189 comments

Recourse? (5, Interesting)

mws1066 (1057218) | about 2 years ago | (#39548529)

And what recourse do card holders have? How do we know if our number was stolen, passed around, and now someone is just holding onto it indefinitely and might leap to use it after this whole thing blows over? A bit frightening.

Re:Recourse? (5, Funny)

robinsonne (952701) | about 2 years ago | (#39548569)

None whatsoever, but maybe I should go on a spending spree and max out my card so that the crook(s) have to pay my bill before they can do anything with my card!

Re:Recourse? (1)

Anonymous Coward | about 2 years ago | (#39548799)

You could also rob a bank... breaking the law to ourselves is fun!

Re:Recourse? (2)

s0nicfreak (615390) | about 2 years ago | (#39549195)

Since when is maxing out your own credit card illegal?

Re:Recourse? (1)

KhabaLox (1906148) | about 2 years ago | (#39549349)

It's not. But if you turn around and file a fraud claim on those charges, that would be illegal.

Re:Recourse? (2)

s0nicfreak (615390) | about 2 years ago | (#39549413)

But that isn't what he said. He said the crooks would have to pay his bill before they could use his card.

Re:Recourse? (0)

sexconker (1179573) | about 2 years ago | (#39549737)

It's not. But if you turn around and file a fraud claim on those charges, that would be illegal.

And that's not what he said he was going to do.
He said he was going to max it out to perform a DoS on potential attackers. If they want to charge shit with his card, they'll first have to make a payment so the account is below the credit limit.

Re:Recourse? (4, Informative)

Solandri (704621) | about 2 years ago | (#39549749)

Don't do that. The banks and credit card companies have gamed it so that they don't pay for fraud - the merchants do. They've made it the merchant's responsibility to make sure the card is not being used fraudulently, while simultaneously pushing through a law which prohibits declining a card because the user refuses to show ID (because that would, y'know, discourage credit card use*). If you contest a charge and the merchant cannot prove that you actually made the charge (usually a copy of your signature on the charge slip), the processor will reverse the payment. The merchant is out the money and the merchandise. The card processor suffers the minor inconvenience of having to pay someone to field your phone call and having to run a second transaction to reverse the initial purchase. That is why some places will ask for your zip code or home phone number, or won't deliver to anywhere but your home address when you buy with a card. Those are the only tools merchants have to prevent fraud.

* They also pushed through a law prohibiting merchants from charging extra for credit card transactions to cover the additional risk of fraud. Some merchants get around it by offering a cash discount.

Re:Recourse? (4, Informative)

Bigby (659157) | about 2 years ago | (#39548587)

Whether it is used now or later, you are not liable. Your recourse is that you are NEVER liable for credit card transactions.

And VISA already dropped Global Payments. Let the market and common law handle this...

Re:Recourse? (4, Informative)

jmauro (32523) | about 2 years ago | (#39548603)

They dropped them from the list of "secure" providers. Global Payments is still authorized to handle VISA credit card payments.

Re:Recourse? (5, Informative)

SniperJoe (1984152) | about 2 years ago | (#39548749)

Actually, that's not true at all. If you fail to report fraudulent transactions within 60 days of statement mailing, the bank and/or credit card company is not responsible for any investigation or repayment under the Fair Credit Billing Act.

http://www.ftc.gov/bcp/edu/pubs/consumer/credit/cre04.shtm [ftc.gov]

Re:Recourse? (4, Informative)

tripleevenfall (1990004) | about 2 years ago | (#39548777)

The burden on the consumer to protect themselves is not high. All you have to do is what you should already be doing, looking over your statement and reporting anything you have questions about.

Aside from this, it seems likely they will notify the people who were affected and issue them new cards if they can identify who they were. It may not be possible to tell which numbers were stolen, only which were exposed.

Re:Recourse? (1)

SniperJoe (1984152) | about 2 years ago | (#39549501)

Oh, you're absolutely right. The burden to consumers is not high at all, nor should it be. Contrast that with the burden for debit card transactions or electronic transfers, which only covers two business days. As you said, if you're doing what you SHOULD be doing, you're going to be protected under the law. I just don't want people to have a false sense of security that if they use a credit card, they're protected from fraudulent transactions in perpetuity, because that simply isn't the case.

From what I have heard and read, the banks have already begun notifying people and issuing new cards. I have a friend who was affected and he said that the bank called him on Friday to let him know that he'd have a new card on Monday. The only thing that is concerning at this point is that they have been wavering on the number of accounts exposed, going from 10 million to 54,000 and now to 1.5 million. That doesn't exactly inspire confidence, as they seem to be at the "we don't know what we don't know" stage.

Re:Recourse? (2)

tripleevenfall (1990004) | about 2 years ago | (#39549587)

I had a Citi mastercard which had some fraudulent charges posted to it... two different charges for Italian dresses, about $300 each. (what the heck?)

I called and reported it. I had to sign an affidavit of fraud and fax it back to them. They canceled my old card and overnighted me a new one, and the charge came off the account about a week later. It was really pretty easy.

Re:Recourse? (0)

Albanach (527650) | about 2 years ago | (#39549529)

The burden on the consumer to protect themselves is not high. All you have to do is what you should already be doing, looking over your statement and reporting anything you have questions about.

Why should I be doing this? I make dozens, perhaps hundreds of transactions each month. My looking over my statement is easily subject to human error.

It should be much harder for this information to be stolen. We should have more one-time use numbers for online transactions. Credit card firms could prohibit merchants storing complete credit card numbers, instead providing an individual merchant with an authorization code restricted to that merchant and that individual card number. Then if their database was compromised, the thief acquires only a number that's not by itself valid and useful only to that retailer.

US card issuers could adopt and require chip and pin like the rest of the world.

U.S. card issuers could start demanding retailers check signatures.

There are technological solutions available. Requiring me to account for each line of the statement is woefully inefficient and simply passes the buck from where it should be resting.

Re:Recourse? (5, Funny)

tripleevenfall (1990004) | about 2 years ago | (#39549601)

The burden on the consumer to protect themselves is not high. All you have to do is what you should already be doing, looking over your statement and reporting anything you have questions about.

Why should I be doing this? I make dozens, perhaps hundreds of transactions each month. My looking over my statement is easily subject to human error.

Why should you look after your own finances? I wouldn't think higher critical reasoning would be required to convince you to do so.

Re:Recourse? (0)

Anonymous Coward | about 2 years ago | (#39548803)

And VISA already dropped Global Payments. Let the market and common law handle this...

Nope. Just dropped from secure providers, as someone else said.

End result? VISA charges Global a higher fee per transaction, which will likely be passed onto the merchants who then pass it on to customers.

That is, if the merchants are smart and just ditch Global (... not a bad idea in actuality, even ignoring all this). That said, it could be worse. Heartland's a bunch of idiots.

Re:Recourse? (0)

Anonymous Coward | about 2 years ago | (#39549159)

Whether it is used now or later, you are not liable. Your recourse is that you are NEVER liable for credit card transactions.

That's not a recourse. If my Visa debit card is used to commit fraud, those charges come directly out of my bank account. The bank's liability stops at restoring those funds at some unspecified point in the future. The bank will not repair any secondary issues caused by the fraud. Bounced rent/mortgage payments can create a world of hassle. Bouncing a credit card payment can kick you up to a 29% APR. Who's going to take responsibility for those damages? That's right, you are.

Re:Recourse? (2)

Rakishi (759894) | about 2 years ago | (#39549457)

Debit != Credit.

Learn the difference and learn to read before commenting next time.

Debit cards are stupid for just the reasons you listed, all of which credit cards are basically immune to.

Re:Recourse? (0)

Anonymous Coward | about 2 years ago | (#39549507)

Whether it is used now or later, you are not liable. Your recourse is that you are NEVER liable for credit card transactions.

Depends on the jurisdiction. Most laws in North America say that your maximum liability for fraudulent transactions is $50.

Even then, most banks will waive that.

Re:Recourse? (2, Interesting)

Anonymous Coward | about 2 years ago | (#39549647)

Whether it is used now or later, you are not liable. Your recourse is that you are NEVER liable for credit card transactions.

Bwahahaha! You've never had to experience the nightmare of having fraudulent transactions on your c/card, have you? The issuers make you jump through a ridiculous number of hoops, legal papers, police statements, that unless you have large sums against you, you simply give up trying to remove them.

It's a complete myth you can reverse transaction on credit cards, perpetuated by Visa and Co to keep the public in happy blindness. At least until they experience the problems for themselves.

Re:Recourse? (0)

pak9rabid (1011935) | about 2 years ago | (#39548593)

And what recourse do card holders have?

You could, oh I don't know, cancel your cards and replace them? But I guess complaining about it on /. is more fun.

Re:Recourse? (0)

Anonymous Coward | about 2 years ago | (#39548715)

cuz spending an hour a day for the next week talking to some guy in kerblekistan is fun? damn right posting on /. is more fun.

Re:Recourse? (1)

KhabaLox (1906148) | about 2 years ago | (#39549383)

Really? It takes you 7 hours to call and cancel your card? You're doing something wrong. Even if the CSR on the other end is overseas and has an accent, it's never taken me more than 10-15 minutes to do that.

Re:Recourse? (4, Insightful)

Qzukk (229616) | about 2 years ago | (#39548725)

You could, oh I don't know, cancel your cards and replace them? But I guess complaining about it on /. is more fun.

That's not "recourse" that's "damage control".

Re:Recourse? (0)

Anonymous Coward | about 2 years ago | (#39548927)

Additionally, cancelling your credit card account will cause a hit to your credit score, which may cause problems opening a new account, or result in a higher interest rate. The person who suggested cancelling "your cards" may have been referring to the cards themselves, and not necessarily the credit account, but I think my point still needed to be made.

Re:Recourse? (2, Insightful)

Anonymous Coward | about 2 years ago | (#39548609)

My bank called me...but then again it wasn't until after charges were made to my account. The jack@$$3$ wiped me out...now I have to go to my bank, and fill out an Affidavit of Fraud to get my money back. I think that Global Payments should be forced to contact all people who had their information stolen AND re-imburse them for any damages (as well as assist with the cancellation of cards, since everyone should cancel a stolen card)...too bad that will never happen. I didn't choose for GP to be the processing system used with my card, so I don't feel like this is my fault.

I would cancel my card right away and ask for a new one. It will be a minor inconvenience for you, but could prevent trouble in the future.

Re:Recourse? (5, Interesting)

Anonymous Coward | about 2 years ago | (#39548691)

I think that Global Payments should be forced to contact all people who had their information stolen AND re-imburse them for any damages

Your recourse is through your bank and/or card issuer, not the processor, and that fact is greatly beneficial to you. A massive breach could easily put a company out of business, especially if that company were already in trouble. In that situation, if they were liable for your losses, you would have to wait years for bankruptcy court to sort it out, and you would likely only get back a portion of your losses. The bank that issued your card is legally required to have the cash on hand to be able to pay you back, so it works out much better for you that it is their obligation. Yes, you may have to fill out a few forms, and your money will not come back instantaneously, but I don't think there's a constitutional amendment requiring that you never be mildly inconvenienced, so suck it up and take it. Shit happens.

Re:Recourse? (4, Insightful)

KhabaLox (1906148) | about 2 years ago | (#39549403)

GP should be fine. It looks like the average loss is anywhere from $1 to $10 per account, so they're looking at an upper bound of $15-$20m, or about 5% of their unrestricted cash assets.

From an article [zdnet.com] linked to in TFA:

Global Payments, the processor blamed for a Visa and Mastercard data breach last week, is likely to be able to manage its financial hit related to beefing up security. ...
If that figure sticks, Global Payments can weather the data breach, analysts said. For instance, Wells Fargo Timothy Willi said in a research note that Global Payments, which has $300 million to $400 million in unrestricted cash, can pay for the damage.

Willi’s take, which lines up with other analysts, is based on the data breach suffered by Heartland in 2008. Heartland is another payment processor and the accounts compromised ran as high as 130 million in a breach that lasted for months. Heartland’s tab to date has been $147 million.

Given Global Payments’ compromised accounts is about 10 million the tab should be lower. RBS WorldPay also had 1.5 million accounts compromised with $9 million of fraud losses.

Re:Recourse? (5, Insightful)

modernzombie (1496981) | about 2 years ago | (#39548721)

My bank called me a couple months ago (not related to this incident) and said that they were cancelling my card and issuing me a new one because they had reason to believe it could have been compromised even though no fraudulent charges had been made. This seems like the appropriate thing to do. The card issuers should be contacting their customers to have the cards replaced.

Re:Recourse? (0)

Anonymous Coward | about 2 years ago | (#39548849)

this is less helpful when you travel all the time. oh hey look I'm away from home and now my card doesn't work. how convenient. I still have another week of business to do here. thanks visa.

Re:Recourse? (2)

RobertLTux (260313) | about 2 years ago | (#39548975)

"this is less helpful when you travel all the time. oh hey look I'm away from home and now my card doesn't work. how convenient. I still have another week of business to do here. thanks visa."

then they should not trigger unless they see "you" travel outside of your normal range (ie you mostly travel on the east coast of the US and they see "you" charge something in say China.).

Re:Recourse? (1)

Jmc23 (2353706) | about 2 years ago | (#39549217)

Which is why you're supposed to tell your travel schedule to your credit card companies. Lazy or a troll?

Re:Recourse? (4, Interesting)

whoever57 (658626) | about 2 years ago | (#39549423)

Which is why you're supposed to tell your travel schedule to your credit card companies. Lazy or a troll?

Recent experience: My wife went to the UK (we live in the USA) recently. I phoned the credit card company in advance and told them she would be in the UK. Cards on the account have been used in the UK on a fairly regular basis. Her card was suspended within a couple of days of her arrival. So, what's the point of calling the credit card company?

Re:Recourse? (1)

s0nicfreak (615390) | about 2 years ago | (#39549249)

Notice where he said they called him first? If this happened while you were away from home, you could simply say "wait a week until I get back home" or "can you fedex the new card to [where ever you are]?"

Re:Recourse? (0)

Anonymous Coward | about 2 years ago | (#39549111)

Yes, you are lucky on that count. We had one where the first we knew of any problem was when a sale was declined at a store. That is very embarrassing! Fortunately, we had another card - we actually don't run a balance on them and only use them for convenience. We called that bank and they said something to the effect of, "oh, yeah, our account database 'got out' so we cancelled all the cards and are going to send new ones". We asked when they had planned on notifying us that they cancelled our card and they acted surprised that we would even want to know. Dilholes. Then another time, we saw 3 charges of $900 from Japan. We called to dispute them and found that, again, their account database 'got out' and this sort of thing was happening to a bunch of people. (These were both about 6 years ago). What a pain this kind of thing is. And they sure won't tell you anything about it - you have to call them to find out what lies they are telling today.

Re:Recourse? (0)

Anonymous Coward | about 2 years ago | (#39549391)

I think I would tell the bank "No thanks...keep the card" and move my money to a more secure bank.

Re:Recourse? (2)

KingMotley (944240) | about 2 years ago | (#39549569)

I didn't choose for GP to be the processing system used with my card

Sure you did, you just didn't check. You could have gone to another merchant, but you decided not to, or that checking who they were going to use to process your credit card wasn't worth the trouble. I'm quite guilty of this myself. But you (we) did have the opportunity to find out and use something else, but we didn't because we couldn't be bothered. The risk was low enough that it wasn't worth the trouble. Until this happens often enough that people actually do think it's worth the bother, it will continue. It being companies that are supposed to safeguard your information don't. Simply because it's cheaper and more cost effective not to. Of course merchants will use whomever is cheapest, until there is a reason (people refuse to shop with them) to actually justify using 3rd parties who actually secure your information.

Re:Recourse? (1)

mws1066 (1057218) | about 2 years ago | (#39548747)

Well, yes, at least these are CREDIT cards, not bank cards. This is exactly why I don't have a bank card and only use a credit card - at least it provides a buffer to my money. If I see charges on a bill that are suspect, I don't HAVE to write the credit card company a check. But if a criminal got a hold of someone's bank card... Maybe I'm wrong - does anyone use a bank card and feel safe?

Re:Recourse? (2)

X0563511 (793323) | about 2 years ago | (#39548821)

Yes. My bank is not exactly one known for good behavior, but that said all it takes is a phone call for them to wipe the offending transactions, give me my money back, and start an investigation. Note I get my money back first. I've never once had them come back and go "hmm, no actually we want our cash back" - and I've had to do this some 10 times over the years.

Re:Recourse? (1)

Baloroth (2370816) | about 2 years ago | (#39548855)

I do with my bank card. But then, it is a local bank that by default blocks out-of-state (or international) charges and actually uses proper two-factor authentication for online banking, so I have a reasonable degree of confidence in their security systems generally speaking.

Granted, I'm still fairly careful where and when I use it (and plan to switch to a credit card soon, if only for the rewards and credit-building aspect).

Re:Recourse? (1)

shoehornjob (1632387) | about 2 years ago | (#39549187)

does anyone use a bank card and feel safe?

If you use a bank issued visa/mastercard and the transactions are swiped (credit) instead of via a pin you have the same protections as a regular credit card. Transactions via a pin have limited rights and you may not be reimbursed for the full amount of the fraud. That's why the banks have promotions and special hardware (RFID) at the POS. They want to entice you to use your pin so they can get off cheap. If they spent less time being greedy I'm sure they could implement a more secure system but I suppose that would not be in their best interest.

Re:Recourse? (1)

alen (225700) | about 2 years ago | (#39548751)

banks and others run anti-fraud software. one time i used one of my rarely used cards to open a microsoft support case. it was declined. a card with $0 balance. and my bank called me. i called them back later and they wanted to make sure it was me

Re:Recourse? (1)

OnlineAlias (828288) | about 2 years ago | (#39548893)

I was contacted this weekend by my CC company about this. My card was one of them. They asked to cancel my card numbers and next day aired new ones.

Re:Recourse? (3, Interesting)

rmandevi (2168940) | about 2 years ago | (#39549763)

That would have to be a pretty cagey crook. The breach occurred January-February. Global reported the breach to Visa, MasterCard, and Federal authorities once they detected it last month (source: http://phx.corporate-ir.net/phoenix.zhtml?c=125339&p=irol-newsArticle&ID=1678656&highlight= [corporate-ir.net]). The news only came out Friday to give the Feds enough time to investigate without tipping anyone off. Truth in posting: I work for one of Global's competitors.

ANother grain of sand (2)

geekoid (135745) | about 2 years ago | (#39548541)

on top of my theory that digital cash will prove too difficult to protect and ultimately fail; which is a shame, I like digital cash.

Re:ANother grain of sand (0)

Bigby (659157) | about 2 years ago | (#39548611)

It isn't a problem of digital cash. Physical cash can be stolen too. It is centralized digital cash. Doesn't bitcoin solve that issue? (not rhetorical; I don't know the details of bitcoin)

Re:ANother grain of sand (1)

vlm (69642) | about 2 years ago | (#39548709)

Doesn't bitcoin solve that issue? (not rhetorical; I don't know the details of bitcoin)

BTC only "decentralizes" properly if less than 50% of the transactions etc come from one person.. or group... so just dumping BTC on top of visa and mc will merely result in an oligopoly majority screwing with the block stream.

That is a problem with rolling out BTC, if you have a completely centrally controlled monopoly or oligopoly based financial system like the US, it's hard to roll out gradually. The first mover will automatically control 99.9999% of the block stream making it no longer decentralized, or at least not decentralized until everyone ELSE moves to BTC.

Re:ANother grain of sand (1)

demachina (71715) | about 2 years ago | (#39548729)

Not entirely. You don't have the problem of identity/number theft but, theft of bitcoin wallets is relatively easy if you hack someone's machine who has a bitcoin wallet.

The exchanges are also a weak point. At least one and probably more have been hacked, on top of which at present you can't have much confidence in the people that are running them in the first place since they are just geeks with servers who set up exchanges and some are better than others.

If you put large amounts in bitcoins you do have to make significant effort to protect them.

Re:ANother grain of sand (1)

vlm (69642) | about 2 years ago | (#39548825)

This is the old "use it as a store of value" argument vs the old "use it for free money transfers" argument.

It doesn't seem to be the ideal "store of value" system where wallets usually have something worth taking.
It already makes a hell of a fantastic zero commission international transfer system where wallets on both sides are always zero unless a transfer is in progress.

The latter use case seems much more likely to be the killer app than the former.

Re:ANother grain of sand (1)

rickb928 (945187) | about 2 years ago | (#39549121)

Bitcoin is not the example of a solution to anything that I would choose. Between security breaches at various brokers, exploitation of the algorithms, and speculation, Bitcoin seems a lot like pre-existing currencies. No fix.

Re:ANother grain of sand (0)

Anonymous Coward | about 2 years ago | (#39548695)

Hold on. Credit cards don't use any cryptography. I don't know why credit cards haven't been supplanted by a better digital cash system yet, but that's certainly possible.

Re:ANother grain of sand (1)

elsurexiste (1758620) | about 2 years ago | (#39548779)

It's not a failure, and you said why: a lot of people like using credit cards! Those companies already accept the fact that, every now and then, cards get stolen. They continue to operate under this scheme because it's so lucrative.

Where is the list ? (4, Funny)

Lennie (16154) | about 2 years ago | (#39548559)

I want to check if mine is on the list ;-)

Re:Where is the list ? (1)

Anonymous Coward | about 2 years ago | (#39548613)

*glances in wallet*
I'm safe.

Re:Where is the list ? (1)

Anonymous Coward | about 2 years ago | (#39548661)

Then you're in luck, as I've developed a site that will tell you.

Simply enter your name and card number... it will tell you straight away. Nevermind the sketchy url, I swear it's legit.

Re:Where is the list ? (1)

vlm (69642) | about 2 years ago | (#39548759)

Then you're in luck, as I've developed a site that will tell you.

Simply enter your name and card number... it will tell you straight away. Nevermind the sketchy url, I swear it's legit.

AC is the guy who invented www.google.com?

Don't laugh, people do this "all the time", or at least they used to. Journalist types used to strongly encourage it to see if someone had released your number in a goog accessible location... which has happened in the past.
This is why some people freaked out about search histories being released / stolen / whatever, at least aside from the people nervous about their queries for "tranny midget sheep scat pr0n" and of course "how to make chloroform"

Re:Where is the list ? (1)

kakaburra (2508064) | about 2 years ago | (#39548931)

"Please post your card number, we will check if your card is in the database.... for free!!.." .. :P

Re:Where is the list ? (1)

KingMotley (944240) | about 2 years ago | (#39549697)

I too would like a copy of this supposed "list". I want to see if it's complete or not, by checking if your number is in there.

New Security Model (5, Informative)

MetalliQaZ (539913) | about 2 years ago | (#39548607)

That government guy from the cyberwar scare story last week had it right... We need a new security model. Just assume that your credit card numbers, your social security number, etc., are already compromised. Those things were never designed to be secure, and companies that we trust with this data simply can't keep them safe. We just have to accept that the bad guys are all up in our business and adjust our practices accordingly. We could do it.

Re:New Security Model (1)

Thanshin (1188877) | about 2 years ago | (#39548701)

We just have to accept that the bad guys are all up in our business and adjust our practices accordingly. We could do it.

And now that we're talking politics...

Re:New Security Model (1)

Anonymous Coward | about 2 years ago | (#39548767)

Smartcards could massively reduce the risk for a lot of these problems. The main issue I can see for us consumers is that if we were using them then you might have less legal protection in the event of fraud because since they are more secure then you may be held more liable (even though they're not perfectly secure). Similar problem to the "Verified by Visa" and such (search it).

Re:New Security Model (1)

Anonymous Coward | about 2 years ago | (#39548785)

Of course we *COULD* do it, but why would we?

The current system is a great benefit to banks, who aren't liable for the majority of credit card fraud. They could secure it, but it would probably mean fewer credit card transactions, which means fewer transaction fees. So why would they want to cut into their own profit?

Right now, merchants are liable for fraud. Of course, merchants can't do squat to stop fraud. Hell, RSA Security was hacked last year. If they can be hacked, anyone can be hacked.

The whole system needs to be overhauled, but without government intervention or a consumer revolt, nothing is going to change.

Re:New Security Model (5, Insightful)

nine-times (778537) | about 2 years ago | (#39548815)

Well it's not so much "we need a new security model" as "we need a security model". As you said, these things were never designed to be secure in the first place.

Lots of businesses and government organizations use your SSN as an authentication method-- i.e. knowing your SSN is considered proof that you are who you say you are. However, your SSN is also just your ID number, and you're constantly being asked to provide it to people. In computer terms, it would be like asking people to use the same username in lots of different places, and then having everyone use their username as their password.

IMO we should be using some kind of private-key encryption to verify identity. I don't like the idea of being forced to identify yourself, but if they're requiring some kind of verification/authentication, it should at least be secure. Of course, this would also require us to develop and deploy an additional layer of infrastructure for providing/reading/revoking these private keys, and it would also raise questions of whether/when/how we want to allow anonymity in such a system. There are lots of issues to work out, but we should be working on it.

Re:New Security Model (1)

KhabaLox (1906148) | about 2 years ago | (#39549487)

In computer terms, it would be like asking people to use the same username in lots of different places, and then having everyone use their username as their password.

+1 Insightful

It's kind of obvious, but then I guess most insightful comments are in hindsight.

Re:New Security Model (2)

jez9999 (618189) | about 2 years ago | (#39548953)

Indeed, 'cards' are a throwback from the 90s and it's a shame they're still widespread. I've been thinking for a while now that instead of issuing you with a 'card', the banks should switch to issuing you with something akin to an RSA SecurID tag. You attach it to your keyring and it has a number that changes every 30 seconds or something, which you must supply to login to online banking or make online transactions. For physical transactions, RFID could be used combined with a PIN. Lose the thing and you phone up and cancel it immediately. This should stop a lot of the fraud that happens, and in theory there's no way to defeat it unless that bank's systems themselves are compromised.

Re:New Security Model (1)

compro01 (777531) | about 2 years ago | (#39549297)

I've been thinking for a while now that instead of issuing you with a 'card', the banks should switch to issuing you with something akin to an RSA SecurID tag.

That wouldn't be much better than current systems if the processor has shitty security. They can just lift the seed files off the processor's servers and go on their merry way.
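The token scheme proposed above and the seed-storage objection raised in the reply, as an added example that is not part of either comment. It uses standard RFC 6238 TOTP rather than SecurID's own algorithm; the `Verifier` class, the token ids and the use of the RFC test seed are assumptions for illustration.

```python
import hashlib
import hmac
import struct

RFC_SEED = b"12345678901234567890"  # RFC 6238 test seed, not a real token secret

def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): a pure function of the seed and the clock."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class Verifier:
    """Issuer/processor side (hypothetical). It needs every seed to check codes,
    so this table is the asset to protect, e.g. by keeping it in an HSM."""

    def __init__(self):
        self.seeds = {}      # token_id -> seed
        self.last_step = {}  # token_id -> last accepted time step (replay guard)

    def enroll(self, token_id: str, seed: bytes) -> None:
        self.seeds[token_id] = seed

    def revoke(self, token_id: str) -> None:
        # "Lose the thing and you phone up and cancel it."
        self.seeds.pop(token_id, None)
        self.last_step.pop(token_id, None)

    def verify(self, token_id: str, code: str, now: int,
               step: int = 30, window: int = 1) -> bool:
        seed = self.seeds.get(token_id)
        if seed is None:
            return False
        current = now // step
        # Accept +/- `window` steps of clock drift, but never a step already used.
        for s in range(max(0, current - window), current + window + 1):
            if s <= self.last_step.get(token_id, -1):
                continue
            if hmac.compare_digest(totp(seed, s * step, step), code):
                self.last_step[token_id] = s
                return True
        return False
```

Because the code depends only on the seed and the time, the verifier's seed table carries the same sensitivity as the tokens themselves; a scheme where the verifier stores only public keys avoids holding that shared secret.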

Can't steal a number (3, Interesting)

Thanshin (1188877) | about 2 years ago | (#39548679)

You can't steal a number! It's not stealing if you still have your copy of the number! It's copyright infringement at the most.

Also, if you put them one after the other, they stole a single number!

73

There you are, you can keep that number in exchange. I never liked 73 anyway.

You're welcome.

Cancelled on saturday (1)

aztrailerpunk (1971174) | about 2 years ago | (#39548757)

The bank had cancelled my card on Saturday morning stating that my number was reported to have been hacked. I had nothing taken but it was nice to know that they were on top of it just in case. The only hindrance to me was that I had to run to the bank and get a temp card.

But it's ok... (-1)

Anonymous Coward | about 2 years ago | (#39548773)

Because it was Visa/MasterCard and not Sony, /. won't make a big fuss over it.

Easy fix (4, Insightful)

alaffin (585965) | about 2 years ago | (#39548839)

The thing is there are so many better ways to do things right now. For starters, you could force any retailer that wants to accept credit cards to upgrade to a chip and pin setup or lose their ability to accept credit cards. Chip and pin isn't perfect, but it's better than a magnetic stripe and a signature. For card not present transactions allow Visa card holders to create a one time credit card number (with a maximum limit) via the internet or over the phone. Want to buy something on line? Generate your own credit card number to the exact value of what you're buying. That CC # number expires at the end of the day - meaning that even if you gave it a ridiculous limit and then sent it to a shady site they'd have 24 hours to use it.

Of course implementing these fixes would cost more than just paying the scammers, so we'll never see it happen.

Re:Easy fix (2)

Chatterton (228704) | about 2 years ago | (#39549087)

The problem is that for the bank the money lost is 'minimal'. In the 50 billion $ a year of CC fraud, most of that amount is lost by the merchants and not the bank. The chargeback is from the merchant to the card owner, but the merchant didn't get the sold product back. Now, if a law says that the fraud should be at the charge of the banks, you can be sure that the fixes will be implemented in the following hour!!!

Re:Easy fix (0)

Anonymous Coward | about 2 years ago | (#39549273)

You can't "force" the retailers to do anything because they are the customers.

We the card holding peons are the product - we have no say.

Re:Easy fix (2)

rickb928 (945187) | about 2 years ago | (#39549335)

"you could force any retailer that wants to accept credit cards to upgrade to a chip and pin setup or lose their ability to accept credit cards."

Um, the players in this aren't interested yet. The cost of replacing cards is high enough for them to avoid it until 'forced', and not by 'you'. The government maybe, or a bank that gets burned too much to bear. In Britain, little old ladies are being shoulder-surfed at ATMs and wiped out, and since it's chip and pin, the banks hold onto their policies and refuse to make them good - see, chip and pin is most useful as a risk-shifting device. The bank is off the hook because it is 'so secure' that you must have given your pin to someone. Your fault. Card not present transactions are a different story...

"For card not present transactions allow Visa card holders to create a one time credit card number"

This already is possible. Ask your bank, and if they don't, maybe you need a new bank. These go by several different names.

Re:Easy fix (0)

Anonymous Coward | about 2 years ago | (#39549387)

Both my bank card and credit card offer one time card numbers, or recurring card numbers which can have expiration or cost limits. Don't all do that? Can't imagine doing online business without it.

Dudes, SHARED, not STOLEN (-1, Troll)

Rogerborg (306625) | about 2 years ago | (#39548923)

The numbers are still there, man, it's, like, totally just a bunch of bits and bytes and junk.

Or do we only apply that argument to music and movies and porn, hmm?

Nothing was stolen (-1, Troll)

SilverJets (131916) | about 2 years ago | (#39549029)

Nothing was stolen. They made a copy of a file or files that contained the credit card numbers. The company still has their copy of those numbers so they haven't actually lost anything.

So at most this is what? copyright infringement?

//Hey if that bullshiat argument works for "acquiring" a digital copy of a song that wasn't paid for it should be applied here as well

Re:Nothing was stolen (4, Insightful)

dkleinsc (563838) | about 2 years ago | (#39549395)

Let me make your argument a different way, now tell me what the difference was:
(A) Smith borrowed the keys to Johnson's car, went to a locksmith and made a copy, gave Johnson his keys back as promised, and then sold the key to a guy who stole everything in the car.
(B) Jones sat down in front of a photograph by Johnson hanging in the gallery and took a photograph of it that looked essentially identical, and developed that photo of a photo in large prints for his wall and his friends.

There's plainly a legal and moral difference between what Smith did and what Jones did, even though both Smith and Jones took nothing directly from Johnson.

Re:Nothing was stolen (1)

KhabaLox (1906148) | about 2 years ago | (#39549551)

I'm guessing most /.ers don't have a problem with the people copying the CC numbers. They just have a problem with them using those numbers to buy stuff.

Picked the right time (0)

Anonymous Coward | about 2 years ago | (#39549037)

Of course they make sure to announce it on the same day as the Final Four championship. They want this story to get buried. Just like when Heartland processing made sure to announce their breach the same day as Pres. Obama's inauguration.

Many hats (1)

NetNinja (469346) | about 2 years ago | (#39549043)

This is what happens when you have companies who have people who wear many hats and don't commit a person to watching over security. I see it all day long, they want someone who has PCI experience but they also want you to manage the network and everything else that plugs into the wall.

Companies who deal with credit card information need to dedicate a security person to ensure that all PCI guidelines are being enforced and followed.
There are specific tools and software that PCI compliant companies have to have in place. I bet you the compliance guy was working on the other 10 emergencies that had nothing to do with PCI at the time the breach occurred.
Guess who gets fired now.

Re:Many hats (2)

who_stole_my_kidneys (1956012) | about 2 years ago | (#39549319)

I have to disagree. If you're in the business of Security, just focusing on implementing PCI compliance or SOX or SEC etc. recommendations leaves you clueless to how hackers actually penetrate networks. You need to know more about what it is you're running and how to mitigate other exploitable features that are not included in some compliance mandates. And the best way to learn that, get your hands dirty.

Re:Many hats (0)

Anonymous Coward | about 2 years ago | (#39549645)

I think the bigger problem is companies who don't understand that security is a continuous process and that passing the audit is not an end unto itself.

Yes, we (IT staff already seriously bogged down) want you to hire someone to do security. Yes, even when we're not being audited. No, they won't be idle sitting around doing nothing, security is a continuous process. No, it's probably not a good idea to make him double as the network engineer and triple as the VMware guy. Yes, he should know those things, but he shouldn't spend all of his time administering and troubleshooting them. His focus should be security, that is to say he should be staying abreast of the latest threats, and tuning the IDS, monitoring software, etc., and educating IT and the users on the need to follow the security model.

Yes, we won't be audited again for 6 months, but that's not the point. Technically, I would think, we would want to be secure. There's more at stake than just failing an audit. If we had someone who was really good at this security stuff, they could keep the 'ship' on the right course and we would sail through any audits. We wouldn't have the mad scramble to remediate a bunch of things each time.

Yes, a good security person might cost money, but not as much as the cost of being breached, and not even as much as the cost of the outside consultants we use to do the same thing. We would still need some hours for outside companies to do penetration testing, but we wouldn't need nearly as many hours of external consultants.

How many? (3, Interesting)

rickb928 (945187) | about 2 years ago | (#39549389)

Krebs on Security stated the number was 10 million. GP and all initially admitted to 50,000.

I'm betting on Krebs. He's pretty reliable, or at least his sources are.
