30 Mar 12

MasterCard, VISA Warn of Processor Breach


VISA and MasterCard are alerting banks across the country about a recent major breach at a U.S.-based credit card processor. Sources in the financial sector are calling the breach “massive,” and say it may involve more than 10 million compromised card numbers.

Update, 4:32 p.m. ET: Atlanta-based processor Global Payments just confirmed that they discovered a breach in early March 2012. See their full statement and several other updates at the end of this story.

Original post:

In separate non-public alerts sent late last week, VISA and MasterCard began warning banks about specific cards that may have been compromised. The card associations stated that the breached credit card processor was compromised between Jan. 21, 2012 and Feb. 25, 2012. The alerts also said that full Track 1 and Track 2 data was taken – meaning that the information could be used to counterfeit new cards.

Neither VISA nor MasterCard have said which U.S.-based processor was the source of the breach. But affected banks are now starting to analyze transaction data on the compromised cards, in hopes of finding a common point of purchase. Sources at two different major financial institutions said the transactions that most of the cards they analyzed seem to have in common are that they were used in parking garages in and around the New York City area.
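The "common point of purchase" analysis the issuers are described as running is a simple set operation: for each merchant, count how many of the compromised cards transacted there inside the exposure window, and rank merchants by that coverage. The block below is an added example written for this page, not code from the original post or from any bank; the card tokens, merchant names and dates are constructed, and the window is the Jan. 21 to Feb. 25, 2012 span the alerts cite.

```python
"""Common point of purchase (CPP) analysis over constructed transaction data.

Issuers who receive a list of compromised card numbers look for a merchant
that most of those cards share in their recent history. All data here is
constructed for illustration; no real card or merchant data is used.
"""
from collections import defaultdict
from datetime import date

# Constructed sample: (card_id, merchant, transaction_date). Card ids are
# opaque tokens standing in for PANs, which an analyst would not handle raw.
TRANSACTIONS = [
    ("card-A", "NYC Garage 42nd St", date(2012, 2, 3)),
    ("card-A", "Coffee Shop Brooklyn", date(2012, 2, 4)),
    ("card-B", "NYC Garage 42nd St", date(2012, 2, 10)),
    ("card-B", "Bookstore Queens", date(2012, 1, 30)),
    ("card-C", "NYC Garage 42nd St", date(2012, 2, 20)),
    ("card-C", "Coffee Shop Brooklyn", date(2012, 2, 21)),
    ("card-D", "Gas Station NJ", date(2012, 2, 1)),
    ("card-D", "NYC Garage 42nd St", date(2011, 12, 15)),  # before the window
    ("card-E", "Coffee Shop Brooklyn", date(2012, 2, 2)),  # not a compromised card
]

COMPROMISED = {"card-A", "card-B", "card-C", "card-D"}
WINDOW_START, WINDOW_END = date(2012, 1, 21), date(2012, 2, 25)


def common_point_of_purchase(transactions, compromised, start, end):
    """Return (merchant, coverage) pairs sorted by coverage, highest first.

    coverage = fraction of compromised cards seen at that merchant within
    the exposure window. A merchant that nearly every compromised card
    visited is a candidate point of compromise. A processor-level breach
    tends to show no single merchant with high coverage, because the cards
    were exposed regardless of where they were swiped.
    """
    cards_by_merchant = defaultdict(set)
    for card, merchant, when in transactions:
        if card in compromised and start <= when <= end:
            cards_by_merchant[merchant].add(card)
    total = len(compromised)
    ranked = [(m, len(cards) / total) for m, cards in cards_by_merchant.items()]
    ranked.sort(key=lambda item: (-item[1], item[0]))
    return ranked


def top_candidate(transactions, compromised, start, end, threshold=0.5):
    """Return the best merchant if its coverage meets threshold, else None."""
    ranked = common_point_of_purchase(transactions, compromised, start, end)
    if ranked and ranked[0][1] >= threshold:
        return ranked[0][0]
    return None


if __name__ == "__main__":
    for merchant, cov in common_point_of_purchase(
        TRANSACTIONS, COMPROMISED, WINDOW_START, WINDOW_END
    ):
        print(f"{cov:5.0%}  {merchant}")
    print("candidate:", top_candidate(TRANSACTIONS, COMPROMISED, WINDOW_START, WINDOW_END))
```

With the constructed data the garage reaches 75% coverage and is reported as the candidate; raising the threshold, or feeding in cards exposed at a processor rather than a merchant, yields no candidate, which is the signal that the compromise sits upstream of any single merchant.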

It’s not clear how many cards were breached in the processor attack, but a sampling from one corner of the industry provides some perspective. On Wednesday, PSCU — a provider of online financial services to credit unions — said it alerted 482 credit unions that appear to have had cards impacted by the breach, and that a total of 56,455 member VISA and MasterCard accounts were compromised. PSCU said fraudulent activity had been detected on a relatively small number of those cards — 876 accounts — and that the activity was geographically dispersed.

If any readers have more information about the source, cause or true size of this breach, please contact me.

Update, 11:52 a.m. ET: VISA just issued the following statement in response to this story:

“Visa Inc. is aware of a potential data compromise incident at a third party entity affecting card account information from all major card brands. There has been no breach of Visa systems, including its core processing network VisaNet.

Visa has provided payment card issuers with the affected account numbers so they can take steps to protect consumers through independent fraud monitoring and, if needed, reissuing cards.

It’s important for U.S. Visa consumer cardholders to know they are protected against fraudulent purchases with Visa’s zero liability fraud protection policy, which exceeds federal safeguards. As always, Visa encourages cardholders to regularly monitor their accounts and to notify their issuing financial institution promptly of any unusual activity. Additional consumer security tips are available at www.VisaSecuritySense.com.

Every business that handles payment card information is expected to protect the security and privacy of their customers’ financial information by adhering to the highest data protection standards. Visa also supports advanced security layers such as encryption, tokenization and dynamic authentication through EMV chip technology to further protect sensitive account information and minimize the impact of data compromises.”

Update, 12:15 p.m. ET: The Wall Street Journal is reporting that the breached processor was Global Payments Inc., which processes credit and debit cards for banks and merchants. Prior to the publication of this blog post, I had heard this name from one source, but did not include it in my story because I could not get confirmation from a second source. Global Payments has not returned calls seeking comment. CNN is reporting that the company’s stock (GPN) fell 9 percent today before trading was halted on its shares.

Also am hearing that law enforcement investigators believe that this breach may be somehow connected to Dominican street gangs in and around New York City. This comes from two reliable sources.

Additionally, sources are reporting that the bulk of the fraudulent activity appears to be centering around commercial credit and debit cards (those issued to businesses). More updates as this story develops.

Update, 12:54 p.m. ET: Gartner fraud analyst Avivah Litan adds a bit more perspective to this story, saying the people she is talking to with knowledge of the situation say they are “seeing signs of the breach mushroom.”

Update, 4:34 p.m. ET: Atlanta-based processor Global Payments just confirmed the breach via press release. It promised to release more details in a conference call with investors on Monday morning. Their full statement is below:

“Global Payments Inc. (NYSE: GPN), a leader in payment processing services, announced it identified and self-reported unauthorized access into a portion of its processing system.  In early March 2012, the company determined card data may have been accessed.  It immediately engaged external experts in information technology forensics and contacted federal law enforcement. The company promptly notified appropriate industry parties to allow them to minimize potential cardholder impact.  The company is continuing its investigation into this matter.

“It is reassuring that our security processes detected an intrusion.  It is crucial to understand that this incident does not involve our merchants or their relationships with their customers,” said Chairman and CEO Paul R. Garcia.

Global Payments will hold a conference call Monday, April 2, 2012 at 8:00 AM EDT.  Callers may access the conference call via the investor relations page of the Company’s Web site at www.globalpaymentsinc.com by clicking the “Webcast” button; or callers in North America may dial 1-888-895-3550 and callers outside North America may dial 1-706-758-8809.  The pass code is “GPN.”


105 comments

  1. Yep, massive is not an overstatement… and given the validity of John S’s link and connections prompts questions about why M&V were still using them without far greater supervision.
    This story’s going to get bigger me thinks…

    • I cannot say whether this one is massive or not,

      but what I’m (almost ;) sure of is that there’s no connection between John S’s link and this breach – you can see his OOPS below :)

  2. As Rick Perry says, OOPS.

    Thanks Anon, emv

  3. Brian, NICE JOB (as usual), scooping everyone else on this. One wonders when Visa/MC were going to tell the public? Or were they just quietly going to notify only those affected, not letting on that their card processors may have a problem!

    • Both my Bank of America credit card and credit union debit card were affected by a similar breach a couple years ago. When I asked the card services manager at my credit union what entity had been breached, she repeatedly refused to answer my question, stating that the information was protected by a confidentiality agreement.

    • Visa/MC notified the banks whose job it is to notify their customers. I’m sure V/MC see lots of security issues and forward them on to the card issuer. I’m more disappointed that we haven’t heard anything from Global Processing yet (that I know of).

      • Not sure how to edit on here….

        Looks like Global Payments has admitted to the breach, I’m sure there is more info to come…

  4. Somewhere at the processor are security peons saying “I told you so”.

  5. Hahaha.. it was only last week that I was reading about the company having the most secure system outside the US government to protect $22 billion worth of assets!

  6. Graham Sutherland

    This is precisely why companies like this need to stop giving ludicrous managerial bonuses, and instead roll that cash into security investment. It’s now going to cost them (and, by extension, the consumer) an order of magnitude more to fix this mess.

    • This is precisely why companies like this need to stop giving ludicrous managerial bonuses, and instead roll that cash into security investment.

      Which, hopefully, will involve bringing “air gaps” and dedicated network links separate from the Internet back into vogue.

      I still believe Marcus Ranum had it right when he commented that in the future you’ll have two computers on your desk – one connected to the Internet, the other used for real work.

      • Um, if you don’t already then you’re just asking for trouble.

        As in… Here’s your sign.

  7. Wow, no wonder I had 2 cards replaced last week. 2 weeks ago I was contacted by BofA stating they received a notice and were issuing a new card and number. No fraudulent activity had occurred. Then last week I got a call from HSBC about activity on that card. My card was being used to buy electronics from online retailers like Buy.com and Newegg but HSBC froze the account after the first purchase. They also sent me out a new card and I was able to call Newegg and they stopped the shipment (not that I would have been liable anyway) so the crook got nothing.

    2 out of 3 cards for me so far. We’ll see if I get a call from CITI.

    • Why are people still banking with the TARP banks? I realize that CUs also could have this problem, but no one should continue to willingly do business with predatory zombie bailed-out TBTF banks. I’m fighting CHASE right now over $200+ of “mistaken” fees that they charged me. This is par for the course as these institutions try to recapitalize on the backs of taxpayers and customers.

      • This has nothing to do with Banks. This is a PCI DSS breach from a CC processor. Global is one of 3 major processors in this country that process CC transactions. The others are:
        Chase Paymentech
        First Data

        The fact that track1 and track2 data were captured is indicative of what could ONLY be captured at the processor level. Given that PCI DSS has been out for nearly 10 years now, all level merchants, including banks should be compliant. Most banks just give out the VISA or MC branded cards. VISA, MC, Discover and others make up the SCC which is a liability watchdog for the PCI DSS. In this case, the breach occurred at the processor level. Who cares what type of bank issued the cards, it wouldn’t have mattered if the merchant who swiped it was processing via Global comm.

        Thanks

        • Bah, SSC

        • Even being 100% PCI DSS compliant isn’t going to stop a breach if you’re falling down in other areas. PCI DSS is one lacking standard if that is the guide you follow for your business’s entire security posture.

          • Sure thing. I agree, but it is a ‘liability’ baseline. They basically get you started in the RIGHT direction to protecting card data that is Stored, Processed, and Transmitted.

            • That is a good point, they do indeed at least point you in the right direction. And I should clarify as well that I agreed with the overall point in your earlier post.

              I just felt it worth clarifying that the breach is not of PCI DSS itself, which is easy to breach. The breach is with a payment processor who should have been following PCI, or may indeed have been following PCI.

              Either way it will definitely be interesting to see the PCI compliance status they held.

              • Global Payment is fully compliant but as we all know, being compliant does not always mean operating safely. All it takes is a little sloppiness, a bad employee, or a weak link in the network somewhere. Meeting PCI DSS compliance is a benchmark. Operating securely is a way of life.

          • As another PCI-DSS person, I’m willing to bet that this was done with someone on the inside. The mention that there could have been Dominican street gangs involved in the breach itself doesn’t seem very likely but they could be a potential ‘buyer’ of some of the info. Only a team of security professionals could really pull something like this off.

        • Regardless… This # of transactions means it was a Level 1 merchant and should have had the strictest PCI DSS requirements implemented.

          If the breach was “to live data” on the system itself, the data should have been encrypted. That means an individual either broke the encryption algorithm (highly unlikely) or it was an inside job.

          The breach could have also been due to lost or stolen backup tapes. And even if this was the case, the data still should have been encrypted, otherwise the data could have been read, copied, sold etc.

          I keep saying “should have been encrypted” because that’s what the PCI DSS regulation dictates, although I’m sure not all companies comply.

          Interesting note: Normally when these types of stories are broken or announced, the company breached will state if the data was encrypted or not. Yet this story makes no mention of this. Very odd!

          • Without knowing exactly what happened and not really understanding the whole “Card Processing” process, I’m going to speculate a little bit. Even if the data is encrypted, it has to be decrypted at some point for the software/gateway to know which direction to forward the authorization data. One of the articles I read suggested that an admin level account was compromised somewhere. I’m curious what kind of access that would give them, whether live data as it goes through the gateway or if they were able to put some sort of sniffer on the gateway somehow. Also, information or a link on how the whole process works would be beneficial, including the encrypting/decrypting of the data/partial data to know how the transactions are authorized.

        • You are off base Steve. Track 1 and Track 2 data has to be captured by an application before it is passed to the processor. It could very well be that the application was improperly storing the data and/or that the application has been compromised and was forwarding the data as it was swiped to a 3rd party. PCI has been around for years but many 3rd party application providers have been very slow to obtain compliance.

          I think that it is very irresponsible for writers to be commenting on the size of the breach and who may/may not be at fault in the absence of any announcements at this time.

          • Hi Frank, yes, I know this… I have such an application. However, they have the track data (whether hand keyed or swiped). Are you suggesting that the track data was stolen from the header on 50,000 + devices that just happen to use global payments as their processor?

            Global will authorize the track data once it is decrypted and process it. It will then just send a response back to the merchant. You know this. How am I way off base???

            The data is end to end encrypted, and is obviously saved at the processor’s end (since we are talking about Global payments being hacked and that track1 and track2 data was collected).
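The thread above turns on whether full Track 1 and Track 2 data was being stored somewhere it should not have been, at an application or at the processor. PCI DSS prohibits retaining full track data after authorization, so one routine compliance check is to sweep logs, database dumps and file shares for anything shaped like a track record. The scanner below is an added example written for this page, not code from the original post or from any processor; it matches the ISO 7813 track layouts, uses the Luhn check to cut false positives, and reports only a masked PAN. The sample log is constructed and uses the well-known 4111 1111 1111 1111 test number.

```python
"""Scan text for stored magnetic-stripe track data (constructed example).

PCI DSS forbids storing full Track 1 / Track 2 data after authorization.
This scanner looks for the ISO 7813 track layouts, confirms the PAN with
the Luhn check digit to reduce false positives, and reports findings with
the PAN masked to first six / last four digits.
"""
import re

# Track 1 (format B): %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})([^?]*)\?")


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check digit test."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the most PCI DSS allows to display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(text: str):
    """Return findings as (track, masked_pan, expiry_yymm, line_no) tuples."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in TRACK1_RE.finditer(line):
            pan, expiry = m.group(1), m.group(3)
            if luhn_valid(pan):
                findings.append(("track1", mask_pan(pan), expiry, line_no))
        for m in TRACK2_RE.finditer(line):
            pan, expiry = m.group(1), m.group(2)
            if luhn_valid(pan):
                findings.append(("track2", mask_pan(pan), expiry, line_no))
    return findings


# Constructed sample log: a debug statement leaking both tracks for the
# 4111 1111 1111 1111 test PAN, plus a Luhn-invalid number that must be ignored.
SAMPLE_LOG = """\
2012-02-10 09:14:02 auth ok merchant=garage-17 amount=12.00
2012-02-10 09:14:02 debug raw=%B4111111111111111^DOE/JANE^15121011234567890?
2012-02-10 09:14:03 debug raw=;4111111111111111=151210112345678?
2012-02-10 09:15:40 debug raw=;4111111111111112=151210112345678?
2012-02-10 09:16:01 auth ok merchant=garage-17 amount=8.00
"""

if __name__ == "__main__":
    for track, pan, expiry, line_no in find_track_data(SAMPLE_LOG):
        print(f"line {line_no}: {track} PAN {pan} exp {expiry}")
```

Run against the sample it flags lines 2 and 3 and ignores line 4, whose PAN fails the Luhn check. A real sweep would point the same function at application logs, core dumps and database exports, since a debug line like the one shown is exactly how an otherwise compliant application ends up retaining track data.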

      • This seems to have hit B2B cards, which CUs aren’t very strong in. And while it seems to have hit GP, he also mentioned some focus on parking businesses in NYC. this may have started as a POS intrusion.

        But GP has a lot of ‘splainin to do, Lucy.

  8. PSCU may have been the company that called me to verify some overseas charges I had made back in February. I chatted with the guy a little and he told me he was with a company hired by my CU to monitor transactions. One might be wise to check with his or her financial institution(s) to see what protection they offer. Personally I like dealing with the locals; I give the megabanks a big “A” for AVOID.

  9. For all the folks saying ‘use a small bank’, have you read Krebs regularly? Generally, the small banks use poorer security practices and will cough up your money faster and easier than big banks.

    • Wow! I hope that isn’t still true. I just switched from a mega-big to a small town one. I love how I needed to go through the Patriot Act Requirements to open my new account. I wish they would upgrade their security practices, but I guess most of them believe they have their non-business clients covered by FDIC.

      • Not all small banks are created equal. Some are offering a few extra options and features that give you better security. Always best to check out who you are using, no matter what size the company is.

    • I used to work for a small town bank. All of our data was processed by a back-end processor and everything was transmitted to them encrypted live over Point-to-Point MPLS circuits. None of the customer data was hosted locally. Even though the back-end processing was hosted remotely, we still prided ourselves on offering the Hometown service.

      I do still have to laugh sometimes when I see small bank websites, as I recognize the cookie-cutter site that is more than likely hosted by the same back-end processor.

    • George, you may read Krebs regularly but I don’t think you read my post, because the word “small” never appeared in it. But since you appear to be such an avid fan I would hope you support this fine blog with your monetary contributions.

  10. Well from the update with the statement from Visa it’s clear all Visa cares about is protecting its ‘brand’. I read it as – ‘Hey it wasn’t us. We won’t tell you who it was because they might then sue us. Everything is fine keep using your card because we make money every time you do.’

  11. I’ve not read what the attack method was. Do you think it was yet another SQL Injection attack or is this one more likely an insider?

    • Unless we know how, there is no reason to speculate.

      I would find it difficult if they were storing track1 and track2 data in unencrypted data stores. This would be reprehensible, and the punitive damages levied by the SSC would be in the hundreds of millions. If the data was encrypted then this is just a case of hackers figuring out the VERY complex encryption algorithm, and somehow gaining access to the transact log files.

  12. Well the WSJ article says “50,000” cards yet this article and others quote tens of millions of card #s…seems like a pretty big difference…

    • Spalind — That information was in my story.

      “It’s not clear how many cards were breached in the processor attack, but a sampling from one corner of the industry provides some perspective. On Wednesday, PSCU — a provider of online financial services to credit unions — said it alerted 482 credit unions that appear to have had cards impacted by the breach, and that a total of 56,455 member VISA and MasterCard accounts were compromised. PSCU said fraudulent activity had been detected on a relatively small number of those cards — 876 accounts — and that the activity was geographically dispersed.”

      I don’t think anyone has a clear idea how many cards may have been compromised. That 55k number is just a snapshot of what one fraud fighter that works with some credit unions saw and reported.

      • Any way (besides asking my CU directly, in case they refuse to answer) to know if my CU was on that list supplied by PSCU?

        Thanks

      • I bet you are the person stealing all the dumps Brian. Padawan

  13. The unfortunate part about information security is that the human factor will always remain within the equation.

    The majority of companies will spend significant time and resources to establish preventive and detective security controls.

    But corrective controls are just as equally important. If implemented appropriately, the damage from such incidents can be minimized.

    • Well, that is what the minimum PCI DSS is for. It outlines the minimum levels of security that a merchant or a service provider (shopping cart api) should be at to avoid the common breach. Identifying the risk and getting everything “Out of Scope” is the key for every merchant.

      The SSC figures that if you are AT LEAST at this level of security then you should be ok. Also, as the QSA determine during audits, they will determine whether you are actually following these requirements. Basically it comes down to liability, and the ability to CYA!

      You can read more about the PCI DSS here:
      https://www.pcisecuritystandards.org/

    • Yes, but the most important human factor in minimizing the long-term effect of incidents like this, is whether or not the consumer is reviewing their statement each month and making sure that they made the purchases that appear there.

      Once again, we are forced to include the human factor in our security and remediation processes. What we really need is better humans.

  14. Why is this issue being reported in such a strange manner?
    There are 2 orders of magnitude difference in the reported numbers of cards compromised.
    Visa’s report sounds childish and defensive, and is basically useless.
    Everyone is in some kind of silent panic.

    Now everyone will be calling their banks, and it may only be 25,000 people that are affected. What is really going on?

    Also – what the heck do New York parking garages have to do with anything?
    -Kludge

    • Just a thought, this is important because it appears to have hit a major processor, and indeed if the report is true that it centered on parking garages, it may include a POS system – lots of industries get focused on single POS solutions, and if these get breached or exploited, that industry pretty much gets exposed if the problem isn’t fixed quickly.

      So we could see another of these incidents, maybe focused on Los Angeles garages instead, or airport garages, and so on. Though I expect the holes are already plugged. Generally it seems that these reports become public after the vulnerability is fixed, to avoid confirming to the intruders that they have a free pass for the time being. Misguided, maybe?

  15. Brian,

    There’s no Common Point of Purchase (CPP), if the breach was at a credit card processor level. This technique is used to identify the problem at merchant level.

  16. Brian, you’re becoming more of an authority. See http://www.reuters.com/article/2012/03/30/us-mastercard-breach-idUSBRE82T0VD20120330.
    Keep up the good work.

  17. This doesn’t surprise me as my wife, my mother and my sister in law have all had card numbers used fraudulently in the last couple of weeks and we had been scratching our heads looking for any commonality between the 3.

    I told them there must have been some sort of data breach because none of their cards were physically missing, yet their information was being used for fraudulent charges. They may think it affected folks at a parking garage in NYC, but we are all in California and I can’t help but think these cards were part of this issue.

  18. Over the past 2 months people in Alexandria, La have been having bogus card transactions too. The banks have looked into the issue and traced the cards to a grocery store and a restaurant here. I wonder if they both use this processor. Both locations use card readers so the card owner keeps possession of the card the entire time. The fraudulent purchases were reported around the US and some overseas. I have a friend that had both of his cards and one of his wife’s cards compromised.

  19. Two things seem to have happened here.

    1. The thieves impersonated a large customer to gain their administrative access. The fault here lies in how customers are given access to a network, and the ability to compromise any large customer is pretty scary. Would love to see some honest answers on preventing this.

    2. The data that was taken was encrypted under PCI, so these folks must have had a decrypt capability.

    Since the thieves didn’t start using these numbers until very recently, actual losses may be limited. The cost will lie in changing those 10 million numbers.

    Looking forward to views of security experts here. I’m just a reporter who covered this just now at Seeking Alpha — http://seekingalpha.com/article/468861-massive-breach-puts-spotlight-on-credit-card-processor-risks

  20. Charles Lewis V

    I don’t really understand everything that was said here, but my VISA Card through Chase Bank was compromised with fraudulent charges as of yesterday. My card’s location is in Indiana but its location of fraudulent use has not been tracked down yet. As a side note: the fraudulent transactions both appeared as POS DEBIT (insert Company name here) while processing. One transaction was used to purchase Minecraft and the others are currently unknown as there is not enough information according to Chase. I noticed the fraudulent charges myself and have never been notified by the bank. Anyway just my two cents to add to some speculation as to the breach’s size and complexity.

    • Charles Lewis V

      sorry for the second post, but the breached information included my 4 digit number on the back of the card.

  21. My MasterCard was used fraudulently recently even though it was not stolen. Had to get a new card # this month due to the fraudulent charges.

  22. Why are they wasting time looking for a common point of purchase when they know it was the processor that had the breach? A common point of purchase would matter if they were looking for somebody with a skimmer but how’s that going to locate a processor breach?

    If Dominican street gangs truly are involved, I’d be looking for an evil insider. All they’d have to do is connect a Pwn Plug.

  23. If we used Chip & Pin cards, would we be safe from the possibility of someone counterfeiting our cards with this stolen info?

    • Actually this is just another method that the merchant accepts the card info. This is the case of card information being stolen from the end of the line processor.

      Even if you had incredible encryption on your card and account, it wouldn’t matter as this was decrypted and stored on the processor’s database.

      It would be up to them to stop this, or the entire process of processing would have to be redesigned.

    • Yes, you would be a magnitude safer.

      Track stored on Chip is different than Track on Magstripe (and also CVV/CVC has a different value), so it is not possible to ‘skim’ data from a chipcard and then use it for creation of a counterfeit magstripe card, nor is it possible to ‘copy’ the chip itself. However, this would require that the card acceptor has a POS with a chip reader. This is how it works here in Europe (plus other parts of the world), safer. Of course, card-not-present purchases (internet, phone orders…) are a different story, not going into details now.
      My personal 2 cents: all should get rid of magstripe usage and go chip (EMV) – yes, I’m aware of academic and potential problems, but still, as I wrote earlier, it is a magnitude safer.

  24. I wonder how many VISA and MASTERCARD systems run WINDOWS.

    Pathetic.

  25. “VISA and MasterCard are alerting banks across the country… ”

    Which country is that? I was redirected to this site from a UK web site. It’s meaningless.

  26. There is really NO possible way to gather 10 million cards by sniffing, even Gonzalez was never able to gather that many dumps (t1+t2), and he did have his sniffer running on networks for YEARS.

    If 10 million have been breached, there is only one reasonable explanation – data was being kept in plain text, not encrypted.

    PCI Compliance requires data to be ENCRYPTED, even for a regular small-time eCommerce store.

    • You really have no idea what you are talking about and should refrain from commenting, especially in caps.

      A decent-sized payment processor will see billions of transactions a year. If you 0wn a system inside a processor that is in the authorization flow you could easily capture millions of cards with full track data in a couple of days.