[17557] in cryptography@c2.net mail archive


FWD: Cardholders Kept in Dark After Breach -- Washington Post

daemon@ATHENA.MIT.EDU (David Chessler)
Fri Jun 24 11:35:28 2005

X-Original-To: cryptography@metzdowd.com
Date: Fri, 24 Jun 2005 01:05:22 -0400
To: cryptography@metzdowd.com
From: David Chessler <chessler@capaccess.org>

I had been planning to call my active credit card companies to determine
whether any had been compromised. This article caused me to start the
process this morning, calling American Express, my most active account.

After thanking me for carrying their card for 21 years, they refused to
tell me whether any of my three cards was among those compromised. They
tried to tell me that they have all sorts of "anti-fraud" procedures. Even
so, it was Master Card and not American Express that first uncovered the
problem, and there is no way I can reliably double check an account that
has dozens of charges a month, many of them posted in the name of parent
companies located at head offices in other cities, so that many of the
charges are not easily verified and must usually be taken on faith.

Accordingly, I told them to cancel all three cards and send me new ones.
They were not happy, but were unwilling to tell me whether the cards had
been compromised. Perhaps if they have the expense of replacing many
customers' credit cards, some necessarily and many unnecessarily, they will
start taking security and customer service more seriously.

When I get the new American Express cards I will call the second most
active card in my wallet, and so on down the list.


http://www.washingtonpost.com/wp-dyn/content/article/2005/06/22/AR2005062202037.html
http://www.washingtonpost.com/wp-dyn/content/article/2005/06/22/AR2005062202037_pf.html


washingtonpost.com
Cardholders Kept in Dark After Breach
Some Banks Decline to Tell Customers Whether Accounts Were Compromised

By Mike Musgrove
Washington Post Staff Writer
Thursday, June 23, 2005; D05

Consumer advocates said credit card customers have been denied crucial
information in the wake of a recent data breach, as some major banks are
declining to tell cardholders whether their account may have been accessed
by hackers.

In a security lapse disclosed by MasterCard International Inc. last week,
40 million credit card and debit card numbers were exposed to an intruder
who gained access sometime last year through a credit-processing firm. An
interagency group of federal banking regulators has begun an investigation
into the incident.

Meanwhile, Internet security firm Secure Computing Corp. warned yesterday
that a fresh appearance of an old e-mail scam appears to come from
opportunistic fraudsters hoping to use fear about the recent data theft as
a way to trick MasterCard customers into giving up their account
information.

Companies such as J.P. Morgan Chase & Co., Citigroup Inc., American Express
Co. and MBNA Corp. said that they are not automatically alerting their
customers that their information may have been exposed but that they are
more closely monitoring the accounts that may have been affected. The
policy was reported yesterday on CNetNews.com.

Such credit-card-issuing banks said MasterCard and Visa have shared with
them lists of account numbers that may have been compromised. Though such
accounts may earn heightened scrutiny from the banks that issued them,
customers may never know whether their account numbers were among those
stolen by hackers.

"Those accounts have been flagged, and we're watching them even more
closely than we otherwise would," said Jim Donahue, spokesman at MBNA. "If
we start to see an unusual rate of fraud [among the set of compromised
accounts], we would consider notifying those customers impacted -- but we
haven't seen that yet."

MasterCard said yesterday that it is up to banks that issue credit cards to
determine whether to contact cardholders.

Consumer watchdog groups decried such policies as bad for consumers.

"That sounds really bad to us," said Chanelle Hardy, legislative counsel at
Consumers Union, the nonprofit publisher of Consumer Reports magazine. "Any
time that any unauthorized person gets access to sensitive or personal
information, [the cardholder] should be notified," she said. "For a
consumer, it's the first line of defense. It's almost their only line of
defense."

The breach reported last week occurred at a processing center in Tucson
operated by CardSystems Solutions Inc. and may have been the largest such
theft. CardSystems did not return a call for comment yesterday.

The Federal Financial Institutions Examination Council has issued
guidelines for when a bank should disclose to its customers that account
information may have been stolen.

Michael L. Jackson, chairman of the FFIEC's information technology
subcommittee, said yesterday that it was too early in the investigation to
recommend one course or another.

There has not yet been any fraudulent activity associated with the stolen
credit card numbers, said Sharon Gamsin, vice president of communications
at MasterCard. If bogus charges do show up, customers often are not held
responsible but can spend years clearing their credit ratings if someone
steals their identity.

Within 24 hours of last week's news of the breach, a new version of an
Internet scam was circulating on the Web. In an e-mail forged to look as if
it had come from MasterCard, recipients were urged to log in to a
counterfeited MasterCard site and enter their account information.

That Web site had apparently been taken down yesterday afternoon. It was
registered in the name of Tucson resident Donald Cuppe, whose wife said in
an interview yesterday that the couple knew nothing about the site but had
received a call from their bank on Monday alerting them that their Visa
debit card number was stolen.

Washingtonpost.com staff writer Brian Krebs contributed to this report.

© 2005 The Washington Post Company




-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D=
-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D=
-=3D-=3D-=3D-

*** FAIR USE NOTICE. This message contains copyrighted material the use of
which has not been specifically authorized by the copyright owner. This
Internet discussion group is making it available without profit to group
members who have expressed a prior interest in receiving the included
information in their efforts to advance the understanding of literary,
educational, political, and economic issues, for non-profit research and
educational purposes only. I believe that this constitutes a 'fair use' of
the copyrighted material as provided for in section 107 of the U.S.
Copyright Law. If you wish to use this copyrighted material for purposes of
your own that go beyond 'fair use,' you must obtain permission from the
copyright owner.

For more information go to:
http://www.law.cornell.edu/uscode/17/107.shtml

---------------------------------






---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
