
June 18th, 2005

This is Bad, very very Bad

Posted by Richard Stiennon @ 2:43 pm

Categories: Spyware


And the credit card associations know it is. Why else would you wait for the markets to close on a Friday to announce it? This is *not* another “oops, someone lost our back-up tapes” incident. This incident came to light when banks started to report an upswing in fraudulent transactions. The cyber criminal was already using the data stolen from CardSystems to process transactions before MasterCard’s security team tracked this down.

From the NY Times article that is the best coverage yet:

MasterCard said an unauthorized person was able to exploit the security vulnerability and gain access to CardSystems’ network, exposing cardholders’ names, account numbers and expiration dates as well as the security code, typically three or four digits also printed on the credit card.

The cost of recovering from this incident is going to be upwards of $400 Million, probably closer to $1 Billion based on my calculations. (It is often said that it costs $80 to replace a credit card. 40 million times 80 is? … $3.2 Billion!)

If the cyber criminal is just a kid selling stolen identities, he could be a millionaire by now. If it is a well-orchestrated effort with the right infrastructure in place, they could be laundering tens of millions of dollars by now.

Harsh lessons learned from the soon-to-be-unemployed staff responsible for the irresponsible security practices at CardSystems and the executives who will be testifying to Congress:

YOU DO NOT NEED TO STORE CREDIT CARD INFORMATION IF YOU ARE A MERCHANT OR TRANSACTION PROCESSOR. The entire system has been designed to avoid these incidents. If you are a merchant, you pass the data off to your credit card processor, who credits you with the money and gives you a tracking number that you can store safely.
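The merchant flow described above, as an added example that is not part of the original post: card data goes to the processor, only the returned tracking number is stored, and an audit flags any stored record that still holds a card number. `StubProcessor`, `take_payment` and `find_stored_pans` are hypothetical names, and the card number is the standard test number used as constructed sample input.

```python
import re
import secrets

PAN_RE = re.compile(r"\b\d{13,19}\b")  # candidate card numbers (13-19 digits)

def luhn_ok(digits):
    """Luhn checksum: filters random digit runs from real card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

class StubProcessor:
    """Hypothetical stand-in for the card processor's API (an assumption)."""
    def charge(self, pan, expiry, cvv, amount_cents):
        # A real processor authorizes the charge; the stub only issues a reference.
        return "trk_" + secrets.token_hex(8)

def take_payment(processor, orders, order_id, pan, expiry, cvv, amount_cents):
    """Pass card data through to the processor; persist only the tracking number."""
    tracking = processor.charge(pan, expiry, cvv, amount_cents)
    orders[order_id] = {"tracking": tracking, "amount_cents": amount_cents}
    return orders[order_id]

def find_stored_pans(orders):
    """Audit: order ids whose stored fields contain a Luhn-valid card number."""
    hits = []
    for order_id, record in orders.items():
        text = " ".join(str(v) for v in record.values())
        if any(luhn_ok(m) for m in PAN_RE.findall(text)):
            hits.append(order_id)
    return hits

def demo():
    orders = {}
    take_payment(StubProcessor(), orders, "A100",
                 "4111111111111111", "12/07", "123", 1999)
    # Constructed counter-example: a record written the way the post warns against.
    orders["A101"] = {"card": "4111111111111111", "exp": "12/07",
                      "amount_cents": 500}
    return orders, find_stored_pans(orders)

if __name__ == "__main__":
    print(demo()[1])
```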

IF YOU STORE ANY PERSONALLY IDENTIFIABLE INFORMATION YOU MUST ENCRYPT IT! I feel like I am yelling into the wind here. I guess the FTC is going to take care of this one for us.

I am getting too worked up over this. Gotta go…

Richard Stiennon is an industry consultant. See his full profile and disclosure of his industry affiliations.
