
Slashdot: News for Nerds


Security Breach Exposes 40M Credit Cards

Zonk posted more than 9 years ago | from the consider-the-planet-hacked dept.

Privacy 304

The Good Reverend writes "MasterCard International announced today that a security breach at CardSystems Solutions, a third party processor of payment card data, potentially exposed more than 40 million cards. Mastercard is aware of the specific card numbers affected, and is giving its member financial institutions the numbers that may have been compromised. Unlike many of the past high profile cases this one involves a hacker rather than lost packages. CNN Money, the New York Times, Reuters, MSNBC, ZDNet, C|Net, and the Washington Post are also covering the story."


304 comments

in other news... (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#12850380)

in other news, 40 million eggdrops just joined #cctraderz on efnet.

Proves that the hackers... (5, Insightful)

bpuli (654182) | more than 9 years ago | (#12850383)

will always exploit the weakest link in the chain. MasterCard itself might have the best security but what about all the systems downstream? Wonder how many more of these transactions processors have been compromised and don't even know it yet.

Re:Proves that the hackers... (1)

ninja_assault_kitten (883141) | more than 9 years ago | (#12850465)

Mastercard, like all credit providers, have strict certification criteria (e.g. VISA CISP) or they will impose heavy fines in the event of a breach. The necessary security controls *SHOULD* be in place if everyone's doing their job... Controls like encrypted storage of credit card and other customer data.

Re:Proves that the hackers... (2, Interesting)

whovian (107062) | more than 9 years ago | (#12850502)

> will always exploit the weakest link in the chain. MasterCard itself might have the best security but what about all the systems downstream?

Agreed. One wonders how to trust your contractees and outsourcees. It would argue for the most data-secure companies to cut out the middleman and do their own processing.

The cynical side of me says that there lurks a propaganda campaign to be pushed here by those in favor of introducing a new credit card feature, perhaps RFID or biometrics. I cannot say whether those are good solutions, but it certainly seems that some form of security that requires you to present physical evidence of your credit card or account seems in order -- maybe even a PIN?

Re:Proves that the hackers... (1)

IWannaBeAnAC (653701) | more than 9 years ago | (#12850589)

The UK has recently introduced PINs with their credit cards, and my credit card (with Dutch bank ABN-Amro) was just replaced, the new one also has a PIN with it. I haven't tried it out yet, but apparently the ONLY way to authorize payments with it is to supply the PIN.

Re:Proves that the hackers... (5, Funny)

Ian Jefferies (605678) | more than 9 years ago | (#12850544)

Just wait for the spam social engineering angle to kick in:

"Just enter your credit card details into this site to see if your credit card number was one of those stolen"

(Answer: not until 5 seconds ago)

Re:Proves that the hackers... (5, Informative)

Anonymous Coward | more than 9 years ago | (#12850571)

Have to agree here. I work for a large mailing house company which processes client data and sends out bank statements and tax details and all sorts of other private information.

Having an in-depth security background, I can safely say that the security of this place is shocking. The guys handling this sensitive data are just kids straight out of uni. The banks etc. themselves can go to great lengths to protect their clients' data, but then they outsource to 3rd parties and hand over all their data to be processed.

Posting anonymously for obvious reasons.

CardSystems is a MS .NET shop (-1, Troll)

QuietLagoon (813062) | more than 9 years ago | (#12850385)

Check out their careers page [cardsystems.com].

Re:CardSystems is a MS .NET shop (1)

kirun (658684) | more than 9 years ago | (#12850419)

Best wait until Monday, when the new opening for Head of Information Security will be posted.

Re: CardSystems is a MS .NET shop (1)

Black Parrot (19622) | more than 9 years ago | (#12850488)


> Check out their careers page.

I wonder how many of those open positions have opened up since May 22.

If I worked there I'd certainly be looking for a lifeboat.

I think that we'll see more of this (1)

udderly (890305) | more than 9 years ago | (#12850392)

As the complexity and number of features that are added to information systems increase, the opportunities for compromises grow--probably exponentially. We will see a real change in the security policies only after one of the companies has an enormous financial loss.

A bit over 1/4 were mastercard branded... (3, Insightful)

the packrat (721656) | more than 9 years ago | (#12850394)

But that leaves a little under 3/4 who aren't mastercard branded. If it was a typical third-party payments system then it is likely that they handled other types of credit cards, just that those companies haven't commented yet.

So when is the other shoe going to fall?

Re: A bit over 1/4 were mastercard branded... (4, Insightful)

Black Parrot (19622) | more than 9 years ago | (#12850416)


> But that leaves a little under 3/4 who aren't mastercard branded. If it was a typical third-party payments system then it is likely that they handled other types of credit cards, just that those companies haven't commented yet. So when is the other shoe going to fall?

The news has been reporting for the last 14 hours (at least) that the four major credit cards are all affected.

Also, this has been known since May 22, but everyone was keeping it quiet.

If there's another shoe, it's going to be that the breach was even larger than reported, or that they got more information than we're being told.

Re: A bit over 1/4 were mastercard branded... (1)

the packrat (721656) | more than 9 years ago | (#12850539)

> The news has been reporting for the last 14 hours (at least) that the four major credit cards are all affected.

News other than /., and quite a few of them are equating this breach with a 'Mastercard breach', which is why I added this comment here.

> Also, this has been known since May 22, but everyone was keeping it quiet.

And given the current lack of comments from everyone except Mastercard, they are still keeping quiet. Most of the creditcard gateway product companies seem... overly disinterested in security. I expect this will prompt a long overdue audit of their collective security and turn up a bunch of other unrealised breaches.

Re:A bit over 1/4 were mastercard branded... (0)

Anonymous Coward | more than 9 years ago | (#12850428)

Actually they have already commented (visa for example and american express).

At least the nytimes article mentions them.

RTFA PEOPLE (3, Informative)

Anonymous Coward | more than 9 years ago | (#12850396)

About 25 MILLION of the 40 WAS NOT a MasterCard, so there are a WHOLE bunch of credit card providers who like leaving you in the dark here people.

Stop lying (0)

Anonymous Coward | more than 9 years ago | (#12850503)

Jesus, yes people, please RTFA.
You'll soon find out that all major credit card companies were hit by this, that they all commented, that they all knew about the problem since May 22, but kept quiet, on the request of the FBI (or so they claim).

And please mods, how about RTFA yourselves before modding an obvious troll like the parent informative?

And in other news... (1)

Kaorimoch (858523) | more than 9 years ago | (#12850397)

And in other news, the WidgetCard from the WidgetCard corporation, breaking tradition from the main Credit Card corporations, are proud to announce that they have not lost any cardholder's data. This is an especially newsworthy event due to its rareness.

More news at five.

US numbers only? (2, Interesting)

mr_tap (693311) | more than 9 years ago | (#12850399)

I wonder if it was only US CC numbers or if we all have to worry?

Re:US numbers only? (1)

bryan986 (833912) | more than 9 years ago | (#12850547)

I would think so, I do believe there are other countries with as large a porn appetite as the U.S. *cough* russia *couch*

Lesse (3, Funny)

yotto (590067) | more than 9 years ago | (#12850400)

Interest rate: 20%
Annual Fee: $40
Randomly being declined because the machine is on the fritz: $1-$1000 purchase down the drain.
Being the target of fraud through no fault of your own: Priceless.

There are some numbers hackers can't steal. (5, Funny)

game kid (805301) | more than 9 years ago | (#12850628)

there are some numbers hackers can't steal

for everything else there's MasterCard

(Accepted all over, even if it's not yours.)

FIRST POST!!!!!!!! (0, Offtopic)

programgeek (726420) | more than 9 years ago | (#12850402)

FIRST POST OMFGm

Cost of re-issuing cards (2, Interesting)

00squirrel (772984) | more than 9 years ago | (#12850407)

I've always wondered why credit card companies don't simply cancel and re-issue cards when something like this happens. I read in the MSNBC article that it costs $10.00 per card to do that, which means this particular incident would cost the credit card companies about $400,000,000.00 to reissue cards. That is a ton of money!

Re:Cost of re-issuing cards (0)

Anonymous Coward | more than 9 years ago | (#12850431)

> That is a ton of money!

It is a lot more than a ton if they pay in coins. :-)

Re: Cost of re-issuing cards (1)

Black Parrot (19622) | more than 9 years ago | (#12850441)


> I read in the MSNBC article that it costs $10.00 per card to do that, which means this particular incident would cost the credit card companies about $400,000,000.00 to reissue cards. That is a ton of money!

One story I read on this said that it would cost banks a billion dollars to replace the cards, which is why people weren't being sent new cards already. (They've known about this for several weeks now.)

What I would like to see (4, Interesting)

Timesprout (579035) | more than 9 years ago | (#12850410)

since people here (Ireland) and the UK are basically being encouraged to rack up debt is someone to crack Mastercard/Visa and wipe out all the amounts owed on credit cards. Might encourage the financial institution to be a little less carefree with their lending policies.

Re:What I would like to see (1)

antifoidulus (807088) | more than 9 years ago | (#12850438)

I wonder if some unscrupulous people will do this on a smaller scale. Most credit card companies have fraud protection. Usually in cases where an individual's card is stolen the companies refund the person whose card was stolen and then try to track down whoever stole the card. However, with 40 million of these stolen, it is going to be very hard for the companies to figure out who really was victimized and who is trying to get some free stuff.
Well, considering the way CC companies abuse interest rates, I hardly have pity on them though....

Re:What I would like to see (0)

Anonymous Coward | more than 9 years ago | (#12850456)

a) You've been watching too much Fight Club
b) They have redundant systems and offline backups, dumbass.
c) You are stupid.

Re:What I would like to see (1)

timmyf2371 (586051) | more than 9 years ago | (#12850529)

On the other hand, we could always ask the "responsible" adults who take out these credit cards to actually take responsibility for once and only take out and use credit they can afford to pay back?

My father has many many credit cards which give him potential credit facilities to the tune of over twice his annual salary. His credit file is near perfect with the exception of a few late payments to cards (by a few days) and he has certainly never taken on more credit than he can afford.

Yes, maybe credit card companies should have a "responsibility test" which takes into account whether potential customers are willing to take responsibility for their actions and reject those who would rather not, however their current checks such as credit reference checks and the like do give a fairly accurate picture of people's finances and the people applying for these cards should take responsibility rather than blaming the card companies themselves.

Re:What I would like to see (1)

bigtallmofo (695287) | more than 9 years ago | (#12850552)

I agree with your common sense post.

Just thought I'd add that your father's credit might be better than he thinks. You don't appear to be in the U.S., but the big credit reporting agencies in the U.S. don't even have a record of "a few days late". Typically, one must be 30+ days, 60+ days, 90+ days or 120+ days late on a payment for it to fall into one of the negative slots that affect one's credit.

Of course, that doesn't stop the credit card company from penalizing you for being a few days late with late charges, increasing your interest rate, etc. That's becoming more and more common.

Ever hear of "Personal Responsibility"? (1)

bigtallmofo (695287) | more than 9 years ago | (#12850533)

Credit, like electricity, is provided to people to use as a tool. One can use that tool responsibly. For instance:

1. Don't buy things you can't afford
2. Don't stick your finger in a light socket

Or one can use such tools irresponsibly and think that consequences don't apply to them.

I wonder which type of person you are?

being a site full of geeks (3, Interesting)

circletimessquare (444983) | more than 9 years ago | (#12850411)

everyone here will be proposing a technical solution

but let me posit my own nontechnical solution: the processor must pay for a replacement card for every single victim

Re:being a site full of geeks (4, Insightful)

gweihir (88907) | more than 9 years ago | (#12850421)

> the processor must pay for a replacement card for every single victim

And one more: Processors should have mandatory insurance against this event. Then the insurance company would check their security with a keen eye....

Re:being a site full of geeks (0)

Anonymous Coward | more than 9 years ago | (#12850612)

> the processor must pay for a replacement card for every single victim

Who says they don't already do this? CardSystems will have to pay Millions of dollars for violating their service level agreement with Master card and the issuing banks.

Besides, Master card frequently audits third-party processors and has a mountain of security that a company has to comply with to be eligible to process credit cards.

The solution is to just use TSYS [tsys.com]. An excellent third-party credit card processor ;) Shameless plug for employer

The card number / expiry-date system is stupid (3, Insightful)

mukund (163654) | more than 9 years ago | (#12850412)

Banks and financial institutions need to start using public-key encryption to authenticate a user rather than a card number and expiry date. Many visa/master cards already come as smart cards these days and it should be easy to upgrade them to operate as a JavaCard for example. Couple this with a USB card reader issued by the bank. A website can then ask for a signed payment (to be signed in a chip inside the card) valid for a short time period and only usable once in the transaction only. You verify it by looking at the reader, or a display on the card itself and reading the name of the store you're making the payment for, and press a button on the card or on the reader to grant/deny it. In this way, no external software outside the card is involved with granting money which can be tampered with. The signature takes place in the card. No credit card numbers stored. Payment made. Everyone's happy.
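The scheme proposed in the comment above, sketched as an added example that is not part of the original thread: a card-held key signs a payment authorization naming the merchant and amount, and the issuer rejects anything tampered with, expired or replayed. Ed25519, the message layout and every name here (`PaymentAuth`, `Card`, `Issuer`, the merchant string) are assumptions chosen for illustration; the comment specifies none of them.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

var (
	ErrBadSignature = errors.New("signature does not verify")
	ErrExpired      = errors.New("authorization expired")
	ErrReplay       = errors.New("authorization already used")
)

// PaymentAuth is what the card displays and signs (hypothetical layout).
type PaymentAuth struct {
	Merchant    string
	AmountCents uint64
	Nonce       [16]byte // fresh per request, so a signature is single-use
	Expires     int64    // Unix seconds; keeps the validity window short
}

// Bytes gives an unambiguous encoding: fixed-width fields, length-prefixed name.
func (p PaymentAuth) Bytes() []byte {
	var hdr [8 + 8 + 4]byte
	binary.BigEndian.PutUint64(hdr[0:], p.AmountCents)
	binary.BigEndian.PutUint64(hdr[8:], uint64(p.Expires))
	binary.BigEndian.PutUint32(hdr[16:], uint32(len(p.Merchant)))
	out := append([]byte("payauth-v1"), hdr[:]...)
	out = append(out, p.Nonce[:]...)
	return append(out, p.Merchant...)
}

// Card stands in for the chip: the private key never leaves this struct.
type Card struct{ priv ed25519.PrivateKey }

// NewCard returns the card and the public key the issuer registers for it.
func NewCard() (*Card, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Card{priv: priv}, pub, nil
}

// Sign models the cardholder pressing the button after reading the display.
func (c *Card) Sign(p PaymentAuth) []byte { return ed25519.Sign(c.priv, p.Bytes()) }

// NewRequest is the merchant side: a short-lived request with a random nonce.
func NewRequest(merchant string, cents uint64, now time.Time, ttl time.Duration) (PaymentAuth, error) {
	p := PaymentAuth{Merchant: merchant, AmountCents: cents, Expires: now.Add(ttl).Unix()}
	_, err := rand.Read(p.Nonce[:])
	return p, err
}

// Issuer verifies authorizations against the card's registered public key.
type Issuer struct {
	pub  ed25519.PublicKey
	used map[[16]byte]bool // nonces already spent
}

func NewIssuer(pub ed25519.PublicKey) *Issuer {
	return &Issuer{pub: pub, used: make(map[[16]byte]bool)}
}

// Verify accepts an authorization once, and only inside its validity window.
func (i *Issuer) Verify(p PaymentAuth, sig []byte, now time.Time) error {
	if !ed25519.Verify(i.pub, p.Bytes(), sig) {
		return ErrBadSignature // any changed field invalidates the signature
	}
	if now.Unix() > p.Expires {
		return ErrExpired
	}
	if i.used[p.Nonce] {
		return ErrReplay
	}
	i.used[p.Nonce] = true
	return nil
}

func main() {
	now := time.Unix(1700000000, 0) // constructed clock value
	card, pub, err := NewCard()
	if err != nil {
		panic(err)
	}
	issuer := NewIssuer(pub)
	req, err := NewRequest("Example Books Ltd", 2599, now, 2*time.Minute)
	if err != nil {
		panic(err)
	}
	sig := card.Sign(req)
	fmt.Println("first use:", issuer.Verify(req, sig, now))
	fmt.Println("replay:   ", issuer.Verify(req, sig, now))
	tampered := req
	tampered.AmountCents = 999999
	fmt.Println("tampered: ", issuer.Verify(tampered, sig, now))
}
```

A processor that stores such signed authorizations holds nothing reusable: each one is bound to a single merchant, amount, nonce and expiry.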

Ahhh! But you forget... (1)

bigtallmofo (695287) | more than 9 years ago | (#12850565)

Don't forget the super-duper-high-security last three digits on the back of the card!

I'm sure it's no problem at all that many online vendors ask for those last three digits and then store them alongside your credit card number and expiration date. Security problem solved. Done, and done.

Re:The card number / expiry-date system is stupid (1)

Ph33r th3 g(O)at (592622) | more than 9 years ago | (#12850577)

The use of a copiable token is stupid, as you point out. Visa and MasterCard agreed on a protocol [cam.ac.uk] called "Secure Electronic Transaction" that does indeed use PK cryptography, in 1996. Apparently they decided it was cheaper to let their customers bear the cost and hassle of dealing with the fraud in the existing system.

Not just mastercard -- VISA, etc. (1, Informative)

Anonymous Coward | more than 9 years ago | (#12850415)

The summary fails to mention that it isn't only Mastercard that is affected (e.g., look at the Washington Post article). VISA is affected as well, as are others. Apparently the breach was detected by the company handling the cards (CardSystems Solutions, Inc.) on May 22, but was only announced by Mastercard now, though they had been notifying banks in the interim. VISA spokespeople claim that they did not announce it sooner because there was an ongoing FBI investigation.

Re: Not just mastercard -- VISA, etc. (2, Insightful)

Black Parrot (19622) | more than 9 years ago | (#12850476)


> Apparently the breach was detected by the company handling the cards (CardSystems Solutions, Inc.) on May 22

One source I read said it was detected by the credit card companies when they noticed an upturn in the number of fraudulent transactions being reported to them by banks, and only then traced back to the clearinghouse.

> VISA spokespeople claim that they did not announce it sooner because there was an ongoing FBI investigation.

Yeah, supposedly there was an agreement to silence (for good reasons or bad), and the other participants are surprised (and probably outraged) that M/C broke the news.

And while the "FBI investigating" story is at least a semi-plausible reason for silence, I suspect the real motivation was "OMFG, let's stall as long as we can and hope Jesus comes back before word gets out". As mentioned in other threads, there are estimates that it will cost a billion dollars to replace all those cards.

Also, IIRC, in the past these exposures have always turned out to be much larger than first reported.

Slashdot is sloooooow (1)

Gorath99 (746654) | more than 9 years ago | (#12850418)

Jeez, even the mainstream newschannels have been reporting this since at least 9am local time (6 hours ago) and creditcards are hardly even used over here.

Seriously, news like this is important and should be spread as quickly as possible. It's a sad day when major international tech-related sites of slashdot's size take this long to report these things.

Re:Slashdot is sloooooow (0, Redundant)

rbarreira (836272) | more than 9 years ago | (#12850464)

No it isn't.

cascade effect.... (1)

ecalkin (468811) | more than 9 years ago | (#12850468)

i look at about 5 news sites (drudge, abcnews, newsmax, cnn, foxnews).

this was an interesting event as i saw this first about a day/day-and-a-half ago on one site. sometimes a news item will maybe hit 2 or three of these sites. one by one, this became a major news item on all five.

this is starting to capture people's attention.

eric

Re:Slashdot is sloooooow--the way it works (1)

WebHostingGuy (825421) | more than 9 years ago | (#12850486)

That's because a lot of the times articles on these are submitted to the slashdot editors but they reject them for one reason or another (too much other news, editor doesn't think it is interesting, etc.) I know I submitted this yesterday but my submission was rejected, but now someone else resubmitted another day and it was accepted. It's just the way the system works.

Re:Slashdot is sloooooow (1)

mattyrobinson69 (751521) | more than 9 years ago | (#12850507)

/. is for the discussion, if you want up to date news read the news sites. it's the same with people who use slashdot for security holes in software, go read a security site.

Re:Slashdot is sloooooow (1)

Gorath99 (746654) | more than 9 years ago | (#12850532)

> /. is for the discussion

Why? The slogan is "News for Nerds," not "Discussion by Nerds." I would posit that the latter doesn't qualify as "Stuff that matters," either.

Re:Slashdot is sloooooow (1)

Sethra (55187) | more than 9 years ago | (#12850524)

In point of fact the actual theft of the data occurred over a month ago. The public is only being notified now.

So what's a few hours here and there when the event is already so old?

Re:Slashdot is sloooooow (0)

Anonymous Coward | more than 9 years ago | (#12850534)

let's see...

Is it a story about apple/ipod: No
Does it bash/talk about microsoft: No
Linux: No, no

we have to cover the queen using an ipod, the fastest growing brands, and random shoutouts for chinese freedom. talk about getting priorities straight, right?

Re:Slashdot is sloooooow (0)

Anonymous Coward | more than 9 years ago | (#12850626)

Slashdot is not a news site. It is a glorified blog. Not a single person working for Slashdot is "in the trenches." They simply sit there filtering user-submitted stories and determining which is more trollable (troll stories generate many more hits than less controversial, but factually correct stories).

This just proves that... (1)

Debiant (254216) | more than 9 years ago | (#12850423)

laws should be passed to protect not only what information can be stored but also how.
And that outsourcing adds complexity and more weak points that can fail.

A stupid question:

how anyone can possibly get so much information by hacking somewhere?

Being a semi-pro IT person, I'd think downloading so much information at once would be easy to spot and made impossible too (and who needs so much info at once anyway?)
Or did they get so much information by getting it all one by one?

Re: This just proves that... (1)

Black Parrot (19622) | more than 9 years ago | (#12850447)


> how anyone can possibly get so much information by hacking somewhere?

The company is (was?) a clearinghouse for handling charges by the four major credit-card companies, and someone had a program listening in on the transactions for some unknown amount of time.

Re: This just proves that... (1)

Debiant (254216) | more than 9 years ago | (#12850475)

I looked more closely now at the links given, and by the CNN link it was a script in a database that sought a certain kind of information.

What it doesn't state is that how that information was then relayed forward.

Let's slashdot the economy! (3, Funny)

Black Parrot (19622) | more than 9 years ago | (#12850424)


To ensure that no one places any fraudulent charges on our credit cards, let's all run out to our favorite toy stores and run up our cards to their limits.

Re:Let's slashdot the economy! (0)

Anonymous Coward | more than 9 years ago | (#12850491)

I have just ordered a new laptop and 500 goatse dolls. I am safe.

What about debit cards? (1)

mgkimsal2 (200677) | more than 9 years ago | (#12850425)

From what I recall, debit card transactions don't give you the same protection as credit card transactions, even though they're both 'mastercard' or 'visa' branded and have identical looking numbers.

Re:What about debit cards? (1)

Algan (20532) | more than 9 years ago | (#12850523)

Yes, that is true from a legal point of view (AFAIK). However, most banks - in US at least - will provide the same type of protection. The downside is, in some instances, you don't get the money back until the dispute is resolved in your favor, which can take a couple of months. With a CC, you simply don't pay that portion of the bill. That is why I use my Debit/ATM card only for cash withdrawals at ATMs. I'm also seriously thinking of giving it up and getting an ATM only card.

Re:What about debit cards? (0)

Anonymous Coward | more than 9 years ago | (#12850530)

you're SOL pal. or "not our fucking problem", as at least Discover card would tell you.

Re:What about debit cards? (1)

bryan986 (833912) | more than 9 years ago | (#12850572)

I get 100% no fraud liability on my VISA/WellsFargo card, I have had it replaced on my request at no charge

My Card? (5, Funny)

valjean78 (92139) | more than 9 years ago | (#12850429)

Is there a form somewhere that I can enter my credit card information to check if my cc number has been comprimised? :p

Re:My Card? (1, Funny)

Anonymous Coward | more than 9 years ago | (#12850442)

Yes you can check it out at

http://www.please.steal.my.credit.card.nu/ [credit.card.nu]

Re:My Card? (1)

datadriven (699893) | more than 9 years ago | (#12850444)

What, didn't you get the email from paypal to verify your account?

Re:My Card? (4, Funny)

arose (644256) | more than 9 years ago | (#12850450)

I'm setting one up right now... :-P

Re:My Card? (1)

hugesmile (587771) | more than 9 years ago | (#12850484)

> Is there a form somewhere that I can enter my credit card information to check if my cc number has been comprimised?

Sure, if you post your name, card number, and expiration date to slashdot, an automatic check will be run, and the results will be displayed.

If you receive the message "Comment Submitted. There will be a delay before the comment becomes part of the static page.", then this means you have been comprimised (sic). It's a perfectly fool-proof system, I primise.

Re: My Card? (1)

Black Parrot (19622) | more than 9 years ago | (#12850510)


> Is there a form somewhere that I can enter my credit card information to check if my cc number has been comprimised? :p

I see that you :p'd it, but one of my first thoughts was that someone could probably set up a phishing page for "enter your card number, name, and social security number (for verification purposes only, of course), and our database will tell you whether your card number was harvested".

Phew... (0)

Anonymous Coward | more than 9 years ago | (#12850434)

...I thought maybe I really did order that 13" translucent pink dildo while I was drunk the other night.

This is simply the price of outsourcing. (5, Interesting)

0xdeaddead (797696) | more than 9 years ago | (#12850437)

See in the banking industry we run these "penetration scans" all the time, that are TOTALLY WORTHLESS. I cannot emphasize this enough, that running the weakest setup possible will pass their "tests" with flying colours. The people doing these tests (some certified security specialists!) think that firewalls are magical devices that know how to stop the pesky hackers. Bottom line is that people are involved, they are out of their element, and simply placeholders. Management in general needs to get out of this "placeholder" mentality when it comes to jobs, and just fire people that are not doing their jobs.

Ok enough ranting, but trust me, in the late 90s banks were trying to outsource as many things as possible from customer service, to invoicing, bills, credit collections, applications and so on. As you can see when the "Credit card company" becomes nothing more than a brand, and a board of execs, everything is out of their control, not to mention every piece of the old credit empire is open for attack.....

If anything the question is why did it take so long to find them?!

Re:This is simply the price of outsourcing. (1)

PunkPig (738544) | more than 9 years ago | (#12850596)

Banks outsourcing in the late 90's? It is still going strong today.

Oh well, I'm sure that they all have iron clad SLAs with their outsourcing partners.....and when the outsourcing partner goes bankrupt as a result of royally screwing up.....Oh well. I guess it is just time to bring in some more consultants to find a new and better vendor (or break down the process even further for more vendors). Good times....good times

No socialist regulation is needed (0)

Travoltus (110240) | more than 9 years ago | (#12850454)

As usual, private industry is regulating itself and solving its own problems.

If the Government got involved they'd regulate these companies and we'd have security breaches all over the place, like the IRS...

Oh wait, exactly how many IRS breaches have we had so far?

Someone get me a direct line to Fox News, STAT!!!

Re:No socialist regulation is needed (0)

Anonymous Coward | more than 9 years ago | (#12850477)

What the hell are you talking about? The IRS isn't a bank, nor is it an issuer of credit cards. Why would crackers want to hack the IRS?

Re: No socialist regulation is needed (1)

Black Parrot (19622) | more than 9 years ago | (#12850495)


> Why would crackers want to hack the IRS?

Probably a gold mine for identity theft resources.

Also, lots of people give their bank account's routing number for automagic deposit of their refund. Maybe there's a way to forge that kind of transaction and clean out people's bank accounts?

Re:No socialist regulation is needed (1)

Travoltus (110240) | more than 9 years ago | (#12850535)

Not to mention the name, address and SSN itself (which, AFAIK, are on every tax return, by nature) being practically the keys to the whole kingdom...

Re:No socialist regulation is needed (1)

anthony_dipierro (543308) | more than 9 years ago | (#12850498)

Sounds great. Let's make it as hard to buy something from a store as it is to file a tax return. As a paid tax preparer, my profits would go through the roof.

About your tagline... (0)

Anonymous Coward | more than 9 years ago | (#12850578)

Running linux is like having all the components needed to make a lightsabre rattling around loose in a cardboard box.

If the IRS was breached, would they say? (1)

G4from128k (686170) | more than 9 years ago | (#12850621)

> Oh wait, exactly how many IRS breaches have we had so far?

I doubt the IRS would be forthcoming if there was a breach (although there are the occasional articles about corrupt IRS employees). In fact, a breach would probably be classified and not be allowed to be published. In contrast, a card processing company knows that it exposes itself to greater liability if it fails to alert its partners (card issuers/banks) of a problem.

Missing the real story here (0)

Anonymous Coward | more than 9 years ago | (#12850459)

or at least a very important aspect of the story.

"MasterCard said its investigation found that CardSystems, in violation of MasterCard's rules, was storing cardholders' account numbers and security codes on its computer systems. That information, MasterCard said, was supposed to be transferred to the bank handling the merchants' transactions but not retained by CardSystems."

As /. readers are always so preoccupied (and rightly so, as this example shows) with what happens to their personal data, this aspect shouldn't be overlooked.

What took so long? (1)

DAldredge (2353) | more than 9 years ago | (#12850460)

Why did it take /. so long to cover this story? I mean the political sites had this story 12 hours ago.

What has happened to /.?

You mean cracker? (1)

torstenvl (769732) | more than 9 years ago | (#12850493)

Or was it Eric S. Raymond [catb.org] who illegally stole the credit card information?

The press may co-opt our sub-cultural language for their own gross-oversimplification purposes. That doesn't mean Slashdot has to follow suit.

Definition from the Jargon File:
hacker n. [originally, someone who makes furniture with an axe]

  1. A person who enjoys exploring the details of programmable systems and how to stretch their capabilities, as opposed to most users, who prefer to learn only the minimum necessary.
  2. One who programs enthusiastically (even obsessively) or who enjoys programming rather than just theorizing about programming.
  3. A person capable of appreciating hack value.
  4. A person who is good at programming quickly.
  5. An expert at a particular program, or one who frequently does work using it or on it; as in "a Unix hacker". (Definitions 1 through 5 are correlated, and people who fit them congregate.)
  6. An expert or enthusiast of any kind. One might be an astronomy hacker, for example.
  7. One who enjoys the intellectual challenge of creatively overcoming or circumventing limitations.
  8. [deprecated] A malicious meddler who tries to discover sensitive information by poking around. Hence "password hacker", "network hacker". The correct term for this sense is cracker.

Re:You mean cracker? (1)

timmyf2371 (586051) | more than 9 years ago | (#12850570)

Per Dictionary.com [reference.com] :

hacker
n. Informal

1. One who is proficient at using or programming a computer; a computer buff.
2. One who uses programming skills to gain illegal access to a computer network or file.
3. One who enthusiastically pursues a game or sport: a weekend tennis hacker.

In the evolving English language, words can have two different meanings. I encourage you to read the second definition as listed above and stop your wishful thinking that English is going to somehow become a dead and non-evolving language like some other European languages.

Re:You mean cracker? (1)

torstenvl (769732) | more than 9 years ago | (#12850634)

Problem: you base your argument on the assumption that 'English' takes precedence over 'Nerdish' on a nerd site.

Re:You mean cracker? (0)

Anonymous Coward | more than 9 years ago | (#12850575)

This debate died in 1999.

Could someone be so kind to... (2, Funny)

MTO_B. (814477) | more than 9 years ago | (#12850494)

Could someone be so kind to check if my credit card number was exposed?
My cc number is 5122-5655-1459-0444.
Reverse code: 444

If it was exposed I want to cancel it so the hacker can't use it.

Thanks. ;-)

Re:Could someone be so kind to... (1)

kabbor (856635) | more than 9 years ago | (#12850543)

Sorry. In order to check this we need your, um, Full Name (Please enter it exactly as it appears on your card

Weakest link (4, Interesting)

hellfire (86129) | more than 9 years ago | (#12850497)

It's not surprising someone other than MasterCard actually had a list of card numbers stolen. I have customers all the time tell me how they don't like what they feel are draconian measures to protect the credit card numbers people have in their own systems. What they fail to understand is that Visa and Mastercard require us to do this, and the protections we have are customer service.

But they still complain, because their customers and they themselves don't ever notice. Hell at one point I was told by a demanding customer to remove the protections because he said "I'll risk it." I was tempted to show him how insecure he was by remotely accessing his system, getting his list of customer phone numbers, and telling all his customers that he was careless with credit card numbers and their numbers could have easily been stolen from his system.

People are pretty careless about credit card security. It's usually in the name of convenience and visible customer service. Credit card security is invisible service. Being able to purchase something conveniently flies right in the face of having security which just might prevent you from selling something to someone, so some people don't care, as long as they are selling. Owners care once they find out that they'll be issued chargebacks, but individual salesreps will write down every credit card number on a piece of paper if it means making money for them personally.

Visa and Mastercard have the right idea, and in the press release I like how they said that they gave CardSystems a "limited amount of time" to basically get their act together so this doesn't happen again. Education and enforcement of regulations... nice to see an organization, especially one that is a corporation, actually give a damn.

Reset the Debt (2, Interesting)

jvmatthe (116058) | more than 9 years ago | (#12850505)

Remember how a notable movie (based on a notable novel) a few years ago had, as part of its plot, a plan to reset the credit card debt of the world? With the rate of security breaches we've seen, I have to wonder if the system won't lead to such a problem on its own, not through someone wanting to reset the debt but rather from a massive case of distributed fraud as the result of these kinds of security breaches.

I mean, what do you do when something like 40 million transactions could be legit ... or could be bogus? There's no human way to know what's real and what's not if you have to check every one of them. I'm sure they have computerized methods, but I'd imagine that there is still a level of distributed low-level (i.e. not buying boats and plasma TVs) fraud that would disrupt the system in some critical way.

Re:Reset the Debt (1)

MrP- (45616) | more than 9 years ago | (#12850522)

or you could still buy boats/plasma tvs, just distribute it over several cards instead of just one

maybe have 1000 cards transfer a small amount of money to a paypal account or something

it's possible and scary.. especially when you're a mastercard holder as i am, sigh

I guess I put a decimal in the wrong place. (0)

Anonymous Coward | more than 9 years ago | (#12850511)

It's always some mundane detail.

The only way (4, Insightful)

BCW2 (168187) | more than 9 years ago | (#12850527)

To end this kind of thing is to make the companies handling records financially responsible for any problems. Triple the amount in damages to each misused account. They won't do anything until it affects the P&L severely. It's the only thing big corporations understand.

hacker? (1)

SQLz (564901) | more than 9 years ago | (#12850551)

Unlike many of the past high profile cases this one involves a hacker rather than lost packages.

Wouldn't that be a 'cracker' not a hacker?

they're welcome to my cc number... (1)

advocate_one (662832) | more than 9 years ago | (#12850553)

they'll have fun trying to use it... there's zero credit left at the moment... if they like, they could always put some back on it first...

Re:they're welcome to my cc number... (1)

merlin_jim (302773) | more than 9 years ago | (#12850608)

they'll have fun trying to use it... there's zero credit left at the moment... if they like, they could always put some back on it first...

Actually, that's fairly common... let's say I get your card and it's got a five grand limit on it but only a grand is left...

I can take my thousand bucks and run OR I can pay off four grand, call the credit company, and get "my" limit increased (FYI on a full payoff most companies will gladly increase your limit)... then instead of a grand I've got six grand (assuming they double the limit) to go with...

I know a friend this happened to. VISA sent him a form with checkboxes for each transaction, to indicate which ones were fraudulent transactions.

The checkbox next to the payoff was not checked when he sent it back.

Where Do You Want To Go Today (0)

Anonymous Coward | more than 9 years ago | (#12850555)

How many more times does American business have to get ass-raped before they wake up and smell teh coffee - WINDOWS IS FUCKING INSECURE YOU GODDAMN DINOSAURS!!!!!

Cost of doing business (0)

Anonymous Coward | more than 9 years ago | (#12850557)

I.e., pass the cost to the consumer. Of course there are any number of simple technological and business procedural solutions, but since the route of least resistance is through the consumer, that's how the credit card companies are going to do business.

Good thing I have online banking! (2, Interesting)

MtViewGuy (197597) | more than 9 years ago | (#12850580)

That way, I can closely monitor all my bank's account activity to make sure somebody isn't trying to hack into my accounts to steal my money. That was how I was able to find out somebody did an inside job identity theft of my checking account and they stomped out that fraud (and got the "perp" pretty quickly).

However, before you do online banking, I would recommend you have both antivirus and firewall programs active and run anti-spyware programs at least once a day to keep out keystroke loggers.

Huff (0)

Anonymous Coward | more than 9 years ago | (#12850581)

Well, I just call in once a year to mastercard and tell them I lost the card. Then they issue you a new card with a new number.

The irony is, they will not issue 40 million new cards because it costs them about $5-10 a card.

I might have to call in twice this year.

Better to be safe than sorry ... particularly with the new bankruptcy laws.

Is there an option not to use the internet? Sadly, sometimes I wish there could be.

cardsystems.com/careers.html (3, Informative)

St. Arbirix (218306) | more than 9 years ago | (#12850585)

It's worth mentioning that they're hiring people with VMS and WindowsNT experience. Small wonder the malicious code got in there.

WTF!! (-1, Offtopic)

macaulay805 (823467) | more than 9 years ago | (#12850594)

WTF: I submitted this yesterday, and got rejected!!

Security Breach at CardSystems Solutions Friday June 17, @02:25PM Rejected

Re:WTF!! (0, Offtopic)

macaulay805 (823467) | more than 9 years ago | (#12850615)

On a side note, I'm starting to get the feeling that the story mods reject almost any submitted story by default, then the other mods look at the story, re-word it, then post the story to front page news claiming an article for them.

Bizarrest claim yet! (1)

thesp (307649) | more than 9 years ago | (#12850623)

from Mastercard's Newsroom | Global Press Releases "Upon receiving notice from MasterCard, banks are able to take the appropriate steps to protect their cardholders from potential fraud. No highly sensitive information, such as social security numbers or dates of birth or the like, are stored on MasterCard cards."
No idea how Mastercard could think that account details aren't classed as highly sensitive information - perhaps this is the reason for the lax security!