Visa and MasterCard warn of credit card data breach

Visa and MasterCard have been quietly informing banking partners that a third-party supplier has suffered a major breach of security that could let the attacker clone users' cards. According to Krebs on Security, the credit card companies are warning that between January 21 and February 25, a successful attack appears to have …

COMMENTS

This topic is closed for new posts.
  1. Topsy

    Victim?

    My UK Visa debit card was replaced in early Feb due to an unspecified "security threat". I was in the midst of moving home at the time. Despite many requests the bank could not give me any direct example of my account having been inappropriately accessed. Visa, who had supplied the original intel, wouldn't pass on the details it seemed.

    1. This post has been deleted by its author

    2. Geoff Campbell Silver badge
      Devil

      Re: Victim?

      Ah, interesting. I had a fraudulent transaction on my Visa Debit card in February of about a grand and a half - a purchase of foreign currency for collection. Got it sorted pretty swiftly, fortunately, but I wonder if it would have been so easy to reverse if the perp had had time to collect the cash?

      Of course, despite my providing details of the branch the cash had been ordered to be collected from, both the police and the bank were completely uninterested in letting the transaction go and nicking the perp. Too much paperwork, I guess.

      GJC

    3. Graham 32

      Re: Victim?

      "Despite many requests the bank could not give me any direct example of my account having been inappropriately accessed"

      That's probably because it hadn't been accessed. There is a difference between "security threat" and "security breach". And of course they won't give you details about the threat, that would be giving away details of a security hole that they haven't yet patched.

      A PITA it happened at all, but it is the correct response.

  2. Anonymous Coward

    Expect a perp walk soon

    They make prison cells for people who hack.

    1. Shades

      Re: Expect a perp walk soon

      Can't you think of anything new to say Morris, you're getting f*cking boring now!

      1. Anonymous Coward

        @Shades - Re: Expect a perp walk soon

        Morris? Oh, I didn't realise it was a real person. I thought it was a bot.

    2. Anonymous Coward
      FAIL

      Re: Expect a perp walk soon

      No perp walk. No one will investigate. Some government slacker with an 'Etch-A-Sketch' might twist a picture for ya. Agencies, corps and government are all busy counting their nose hairs and announcing the emphatic "no" response to every inquiry you'll make to resolve, react and/or proactively protect yourself from id theft. Short of hunting down the perps yourself. Forget it.

      The system is crashing all around us and crime knows it and takes full advantage of it. So, why pay your taxes when law enforcement doesn't give a hoot, where social security (US) says, "non, no, and no" to every practical solution you may request, and the revenue collectors (just a mutated form of the age-old extortion 'protection' racket you pay on your block so the gang up the street doesn't move in) wouldn't know how and doesn't respond to tens of thousands of fraudulently filed tax returns generating millions of dollars in refunds.

      Everything I say here is true and undisputed.

  3. This post has been deleted by its author

    1. Nick Kew
      Black Helicopters

      Anonymity

      If you have 'inside' information, what's the risk El Reg would disclose your identity to a potentially-hostile investigator? If it's sufficiently high value, that might be spooks armed with a Court Order.

      I hope your information is sufficiently low-sensitivity you won't be the next Gary McKinnon!

  4. Anonymous Coward
    FAIL

    Out of the ordinary

    If using the Esso garage a mile down the road sets off their alarm bells because the Shell station I usually use is out of diesel then they should be able to pick up bad transactions.

    Or they could do what Nat West did and let someone purchase a mobile phone in a city I had never been to while labelling me using said petrol station as "suspicious". [rolls eyes]

    1. This post has been deleted by its author

    2. jonathanb Silver badge

      Re: Out of the ordinary

      I guess the problem is that buying a mobile phone is something people do very infrequently, once every couple of years, or at most once a year if you are a fanboi who must have the latest fruity gadget; whereas buying diesel is something you do pretty regularly, and going to a petrol station one mile away from your usual is probably more unusual than going to one many miles away - if you are on a long trip and need to fill up to get back home.

      1. This post has been deleted by its author

      2. Anonymous Coward

        Re: Out of the ordinary

        But buying said mobile phone in a city 200+ miles away when I have other normal transactions going on in my home town?

        1. Jess--

          Re: Out of the ordinary

          You may find that it was more a case of the other garage a mile down the road having been involved in a large number of suspicious transactions.

          I had a card done by a particular local garage (1st & only transaction on the card); within 8 hours the card & PIN had been used in London (UK), Sydney (AUS) and Detroit (USA).

          1. MrT

            It'll be the outlet staff on the take...

            ... 4 years back a colleague noticed that staff (IIRC a couple of young Polish girls) at Primark in Leeds centre double-skimmed her card, once through the regular machine and again through a scanner under the counter whilst one ran a bit of interference about packing etc. She got back to the office about 40 minutes later, rang the bank to report it and cancel the card, to find it had already been hit. The bank took care of it and in that case the police did make a visit to the store.

    3. Stuart Castle Silver badge

      Re: Out of the ordinary

      Santander has an unusual definition of ordinary..

      I've used my card all over the country, and on the odd occasion in Las Vegas, Kos and Turkey (although these have been for the odd week, and not at all frequent).

      Once a year (since about 2005), I've been buying an annual Travelcard online. Same date every year..

      Guess which Santander declined.

      Yep, the annual travelcard. They had no trouble with me taking my card abroad without notifying them, but I make an annual transaction here, and that's a problem..

      1. Anonymous Coward

        Re: Out of the ordinary

        And how much does your annual travelcard cost? Even buying mine in person, at the counter, via chip and pin required a call to the bank.

        It's a weighting thing: certain transactions are marked as sufficiently suspicious that they are automatically refused. Often that is because of the amount of money involved; other times it's because the site is suspect.

  5. Highlander

    How long have they held onto this knowledge?

    This happened as long ago as January and we're only now learning of it? What the hell!? Two months? They sat on this for 2 *months*.

    Good grief. Someone call the media, we need some outrage.

    1. This post has been deleted by its author

    2. Anonymous Coward

      Re: How long have they held onto this knowledge?

      Probably at the request of the police, while the hack was being investigated.

  6. Paul 70
    FAIL

    Track 1 and track 2!!!

    This looks like it is pretty fundamental in the manufacturing of the cards and the compromise would have happened at this point. Millions of T1&2 data released to the wild must be big news to them. And they are always going on about retailers getting PCI compliant - this kind of drives a truck through all this.

    Perhaps the time is getting near where the numbers on a credit card should not be the valuable bit of the credit card. Other methods to validate the cards must be made available to make the storage of the PAN completely irrelevant.

  7. Destroy All Monsters Silver badge
    Coat

    Global Payments Download.

    "She said that the attackers appear to have got through the existing knowledge based authentication questions used as security."

    Yeah. The entry was "Joshua".

    Mine's the one with old paper-based issues of Scientific American in the pockets.

    1. C 2
      Joke

      Re: Global Payments Download.

      Who's to say the password wasn't 'GUEST'.

    2. Annihilator
      Thumb Up

      Re: Global Payments Download.

      "Greetings Professor Falken... Shall we play a game?"

  8. Anonymous Coward
    Paris Hilton

    Anon Coward

    Sorry you felt the need to delete your posts. I realise why, but your posts were much more informative than anything in the main article.

    Paris, because there's a few things she'd probably like to erase from history.

  9. Anonymous Coward

    Only 10 million accounts?

    This should make some folks very unhappy. Who's gonna pay for this?

  10. Mike Echo

    Chip not affected?

    I assume this problem is only for those cards solely containing a magnetic strip, as opposed to having an embedded microchip as well.

    1. Anonymous Coward

      Re: Chip not affected?

      Nope.

      Chip cards fall back to the mag stripe when a chip'n'pin reader isn't available.

      This is why the Tamil Tigers cloning cards from UK petrol stations got the cash out in the Far East.

      1. Anonymous Coward

        Re: Chip not affected?

        Some do fall back, some don't; it depends how they're configured. My bank (Co-op) runs a fairly sensible system where if I want to use the card out of the country, I call them and tell them before I go.

  11. Anonymous Coward

    Internal hack?

    1) Most places do 2 factor authentication. You would need the token and the password for the token, so just stealing the token is not very useful. And you still need a separate password for the actual DB.

    2) Track I is name stuff and PAN... Many POS devices only send track II. And internet transactions would have neither track I nor II. So not every transaction would have Track I and II. But a debit/credit issuer would have both tracks in his DB, as he needs to issue cards with this info. Probably unlikely some external employee of a financial institution gathering this info from an external transaction history interface, as you would just get the track that was read by the POS device. Points again to internal.

    3) You would need to punch through internal firewalls, or have a specific IP and WINS address that allows you through to the data. Not everyone at Global Payments inc. can get at the data. Once again, you need an inside guy.

    4) If this data was encrypted (unlikely other than disk encryption for data at rest protection), you would need to be internal.

    5) if it is a stolen disk or tape, you need inside info to get it and know what is on it.

    6) Intrusion detection systems probably would have caught any external hacks. So either those alerts were ignored or bypassed. Once again, internal.

    That said, I'll probably be proved wrong.

    1. Anonymous Coward

      Re: Internal hack?

      Most likely an issuer, but, if it is, then it would have to be one that is issuing millions a month, as they would not be storing the track 1 and 2 data unless specifically requested to by the banks. They can only store the data for a max of 30 days, preferring it to be deleted after personalisation. If they were not deleting it, they were either breaking MasterCard and Visa rules, or had another service provided to the banks that needed it, which would allow them to keep it if it was encrypted.
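The two posts above turn on what actually sits in track 1 versus track 2 and on whether a processor retains it. As an added illustration that is not code from the thread or from any party named in the article, the scanner below parses the ISO 7813 track layouts from constructed log lines, uses a Luhn check to avoid flagging ordinary 16-digit ids, and masks bare PANs to first-six/last-four, the usual PCI DSS display limit; the sample lines, field names and the bracketed redaction markers are my own assumptions.

```python
import re

# Constructed sample log lines (not real data): 4111111111111111 is a well-known
# test PAN; 1234567890123456 is a 16-digit order id that fails the Luhn check.
SAMPLE_LOG = [
    "10:01:02 auth ok pan=4111111111111111 amt=42.00",
    "10:01:05 debug track2=;4111111111111111=1512101123456789?",
    "10:01:07 debug track1=%B4111111111111111^DOE/JOHN^1512101123456789?",
    "10:02:00 order id=1234567890123456 status=shipped",
]

# ISO 7813 layouts: track 1 = %B<PAN>^<NAME>^<YYMM><service code>...?,
# track 2 = ;<PAN>=<YYMM><service code>...?  (discretionary data follows).
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})[^?]*\?")
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})[^?]*\?")
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits):
    """Luhn checksum; rejects most 13-19 digit numbers that are not PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask_pan(pan):
    """Keep at most the first six and last four digits (the PCI DSS limit)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def parse_track(s):
    """Return fields of a track 1 or track 2 record found in s, else None."""
    m = TRACK1_RE.search(s)
    if m:
        return {"track": 1, "pan": m[1], "name": m[2], "expiry": m[3], "service_code": m[4]}
    m = TRACK2_RE.search(s)
    if m:
        return {"track": 2, "pan": m[1], "expiry": m[2], "service_code": m[3]}
    return None

def scan_line(line):
    """Classify one log line; return (findings, redacted_line)."""
    findings = []
    t = parse_track(line)
    if t:
        # Full track contents must never be retained after authorisation.
        findings.append("track%d" % t["track"])
        line = TRACK1_RE.sub("[TRACK1 REDACTED]", line)
        line = TRACK2_RE.sub("[TRACK2 REDACTED]", line)
    for p in [p for p in PAN_RE.findall(line) if luhn_ok(p)]:
        findings.append("pan")
        line = line.replace(p, mask_pan(p))
    return findings, line
```

Running `scan_line` over each entry of `SAMPLE_LOG` flags the two track records and the bare PAN while leaving the Luhn-failing order id untouched.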

  12. JDX Gold badge

    Is this me?

    My MBNA Visa card suddenly stopped working only yesterday and when I contacted them it was due to "VISA warned us you had a transaction with a suspected compromised merchant in the last year". Is that likely to be the same thing and they didn't want to tell me the true story? Or an unrelated coincidence - it happens from time to time?

  13. amanfromMars 1 Silver badge

    As useless as a chocolate teapot ...... or a case for compensation re fraudulent claim?

    "It is reassuring that our security processes detected an intrusion. It is crucial to understand that this incident does not involve our merchants or their relationships with their customers," said chairman and CEO Paul R. Garcia in an email.

    And very revealing that they cannot prevent an intrusion. Does the security software supplier only promise to detect, sometime after the fact, and not prevent and protect against intrusions?

  14. Pascal Monett Silver badge

    "It is reassuring that our security processes detected an intrusion"

    Yeah, just like a fireman could say "it was useful that we saw the smoke - it helped alert us to the fact that there was a fire".

    Come on, guys, an intrusion detection system would have given the alert in time for sysadmins to actually do something about it.

    What we have here is most probably forensic deductions from the analysis of access data. That's not what I call an "intrusion detection system", merely good sysadmins digging through the mounds of data on the trail of the perps.

    If the hackers had inside help for their access, which is what seems to be rather commonly accepted, then they didn't trip any of the wires that the so-called "intrusion detection system" would have flagged.

    On the other hand, kudos to the keyboard sleuths that found the trail and followed it. That is no mean feat - especially in a banking environment that is just about as complex as it can get.

  15. zen1

    ahem.. anybody remember Heartland Processing?

    A large scale assault like this doesn't simply happen without serious intelligence of the inner workings of the target. As in the case of Heartland Processing, after all of the process improvements supposedly implemented by the PCI, and based on all the crap I've personally witnessed in small and midsized data thefts, it's always fairly well organized externally and includes one or more people on the inside willing to sell out. Cheaply...

    Here's a novel thought: Screen your people, institute penalties on personnel and management if there are data breaches and ffs encrypt the snot out of everything on the INSIDE!

    Also, I'd seriously crack down on the companies that develop POS terminals and their associated systems. Here's another freebie idea: why not just do away with the third party processors altogether? Card is issued by a bank and that bank interacts directly with the card companies.

    This kind of shit, in my opinion, is completely avoidable and is inexcusable.

    Also, while we're at it, why not just institute more severe penalties on financial institutions that are lax with their security as well as the individuals and the organizations they work for, that are convicted.

  16. Boris S.

    Time to hold all accountable

    The 3rd party processor and the hackers should all go to prison and pay for the costs associated with this hack.

    1. Anonymous Coward

      Re: Time to hold all accountable

      You forgot to include everyone involved in their PCI audits.

  17. Anonymous Coward

    Fresh meat on the way Bubba!

    Somebody is gonna get an arse reeeming.

  18. Anonymous Coward

    PCI-DSS

    I found totally inappropriate vendor software doing horrible things, but it was wrapped up in an "application protocol" and unless you know what it's doing, you can keep your PCI compliance simply by outsourcing stuff and "working with the vendor."

    My rule is: only text goes in and out and it all gets verified by a network device as well as at the destination.

    I've seen banks put in automated remote access protocol flows from web-frontend to database systems. Weirdly, banks are often not PCI compliant.

    Most of the anti-fraud tech these days is behavioural. PCI is a great starting place for security but it's limited to infrastructures and data-flows. It doesn't look at odd things happening with the data.

    1. Anonymous Coward

      Re: PCI-DSS

      Banks don't need to be compliant with anything, as it's 'their' own money they are playing with.

      Take some of these new instant issuance systems that are coming out. There are various tiers with automation; the cheap tier on one company that I will not name requires the operator to manually enter the card details, details that are supposed to be protected, and then it will just issue the new card for them.

      1. Anonymous Coward

        Re: PCI-DSS

        Banks do need to be compliant, because they get large fines from the PCI if they're not.

        The PCI are mainly payment processors, who aren't only banks, indeed many aren't banks at all.

  19. Anonymous Coward

    Down rated to 1.5 M cards hacked

    I'll bet people feel better now knowing that instead of ten million cards being stolen, only 1.5 million got taken.
