Fraud Due to a Credit Card Breach

This sort of story is nothing new:

Hannaford said credit and debit card numbers were stolen during the card authorization process and about 4.2 million unique account numbers were exposed.

But it's rare that we see statistics about the actual risk of fraud:

The company is aware of about 1,800 cases of fraud reported so far relating to the breach.

And this is interesting:

"Visa and MasterCard have stipulated in their contracts with retailers that they will not divulge who the source is when a data breach occurs," Spitzer said. "We've been engaged in a dialogue for a couple years now about changing this rule.... Without knowing who the retailer is that caused the breach, it's hard for banks to conduct a good investigation on behalf of their consumers. And it's a problem for consumers as well, because if they know which retailer is responsible, they can rule themselves out for being at risk if they don't shop at that retailer."

Posted on March 21, 2008 at 6:39 AM • 28 Comments

Comments

Jd Bertron • March 21, 2008 7:32 AM

I just went through the same hassle with my bank. They won't tell me (can't tell me) who authorized a transaction for $0.00.
I thought Visa/MC *only* authenticated the transaction, not the buyer. But why be so secretive about the merchant's identity?

hito • March 21, 2008 8:23 AM

Could this breach affect credit cards outside the US? Yesterday I was the victim of credit card fraud after years of careful behavior, and there was no change in my habits in the last weeks.

the other Alan • March 21, 2008 8:46 AM

We're a major retailer. I'm in I/T. We commonly refer to PCI as "pay cash instead".

Les • March 21, 2008 9:39 AM

PCI-DSS is actually one of the only sane security standards out there: 12 easy rules explained in 16 pages, all of them common sense for anyone with a basic notion of computer security.
What exactly is "intense" about encrypting credit card numbers, applying security patches, or having a firewall between payment applications and public networks?
If anything, the problem with PCI-DSS is that companies see it as a cure-all instead of the bare minimum that it is.

bob • March 21, 2008 10:07 AM

This makes perfect sense.

After all, who could be more thoroughly trusted to notify their customers of a security breach than the people who a) will suffer the most penalty from it in the form of lost sales, and who are also b) the organization whose lax procedures caused the event in the first place?

I mean, other than the government of course.

Benjamin Wright • March 21, 2008 10:37 AM

Bruce: The PCI was tacked onto the credit card system after the system was designed and widely implemented. The spirit behind PCI is that the system will work if only those lazy merchants will finally get around to expending great efforts to protect little secrets (i.e., names, numbers and addresses), that everyone uses over and over again. Further, the spirit of PCI says merchants are bad guys and privacy infringers if they fail to protect those secrets. In reality, it is maddeningly difficult (maybe utterly impractical) for real-world merchants (having in the aggregate millions of retail points of sale) to protect those little secrets, PCI or no PCI. Too much emphasis is placed on merchants protecting data. Loss of that data is not as important as spectacular announcements like Hannaford and TJX suggest. The discussion about credit card security -- and what does and does not constitute a "breach of security" needs to shift. http://hack-igations.blogspot.com/2007/09/... --Ben

jmr • March 21, 2008 12:11 PM

Me, I'm not worried about my credit card. My card is likely in the list of exposed card numbers. But, thankfully, the cost of a breach is an externality to me, so I don't care. If something bad happens to my credit, I'll just sue the credit reporting agencies to fix it and Hannaford's and my credit card company for my lost time; after all, they told me I was safe, right?

Technology already exists for customers to authenticate electronic transactions without divulging personal information to the merchant. It's the cost of updating those millions of point-of-sale devices, and the additional problem that the retailers WANT to know who you are (your name is on the credit card stripe, you know) so they can do their correlation that prevent new card technologies from being issued.

I imagine a world where I have a single small PIN-protected credit card with an LCD screen. I swipe my card through once, the amount appears on the LCD screen, I swipe it through again and that transaction gets authorized by the bank without the merchant ever having my personal information in their hands other than in encrypted form (to which only the bank has the key).

Blammo, now the encryption problem falls squarely on the shoulders of the bank and the merchants are free to be as insecure as they'd like to be.


Michael Janke • March 21, 2008 2:20 PM

I've always wanted to know what fraction of stolen card numbers actually get used illegally.

They've reported about 2000 cases of fraud out of about 4 million stolen numbers. I'd assume that they have not discovered (yet) all cases of fraud, perhaps only half of them or less.

In this hypothetical case, using really rough numbers, 4000 fraud incidents on 4 million cards is a ratio of about one in a thousand.

Interesting.

ekzept • March 21, 2008 6:08 PM

A bank once contacted me saying my VISA card wasn't good any longer because of such a security breach. They refused to identify the merchant that was responsible. This happened at a very awkward time, as I was about to leave on holiday. With some fuss on my part, the bank did quickly roll over the card to a new one.

Anonymous • March 21, 2008 6:16 PM

@Michael Janke:
> In this hypothetical case, using really rough numbers, 4000 fraud incidents on 4 million cards is a ratio of about one in a thousand.

I don't think that's the right statistic.

It would be more accurate to say that whoever stole this data has been using card numbers at the rate of about 17 per day, and has enough to last a long time. That suggests a relatively small group is currently using the numbers and they have not been widely distributed.

Now that they know the breach has been detected, they are more likely to do mass sales of blocks of numbers to carders.

Terry • March 22, 2008 6:55 AM

While I'm no contracts expert, it would seem that any contractual condition imposed about the identity of the source of a breach is not enforceable on the grounds of violation of public policy/public order, etc. Surely the banks are the victims of a crime as well as the individual cardholders and the retailers where the breach occurred. They should have a right to that information, should they not? I would hazard a guess that if a lawsuit was filed to recover damages as a result of the crime, Visa and Mastercard would be compelled to release this information.

Dom De Vitto • March 22, 2008 10:10 AM

Terry,
The end customer and the banks are never at a loss, as the issuer takes the hit, so they can't sue and can't get this information.

In effect the card issuer is insuring the merchant against loss from bad press.

COS • March 22, 2008 12:10 PM

A week ago today, I did my usual grocery shopping at the local Hannaford, using my usual Discover card, and the card was refused. I went home, called Discover, and was told they had cancelled my card since there had been some suspicious activity on it. Had I done some recent purchases at a Walmart store? My answer was no, since I never use that card at Walmart. My aha moment came when the security breach at Hannaford was reported in the press several days later. In any event, I was pretty impressed by how the credit card company had handled the incident.

C The Soup • March 23, 2008 11:22 AM

The problem with PCI (and what got Hannaford into trouble) was the vagueness of PCI as it relates to where the data must be encrypted. Hannaford does not employ terminal-to-processor encryption; some of it travels in plain text through their networks.

I work in IT Security for a national quick service restaurant concept, and we made sure that all credit information is encrypted when it is swiped, stays encrypted its entire life to the processor, and we remove any copies of the card information when we receive authorization. (Depending on your processor, you may not be able to remove the information from the systems until you send the daily batch.)

I can't believe in this day and age that anyone who accepts credit information doesn't ask themselves if they are doing everything they can to protect the data. I hope many people are terminated at Hannaford's. Especially since I -was- a customer...

C The Soup • March 23, 2008 10:53 PM

@ Jmr

Because the card holder doesn't see it as the "bank's secret", they see it as their own secret. If I don't do what I can to safeguard it, I'll lose their confidence (whether I should or not) and their business.

And for those of you who think it's the issuer, the bank, or the processor that takes the financial hit, you're wrong. The consumers pay for it indirectly through interest rates and fees. In addition, the merchant is charged fees as well, that are passed on to the consumer.

From a PR standpoint, the merchant takes the heat... that's why I make sure the data is safe, even if it's the "bank's secret".

Jeremy Duffy • March 24, 2008 6:17 AM

I'm surprised they haven't offered Fraud Alerts or Monitoring to their customers yet. That's rule #2 of data breaches after all: Make it appear that we're taking the initiative and hopefully prevent lawsuits by giving them something that doesn't help them at all, but appears to and that we probably get so cheap from the credit reporting companies that it's as if it cost us nothing...

Yeah, long rule I know. Rule #1 is shorter: Hide the breach if we can...

Weblover1 • March 24, 2008 4:57 PM

PCI like other regulations sets the minimum standard that should be met, but that is still far from being enough.

Niels • March 25, 2008 4:01 AM

The PCI compliance standard is made to prevent getting hacked. At this it is at best a best-practices guideline about how to deal with sensitive cardholder data.

It is however never intended to prevent fraud. Fraud is something that in the end cannot truly be prevented. You can only be prepared for it and deal with it appropriately. This latter part IS part of PCI compliance.

I think the guidelines in PCI could be a lot more precise though. Many guidelines state things like:
"Do you have virus scanning on all your machines?" If you answer yes you are good. However, the same guideline doesn't say if it actually has to scan, what you should do if it finds a lot of viruses, etc. In those aspects PCI is very much a guideline set that is thought up behind a desk rather than by an IT department.

Niels

Sue • April 10, 2008 8:10 PM

I just received a new credit card and account number from Discover in the mail. The letter that was sent with the 'new' card indicated that they were upgrading to a 'new' system and that my existing account would be closed and that my activity was transferred to the new account. I was very suspicious, because changing my account number is a pretty big deal. So I called Discover to find out that there was some security breach by 'some' merchants -- but that is all they would tell me. The letter did not mention any security breach at all. My husband and I have other 'Discover' cards and none of them were impacted. I'd like to know why Discover lied about the reason that they closed my account.

Sue

JL • April 22, 2008 12:20 PM

I travel around the world and am working on making my company's systems PCI compliant. It is maddening to use your CC in another country and see your number in plain text on the receipt. This is not isolated. It is the norm in Russia, Malaysia, and other countries. I wonder when processors will require merchants in other countries to at least mask the CC number?
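The masking JL is asking for is a concrete, checkable control: PCI DSS allows at most the first six and last four digits of a PAN to be displayed. The Python below is an added example, not code from this page or from any of the commenters: it scans constructed receipt and POS log lines for unmasked, Luhn-valid card numbers and rewrites them in the permitted masked form. The regex, the sample lines and the test card numbers (the widely published Visa/MasterCard test PANs) are assumptions made for the example.

```python
import re

# Candidate card numbers: an unformatted 13-19 digit run, or the common
# 4-4-4-4 and 4-6-5 groupings with a consistent space or dash separator.
# The lookarounds stop us matching inside a longer run of digits or a date.
PAN_RE = re.compile(
    r"""
    (?<![\d-])
    (?:
        \d{13,19}                           # unformatted
      | \d{4}([ -])\d{4}\1\d{4}\1\d{4}      # 4-4-4-4 grouping
      | \d{4}([ -])\d{6}\2\d{5}             # 4-6-5 grouping
    )
    (?![\d-])
    """,
    re.VERBOSE,
)


def luhn_ok(digits):
    """Luhn (mod 10) check digit test; filters order numbers and the like."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits, keep_first=6, keep_last=4):
    """PCI DSS display masking: at most the first six and last four visible."""
    hidden = len(digits) - keep_first - keep_last
    return digits[:keep_first] + "*" * hidden + digits[-keep_last:]


def _candidate_digits(match):
    """Strip separators from a regex match; return digits only if Luhn-valid."""
    digits = re.sub(r"[ -]", "", match.group(0))
    return digits if luhn_ok(digits) else None


def find_unmasked_pans(text):
    """Return the Luhn-valid card numbers found in text, separators stripped."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = _candidate_digits(m)
        if digits:
            found.append(digits)
    return found


def redact(text):
    """Replace every Luhn-valid card number in text with its masked form."""
    def repl(m):
        digits = _candidate_digits(m)
        return mask_pan(digits) if digits else m.group(0)
    return PAN_RE.sub(repl, text)


# Constructed sample input, not real transactions. 4111...1111 and
# 5555...4444 are the published Visa/MasterCard test numbers (Luhn-valid);
# the order number is 16 digits but fails Luhn and must be left alone.
RECEIPT = (
    "VISA ************1111   AUTH 123456\n"
    "MC   5555 5555 5555 4444   AUTH 654321\n"
    "ORDER 1234567890123456\n"
)
LOG_LINE = "2008-03-21 06:39:00 pos07 auth card=4111-1111-1111-1111 amount=42.17 rc=00"

if __name__ == "__main__":
    for sample in (RECEIPT, LOG_LINE):
        print("unmasked:", find_unmasked_pans(sample))
        print(redact(sample))
```

Run as a check over receipt templates, printer spool files or POS debug logs, `find_unmasked_pans` reports the violations and `redact` shows what the output should have looked like. Masking on display is only half the requirement: a PAN that is masked on the receipt but stored in the clear in the log is still a PCI DSS failure, and the `ORDER` line shows why the Luhn test matters, since a plain 16-digit regex would flag every order or loyalty number.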

Frustrated in PA • May 8, 2008 10:28 AM

Just received a "your account may have been compromised" letter from my credit card issuer. They will be issuing a new card and number. Fine. HOWEVER, I still wanted to know where the breach occurred so that I don't use my new card and number at the same place that caused the problem. Called my card issuer and was transferred around several times. No dice. This needs to be fixed, otherwise this problem could occur again. Why are they protecting the guilty party?

chris • May 11, 2008 7:27 AM

I had 2 attempts on May 10, 2008 to charge ~ $1200 each on two of my cards at Walmart.com. My card companies detected suspicious activity and contacted me, the charges did not go through. One of the cards, Discover, I use all the time. The other is a MasterCard that I have as a backup and rarely use. Last Christmas I tried to use my Discover card at Walmart.com to purchase a gift card for my sister and it wouldn't go through. I used my MasterCard instead. That was the last charge that I put on that MasterCard. I have a suspicion that Walmart may have had a, or another, security breach.

Scott • May 27, 2008 11:11 AM

I didn't know how easy it was to breach this info. I could not use my Discover Card over the weekend so I called them. They informed me that a whole slew of charges, including a $3000 charge, had gone through my account. I rarely use this card on the Internet so it didn't make any sense. Your article makes it more clear. It could have been one of the stores I shop at. This kind of makes you want to throw the plastic out and use cash!

Eric Womble • August 7, 2008 11:01 AM

Credit card theft is nothing new, but ask yourself what you are doing to help decrease the risk. Next time you go out to your local bar, restaurant, or store, ask the owner or GM if they are PCI compliant. Basically, do they have a managed firewall protecting the network POS, ATM or kiosk machines? If not, do not use your credit card, or even walk out and reply, "Sorry, but you're not protecting my best interests, so I'll go elsewhere." You may think it unrealistic, but ask yourself how easy it is for a bot program to steal your data and wipe your account. Thanks to the media, cyber theft will jump another 20% due to the fact that they showed them how to do it and how profitable it is. Truth be told, the majority of cyber thieves will never be caught, because most grab your data, wipe your account and are never seen again. Educate your local merchants and protect your best interests.

Moe • January 20, 2009 3:50 PM

Okay, so who pays the fees, since I need my card? This is unreal. Will the government ever get any control over these credit card companies?


Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..