fees (the fees/percentage that they charge the retailer for processing a credit card transaction).

Even if you had been told what retailer the fraudulent charges were made at, since there are so many credit card processing companies, it's quite likely that the retailer didn't use the same processing company. Additionally, because of credit card merchant contracts, retailers are supposed to follow certain "merchant" rules (e.g., no minimum*** or maximum purchase amounts, no steering to different forms of payment, not allowed to require ID, etc, etc). So even if the retailer wanted to be more careful when trying to accept this apparently fraudulent card transaction, they probably aren't allowed by contract to be as paranoid as you apparently want them to be...

So feel free to throw the baby out with the bath water, but it might be just as likely that the retailer you want to disown actually helped the credit card company identify the fraudulent transaction before it appeared on your credit card statement. If that were the case, perhaps you should be thinking about thanking them, before you disown them?

*** As part of the Dodd-Frank wall street reform act of 2010, retailers are now allowed by law to impose a minimum transaction amount up to $10 (this law supersedes the language in the contracts in place with the credit card companies)

Re:No Source? (0)

Anonymous Coward | more than 2 years ago | (#39524881)

At least here in Ohio, state law waives our liability if we go public about the breach. There is a timeline for going public and police can dictate that you not go public under which case the deadline does not apply. Obviously, with credit cards your primary liability comes from fines that you agree to as part of your merchant account agreement, but I still really like the law.

I'll give an example, we had a laptop stolen with a bunch of SSNs on it. Based on the nature of what happened, it was believed that the person who stole it had no idea what was on it. Thus we were told to keep quiet and way beyond the deadline a news release was finally released. I know they had been searching pawn shops etc. hoping to retrieve the laptop and ensure it had been wiped; at which case they would have made the release. They immediately notified those potentially affected and we offered them free credit monitoring, so basically the idea was to not tip off the thief that the data may be more valuable than the laptop.

Re:No Source? (0)

magarity (164372) | more than 2 years ago | (#39523897)

What would you do if you knew whose system was compromised? Tie up the courts with lawsuits? Head over in a mob and smash their front windows? What are you going to do if their initial suspect turns out not to be at fault? File more suits? Form more mobs?

Re:No Source? (2, Insightful)

Anonymous Coward | more than 2 years ago | (#39524221)

Maybe not do business with them anymore? All this free market bullshit rests on the assumption that consumers are (or at the very least can be) informed about the companies they're dealing with. If you can't even know about the company you might be interacting with, then how are you supposed to "vote with your dollars"?

Use Hyperbole Much? (2)

FreeUser (11483) | more than 2 years ago | (#39524551)

What would you do if you knew whose system was compromised? Tie up the courts with lawsuits? Head over in a mob and smash their front windows? What are you going to do if their initial suspect turns out not to be at fault? File more suits? Form more mobs?

What a silly assumption. I can't speak for the poster, but as one who agrees with him 100%, I'll tell you what I would do:

STOP GIVING THE COMPROMISED VENDOR MY CREDIT CARD NUMBER

If it's a parking garage I use, I'd start paying the bill in cash, with receipt. Ditto for any other vendor I need to use but is compromised. If it is someone I don't need to use, I'd dump them for a smarter or less corrupt competitor. Probably someone who vets their employees, or at least doesn't use a call center housed in the local penitentiary.

I don't think anyone (except you) is thinking lawsuits, smashed windows, or forming mobs. We're just thinking about how to avoid having it happen a second (or third, or fourth) time.

But if the bank won't tell you who is stealing your credit card, you have no way of taking preventative measures, and getting a new credit card is a pain in the ass, particularly if you've set up most of your bills to clear through the card to amass reward points (which at 2-5% of your purchases can be very worthwhile), and have to go back through and do it all again, all the time wondering if one of them is the culprit.

Re:No Source? (0)

Anonymous Coward | more than 2 years ago | (#39524301)

If they disclose data before the investigation is over, it could make it harder to find out who is behind this. They should disclose it later on though.

