Sethhaniel 15:06 21 Jun 2005

Millions of credit cards plundered by hackers
By Will Knight

More than 40 million credit card customers are at risk of fraud after hackers pilfered data from a US company that processes online transactions.

CardSystems Solutions, a payment processing firm based in Arizona, US, has also admitted to backing up thousands of records - contrary to proper procedure - potentially giving hackers easy access during the network intrusion.

The breach was identified by Mastercard, which commissioned an independent investigation at CardSystems Solutions, following an unusually high number of fraudulent transactions.

The investigation was carried out in May 2005 by computer forensics experts who discovered a rogue computer program installed on the company's network and found evidence that more than 40 million sets of credit card details may have been stolen by cyber-intruders. Several tens of thousands of cards are at particular risk, as there is clear evidence they were copied from the system.

On Friday, 17 June, Mastercard issued a statement warning that 13.9 million of its customers are among those affected. And a statement issued on the same day by CardSystems Solutions emphasises the severity of the break-in. "We understand and fully appreciate the seriousness of the situation," the statement reads. "Our customers and their customers are our lifeblood. We are sparing no effort to get to the bottom of this matter."

But CardSystems has also admitted to mismanaging thousands of card records which were subsequently stolen. John Perry, chief executive of CardSystems Solutions, told The New York Times that more than 200,000 stolen records had been backed up on its systems for "research purposes", contrary to proper procedure.

Mastercard and Visa prohibit payment processing companies from retaining card information after a transaction has been completed. "We should not have been doing that," Perry says. "That, however, has been remediated."

Investigators' first step will be to trawl through logs to try and identify the network addresses of the computer used to break into the network, says Neil Barrett, a computer security expert with UK company Information Risk Management.

However, he adds that such information can be fairly easily disguised in order to frustrate the efforts of investigators. Another approach is to watch for fraudulent transactions involving stolen information, and then attempt to trace this back to the culprits of the break-in.

Peter Sommer, a computer security expert at the London School of Economics, also in the UK, says the incident merely highlights the dangers of mishandling sensitive customer data. "There's nothing new about this risk, and the end user can do nothing," Sommer told New Scientist. "Most security breaches happen simply because hackers are persistent. And, if you are holding important information like this, you can't afford a single breach."

Barrett also admits that such a crime seems inevitable, given the number of transactions occurring online every day. "It's criminal business as usual, I'm afraid," he says.

  spuds 15:18 21 Jun 2005

There was a programme on BBC 2 recently, and the programme gave some alarming facts about fraud, hacking and the like. It is surprising the amount of 24/7 observations that are going on from little underground bunkers, that are keeping watch on unusual internet activities. Scary in the least.

  ventanas 16:25 21 Jun 2005

Does this only affect American cardholders, or is it worldwide? Would like to know as I have a Mastercard.

  wiz-king 18:03 21 Jun 2005

It will affect any card that has been used to make a payment to any firm that uses CardSystems Solutions to process its payments. Could be anywhere but I would think mainly in the States, but if they handle cards for someone like eBay then it would be worldwide. Your card supplier is probably on the phone to them at a high level to discuss liability, so at least the lawyers will get rich. You should not suffer more than a slight delay for a card replacement if you are affected as it is no fault of yours.

  GANDALF <|:-)> 18:12 21 Jun 2005

I fail to see any cause for panic. The company will rectify this quickly and any losses will be repaid quickly.


  jan-boy 22:44 21 Jun 2005

The old wise wizard has spoken again. :)

  ventanas 08:27 22 Jun 2005

"so at least the lawyers will get rich." That's good news then, I was wondering where my next holiday was coming from. No intention of panicking, as fully aware of the situation regards misuse. Just curious.

  Sethhaniel 08:58 22 Jun 2005

"It is surprising the amount of 24/7 observations that are going on from little underground bunkers, that are keeping watch on unusual internet activities. Scary in the least."
Recommend a good read 'Digital Fortress' by Dan Brown (author of best selling 'The Da Vinci Code')
(which has the main topic of Hackers & back door/insider jobs) which, like your findings, shows that they are there like vultures ready to pounce at the first weakness.

  LastChip 10:14 22 Jun 2005

of three high profile data losses in the USA in the past couple of months.

Another bank "lost" backup tapes via UPS and it took weeks to discover the loss!

A University "lost" a laptop with thousands of student details including the equivalent of our National Insurance numbers. In this case the question has to be; Why was such sensitive information UNENCRYPTED on a laptop?

You may think you are safe, but you better wake up, because some organisations are just not taking data protection seriously. I've been accused on occasions of paranoia over security, but it's all coming home to roost.

  Aspman 13:58 22 Jun 2005

What isn't being said is that this has happened loads of times over the last 20 years.

The shock is that Mastercard have come out and admitted it.

  Sethhaniel 11:32 23 Jun 2005

LONDON (AFP) - A newspaper reporter was able to buy the personal details of 1,000 British bank customers from a telephone call centre in India, throwing doubt on the security of such offshore outposts, a report said.

The Sun newspaper said its journalist had paid a computer expert in New Delhi 5,000 dollars (4,100 euros) to obtain account numbers, bank card details, secret passwords and other information.

The 24-year-old IT worker told the paper he had obtained the information from a network of contacts inside call centres used by British banks, which have mushroomed in India over recent years.

According to the report, the man formerly trained call centre staff, and said he was also able to get information on US banking clients.

Among the information he sold was details from credit and debit cards such as expiry dates and security numbers, which could be fraudulently used to make purchases.

City of London police, the force which takes in the financial centre of the British capital, said late Wednesday it had launched an investigation after being handed information by a newspaper.

"All the financial institutions identified have been fully informed of the situation," a police spokeswoman said.

"At this stage we are not fully aware of the breadth of what we are going to be investigating. We have been handed information and it is being reviewed."

In an editorial column, the Sun called the story "a scandal".

British banks "will want guarantees from the Indian government that the full rigour of the law will be used against the crooks", it added.

Thousands of jobs have been lost in Britain over recent years as banks and other companies such as insurance firms moved call centres handling customer enquiry and sales calls to India.

The country is popular among British firms due to the generally good level of English spoken and the far lower wages earned by Indian staff.
