
Mastercard, Visa Confirm Credit Card Data Theft Described As 'Massive'



Posted

MasterCard, Visa confirm credit card data theft described as 'massive'

By Bob Sullivan

10 million accounts may be affected

Law enforcement officials are investigating what appears to be a massive theft of U.S. consumers' credit card data, MasterCard and Visa confirmed Friday. The computer security expert who first reported the theft said it might involve as many as 10 million accounts, making it one of the largest known credit card heists.

"MasterCard is currently investigating a potential account data compromise event of a U.S.-based entity and, as a result, we have alerted payment card issuers regarding certain MasterCard accounts that are potentially at risk," that association said in a statement. "Law enforcement has been notified of this matter and the incident is currently the subject of an ongoing forensic review by an independent data security organization."

Payment processor Global Payments said late Friday it was the target of the hack.

In a statement, the firm said it "identified and self-reported unauthorized access into a portion of its processing system." Earlier Friday, trading in Global Payments stock had been halted.

"In early March 2012, the company determined card data may have been accessed," the firm said. "It immediately engaged external experts in information technology forensics and contacted federal law enforcement. The company promptly notified appropriate industry parties to allow them to minimize potential cardholder impact. The company is continuing its investigation into this matter."

Payment processors -- "middle men" that handle transactions between retailers and banks -- have long been a target of identity thieves because of the enormous amounts of data they control. In 2008, Princeton, N.J.,-based Heartland Systems was hacked, exposing tens of millions of credit card account numbers to theft.

The theft confirmed Friday was first reported by well-known computer security journalist Brian Krebs on his blog, KrebsonSecurity.com. He reported that hackers had access to the then-unknown processor's data from Jan. 21 through Feb. 25, and were able to siphon off enough data to easily create counterfeit cards. His sources called the leak "massive."

Visa, in a statement, also acknowledged the data theft but said its own systems were not hacked.

“Visa Inc. is aware of a potential data compromise incident at a third party entity affecting card account information from all major card brands," the firm said. “Visa has provided payment card issuers with the affected account numbers so they can take steps to protect consumers through independent fraud monitoring and, if needed, reissuing cards."

Gartner security expert Avivah Litan said she's been told that the stolen data is already being used on the street by identity thieves.

"I’ve spoken with folks in the card business who are seeing signs of this breach mushroom. Looks like the hackers have started using the stolen card data more recently," she said.

She's been told that investigators believe the data theft originated in New York City.

"From what I hear, the breach involves a taxi and parking garage company in the New York City area, so if you’ve paid a NYC cab in the last few months with your credit or debit card — be sure to check your card statements for possible fraud," Litan said in her blog post on the topic.

MasterCard said none of its computers were hacked as part of the incident.

"MasterCard is concerned whenever there is any possibility that cardholders could be inconvenienced and we continue to both monitor this event and take steps to safeguard account information," the association added in its statement. "If cardholders have any concerns about their individual accounts, they should contact their issuing financial institution.... It is important to note that MasterCard's own systems have not been compromised in any manner. "

-- MSNBC 2012-03-31

Source: http://redtape.msnbc...ibed-as-massive

Posted

Ha- no more than what I've been saying for years.

Of course, the people that I speak to think I am wrong to believe that CCs are just an invitation to the crooks to steal your money, but "I TOLD THEM SO"!

Posted

Do not believe this is only in the US. On Tuesday I received a call from my UK bank saying my Visa card had been compromised??? I have not used it in 2 months and that was for a Thai flight on their website.

Posted

I can confirm this problem is not confined to the USA. It would also appear that not only credit cards are affected but debit Visa cards also. After trying to use my new unused Visa debit card in a Thai cash machine with no success I received a call from my UK bank's fraud department asking me if I had tried to use my new card. Once I confirmed I had, they then told me my card number was one of a batch that had been compromised and copied.

Posted

Soon I'll get the orders again

I am John Smith from America currently in Ghana (Nigeria, Indonesia, etc)

My Visa 4xxx xxxx xxxx xxxx

Please send me 100 pcs of your most expensive product asap and if no stock just send me anything you have......

Posted

I believe my MasterCard from a local Thai bank has been compromised to the tune of over 99,000 baht due to the above situation. I knew about the charges while online before the monthly statement was delivered to my home.

I have initiated two dispute forms with another soon to go out next week. I had only used the card two times in Jan. One in a major store here in Thailand and the other to a web site for hotel reservations here in Thailand. In March, I had four charges from New York City, London, and Miami. My account is paid off except for those four charges as of March.

Guess my local bank is not going to receive any more money until this thing is cleared up. They are definitely not getting the ten percent monthly minimum payment.

I can only be thankful that I caught it but how long it will take to clear up the matter depends on the bank. They are saying 120 days. That is four months of minimum payments according to their rules but not to mine for fraudulent charges.

Others should take note and watch their accounts.

Posted

Agoda didn't send confirmation for online booking late last night and THAI's online booking function looked disabled around the same time. Maybe they used the same payment clearing house? Anyone else having issues with those two sites?

Off to the airport to book direct anyway.

  • Like 1
Posted

Do not believe this is only in the US. On Tuesday I received a call from my UK bank saying my Visa card had been compromised??? I have not used it in 2 months and that was for a Thai flight on their website.

The way I read it, an American payment gateway / processor has been compromised, so cards from any nation that have processed online transactions by them are affected, not just US-based cards.

Posted (edited)

My job in the US was Risk Fraud Investigations for a major bank.

Here are the signs to look for, and easy watchdogs to employ.

(1) Stolen lists are tested first to see which are "live"..then the live list is sold.

(2) To test an account, a small sum is tried $1.29, $3.25...etc....and logged as "bank fee" or something that looks normal

(3) Shortly thereafter...presto...you just "bought" a bar of gold.

For years I have done the following..and it works.

Go to your on line banking.

Go to the "Alert" settings.

Set all alerts...both deposit and withdrawal to the smallest sum possible.

Every transaction that equals or exceeds that sum will be sent as an e mail alert.

It is easy to check e mail from anywhere...but quite foolish to check your bank statement from a public computer or smart phone.

Most of us here use cash most of the time, so the alerts are rare, and not bothersome.

ANY transaction you see and do not recognize must be acted on immediately. (They can deposit to test it too..)

Get the phone number of your bank, call it, and ask them if this is the number to call to report a potential fraud issue. You do not have time to figure this out later...be ready. (It should be on the back of your card)

Write an e mail with "Letter to Mom" ...or some other easy to remember tag...as the subject line and send it to yourself...so you can do a search for it when you need it. Include in the body of the e mail that phone number, your card number, issuing bank and CVV (the number on the back). Do not present card info in the correct order, or just remember that every time you see "3" it is actually "5" etc.

"Dear Mom, I was happy to send you $3,765 and the deposit of $2,343. I am concerned about the six thousand one hundred a twelve we gave Jeff. I loaned him $3,678 783 days ago and have not heard a word since."

That way, if you need to call, you have all your info. (Never write your PIN...anywhere...ever!) Like on the back of your bank book. ...Swear to god, a buddy of mine discovered his GF had done that. LOL.

If you have Skype, make that number a contact.

The second you see a transaction you do not know, drop everything and call...They get paid to service your account, and any call concerning fraud should be a "pleasure" for them to handle.

I also worked for a large processor in the US, up until now the largest CC hack in history...so know how bad this can get.

Edited by RichardinBKK
  • Like 1
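
The pattern described in the post above (a small "test" amount from an unfamiliar source, then a large charge shortly after), as an added example that is not part of the original thread. The thresholds, merchant names and transactions are constructed assumptions; deposits count as probes too, as the post notes.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from decimal import Decimal


@dataclass(frozen=True)
class Txn:
    when: datetime
    amount: Decimal  # negative = charge/withdrawal, positive = deposit
    merchant: str


# Assumed thresholds; tune them to the account's normal activity.
PROBE_MAX = Decimal("5.00")      # ceiling for a "test" amount
CASHOUT_MIN = Decimal("500.00")  # floor for a follow-up large charge
WINDOW = timedelta(days=7)       # how long after a probe to look for one


def find_card_testing(txns, known_merchants):
    """Return (probe, followups, severity) for each small transaction
    from a merchant the cardholder does not recognise."""
    ordered = sorted(txns, key=lambda t: t.when)
    alerts = []
    for i, t in enumerate(ordered):
        # Small amounts from recognised merchants are normal activity.
        if t.merchant in known_merchants or abs(t.amount) > PROBE_MAX:
            continue
        # Large unrecognised charges that land inside the window.
        followups = [
            u for u in ordered[i + 1:]
            if u.when - t.when <= WINDOW
            and u.amount <= -CASHOUT_MIN
            and u.merchant not in known_merchants
        ]
        severity = "probe+cashout" if followups else "probe"
        alerts.append((t, followups, severity))
    return alerts


def _t(day, amount, merchant):
    return Txn(datetime(2012, 3, day), Decimal(amount), merchant)


# Constructed sample statement (not real data).
KNOWN = {"GROCER BKK"}
SAMPLE = [
    _t(1, "-45.00", "GROCER BKK"),
    _t(3, "-1.29", "BANK FEE"),          # small debit, unfamiliar source
    _t(4, "3.25", "ADJ CREDIT"),         # small deposit used as a test
    _t(5, "-2.50", "GROCER BKK"),        # small but recognised: ignored
    _t(6, "-4200.00", "BULLION DEALER"), # the "bar of gold"
    _t(20, "-1.00", "MISC SVC"),         # probe with no follow-up yet
]

if __name__ == "__main__":
    for probe, followups, severity in find_card_testing(SAMPLE, KNOWN):
        print(severity, probe.when.date(), probe.amount, probe.merchant,
              [f.merchant for f in followups])
```

A bare "probe" result is the case the post says to act on immediately, before any large charge appears.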
Posted

I have been aware of this risk for years, every year I have to tell Mastercard not to keep raising my credit limit, they increase this automatically if you don't stop them. Same with my Visa card, I keep a minimal amount in the account it applies to. With Internet banking it is easy and fast to transfer funds from a non card account when needed.

Posted

Was just leaving to catch a return flight to Oz from Swampybum airport on the 24th of March this year. Got a call from my bank at 4:30 am (8:30am Oz time) asking if I was in the USA. Someone had done a 1k $US cash advance on my MasterCard. I had also used it to book an hotel with Agoda and a flight with Thai.

Posted

One more point....

I have a "Father" / "Son" account setup.

The father account holds 99% of my Thai funds. It has never been used to purchase...anything...ever.

Since I am on line anyway to book flights or make purchases...it is a two minute operation to transfer funds to the "Son"...my daily walking around card that only has about 30,000 baht / max in it at a time, and make on line transaction through it.

To negotiate a fraud case even from the US, where you can sit in front of a bank officer is a ring of hell. I never want to know how hard it would be in Thailand, at a local branch office.

You do know the branches are not connected..yes? There is no central data center, unless you go on line and link the accounts.

  • Like 1
Posted

Part of the problem is the garbage these financial institutions keep in their system.

I know of an Investment Firm in which the investment account was closed (Totally Emptied) 18-years ago and during this 18-years the guy who did have that account 18-years ago is still receiving a Statement of Accounts each and every month. In the beginning the guy informed the Investment Co. that the account is EMPTY and stop sending statements. NO ACTION. Next the guy sends correspondence including the empty account statements to the CEO of the Investment Co. NO Action.

Another guy I know had a MasterCard with Citi. The card had very little use due to the high foreign exchange rate to US $ in which the Credit Card account was maintained by the bank.

The bank terminated the account and the card holder paid the last Statement. For the past seven years the bank keeps sending statements on an account that has been terminated by them, and paid.

This has been reported from the bottom to the top of the bank but the monthly statement of a non existing credit card keeps coming.

The financial outfits are like the Thai Tourist Authority all they are after is chasing numbers and the bigger the numbers the better.

Posted

The problem with the system is that the term "PCI Compliant" (look it up) means they are all using condoms...and each has a tiny hole in it. They are 99.9% protected, until the last millisecond of the transaction cycle, where the Credit card Companies refuse to agree to have a standardized encrypted hand over. That's right, each has their own "last key."

That last key, where much profit resides (Example...If First Data changed the "last key" from proprietary to universal... their customers could easily change processors and still use their equipment.) is where the hackers get in. Time and time again.

Anyway, judging from the "Non-response" on TV...no one much cares.

Have a good day...

Posted

<Never write your PIN...anywhere...ever!>

I used to really enjoy going to my bank and when they asked me to use my card I would just tell them that I couldn't because I couldn't remember my pin number, and it was THEIR rules not to write it down! If I had to use my card, I could've just used a machine, and they could all have been sacked, so I felt justified in making them do their job!

Posted

I certainly don't care. Haven't got one of those plastic invitations to hackers to steal all my money. I just laugh whenever I hear another hacking story.

I fully expect more such tales to be reported over the coming years.

The real crunch will come when they do away with cash altogether and force people to use some sort of electronic device instead. That's when the crims will become very rich, and everyone else very poor.

Posted

Sure you don't care? You don't have any debit or credit cards at all?

Posted

Thanks to RichardinBKK for the very good information in post numbers 10 and 13 of this thread !

  • Like 1
