June 18, 2005

USA credit system is totally compromised, security-wise

I wondered when we'd see this. Tao points to news that 40 million card data units have been breached:

MasterCard International reported today that it is notifying its member financial institutions of a breach of payment card data, which potentially exposed more than 40 million cards of all brands to fraud, of which approximately 13.9 million are MasterCard-branded cards.

MasterCard International's team of security experts identified that the breach occurred at Tucson-based CardSystems Solutions, Inc., a third-party processor of payment card data.

This AP story mentions "the security breach involves a computer virus that captured customer data for the purpose of fraud" and MasterCard "did not know how a virus-like computer script that captured customer data got into CardSystems' network, which MasterCard said was infiltrated by an unauthorized individual."

At this point, Americans may as well get used to the fact that their entire data set is probably in the hands of criminals. (Up until this one broke, the running totals showed about 5 million.)

In my humble opinion, the credit system of the United States of America is totally compromised, security-wise. Given the size of the infrastructure, the complexity, the amount of money being made, the existing mess of laws, and the hidden assumptions, it will take decades to clean it up.

No amount of government intervention is going to make you safer, and will probably make things more dangerous for you. Companies have no interest in your security, only in your continuing payments. Get used to it. About all I can suggest is that each and every American learn how the credit system works; take your own steps to secure your identity - there are some cunning tricks. You are on your own, for the foreseeable future.

Also see Emergent Chaos for likely more pervasive coverage. Slashdot has a rash of jokes:

there are some numbers hackers can't steal

for everything else there's MasterCard

(Accepted all over, even if it's not yours.)

And then there's:

Interest rate: 20%

Annual Fee: $40

Randomly being declined because the machine is on the fritz: $1-$1000 purchase down the drain.

Being the target of fraud through no fault of your own: Priceless.

Posted by iang at June 18, 2005 08:55 AM | TrackBack
Comments

How to terrorize the American financial system: simply leave it alone. So Europe must be safe and sound, no issues there at the moment.

Perhaps Google is looking to exploit this situation.

Posted by: Jim at June 18, 2005 10:18 AM

What "cunning tricks" for securing your identity do you have in mind?

Posted by: MarkM at June 18, 2005 10:59 AM

If your identity goes bad, just get another one. :^)


This case will be interesting. Very interesting.

@Jim: Not sure about Europe. Consider http://www.niscc.gov.uk/niscc/docs/br-20050616-00494.html

Posted by: Chris Walsh at June 18, 2005 11:18 AM

Yes, CardSystems Solutions, Inc., will soon announce a new identity ...

Posted by: Iang at June 18, 2005 12:02 PM

I'm sure there are comparable breaches in Europe. After all, the technology is quite similar, and so are the threats. It's just that in the applicable regulative framework, the preferred business decision is one against disclosure.

Given the extent of the problem, disclosure is about to become meaningless anyway. What exactly does it mean when your credit card data has been *potentially* compromised? What should you do?

Posted by: Florian Weimer at June 18, 2005 04:44 PM

What protects your charges is not the number. It was previously knowledge of the number. Now what protects your charges ON AN ESTABLISHED ACCOUNT is the predictability of human behavior. You may have never realized that you do not shop on Tuesday or on Thursday before 4pm. You may not have noticed that you purchase all your hardware between 9-10 on weekday mornings off the web. Mastercard and Visa are now depending almost entirely on real-time evaluation of charges to detect fraud.

Don't confuse the use of established accounts with some history, which are currently protected only to the degree that your behavior is predictable, with creation of new false accounts.

And of course the information is in the hands of criminals. Do you think they are too clueless to purchase large-scale databases sold by businesses, data brokers and governments? The difference between stolen account numbers and those purchased through legitimate fronts is that at least the stolen ones are property ONLY of the criminals that took them, as opposed to any criminal with the minimal initiative to set up an account at a CRA or data broker.

The data are all compromised. So, what does that mean to the profit of card companies? It makes switching card companies more risky to the user, and established accounts more valuable to the company.

The credit card companies are handling the risk. It is the shifting of risk on the consumer, the new egregious bankruptcy laws, and the value/risk allocation of instant credit that is the problem. And x million more card numbers "lost" won't alter that fundamental problem.

-Jean

Posted by: L Jean Camp at June 20, 2005 02:38 PM

@Jean:

Of course the bad guys have the CC#s. The Honeynet people (as but one example) have conclusively proven that, and you are right that it isn't news as long as the fraud-detection systems keep the TTL of a stolen CC# sufficiently small.

The interesting thing about this case, to me, is that CardSystems seems to have made a very poor risk decision. They seem to have deployed known (or should have known) insecure box(es), and then deliberately gone against the advice of one of their largest sources of revenue (MC and Visa) and stored what should have been volatile data on it/them for troubleshooting purposes. I won't mention the legal risk. This, it seems to me, is a dumb thing to have done, even if the CC #s (or ones which are just as good) are available for $5 apiece via IRC. To me, the fact that a firm which should be totally on top of this sort of risk would do something so foolhardy is a noteworthy point for anyone who is looking to build systems that need to incorporate this kind of human element.

Posted by: Chris Walsh at June 20, 2005 03:40 PM

Jean,

so if you are correct (and I don't doubt it) the next thing that we will see is *histories* being traded as phishers seek to optimise their extraction strategies.

Perhaps then we'll see an open source project for managing and improving shadow credit histories...

Sounds more and more like the phishers are just intelligence agencies with a more refined profit motive than the traditional ones.

Posted by: Iang at June 24, 2005 06:31 AM