Re:No Source? (1)

jdavidb (449077) | more than 2 years ago | (#39524521)

This right here is why "the market" is insufficient protection for consumer rights. We need a law requiring credit card companies to disclose businesses that compromise data.

You have not tested "the market." You have tested "the market with regulation." If you had tested "the market," then you could take your business elsewhere to someone who tells you what you need to know.

Re:No Source? (0)

Anonymous Coward | more than 2 years ago | (#39524603)

What rights were violated? You were notified, card was replaced, and you're not responsible for any unauthorized charges. Sounds like your "right" to be informed of things that won't hurt you was the only thing violated.

Re:No Source? (0)

NoNonAlphaCharsHere (2201864) | more than 2 years ago | (#39523881)

Krebs is now returning 404 Page Not Found - although their home page has the same link, also returning 404.

Re:No Source? (1)

Anonymous Coward | more than 2 years ago | (#39523093)

http://online.wsj.com/article/SB10001424052702303816504577313411294908868.html

Re:No Source? (4, Interesting)

CuriousGeorge113 (47122) | more than 2 years ago | (#39523303)

It seems like all of the links pertaining to this story point back to the Krebs blog as the source for the information. Yet, Krebs provides no 3rd party verification to the story other than a 'source'

Shit like this is how rumors get started. Can anyone verify with a statement from Visa/MC, a bank, etc? I'm not saying it isn't true, but even the WSJ article is referencing the Krebs blog.

Re:No Source? (3, Informative)

knarfling (735361) | more than 2 years ago | (#39523745)

The WSJ has an updated story here. [wsj.com] http://online.wsj.com/article/SB10001424052702303816504577313411294908868.html?mod=WSJ_hp_LEFTTopStories [wsj.com]
From the link, Global Pay seems to be the processor, and it appears that only 26,094 VISA cards were affected. It did not mention how many MasterCard cards were affected. While that is a lot, it is nowhere near the 10 million speculated.

Re:No Source? (1)

buglista (1967502) | more than 2 years ago | (#39523859)

You should do your homework before sounding off. Mr Krebs knows his stuff - he's a journalist, not some guy sitting round in his pants writing the first thing that comes into his head.

Re:No Source? (3, Insightful)

CuriousGeorge113 (47122) | more than 2 years ago | (#39524341)

Credible sources are still fallible.

Re:No Source? (0)

Anonymous Coward | more than 2 years ago | (#39525091)

not some guy sitting round in his pants

Good to know, I wouldn't trust anyone wearing pants, they're trying to hide something.

Re:No Source? (1)

krept (697623) | more than 2 years ago | (#39524039)

Also when you try to read the full story it gives you a pleasant 404.

Re:No Source? (1)

krept (697623) | more than 2 years ago | (#39524065)

Edit - Nevermind. It works now.

Re:No Source? (2)

Pope (17780) | more than 2 years ago | (#39524043)

Why is this labelled "Funny?" There's no link in the submission, and clicking on the submitter's name goes to some site that has no story about this either. Talk about editor fail.

Re:No Source? (0)

Anonymous Coward | more than 2 years ago | (#39524071)

No it is not.

Please send me your credit card number, expiration date, CVV, pin code, bank account number, address, social security number, driver's license number, mother's maiden name, password to slashdot, passport number and name of first pet and we'll get right on checking if you're affected.

Re:No Source? (1)

MacGyver2210 (1053110) | more than 2 years ago | (#39525249)

Seems like there's plenty of sources, and it looks like they're updating it with more as they roll in.

Hahah. (-1)

Anonymous Coward | more than 2 years ago | (#39523007)

Suck it, New Yorkers!

Re:Hahah. (1)

mcavic (2007672) | more than 2 years ago | (#39523279)

the activity was geographically dispersed

http://majorgeeks.com/story.php?id=34000 [majorgeeks.com]

Re:Hahah. (3, Funny)

tripleevenfall (1990004) | more than 2 years ago | (#39523415)

Suck it, Tri-State Area!

