Shostack + Friends Blog Archive


CardSystem Solutions, 40,000,000 CC, hacker

The New York Times (and probably everyone else) is reporting that “MasterCard Says 40 Million Files Are Put at Risk.”

MasterCard said its investigation found that CardSystems, in violation of MasterCard’s rules, was storing cardholders’ account numbers and security codes on its computer systems. That information, MasterCard said, was supposed to be transferred to the bank handling the merchants’ transactions but not retained by CardSystems.
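The MasterCard finding quoted above is a retention failure: card numbers and security codes that were only supposed to pass through the processor on their way to the acquiring bank were sitting in its systems. The check an operator wants here is a scan of their own stores and logs for exactly that data. Below is an added example of such a scan, written for this post and not code from the original, from CardSystems or from MasterCard. It pulls out 13-19 digit runs that pass the Luhn check, flags fields labelled as security codes, and masks what it finds so the report does not become a second copy of the data. The sample records are constructed and use the standard card-brand test numbers rather than real accounts.

```python
import re

# Constructed sample records, standing in for what a retention audit of a
# processor's database or logs might find. The PANs are the well-known
# card-brand test numbers, not real accounts.
SAMPLE_RECORDS = [
    "2005-06-17 txn=1001 merchant=M123 pan=4111111111111111 cvv=123 amt=42.10",
    "2005-06-17 txn=1002 merchant=M123 pan_last4=1111 amt=9.99",
    "2005-06-17 txn=1003 merchant=M777 pan=5555555555554444 exp=0907",
    "2005-06-17 txn=1004 merchant=M777 ref=1234567812345678 amt=3.00",  # fails Luhn
]

# A run of 13-19 digits not embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")
# Common field labels for the card security code followed by 3-4 digits.
CVV_RE = re.compile(r"\b(?:cvv|cvv2|cvc|cid)\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Standard Luhn mod-10 check; every real card number passes it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the Luhn-valid digit runs in text; these are candidate PANs."""
    return [m.group(1) for m in PAN_RE.finditer(text) if luhn_valid(m.group(1))]


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits (issuer prefix and the
    'last 4' customers already see); mask everything in between."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_records(records: list) -> list:
    """Scan each record for retained card data. Findings carry only masked
    values so the audit output is safe to store and share."""
    findings = []
    for idx, rec in enumerate(records):
        for pan in find_pans(rec):
            findings.append({"record": idx, "kind": "pan", "value": mask_pan(pan)})
        if CVV_RE.search(rec):
            # The security code must never be stored at all, so the finding
            # does not repeat it, even masked.
            findings.append({"record": idx, "kind": "security_code", "value": "[redacted]"})
    return findings


if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        print(f"record {f['record']}: retained {f['kind']} {f['value']}")
```

Running it over the constructed records reports the full PAN in records 0 and 2 and the security code in record 0; the truncated `pan_last4` value and the non-Luhn reference number are ignored. The Luhn filter is what keeps a scan like this from drowning in transaction ids, timestamps and reference numbers, and the masking is what keeps the audit report from becoming the next thing that has to be protected.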

CardSystems, being a bank, has not yet gotten the message that the rules have changed, and there’s no message on their homepage.

You and I have no way to protect ourselves from this. Shredding your statements doesn’t make a difference. You can’t ask a store clerk “Who’s your credit card acquirer?” (Well, you can, and they are unable to tell you. They know, at best, “swipe and check signature.” They have no idea what happens behind that.)

Congress needs to step in to regulate these industries who take these risks with our personal information, where we can’t protect ourselves, negotiate, or even know that the company exists.

[Update: Bob Sullivan has an analysis at “40 million credit cards exposed,” and Slashdot has a story with a roundup in the summary. Chris Walsh covers my back with the irony and sarcasm at “Prepare for the onslaught of ‘priceless’ jokes.” Richard Bejtlich has some insightful comments in “Cardsystems Solutions Intrusion Exposes 40m CC,” including catching this quote from Mastercard’s press release about GLBA, the fancy new bank “privacy” law:

“Currently, GLBA only applies to financial institutions providing services to consumers, including MasterCard. MasterCard urges Congress to extend that application to also include any entity, such as third party processors, that stores consumer financial information, regardless of whether or not they interact directly with consumers.”

And with that, I’m going to be paying attention to the most excellent practical attacks on prox cards talk here at REcon, and missing some additional blog posts on this.]

6 comments on "CardSystem Solutions, 40,000,000 CC, hacker"

  • DM says:

    Coming soon from a card holding company near you….

  • USA credit system is totally compromised, security-wise

    I wondered when we’d see this. Tao points to news that 40 million card data units have been breached: MasterCard International reported today that it is notifying its member financial institutions of a breach of payment card data, which potentially…

  • Pete says:

    “Congress needs to step in to regulate these industries who take these risks with our personal information, where we can’t protect ourselves, negotiate, or even know that the company exists.”
    I agree. They should limit the amount lost to any individual to at maximum $50 or perhaps $0. Then, they should make all credit cards voluntary instead of the mandatory system we currently have…. hmmm. In any case, they should do something to increase the fees for everyone well past the “overhead” we currently share with these incidents.
    This is all great use of Congress’ time, given the 100 TRILLION times a consumer willingly hands their credit card over to some unknown clerk at a retail store – a much greater risk to any individual consumer, in my opinion, than these silly FUD headlines that seem to have caught everyone’s fancy.

  • I’m sticking with Adam on this one. Some instances, it’s fair to say caveat emptor (in Europe, where fraud rates are much higher, the card never leaves your presence). The credit card industry is as much a utility as cable in terms of infrastructure functionality. I fail to see how knee-jerk anti-regulation snark is going to prevent fees (which are, as was pointed out, voluntary) from ballooning as the cap grows.
    Regulation is needed to provide mechanisms for downstream due diligence. It’s clearly not there now.

  • John Kelsey says:

    This sure looks like an externality to me. I run a business in a way that works well for me, but imposes costs on you that I get to ignore. That seems like one of the classic good arguments for regulation of some kind, though that sure doesn’t tell you how to do the regulation to make things better.

  • Bob says:

    Who the heck said this was done by a hacker? More like a theft, not a hacker. A hacker is a computer programmer, software developer, or the like.
