[ISN] MasterCard Says 40 Million Files Are Put at Risk

InfoSec News isn at c4i.org
Mon Jun 20 02:29:52 EDT 2005

Forwarded from: jpippin <jpippin at nc.rr.com>


June 18, 2005

MasterCard International reported yesterday that more than 40 million
credit card accounts of all brands might have been exposed to fraud
through a computer security breach at a payment processing company,
perhaps the largest case of stolen consumer data to date.

MasterCard said its analysts and law enforcement officials had
identified a pattern of fraudulent charges that were traced to an
intrusion at CardSystems Solutions of Tucson, Ariz., which processes
more than $15 billion in payments for small to midsize merchants and
financial institutions each year.

About 13.9 million MasterCard accounts were compromised as well as
those of unspecified numbers of Visa, American Express and Discover
customers. The accounts affected included credit cards and certain
kinds of debit cards.

The F.B.I. said it was investigating.

Sharon Gamsin, a MasterCard spokeswoman, said an infiltrator had
managed to place a computer code or script on the CardSystems network
that made it possible to extract information. She would not elaborate
on how long the breach might have lasted, on when the inquiry began or
on whether any infiltrators had been identified. She did say that the
breach occurred this year.

Deborah McCarley, a spokeswoman for the F.B.I. field office in
Phoenix, said that her agency was trying to establish the scope of the
breach and that "the investigation is just beginning."

MasterCard said its investigation found that CardSystems, in violation
of MasterCard's rules, was storing cardholders' account numbers and
security codes on its own computer systems. That information,
MasterCard said, was supposed to be transferred to the bank handling
the merchants' transactions but not retained by CardSystems.

Bill Reeves, a CardSystems spokesman, said last night that "there is
quite a bit of transactional data that goes back and forth," but he
declined to say whether the company was inappropriately storing
consumer data, as MasterCard indicated.

CardSystems said it identified a potential security problem on May 22
or May 23 and contacted the F.B.I., then the Visa and MasterCard
associations. It said steps were taken immediately to ensure all
systems were secure. "Our goal is to cooperate fully with the F.B.I.,"
it said.

According to MasterCard, an unauthorized person was able to exploit
the security vulnerability and gain access to CardSystems' network,
exposing cardholders' names, account numbers and expiration dates as
well as the security code, typically three or four digits also printed
on the credit card.

"The processing companies are hubs for millions of payment records,"
said Chris Hoofnagle, senior counsel for the Electronic Privacy
Information Center, a digital rights group based in Washington. "It is
the juiciest target for an individual who wants account numbers. It is
a honeypot for identity thieves." He suggested that customers monitor
their bills for unauthorized charges and consider asking their card
issuer for a new account number.

MasterCard said other personal data that might contribute to identity
theft, like Social Security numbers and dates of birth, was not stored
on its cards and therefore not at risk. And it said credit card
holders would not be liable for any fraudulent charges to their

It said specific advice to cardholders as to precautions or recourse
would have to come from the banks issuing the cards.

Officials at major card issuers like Citigroup said they had been
notified of the breach only recently - in some cases as late as
yesterday - and were still assessing the scope of the problem.

Janis Tarter, a spokeswoman for Citigroup's credit card division, said
her company would notify customers likely to be at risk and more
closely monitor any accounts that might have been affected. A Chase
Card spokesman said his company was taking similar steps.

MasterCard said the investigation began when it was notified by
several banks that they had detected atypical levels of fraudulent
charges. In turn, MasterCard began monitoring information from those
accounts for common purchasing points. Using complex data-analysis
systems and the assistance of an outside forensics firm, it was able
to home in on an unspecified bank receiving spending data from

"When we started to dig into it, working with the bank and working
with their systems, we detected it couldn't be them and basically
triangulated at the process and arrived at CardSystems Solutions,"
said John Brady, MasterCard's head of merchant risk services. He said
CardSystems was "no longer storing the sensitive data."
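The investigative method the article describes, issuers reporting cards with unusual fraud and the network then looking back through those cards' earlier transactions for a shared point, is what fraud teams call common-point-of-purchase (CPP) analysis. The following is an added illustration written for this post; it is not MasterCard's, CardSystems' or the forensics firm's code. All transaction records, card tokens, merchant names and the processor labels PROC-A, PROC-B and PROC-C are constructed sample data. It ranks candidate points by lift (the share of fraud-reported cards seen at a point divided by the share of all cards seen there), so a point every card passes through scores 1.0 and is not treated as evidence, and it discards transactions that happened after the fraud was reported, since those cannot explain the compromise.

```python
"""Common-point-of-purchase analysis over constructed transaction history.

Added example, not code from the article's subjects. Card identifiers are
issuer-side tokens, never account numbers; all data below is made up.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set


@dataclass(frozen=True)
class Txn:
    card: str        # issuer-side card token (constructed; not a PAN)
    merchant: str    # merchant where the card was used (constructed)
    processor: str   # acquiring processor that routed the authorisation (placeholder)
    day: int         # days since an arbitrary epoch


def _txns(cards: Iterable[str], merchant: str, processor: str, day: int) -> List[Txn]:
    return [Txn(c, merchant, processor, day) for c in cards]


# Cards that issuing banks reported as showing atypical fraud (constructed).
FRAUD_CARDS: Set[str] = {"C1", "C2", "C3", "C4", "C5", "C6"}
CLEAN_CARDS: Set[str] = {"C7", "C8", "C9", "C10"}
ALL_CARDS = sorted(FRAUD_CARDS | CLEAN_CARDS)
FRAUD_REPORTED_DAY = 30

# Constructed history. Every card shopped at the grocer (routed via PROC-A),
# so that point explains nothing. The fraud cards shopped at different
# merchants, but every one of those merchants was routed through PROC-C.
HISTORY: List[Txn] = (
    _txns(ALL_CARDS, "GROCER", "PROC-A", 2)
    + _txns(["C1", "C2", "C3"], "GAS-STATION", "PROC-C", 5)
    + _txns(["C4", "C5", "C6", "C7"], "SHOE-SHOP", "PROC-C", 6)
    + _txns(["C1", "C2", "C8", "C9"], "BOOKSTORE", "PROC-B", 8)
    + _txns(["C10"], "GAS-STATION", "PROC-C", 35)   # after the fraud reports; must be ignored
)


def common_point_of_purchase(history: Iterable[Txn], fraud_cards: Set[str],
                             key: str = "processor", before_day: Optional[int] = None,
                             min_fraud_cards: int = 3) -> List[dict]:
    """Rank candidate points (merchants or processors) shared by the fraud cards.

    coverage = fraction of fraud cards that transacted at the point
    lift     = coverage / (fraction of all cards that transacted there)
    Points touched by fewer than min_fraud_cards fraud cards are dropped to
    avoid chasing coincidences.
    """
    cards_at = defaultdict(set)
    all_cards: Set[str] = set()
    for t in history:
        # Only history before the fraud surfaced can explain the compromise.
        if before_day is not None and t.day >= before_day:
            continue
        cards_at[getattr(t, key)].add(t.card)
        all_cards.add(t.card)

    ranked = []
    for point, cards in cards_at.items():
        hits = len(cards & fraud_cards)
        if hits < min_fraud_cards:
            continue
        coverage = hits / len(fraud_cards)
        base_rate = len(cards) / len(all_cards)
        ranked.append({"point": point, "fraud_cards": hits,
                       "coverage": coverage, "lift": coverage / base_rate})
    ranked.sort(key=lambda r: (r["lift"], r["coverage"]), reverse=True)
    return ranked


if __name__ == "__main__":
    for level in ("merchant", "processor"):
        print(f"--- by {level} ---")
        for row in common_point_of_purchase(HISTORY, FRAUD_CARDS, key=level,
                                            before_day=FRAUD_REPORTED_DAY):
            print(f"{row['point']:<12} fraud_cards={row['fraud_cards']} "
                  f"coverage={row['coverage']:.2f} lift={row['lift']:.2f}")
```

Running it at merchant level shows no single merchant covering more than half of the fraud cards, while at processor level PROC-C covers all of them with the highest lift; that is the step from "it couldn't be the bank" to a specific processor that the article describes. In practice the same pass would be run at acquirer, processor and merchant granularity and on a larger window of history, with the date cut-off taken from the earliest confirmed fraudulent charge.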

Although 40 million credit card accounts were said to have been put at
risk, it is not clear whether data on all of those accounts, or only
some, was actually stolen. Nor would MasterCard and investigators
detail the number of individuals affected or dollar amounts involved
in any of the fraud detected.

The breach represents by far the largest in a relentless string of
recent security failures at financial institutions, data aggregators,
media companies and other organizations that compile, store and
transmit consumer data.

Just last week, the financial giant Citigroup announced that nearly
four million consumer records, stored on magnetic computer tapes, had
been lost during a routine shipment by United Parcel Service to a
credit reporting agency. Those tapes were not encrypted and they have
not yet been found.

The growing concern over many of these breaches has been that
information like Social Security numbers, names, addresses and dates
of birth can be used to open new lines of credit, secure loans and
otherwise engage in identity theft.

But the account numbers exposed in the most recent incident are the
real lingua franca of cybercriminals, who either use them to purchase
stolen goods, secure cash advances or sell the numbers in bulk at
underground sites on the Internet.

Three of the most notorious online sites engaged in credit-card fraud
and peddling, known as ShadowCrew, DarkProfits and CarderPlanet, were
taken down in an extensive investigation by the F.B.I., known as
Operation Firewall.

But other sites - typically based in Russia and other parts of the
former Soviet Union - continue to thrive, and "dumps" of credit-card
numbers are routinely advertised, bought and sold.

It is far from clear where the CardSystems data was being siphoned to,
but Mark Rasch, the former head of computer crime investigations for
the Justice Department and now senior vice president of Solutionary, a
security company that has several payment processing outfits as
clients, said the breach appeared to be particularly savvy.

"We've seen data security breaches involving computer viruses and
worms," Mr. Rasch said, "but not typically at a processor. What's
unique about this is that it appears to be a very targeted attack,
which makes it sound very clever and insidious."