Re:Hahah. (1)

Anonymous Coward | more than 2 years ago | (#39524169)

Curse you, Perry the Platypus!

Article: (2, Insightful)

Anonymous Coward | more than 2 years ago | (#39523013)

http://krebsonsecurity.com/2012/03/mastercard-visa-warn-of-processor-breach/

Really, no fucking article? (5, Informative)

Anonymous Coward | more than 2 years ago | (#39523031)

And slashdot gets increasingly pathetic. Well, if anyone cares to RTFA:
http://online.wsj.com/article/SB10001424052702303816504577313411294908868.html [wsj.com]

Not a whole lot of info from any source, Krebs seems to be the best though:
http://krebsonsecurity.com/2012/03/mastercard-visa-warn-of-processor-breach/#more-14393 [krebsonsecurity.com]

No Link! (1)

Anonymous Coward | more than 2 years ago | (#39523043)

No source, no reference, no ability to verify, no fine article to read, NO STORY.

I'm going to assume it's made up while I use my Mastercard to pay for parking my expensive car in New York City.

Some sources (0)

Anonymous Coward | more than 2 years ago | (#39523049)

http://www.forbes.com/sites/mickeymeece/2012/03/30/report-mastercard-and-visa-warn-of-massive-security-breach/
http://krebsonsecurity.com/2012/03/mastercard-visa-warn-of-processor-breach/

And many others. Amazing what a google search will find...

Shameless? (2)

TheMadTopher (1020341) | more than 2 years ago | (#39523057)

People got ideas from watching Shameless?

Sketchy source is sketchy (3, Informative)

milbournosphere (1273186) | more than 2 years ago | (#39523081)

Here's an article from the WSJ: http://online.wsj.com/article/SB10001424052702303816504577313411294908868.html [wsj.com]

That said, a window of 21 Jan to 25 Feb...that's quite a big window...

Re:Sketchy source is sketchy (0)

Anonymous Coward | more than 2 years ago | (#39524115)

Meh, that's nothing. OSU waited twice that long [thelantern.com] before announcing they lost the social security number of everyone who ever applied to their college, worked for them (contractor, full time, etc.) or was ever affiliated with them. OSU isn't even a bank. It's certainly pathetic with all things considered, but blatant disregard for consumers seems to be the industry standard. And they still haven't announced what happened to this date. Oh, and the identity theft protection program they gave everyone? It's just a thing where some middle-man company takes your 1-credit-report-per-year and tells you if they see anything, and requires money if you want any of the services they say are provided for free. Sort of like shareware.

Let's hope (4, Funny)

JamesP (688957) | more than 2 years ago | (#39523099)

Re:Let's hope (3, Funny)

jeffmeden (135043) | more than 2 years ago | (#39523185)

Good read... From the story:

PCI SSC have responded and are investigating him and the company. Our software has now moved on[...]

Phew!

[...]to PayPal so we know it's safe,

ah FUCK

There are some ideas so idiotic (1)

mombodog (920359) | more than 2 years ago | (#39524325)

"There are some ideas so idiotic that only an intellectual could believe them" George Orwell

Thankfully! (5, Funny)

fuzzyfuzzyfungus (1223518) | more than 2 years ago | (#39523101)

Luckily, nobody would be stupid enough to build a money transfer system where the user ID and the authentication secret are identical, so this breach should be no big deal.

Oh wait.

Fuck.

Re:Thankfully! (5, Informative)

Anonymous Coward | more than 2 years ago | (#39523447)

What do you expect when the parties that can best improve security (banks, VISA, Mastercard) have made sure that merchants (who can do very little about security) carry most of the liability from security failures?

Banks, VISA, and Mastercard make tons of money from transaction fees, so they want to make transactions as easy as possible. They don't have to pay much for security breaches, so they are willing to sacrifice security for more transactions and more fees.

If a buyer goes into a store with a stolen card, there is practically nothing a merchant can do to detect the fraud and stop the buyer from walking out the door with merchandise. Who pays for the fraud? The merchant.

