A rogue chink in credit card armor
Security is re-evaluated as a processing company says it should not have retained data.
By HELEN HUNTLEY
Published June 21, 2005
When you swipe your credit card at a discount store, you are putting your trust in a global electronic network that processes trillions of dollars in transactions every year.
When everything goes right, your purchase will be approved in less than a minute and you'll walk out of the store with the goods. That's possible because both the merchant and the bank that issued your credit card use processing companies that communicate electronically.
But failures can be spectacular.
On Friday, MasterCard reported a security breach at CardSystems Solutions, a credit card payment processing company. Thieves used a computer program to electronically snatch information on about 200,000 credit card accounts of all brands and were in a position to gather information on millions of other accounts.
John M. Perry, chief executive of CardSystems, acknowledged that the company should not have been retaining those records, the New York Times reported Monday. He said the data was in a file being stored for "research purposes" to determine why certain transactions had gone unauthorized or uncompleted.
"We should not have been doing that," Perry said. "That, however, has been remediated." As for the sensitive data, he added, "We no longer store it on files."
Security experts say there's a lot that could be done to improve security for financial and personal information. Not counting the CardSystems security lapse, nearly 60 breaches of personal financial information have been reported this year, with the potential to affect as many as 13.5-million people.
Sophisticated security systems are supposed to keep data safe while giving consumers access to speedy credit. Computers flag questionable transactions and check them against previous spending patterns and even against transactions occurring throughout a card network. Visa says its latest software can identify coordinated attacks on multiple accounts as they occur. The process works most of the time. Visa says fraud in its system is at an all-time low, 5 cents for every $100 worth of transactions, or .05 percent of the more than $3-trillion global Visa transactions every year.
Visa and MasterCard prohibit card processors from keeping cardholder information, such as names, account numbers, expiration dates and security codes.
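The retention mistake described above, a "research" file that kept account numbers and security codes, is one a processor can prevent at the point of storage. Below is an added example (not code from CardSystems or any card network) that strips the fields the brands prohibit, keeps only the last four digits plus a keyed one-way token so repeated declines on the same card can still be studied, and audits a record before it is written. The field names, the sample transaction and the key are constructed for this example.

```python
import hmac
import hashlib

# Fields the card brands (per the article) prohibit processors from retaining.
PROHIBITED_FIELDS = ("cardholder_name", "account_number", "expiration", "security_code")

# Constructed secret for the example; a real deployment would keep this in a key store.
LINK_KEY = b"example-only-key-not-for-production"

def sanitize_for_research(txn: dict) -> dict:
    """Return a record safe to keep for analysing declined or uncompleted transactions.

    Keeps the decline reason, merchant and amount; replaces the account number
    with its last four digits plus a keyed one-way token so repeated failures on
    the same card can still be linked; drops name, expiry and security code.
    """
    pan = txn["account_number"].replace(" ", "")
    token = hmac.new(LINK_KEY, pan.encode(), hashlib.sha256).hexdigest()[:16]
    return {
        "txn_id": txn["txn_id"],
        "merchant_id": txn["merchant_id"],
        "amount": txn["amount"],
        "result": txn["result"],
        "reason_code": txn.get("reason_code"),
        "pan_last4": pan[-4:],
        "pan_token": token,
    }

def retained_prohibited_fields(record: dict) -> list:
    """Audit check: list any prohibited fields present in a record about to be stored."""
    return [f for f in PROHIBITED_FIELDS if f in record]

# Constructed sample transaction (test account number, not a real card).
SAMPLE_TXN = {
    "txn_id": "T-0001",
    "merchant_id": "M-4471",
    "amount": "59.95",
    "result": "declined",
    "reason_code": "05",
    "cardholder_name": "J. Sample",
    "account_number": "4111 1111 1111 1111",
    "expiration": "09/07",
    "security_code": "123",
}

if __name__ == "__main__":
    safe = sanitize_for_research(SAMPLE_TXN)
    print(retained_prohibited_fields(SAMPLE_TXN))  # all four prohibited fields present
    print(retained_prohibited_fields(safe))        # []
```

Running the audit check against every record before it reaches a research file is the control the article says was missing; the token lets analysts group failures without holding anything usable for fraud.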
"CardSystems provides services and is supposed to pass that information on to the banks and not keep it," MasterCard senior vice president Joshua Peirez told the New York Times. "They were keeping it."
MasterCard discovered the pattern of fraud that pointed to Tucson, Ariz.-based CardSystems. The FBI, which is investigating the breach, initially was concerned that 40-million accounts of all brands were potentially exposed. Investigators now say information on 200,000 was actually stolen.
The information taken is not enough for thieves to steal cardholders' identities. It did not include Social Security numbers or birth dates, information commonly required to open new credit accounts. However, it was plenty of information to allow the thieves to ring up charges on the stolen accounts. The security codes, which appear on the back of credit cards and are used by some retailers to verify transactions, made the information particularly valuable for thieves. So far only MasterCard has said its customers' cards were fraudulently used.
On Monday card processors who work for banks and credit unions were trying to assess the extent of the damage to their customers. Depending on transaction details, either the bank issuing the card or the merchant will be on the hook for fraudulent charges.
Consumers don't have to worry about having to pay the bills even if their card numbers were among those stolen. Under federal law, they are liable for no more than $50 in fraudulent transactions on any credit card.
Visa and MasterCard pledge zero liability on both credit cards and debit cards used with a signature. (Protection for debit cards used with a PIN number depends on when the fraud is reported and the issuing bank's policy.)
Consumers should review credit card statements for unauthorized charges, and if they find any, ask promptly for them to be removed. Calling the issuing bank and then following up in writing is a good idea. If someone has used a card without your permission, ask the bank for a new card and account number.
One of the most commonly proposed fixes to improve security for financial and personal information is data encryption. If it were used, someone hacking into a computer system could get the data but would not be able to read it.
"In today's world, this kind of information about consumers is as valuable as cash and it should be guarded like cash," said Anthony Caputo, chief executive of SafeNet, a company that provides encryption technology, high-speed networks and data-security services for the Pentagon and the Homeland Security Department.
"The old ways of doing things just won't work anymore," he told the San Antonio Express-News.
As a result of the security lapses, dozens of state and federal laws have been proposed to address the issue. Sen. Charles Schumer, D-N.Y., has proposed creating an Office of Identity Theft under the auspices of the Federal Trade Commission.
The bureau would set minimum security standards for any entity handling sensitive personal data, including Social Security and driver's license numbers, medical information and credit and bank account information.
Failure to meet "reasonable standards," according to Schumer's proposal, could result in fines of up to $1,000 for each affected consumer.
--Information from the New York Times and the San Antonio Express-News was used in this report. Helen Huntley can be reached at firstname.lastname@example.org or 727 893-8230.
[Last modified June 21, 2005, 04:50:10]