March 30, 2012

VISA and MasterCard are alerting banks across the country about a recent major breach at a U.S.-based credit card processor. Sources in the financial sector are calling the breach “massive,” and say it may involve more than 10 million compromised card numbers.

Update, 4:32 p.m. ET: Atlanta-based processor Global Payments just confirmed that they discovered a breach in early March 2012. See their full statement and several other updates at the end of this story.

Original post:

In separate non-public alerts sent late last week, VISA and MasterCard began warning banks about specific cards that may have been compromised. The card associations stated that the breached credit card processor was compromised between Jan. 21, 2012 and Feb. 25, 2012. The alerts also said that full Track 1 and Track 2 data was taken – meaning that the information could be used to counterfeit new cards.

Neither VISA nor MasterCard has said which U.S.-based processor was the source of the breach. But affected banks are now starting to analyze transaction data on the compromised cards, in hopes of finding a common point of purchase. Sources at two different major financial institutions said that what most of the cards they analyzed seem to have in common is that they were used in parking garages in and around the New York City area.
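The common-point-of-purchase analysis mentioned above, sketched as an added example (not code from this article or from any bank): for each merchant it counts which alerted cards were used there during the exposure window and compares that with cards not named in the alert. The transactions, card ids, merchant names and the smoothed lift score are constructed for illustration; only the window dates come from the alerts described in the story.

```python
from collections import defaultdict
from datetime import date

# Exposure window stated in the card-brand alerts described in the article.
WINDOW = (date(2012, 1, 21), date(2012, 2, 25))

# Constructed sample data: (card_id, merchant, transaction date).
# Card ids are placeholders, not real account numbers.
TRANSACTIONS = [
    ("card-01", "GARAGE-A", date(2012, 1, 25)),
    ("card-01", "GROCER-1", date(2012, 2, 1)),
    ("card-02", "GARAGE-A", date(2012, 2, 3)),
    ("card-02", "COFFEE-1", date(2012, 2, 4)),
    ("card-03", "GARAGE-A", date(2012, 2, 20)),
    ("card-03", "GROCER-1", date(2012, 3, 5)),   # outside the window
    ("card-04", "GROCER-1", date(2012, 2, 2)),
    ("card-05", "COFFEE-1", date(2012, 2, 10)),
    ("card-06", "GROCER-1", date(2012, 1, 30)),
    ("card-07", "GARAGE-A", date(2012, 1, 10)),  # outside the window
    ("card-07", "COFFEE-1", date(2012, 2, 12)),
    ("card-08", "GROCER-1", date(2012, 2, 15)),
]
COMPROMISED = {"card-01", "card-02", "card-03"}  # cards named in an alert


def common_points(transactions, compromised, window, min_cards=2):
    """Rank merchants by how over-represented alerted cards are there."""
    start, end = window
    seen = defaultdict(set)          # merchant -> cards used there in window
    all_cards = set()
    for card, merchant, day in transactions:
        all_cards.add(card)
        if start <= day <= end:
            seen[merchant].add(card)
    clean = all_cards - compromised  # issuer's cards not named in the alert
    results = []
    for merchant, cards in seen.items():
        hit = cards & compromised
        if len(hit) < min_cards:
            continue                 # too few alerted cards to mean anything
        coverage = len(hit) / len(compromised)
        # Lift: share of alerted cards seen here vs. share of clean cards.
        # Add-one smoothing on the clean share avoids division by zero.
        clean_share = (len(cards & clean) + 1) / (len(clean) + 1)
        results.append((merchant, round(coverage, 2),
                        round(coverage / clean_share, 2)))
    # Highest lift first; ties broken by coverage, then merchant name.
    return sorted(results, key=lambda r: (-r[2], -r[1], r[0]))


if __name__ == "__main__":
    for row in common_points(TRANSACTIONS, COMPROMISED, WINDOW):
        print(row)
```

A merchant that nearly every alerted card visited but few other cards did rises to the top; a busy merchant that everyone uses does not.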

It’s not clear how many cards were breached in the processor attack, but a sampling from one corner of the industry provides some perspective. On Wednesday, PSCU — a provider of online financial services to credit unions — said it alerted 482 credit unions that appear to have had cards impacted by the breach, and that a total of 56,455 member VISA and MasterCard accounts were compromised. PSCU said fraudulent activity had been detected on a relatively small number of those cards — 876 accounts — and that the activity was geographically dispersed.

If any readers have more information about the source, cause or true size of this breach, please contact me.

Update, 11:52 a.m. ET: VISA just issued the following statement in response to this story:

“Visa Inc. is aware of a potential data compromise incident at a third party entity affecting card account information from all major card brands. There has been no breach of Visa systems, including its core processing network VisaNet.

Visa has provided payment card issuers with the affected account numbers so they can take steps to protect consumers through independent fraud monitoring and, if needed, reissuing cards.

It’s important for U.S. Visa consumer cardholders to know they are protected against fraudulent purchases with Visa’s zero liability fraud protection policy, which exceeds federal safeguards. As always, Visa encourages cardholders to regularly monitor their accounts and to notify their issuing financial institution promptly of any unusual activity. Additional consumer security tips are available at www.VisaSecuritySense.com.

Every business that handles payment card information is expected to protect the security and privacy of their customers’ financial information by adhering to the highest data protection standards. Visa also supports advanced security layers such as encryption, tokenization and dynamic authentication through EMV chip technology to further protect sensitive account information and minimize the impact of data compromises.”

Update, 12:15 p.m. ET: The Wall Street Journal is reporting that the breached processor was Global Payments Inc., which processes credit and debit cards for banks and merchants. Prior to the publication of this blog post, I had heard this name from one source, but did not include it in my story because I could not get confirmation from a second source. Global Payments has not returned calls seeking comment. CNN is reporting that the company’s stock (GPN) fell 9 percent today before trading was halted on its shares.

Also am hearing that law enforcement investigators believe that this breach may be somehow connected to Dominican street gangs in and around New York City. This comes from two reliable sources.

Additionally, sources are reporting that the bulk of the fraudulent activity appears to be centering around commercial credit and debit cards (those issued to businesses). More updates as this story develops.

Update, 12:54 p.m. ET: Gartner fraud analyst Avivah Litan adds a bit more perspective to this story, saying the people she is talking to with knowledge of the situation say they are “seeing signs of the breach mushroom.”

Update, 4:34 p.m. ET: Atlanta-based processor Global Payments just confirmed the breach via press release. It promised to release more details in a conference call with investors on Monday morning. Their full statement is below:

“Global Payments Inc. (NYSE: GPN), a leader in payment processing services, announced it identified and self-reported unauthorized access into a portion of its processing system.  In early March 2012, the company determined card data may have been accessed.  It immediately engaged external experts in information technology forensics and contacted federal law enforcement. The company promptly notified appropriate industry parties to allow them to minimize potential cardholder impact.  The company is continuing its investigation into this matter.

“It is reassuring that our security processes detected an intrusion.  It is crucial to understand that this incident does not involve our merchants or their relationships with their customers,” said Chairman and CEO Paul R. Garcia.

Global Payments will hold a conference call Monday, April 2, 2012 at 8:00 AM EDT.  Callers may access the conference call via the investor relations page of the Company’s Web site at www.globalpaymentsinc.com by clicking the “Webcast” button; or callers in North America may dial 1-888-895-3550 and callers outside North America may dial 1-706-758-8809.  The pass code is “GPN.”


105 thoughts on “MasterCard, VISA Warn of Processor Breach”

  1. Tadas Petrauskas

    @Charles Lewis V

    This type of breach basically includes, Your Name, Credit Card Number, Expiration Date, and cvv2 (3 or 4 digits on the back) – All this in track1+2 format which can be written into other card and used to make real-life purchases.

    There are basically 2 types of credit card thefts.
    1. Card is being obtained with track1+2 – It can be used to duplicate the card, and used to make purchases at the stores, walmart, bestbuy, etc..

    2. Name, Billing address, and credit card number, expiration and cvv is obtained. In this case card can only be used to make ONLINE purchases, there is no way fraudster would be able to replicate card so it can be used to pay for items in your local store.

    1. Online_Carder

      Now aren’t you the young einstein of dumps.

    2. Dan DeFelippi

      Nope, cvv’s are never stored in magnetic strip data. That’s the point, to have additional data available for verification.

      1. wally

        Unfortunately not necessarily correct.

        Take a look at the PCI-DSS specification – there’s a clearly marked area on the magnetic stripe intended to contain the CVV (CV2).

        We have issues with this where I work – programming to PCI/PA-DSS standards requires certain “thinking out-side of the box” moments.

        1. The Cardholder

          Sorry, but you are mistaken.

          Track 2 discretionary data may allow for a *different* CVV1 code, but the number printed on the back of the card is a cryptographic value that is computed for the card, but not stored on track 2.

          If you think about it, why would it be. It is a value read over the phone for remote transactions where the customer is not present–what use would this be on the magnetic strip?

          Even the Chewbacca defence won’t get you out of that one 🙂

    1. Online_Carder

      You are such a retard. Brian is the one using havij pro and sql map doing all the dumping of databases.

  2. Marge Simpson

    To Krebs:

    Please remove the DOWN VOTE feature, people are burying useful comments! I’m certain if a comment is spam or crap YOU or whomever moderates may remove the message.

    If you look at Vigilant Citizen’s site comments on news articles, he/she has only a thumb up vote, and removes comments which contain no value or are of spam.

    Considering the normal # of comments on your site isn’t very high unless stories like this break, it would make sense to stop using the down vote because it is being abused.

    1. F-3000

      Might sound useless for someone, but I wish there was “neutral” option as well. For example, I both agree and disagree with your comment, Marge, but since there is no neutral option, I had to choose (disagree).

      While “Vigilant Citizen’s site comments” may be more considered on the moderating side, Krebs doesn’t use his time and concentration on considering whether a comment is useless or useful, he only reacts on comments he considers worth(/needy) of reaction. That’s just my notion regarding Krebs’ behavior towards the comments. Good point in Krebs’ way is, that people are allowed to voice their opinion, regardless how useless the comment is. Further good point is, that occasionally some script-kiddies give us, readers, very good laughs, while their comments could be considered as pointless otherwise. Negative side is, that the comment section clutters with babble. But then, the articles are the main purpose and point here, not the comments – they’re good for extra info in most.

      Just some thoughts…

      1. Brian Krebs

        I’d like to observe that there is a “neutral” way to vote on a comment, and that is, quite simply, not to vote 🙂

        1. Silemess

          I do use that method of abstaining quite often. But it is nice sometimes to at least leave the feedback of “I acknowledge your comment, but I’m not swayed for (or against) your statement.” It lets people know that their comment is seen, and thus whether they need to make their case better or if it is simply a view point that’s set apart from the rest.

          I’m not entirely thrilled by the negative votes making it hard to read all comments. Hiding the comments that have been very negatively voted works fine. Then you can choose to show or not show. But the font fading makes it harder to read and find out if the person was just expressing an unpopular position, or if it really was just a junk comment.

  3. nitephlight

    i caught your article early on today, turns out i am in the direct damage path as i have been parking (and cabbing, ha) NYC pretty frequently the last half a year or so.

    nothing fishy yet, but +1 brian. fan for life

  4. heron

    I hope you get some new readers by breaking the story, BK.

  5. hallie

    My identity theft company, as soon as a credit card in my name is activated, contacts me to make sure that I was the one who applied for the card. This kind of service covers me and every member in my household.

  6. Joe Leikhim

    My Visa card (obtained through a credit union) was compromised Feb 14. I received an automated call the morning of Feb 15 from asking me for personal verification information about my CC. If this was Visa as I was to believe, it was stupid of them to contact me in that way, and equally stupid of me to provide verification. When I spoke to the operator who called about the fraud notification, I was told to call the VISA number on the card. The notification of fraud was apparently legit and upon investigation I found two transactions on my card 1) Transcertain, LLC $0.00 for “Address Verification Only” and 2) Digital Star +44 $149.00 apparently for theater tickets over in the UK. The latter was flagged as fraud.

    In the year prior, my wife and I have received several unsolicited calls about this credit card regarding an “award” for purchases made by my wife (who almost never uses the card). When asked, the callers cannot provide any details of the purchases leading to their call. The callers sound Indian and were apparently pumping for address information which we never provided them. The call back numbers seemed to be assigned to MagicJack accounts. It is my belief the perpetrators had the VISA card information for over a year and recently somehow utilized Transcertain LLC to fill in the needed personal information. Thanks to Google, I found that Transcertain has apparently leaked on the internet, some of their own internal data processing documents, pertaining to their secure transaction protocol.

    1. Monitoring

      in the monitoring community, Transcertain is known (among MANY others) as tester {where fraudsters test their cards},

      latest test in Dec/Jan/Feb were after previous genuine transactions at merchants with Support or Help in merchant name

    2. hornblower

      I got hit with the fake Digital Star charges twice. Lots of people complaining about them online. I wonder now if that fraud was part of this.

      1. Joe Leikhim

        I think it is connected since my fraud occurred in this time-frame. It is interesting to me because someone was trying to “social engineer” us for many months, calling first thing in the AM to talk about a charge my wife made and pump for address information.

        Usually the charges on this card are related to business, so if she made the charge, it was a long time back or for office supplies, etc. Perhaps on-line.

        It would be nice to see a who-what-when-where report of this fraud to see how it occurred.

  7. Phoenix

    Wow. The Dailymail.co.uk even has Brian’s picture!

  8. Online_Carder

    I would like to thank you all for having credit cards… It has been pleasure stealing from you guys for three years running now. I would like to thank Brian for all the free advertising also. Thanks bro

  9. Jay

    Anyone finding out that is impacting Australian MC and VisaCard holders?

  10. syed

    have to follow more instructions to avoid this type of frauds. nowadays anything possible in online - have to follow updated tips/instructions.
    thanks for info on frauds of visa/mastero cards

  11. Goo Toor

    Can’t believe there is no standardized system and protocols for financial transactions, which are secure.

  12. Henry A. Turner, Attorney at Law

    GLOBAL PAYMENTS, INC. DATA BREACH CLASS ACTION LAWSUIT

    If you are a victim of the Global Payments data breach, you may be entitled to compensation. The Global Payments hack has placed an estimated 50,000 consumers at the risk of loss of their personal and private information, including their credit card information. If you were impacted by this security failure, we want to hear from you.
    We plan to bring a class action lawsuit on behalf of victims of the Global Payments data breach who sustained injuries because of this hack. We believe the Global Payments data breach class action lawsuit plaintiffs are entitled to, among other things, monetary compensation for the data loss, and credit monitoring. To find out if you are eligible to join the pending Global Payments data breach class action lawsuit, we urge you to contact us today.

    LEGAL HELP FOR VICTIMS OF THE GLOBAL PAYMENTS DATA BREACH

    If your personal data was compromised by the Global Payments hack, you may have valuable legal rights. To discuss joining our pending Global Payments data breach class action lawsuit, please
    e-mail us at hturner@tloffices.com.

    TURNER LAW OFFICES, LLC
    Decatur, Georgia 30030

    Notice: The purpose of this posting is to identify select issues that may be of interest to readers. Under Georgia’s Code of Professional Responsibility, portions of this communication may constitute attorney advertising.

  13. rtex

    this could be huge also maybe links to 2 data cartridges ibm of child support div, they would no doubt contain mother father children ssn banks address ex complete history more than enough to breach banks obtain credit cards loans ex, and the fedx driver they fell out of truck doors always closed after deliveries may watch drivers bank accounts for payoff and each time driver cashes 100 notes, or truck was breached, maybe going out on a limb but fact is family support has all data for all people in their system

  14. AJ

    ” “It is reassuring that our security processes detected an intrusion. It is crucial to understand that this incident does not involve our merchants or their relationships with their customers,” said Chairman and CEO Paul R. Garcia. ”

    Can you believe this? Reassuring that it was detected? No, excuse me, reassuring would have been if the breach was prevented in the first place.

    1. Dave

      Companies who say they haven’t been hacked generally lack the processes to detect that they have been hacked. No company is 100% secure and believing so will set yourself up for failure.

  15. Morten

    Got a call from VISA fraud prevention about a $300+ charge in Mexico tonight. Claims the card was swiped there, despite it being in my hands in the US.

    Went searching and came here. Sounds like the track 2 data matches the claim of it being swiped, if they can reproduce a card from that?

    Global Payments also have an updated alert on the issue today: http://www.globalpaymentsinc.com/DataProtection.html

  16. InpolMan

    Sorry guys but I don’t get what Brian’s great success is ? He recited from the warnings that VISA and MC issued to the worldwide processor community … great journalism, way to go …

    1. Chris Novak

      Brian broke this as a STORY to businesses and consumers, in particular to warn end users. The initial breach had occurred WEEKS ago. Visa/MC warnings issued to processors don’t warn consumers directly. And while credit card users may be protected from fraudulent charges, DEBIT card users (also processed by Global Payments and others) don’t have the same protection.

  17. Jason

    If they knew the numbers were hacked, it would appear to be a common sense approach to freeze all stolen accounts and prevent a massive pandemic spending spree by criminals. Most likely, it is a larger criminal network than people comprehend.
    Someone had a damn good time in the Florida panhandle spending my money while I was in Michigan wishing I was spending it in Florida!

  18. Keith Rennie

    We need a breach of contract lawyer to handle our matter.