Until banks are on the hook for this fraud, nothing will change.

Re:Thankfully! (2)

jeffmeden (135043) | more than 2 years ago | (#39523813)

What do you expect when the parties that can best improve security (banks, VISA, Mastercard) have made sure that merchants (who can do very little about security) carry most of the liability from security failures?

Banks, VISA, and Mastercard make tons of money from transaction fees, so they want to make transactions as easy as possible. They don't have to pay much for security breaches, so they are willing to sacrifice security for more transactions and more fees.

If a buyer goes into a store with a stolen card, there is practically nothing a merchant can do to detect the fraud and stop the buyer from walking out the door with merchandise. Who pays for the fraud? The merchant.

Until banks are on the hook for this fraud, nothing will change.

Never mind that the merchant can utter the words "can I see your ID?" and then, in one brilliant move, authenticate AND authorize the user of said card... But how many do that?

On the other hand, pretty much any card can be used in debit/PIN mode but it affects how the transaction is processed and how much it will cost the merchant (why, exactly?) so thanks to the banks, there is a "Stigma" against using debit mode (and when it's used against credit cards it often appears as a cash advance) and the merchants will try to steer you away from it on small purchases and steer you toward it on large purchases. Until all that is sorted out, no one wins.

Re:Thankfully! (3, Informative)

Anonymous Coward | more than 2 years ago | (#39524041)

Never mind that the merchant can utter the words "can I see your ID?" and then, in one brilliant move, authenticate AND authorize the user of said card...

Actually, Visa prohibits merchants from asking to see your ID. Lots of stores do it anyway, but it's a breach of their Terms of Service.

Re:Thankfully! (2)

fuzzyfuzzyfungus (1223518) | more than 2 years ago | (#39524343)

It's also a bit irrelevant in online transactions, unmanned POS terminals, etc. so anybody relying on ID checking to stop anything more sophisticated than utter morons buying a pack of cigs at 7-11 after a mugging is fooling themselves.

Re:Thankfully! (0)

Anonymous Coward | more than 2 years ago | (#39524315)

Never mind that the merchant can utter the words "can I see your ID?" and then, in one brilliant move, authenticate AND authorize the user of said card... But how many do that?

VERY common for high value transactions in India (and required for transactions of over INR10k (USD200))

Re:Thankfully! (3, Informative)

forand (530402) | more than 2 years ago | (#39524423)

As someone else who replied to your message noted: VISA (and in fact MasterCard) explicitly forbid this in their terms of service. More can be found here [creditcardforum.com] which also links directly to the TOS in question.

Re:Thankfully! (0)

Anonymous Coward | more than 2 years ago | (#39524959)

I always refuse to present additional identification. I've never had any store refuse to complete the transaction. I know I'm being a bit of a PITA but I figure that if nobody complains nothing changes. I understand, and actually agree with, the idea of asking for additional ID in many cases. Until the policy changes I think people and stores should be aware of it and follow the rules. It would be helpful to point out the problem to police departments, too, since they frequently tell merchants that it is a good idea to require additional ID. On a side note, many years ago one of my favorite nation-wide department stores stopped asking for additional ID when I wrote checks. I asked a friend who worked there why the policy changed. His reply was informative: we figured out that people who passed bad checks had fake IDs.

Re:Thankfully! (0)

Anonymous Coward | more than 2 years ago | (#39525235)

The links in the article you referenced do not lead to the correct places anymore. I've looked up things like this in the past and find the search term "merchant agreement" useful when I really want to track down the official rules.

