As details unfold about a massive security
crack that exposed more than 40 million credit card accounts, security experts, legislators and corporate IT
administrators are jockeying about ways to plug leaky data problems.
The data breach at CardSystems Solutions, the latest in a growing list of data leaks involving scams and absent-minded workers, is believed to be the largest to date. It happened when intruders exploited software security vulnerabilities, MasterCard
International spokeswoman Jessica Antle told internetnews.com.
In addition to an FBI criminal investigation into the case, the Federal Financial Institutions Examination Council (FFIEC), a group composed of five federal banking regulators, has launched an probe into the CardSystems Solutions incident.
A spokesperson for the FFIEC said the investigation is expected to last two weeks.
Nearly 70,000 MasterCard account numbers were especially at risk because
they were kept in a file exported from CardSystems’ database, Antle said.
MasterCard’s security team discovered abnormal usage patterns on certain
cards after fraud monitoring systems received picked up on the clues.
CardSystems said in a statement that it alerted the FBI to the possibility of a security hole in May.
“We understand and fully appreciate the seriousness of the situation. Our
goal is to cooperate fully with the FBI to complete the investigation and
ensure that we do nothing that might compromise the investigation.”
The probe also found that the Atlanta-based payment processor did not
meet MasterCard’s security regulations. CardSystems should not have held
onto MasterCard’s records, and later compounded the problem by storing the
transaction data in unencrypted form, Antle said.
The FBI declined to comment on the investigation.
John Pescatore, a vice president and research fellow at Gartner, said
tighter security measures must be a priority in the fight against data loss and identity fraud.
“It is very clear there are more targeted attacks going after financial
information,” he said. “These attacks are happening more and more because
the institutions have been getting away sloppy with sloppy security
practices for a long time.
“It is important to note that these companies are not following standard
practices. There are plenty of known ways to protect this data.
It is security 101.”
The make-up of hackers now focusing on financial intuitions such as
MasterCard are more likely to be part of organized crime syndicates in
Eastern Europe and Asia then teenagers hacking for sport, if recent history is any indication.
Thieves who take part in swiping legally obtained credit card account
numbers, also known as “carders,” often operate international members-only Web sites with names like carderplanet.com, shadowcrew.com detailing these exploits.
In October 2004 The U.S. Secret Service busted up such a ring and made arrests in eight states and worked with local law enforcement in six countries stemming from the investigation of
these bulletin boards that were the focal point of talk about identity theft
schemes. Among the crews pinched were carderplanet.com and shadowcrew.com.
The investigation was a joint operation of the Secret Service, the U.S. Department of Justice, foreign law
enforcement agencies and investigators from the financial services industry.
Avivah Litan, an analyst at Gartner, said Visa and MasterCard
both have sound security policies and rules in place. But they are not
doing enough to ensure credit card processors are doing the same.
“This wouldn’t have happened if CardSystems was obeying the association
rules. It’s not necessarily just CardSystems problem. It’s really Visa and MasterCard’s problem because they put out these rules but they don’t enforce them,” she said.
According to Litan, the card associations don’t make it clear what the penalties are and don’t audit compliance.
“It’s meaningless, in a sense, to have a good program on paper if it doesn’t translate into implementation,” she added. “All these breaches are
exacting a steep toll on consumer confidence and trust, and something’s got
The headlines haven’t slowed since data broker ChoicePoint’s admission in February that it was duped into turning customer data over to thieves.
Next came Bank of America’sdata loss, then
LexisNexis’s own admission that it lost some customer data, as well as several educational institutions including the University
of California at Berkeley, Boston College and Harvard University.
Congress is keen to address the issue. Several bills are building momentum for a national law requiring data breach disclosure by companies who lose their customer’s data. As it stands now, only California has a law in place requiring such measures though other states are pursuing similar legislation.
Dianne Feinstein, a California Democrat, is pushing a bill to fine
companies up to $50,000 a day for every day they don’t notify customers about data breaches. Most companies, however, are behind a national disclosure law. Indeed, the savvy ones are scrambling to get ahead of the law by notifying customers before any law tells them to.
But Gartner’s Litan doesn’t expect Congress to advance anything with much teeth behind it.
“Most companies respond to sticks and regulation and if you don’t put
penalties in place then they’re not going to pay any attention to it, that’s
really the bottom line; because if you look at what drives compliance and
security spending, it’s regulations,” Litan said. “I expect [Congress] to
ratchet up the noise but don’t expect them to do anything meaningful because
the financial services lobby is too strong.”
A May 2005 survey of 8,200 consumers conducted by Lightspeed Research
showed that over 80 percent of respondents felt threatened by online
identity theft and online fraud.
The survey also indicated that 80 percent of respondents would have more
trust in their account provider — and greater confidence in transacting
online — if their provider offered a hardware-based strong authentication
In addition, 44.5 percent of those surveyed said they would be more
likely to switch account providers if a competitor offered hardware-based
The sentiment has analysts bracing for a “solution revolution” from companies that specialize in identity management.
Take the new product launched by credit information management company
Intersections. Called Privacy Protect, the service will keep tabs on credit information as well as public information like DMV, criminal, and mortgage and real estate records. In addition to tracking a person’s credit information, such as who makes queries against it, it tracks how other unique information, which can be used for fraudulent activities, is accessed.
is another company rolling out new security features. The software security company now offers their online banking customers RSA SecurID two-factor authentication technology in order to deliver a more secure online user experience.
“We can’t underestimate the impact of people’s concerns,” John Worrall,
vice president of
worldwide marketing at RSA Security, said. “They are recognizing that the
data loss problem is getting worse.”
RSA clients include America Online
, Banco de
Credito e Inversiones (Chile), Credit Suisse, E*TRADE Financial and
Volkswagen Bank in offering consumer identity protection based on RSA
SecurID two-factor authentication technology.
Gartner’s Pescatore said the credit card industry would be wise to jump ahead of the problem too. “They left this open for legislation by not cleaning up their industry themselves.”
Jim Wagner contributed to this report