FWD: Cardholders Kept in Dark After Breach -- Washington Post

David Chessler chessler at capaccess.org
Fri Jun 24 01:05:22 EDT 2005


I had been planning to call my active credit card companies to determine 
whether any had been compromised. This article caused me to start the 
process this morning, calling American Express, my most active account.

After thanking me for carrying their card for 21 years, they refused to 
tell me whether any of my three cards was among those compromised. They 
tried to tell me that they have all sorts of "anti-fraud" procedures. Even 
so, it was MasterCard and not American Express that first uncovered the 
problem, and there is no way I can reliably double check an account that 
has dozens of charges a month, many of them posted in the name of parent 
companies located at head offices in other cities, so that many of the 
charges are not easily verified and must usually be taken on faith.

Accordingly, I told them to cancel all three cards and send me new ones. 
They were not happy, but were unwilling to tell me whether the cards had 
been compromised. Perhaps if they have the expense of replacing many 
customers' credit cards, some necessarily and many unnecessarily, they will 
start taking security and customer service more seriously.

When I get the new American Express cards I will call the second most 
active card in my wallet, and so on down the list.


http://www.washingtonpost.com/wp-dyn/content/article/2005/06/22/AR2005062202037.html
http://www.washingtonpost.com/wp-dyn/content/article/2005/06/22/AR2005062202037_pf.html


washingtonpost.com
Cardholders Kept in Dark After Breach
Some Banks Decline to Tell Customers Whether Accounts Were Compromised

By Mike Musgrove
Washington Post Staff Writer
Thursday, June 23, 2005; D05

Consumer advocates said credit card customers have been denied crucial 
information in the wake of a recent data breach, as some major banks are 
declining to tell cardholders whether their account may have been accessed 
by hackers.

In a security lapse disclosed by MasterCard International Inc. last week, 
40 million credit card and debit card numbers were exposed to an intruder 
who gained access sometime last year through a credit-processing firm. An 
interagency group of federal banking regulators has begun an investigation 
into the incident.

Meanwhile, Internet security firm Secure Computing Corp. warned yesterday 
that a fresh appearance of an old e-mail scam appears to come from 
opportunistic fraudsters hoping to use fear about the recent data theft as 
a way to trick MasterCard customers into giving up their account information.

Companies such as J.P. Morgan Chase & Co., Citigroup Inc., American Express 
Co. and MBNA Corp. said that they are not automatically alerting their 
customers that their information may have been exposed but that they are 
more closely monitoring the accounts that may have been affected. The 
policy was reported yesterday on CNetNews.com.

Such credit-card-issuing banks said MasterCard and Visa have shared with 
them lists of account numbers that may have been compromised. Though such 
accounts may earn heightened scrutiny from the banks that issued them, 
customers may never know whether their account numbers were among those 
stolen by hackers.

"Those accounts have been flagged, and we're watching them even more 
closely than we otherwise would," said Jim Donahue, spokesman at MBNA. "If 
we start to see an unusual rate of fraud [among the set of compromised 
accounts], we would consider notifying those customers impacted -- but we 
haven't seen that yet."

MasterCard said yesterday that it is up to banks that issue credit cards to 
determine whether to contact cardholders.

Consumer watchdog groups decried such policies as bad for consumers.

"That sounds really bad to us," said Chanelle Hardy, legislative counsel at 
Consumers Union, the nonprofit publisher of Consumer Reports magazine. "Any 
time that any unauthorized person gets access to sensitive or personal 
information, [the cardholder] should be notified," she said. "For a 
consumer, it's the first line of defense. It's almost their only line of 
defense."

The breach reported last week occurred at a processing center in Tucson 
operated by CardSystems Solutions Inc. and may have been the largest such 
theft. CardSystems did not return a call for comment yesterday.

The Federal Financial Institutions Examination Council has issued 
guidelines for when a bank should disclose to its customers that account 
information may have been stolen.

Michael L. Jackson, chairman of the FFIEC's information technology 
subcommittee, said yesterday that it was too early in the investigation to 
recommend one course or another.

There has not yet been any fraudulent activity associated with the stolen 
credit card numbers, said Sharon Gamsin, vice president of communications 
at MasterCard. If bogus charges do show up, customers often are not held 
responsible but can spend years clearing their credit ratings if someone 
steals their identity.

Within 24 hours of last week's news of the breach, a new version of an 
Internet scam was circulating on the Web. In an e-mail forged to look as if 
it had come from MasterCard, recipients were urged to log in to a 
counterfeited MasterCard site and enter their account information.

That Web site had apparently been taken down yesterday afternoon. It was 
registered in the name of Tucson resident Donald Cuppe, whose wife said in 
an interview yesterday that the couple knew nothing about the site but had 
received a call from their bank on Monday alerting them that their Visa 
debit card number was stolen.

Washingtonpost.com staff writer Brian Krebs contributed to this report.

© 2005 The Washington Post Company




-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

*** FAIR USE NOTICE. This message contains copyrighted material the use of 
which has not been specifically authorized by the copyright owner. This 
Internet discussion group is making it available without profit to group 
members who have expressed a prior interest in receiving the included 
information in their efforts to advance the understanding of literary, 
educational, political, and economic issues, for non-profit research and 
educational purposes only. I believe that this constitutes a 'fair use' of 
the copyrighted material as provided for in section 107 of the U.S. 
Copyright Law. If you wish to use this copyrighted material for purposes of 
your own that go beyond 'fair use,' you must obtain permission from the 
copyright owner.

For more information go to:
http://www.law.cornell.edu/uscode/17/107.shtml

---------------------------------