Here is a reference to a Mastercard FAQ which has one entry dealing with additional identification. Basically, from reading other merchant agreements, a merchant can require additional identification when it is required for other reasons beyond mere acceptance of the card, for example, complying with local laws such as age confirmation before buying alcohol, filling out additional warranty or insurance information, making deliveries, etc. However, the merchant cannot make additional ID a requirement for completing a credit card transaction.

http://www.mastercard.us/support/problems-using-mastercard.html

Re:Thankfully! (0)

Anonymous Coward | more than 2 years ago | (#39525265)

And, these same companies require ID's in India
http://www.rupeetimes.com/news/credit_cards/big_purchases_using_credit_cards_may_require_id_cards_2678.html

Re:Thankfully! (2, Informative)

Anonymous Coward | more than 2 years ago | (#39524853)

Merchants are not allowed to refuse credit card purchases because of ID. For example my wife can use my credit card, even though my name is on it. Visa wants to make sure that purchasing is as easy and frictionless as possible. The amount lost to fraud is minuscule compared to the profits made.

Re:Thankfully! (0)

Anonymous Coward | more than 2 years ago | (#39525139)

> But how many do that?

Other than Best Buy, every company I know that did that ended up paying huge fines. It is against the merchant agreements, and it is against state law in several states. Unless you're big enough to have congressmen in your pockets, you can't flaunt the law and contracts like that. You simply cannot break the law and break your agreement with your bank and illegally demand something you shouldn't.

Re:Thankfully! (1)

ackthpt (218170) | more than 2 years ago | (#39524185)

What do you expect when the parties that can best improve security (banks, VISA, Mastercard) have made sure that merchants (who can do very little about security) carry most of the liability from security failures?

Banks, VISA, and Mastercard make tons of money from transaction fees, so they want to make transactions as easy as possible. They don't have to pay much for security breaches, so they are willing to sacrifice security for more transactions and more fees.

If a buyer goes into a store with a stolen card, there is practically nothing a merchant can do to detect the fraud and stop the buyer from walking out the door with merchandise. Who pays for the fraud? The merchant.

Until banks are on the hook for this fraud, nothing will change.

Every time the Banks expose something like this I wish they would be punished. Punishment discourages repeats of behavior. Force them to have an audit of their system architecture, procedures, processes and who has access to what and then perform these audits on a regular basis.

Re:Thankfully! (0)

Anonymous Coward | more than 2 years ago | (#39523991)

Look up these systems: VbV (Verified by Visa), MasterCard SecureCode and 3-D Secure.
Essentially the same thing, but offer awesome protection when transacting online at the cost of some functionality and convenience (no auto renewals, no credit card payments over the phone, things like Amazon 1-click ordering not possible).
Essentially, when using a protected card on a website that supports this system, the chances of your card being compromised are minuscule compared to the normal system.
Cards fall back to the normal system on non-supporting websites though.

Re:Thankfully! (0)

Anonymous Coward | more than 2 years ago | (#39524333)

Except I've dealt with large online merchants where this verification is completely ignored. They don't care if this goes through or not (the transaction is processed on their end irrespective of this measure, and I've gotten confirmation of that). What good does it do if it's handled like this? Security for the consumer is an inconvenience and is not important. The only thing of importance is getting the money out of our pockets.

Re:Thankfully! (1)

0123456 (636235) | more than 2 years ago | (#39525331)

> Essentially the same thing, but offer awesome protection when transacting online at the cost of some functionality and convenience (no auto renewals, no credit card payments over the phone, things like Amazon 1-click ordering not possible)

I think you mean: 'encourage users to enter confidential information into random web sites and cause many people to abort their purchase and go somewhere else'.

These crappy things are one of the main reasons why I keep my Amex card.

Re:Thankfully! (2)

Lev13than (581686) | more than 2 years ago | (#39525391)

Luckily, nobody would be stupid enough to build a money transfer system where the user ID and the authentication secret are identical, so this breach should be no big deal.

Reason #568 for the US to move to EMV. If this had happened in Europe or Canada, the card data would have been encrypted before getting sent to Global Payments, so using the info to clone cards would not have been possible.

