WTF?
"the card security code (CVC or CVV2) would be required to transact business."
Phew that's at least a hundred billion combinations.
What? It's only 3 digits long, but that's only.....Arrgggghhhh?
HSBC Turkey has confessed to a security breach exposing the details of 2.7m credit card accounts but the bank has made a decision not to reissue cards after deciding that the data exposed is not enough to make fraudulent transactions. The compromise – limited to the international bank's business in Turkey – exposed credit card …
Just because everything needed to complete fraudulent transactions was not stolen from one source does not mean that the remaining bits cannot be or have not been pulled from another source... or guessed. This appears to be a case of failing to get a basic security concept and then belligerently defending the mistake. Individual pieces of sensitive information can be assembled from a variety of sources. On their own, they may not do any harm, but together they can be used with great effect.
I would not look for any announcement on the actual outcome in terms of accounts hacked, but I am happy I do not count as one of their customers!
Surely it would be de rigueur for HSBC to replace the cards? How much would it cost? Isn't the bad publicity going to cost them more? For a few quid they could also produce a TV commercial saying how seriously they took security (apart from letting the data out of the door in the first place).
If you do a Traceroute on an HSBC account, regardless of country, you will find they all end up in New Jersey, USA. All the ATMs, via MUX systems, also end up in New Jersey.
If you e-mail any HSBC entity they, too, are routed through the HSBC 'e-mail washing machine'.
So why does a major breach not suggest that other regions in the HSBC banking computers cannot be equally easily penetrated? This is NOT the first time.
Sounds like a lot of PR tosh is being applied.