Forwarded from: jpippin <jpippin@private>

http://www.nytimes.com/2005/06/18/business/18cards.html

By ERIC DASH and TOM ZELLER Jr.
June 18, 2005

MasterCard International reported yesterday that more than 40 million credit card accounts of all brands might have been exposed to fraud through a computer security breach at a payment processing company, perhaps the largest case of stolen consumer data to date.

MasterCard said its analysts and law enforcement officials had identified a pattern of fraudulent charges that were traced to an intrusion at CardSystems Solutions of Tucson, Ariz., which processes more than $15 billion in payments for small to midsize merchants and financial institutions each year.

About 13.9 million MasterCard accounts were compromised as well as those of unspecified numbers of Visa, American Express and Discover customers. The accounts affected included credit cards and certain kinds of debit cards. The F.B.I. said it was investigating.

Sharon Gamsin, a MasterCard spokeswoman, said an infiltrator had managed to place a computer code or script on the CardSystems network that made it possible to extract information. She would not elaborate on how long the breach might have lasted, on when the inquiry began or on whether any infiltrators had been identified. She did say that the breach occurred this year.

Deborah McCarley, a spokeswoman for the F.B.I. field office in Phoenix, said that her agency was trying to establish the scope of the breach and that "the investigation is just beginning."

MasterCard said its investigation found that CardSystems, in violation of MasterCard's rules, was storing cardholders' account numbers and security codes on its own computer systems. That information, MasterCard said, was supposed to be transferred to the bank handling the merchants' transactions but not retained by CardSystems.

Bill Reeves, a CardSystems spokesman, said last night that "there is quite a bit of transactional data that goes back and forth," but he declined to say whether the company was inappropriately storing consumer data, as MasterCard indicated.

CardSystems said it identified a potential security problem on May 22 or May 23 and contacted the F.B.I., then the Visa and MasterCard associations. It said steps were taken immediately to ensure all systems were secure. "Our goal is to cooperate fully with the F.B.I.," it said.

According to MasterCard, an unauthorized person was able to exploit the security vulnerability and gain access to CardSystems' network, exposing cardholders' name, account numbers and expiration dates as well as the security code, typically three or four digits also printed on the credit card.

"The processing companies are hubs for millions of payment records," said Chris Hoofnagle, senior counsel for the Electronic Privacy Information Center, a digital rights group based in Washington. "It is the juiciest target for an individual who wants account numbers. It is a honeypot for identity thieves."

He suggested that customers monitor their bills for unauthorized charges and consider asking their card issuer for a new account number.

MasterCard said other personal data that might contribute to identity theft, like Social Security numbers and dates of birth, was not stored on its cards and therefore not at risk. And it said credit card holders would not be liable for any fraudulent charges to their accounts. It said specific advice to cardholders as to precautions or recourse would have to come from the banks issuing the cards.

Officials at major card issuers like Citigroup said they had been notified of the breach only recently - in some cases as late as yesterday - and were still assessing the scope of the problem.

Janis Tarter, a spokeswoman for Citigroup's credit card division, said her company would notify customers likely to be at risk and more closely monitor any accounts that might have been affected. A Chase Card spokesman said his company was taking similar steps.

MasterCard said the investigation began when it was notified by several banks that they had detected atypical levels of fraudulent charges. In turn, MasterCard began monitoring information from those accounts for common purchasing points. Using complex data-analysis systems and the assistance of an outside forensics firm, it was able to home in on an unspecified bank receiving spending data from merchants.

"When we started to dig into it, working with the bank and working with their systems, we detected it couldn't be them and basically triangulated at the process and arrived at CardSystems Solutions," said John Brady, MasterCard's head of merchant risk services. He said CardSystems was "no longer storing the sensitive data."

Although 40 million credit card accounts were said to have been put at risk, it is not clear whether data on all of those accounts, or only some, was actually stolen. Nor would MasterCard and investigators detail the number of individuals affected or dollar amounts involved in any of the fraud detected.

The breach represents by far the largest in a relentless string of recent security failures at financial institutions, data aggregators, media companies and other organizations that compile, store and transmit consumer data.

Just last week, the financial giant Citigroup announced that nearly four million consumer records, stored on magnetic computer tapes, had been lost during a routine shipment by United Parcel Service to a credit reporting agency. Those tapes were not encrypted and they have not yet been found.

The growing concern over many of these breaches has been that information like Social Security numbers, names, addresses and dates of birth can be used to open new lines of credit, secure loans and otherwise engage in identity theft.

But the account numbers exposed in the most recent incident are the real lingua franca of cybercriminals, who either use them to purchase stolen goods, secure cash advances or sell the numbers in bulk at underground sites on the Internet.

Three of the most notorious online sites engaged in credit-card fraud and peddling, known as ShadowCrew, DarkProfits and CarderPlanet, were taken down in an extensive investigation by the F.B.I., known as Operation Firewall. But other sites - typically based in Russia and other parts of the former Soviet Union - continue to thrive, and "dumps" of credit-card numbers are routinely advertised, bought and sold.

It is far from clear where the CardSystems data was being siphoned to, but Mark Rasch, the former head of computer crime investigations for the Justice Department and now senior vice president of Solutionary, a security company that has several payment processing outfits as clients, said the breach appeared to be particularly savvy.

"We've seen data security breaches involving computer viruses and worms," Mr. Rasch said, "but not typically at a processor. What's unique about this is that it appears to be a very targeted attack, which makes it sound very clever and insidious."