Here's a source link (0)

ISurfTooMuch (1010305) | more than 2 years ago | (#39523111)

My boss just sent me a link to an article about this. However, it's a Fox News link, so I feel sort of dirty even clicking on it and even more so for posting it. Please don't mod me down, since it's the only link I can find.

http://www.foxnews.com/us/2012/03/30/visa-mastercard-warn-massive-security-breach-report-says/ [foxnews.com]

Re:Here's a source link (0)

Anonymous Coward | more than 2 years ago | (#39523171)

Grow up

Re:Here's a source link (2)

cvtan (752695) | more than 2 years ago | (#39523253)

Eeeww!

future systems should not rely on privldgd info (0)

Anonymous Coward | more than 2 years ago | (#39523121)

We are all becoming increasingly aware that in a well connected information based society, the idea of privileged information will become a relic of the past. As a civilization, we need to start moving towards a model where it is understood that anyone can potentially have access to any information, nothing is private, and change behaviors and systems of interaction to work around this.

Criminal (2)

koan (80826) | more than 2 years ago | (#39523145)

They should have to tell us who the processor is, by law.

It’s not clear how many cards were breached in the processor attack, but a sampling from one corner of the industry provides some perspective. On Wednesday, PSCU — a provider of online financial services to credit unions — said it alerted 482 credit unions that appear to have had cards impacted by the breach, and that a total of 56,455 member VISA and MasterCard accounts were compromised. PSCU said fraudulent activity had been detected on a relatively small number of those cards — 876 accounts — and that the activity was geographically dispersed.

https://krebsonsecurity.com/2012/03/mastercard-visa-warn-of-processor-breach/#more-14393 [krebsonsecurity.com]

Re:Criminal (1)

wiredmikey (1824622) | more than 2 years ago | (#39523661)

It's Global Payments, Inc. Will have more info on it shortly!

Credit Card Fraud generates profits for banks (4, Informative)

Dainsanefh (2009638) | more than 2 years ago | (#39523287)

because each time when there is a chargeback, the bank will take back the money from the merchant + $25 per transaction as a penalty. They have no incentives to make the system more secure.

Re:Credit Card Fraud generates profits for banks (2, Informative)

Anonymous Coward | more than 2 years ago | (#39523435)

$25 is overstating it (at least in my experience) but yeah, you don't get the % back you had to pay to take the transaction in the first place, and if you get too many you get dropped by the processor or penalized with a higher % charge.

Keep in mind that the banks don't want merchants doing any kind of ID checks or anything that makes it harder to use the card (how could they have ads where the guy who pulls out his checkbook causes the whole line of people to crash into each other?)

Re:Credit Card Fraud generates profits for banks (2)

rgbrenner (317308) | more than 2 years ago | (#39523517)

$15-$50 is the typical range for a chargeback fee. I would say $25 is about average.

So where is all the vile, piss and hate? (0)

Anonymous Coward | more than 2 years ago | (#39523333)

I guess I'm confused at how the internet was set on fire with blind and furious hatred towards Sony for getting hacked. How everyone blamed them, sued them and was wishing death upon the big evil corporation and so on but no one seems to be hating Visa/Mastercard for letting 10 million cards be compromised. Then again Square, BioWare, HBGary, Iraqi government, and hundreds of other places all got hacked as well but no one hated them for it.

Not to mention even the government was bitching about Sony taking a week to announce the theft but this is only now being announced for events that happened back in JAN?

Re:So where is all the vile, piss and hate? (2)

BronsCon (927697) | more than 2 years ago | (#39523567)

> no one seems to be hating Visa/Mastercard for letting 10 million cards be compromised.

Uhm... Because it wasn't Visa and Mastercard who let it happen?

A payment processor used by some parking garages let it happen; that this company happens to process Visa and Mastercard payments is inconsequential to that fact.

I blame price gouging by New York parking garages (1)

s_p_oneil (795792) | more than 2 years ago | (#39523407)

I blame price gouging by New York parking garages:
"most of the cards they analyzed seem to have in common are that they were used in parking garages in and around the New York City area"

When prices get so outrageous that a large group in the city joins forces to steal the funds to cover them, you know that price gouging has gotten way out of hand.

Re:I blame price gouging by New York parking garag (1)

sunderland56 (621843) | more than 2 years ago | (#39524543)

They also say "10 million accounts". I have a hard time seeing how 10 million different people parked in NYC in a one month period (21 Jan to 25 Feb).

Re:I blame price gouging by New York parking garag (1)

s_p_oneil (795792) | more than 2 years ago | (#39525321)

My comment was meant as a joke. It was so ridiculous that I don't see how anyone could take it seriously.

Parking Garages? (2)

trongey (21550) | more than 2 years ago | (#39523583)

They have millions of accounts and all they can think to do is pay for parking? Sounds like the time my checking account got hijacked. I think what irritated me more than anything was that they went to the trouble of making a card then used it to buy a bunch of lame stuff at Kmart. I mean, if you're stealing people's money at least do something interesting with it.

Re:Parking Garages? (2)

Dainsanefh (2009638) | more than 2 years ago | (#39523669)

It's probably just a test. Wait a few days to see the big-ticket stuff showing up on your statement.

Re:Parking Garages? (1)

trongey (21550) | more than 2 years ago | (#39524327)

I certainly hope so. Oh, wait. Parking is actually about all they could pay for with my Mastercard right now.

Re:Parking Garages? (2)

Spykk (823586) | more than 2 years ago | (#39523735)

I suspect that the parking garage is where the card numbers were compromised. Someone likely dismantled the credit card reader when no one was around and added a simple device that tapped into the current MSR's signal line and logged everything to an SD card. They could even give it a Bluetooth or Wi-Fi interface if they wanted to be fancy about it.

Re:Parking Garages? (1)

Isis242 (69188) | more than 2 years ago | (#39524273)

I wonder if this was what happened to me last week. My card was declined when I tried to pay for coffee, when I called my bank they said it was their internal monitoring person and not the company they contract to detect fraud that spotted the problem. She said it was a test transaction at the Empire Hotel in NYC. They charge a small amount then back it out as soon as they see it's authorized.

If it is a different breach I guess I might have my third debit card number of the year. :(

Re:Parking Garages? (1)

Anomalyst (742352) | more than 2 years ago | (#39524391)

So you are suggesting blackjack and hookers?

Global Processing (0)

Anonymous Coward | more than 2 years ago | (#39524141)

A birdy told me the source of the leak was Global Processing's direct merchant base.

Incentive to beef up security? Nope... (1)

wwiiol_toofless (991717) | more than 2 years ago | (#39524147)

Because those customers who were defrauded will be responsible for any illegal charges made, maybe taxpayer dollars... But Visa, Mastercard will not be financially responsible no, no, no.

Re:Incentive to beef up security? Nope... (1)

icebraining (1313345) | more than 2 years ago | (#39524913)

1. It wasn't VISA/MC who suffered the leak.

2. It's the merchant who pays, not the customers (directly, at least)

Translation: (1)

LanceUppercut (766964) | more than 2 years ago | (#39524209)

"Neither VISA nor MasterCard have said which U.S.-based processor was the source of the breach" Translation: US State Department dispatched armed propaganda-enforcement teams who are currently holding the PR departments of Visa and MasterCard at gunpoint, forcing them to immediately come up with an official explanation that would tie the crime to "Russian crooks", as is usually required by the State Department's censorship and propaganda guidelines.

I think mine was one of them (0)

Anonymous Coward | more than 2 years ago | (#39524389)

Just recently I was notified by my bank that my Visa card had been compromised. I still had it in my possession, so I knew the card wasn't stolen. It turns out that I was in NYC recently and had used it there. However, I didn't patronize any parking garages. Hmm.

"150 million identities stolen from IRS" (1)

peter303 (12292) | more than 2 years ago | (#39524969)

Is a headline I expect some day due to weak government security. They do protect themselves somewhat by working in COBOL, OS-360 and tape drives. Few hackers are interested in those.

hmm.... (0)

Anonymous Coward | more than 2 years ago | (#39524991)

For once the email warning in my spam folder DID come true
