
MasterCard, Visa Warn of Processor Breach - wglb
http://krebsonsecurity.com/2012/03/mastercard-visa-warn-of-processor-breach/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+KrebsOnSecurity+%28Krebs+on+Security%29
======
brandonb
My startup works on fraud detection, and it's amazing to see how sophisticated
criminals get when there are such large sums of money involved. The black
market for stolen credit card numbers is a real market with division of labor:
some people hack in to processors to steal the numbers, others resell those
credit card numbers, others write scripts to create fake accounts for a
particular site, others integrate all of those tools to actually execute the
fraud, etc.

Just in the past couple of months, we've seen online criminals try to:

* Run money laundering schemes by posting fake items for sale on a marketplace, and "purchasing" their own item using a stolen credit card.

* Create fake accounts from different browsers to get tons of free machine resources, which they then use for more nefarious purposes.

* Rent a bot net to run a distributed fraud ring from many different machines, in a way that's almost undetectable.

* Fool SMS verification by setting up a Twilio server to make it look like they have a U.S. phone number.

You can imagine how fun it must be to outsmart them. :-)

By the way, if any of you are running online stores or marketplaces, and
seeing a sudden spike of fraud or chargebacks from this breach, feel free to
ping me (brandon@siftscience.com). We may be able to help.

~~~
mahyarm
How did you detect that it was a money laundering scheme in the first place !?

~~~
brandonb
I'd love to say but then it'd be obvious to any fraudsters out there. :-(

------
thinkcomp
The Senate Banking Committee held hearings yesterday on mobile payments.
Unfortunately they're totally unaware that it's possible to initiate a mobile
financial transaction that doesn't make use of a credit card or cell phone
carrier's billing system, and that it's basically impossible for startups to
compete with the card networks (possibly by offering new anti-fraud
technology, for example) when the cost of regulatory compliance nationwide is
$20 million. So we'll probably keep on seeing a lot of stories like this
one...

~~~
tptacek
That suggests a regulatory cost of under 0.0001% of the dollar volume of a
large credit card processor. Given the high cost of securing transaction
processors and the regularity with which these companies --- all of whom pay
millions to staff security teams --- manage to cough up customer data to
transactions, I'd suggest the problem is in the _other_ direction: it may not
cost _enough_ to be a transaction processor.

~~~
thinkcomp
Based on our history, Thomas, I believe this represents the kind of behavior
that reduces the quality of debate on-line or off.

To argue that $20 million is a small amount relative to Visa's total
transaction volume, and consequently too little (!) as an arbitrary barrier to
entry for startup companies, is puzzling. I don't know of any license fees
that are calculated based on what the largest market participant could afford
to pay as a percentage of revenue.

~~~
tptacek
I don't understand this argument. We're commenting on a thread where lax
regulation of a payment processor appears to have resulted in a breach that
disclosed 10 million credit cards. I'm not sure how that story admits to a
pivot about _over_ -regulation of payment processing.

Different people have different value schemes. For instance, personal liberty
is far more important to me than airport security. But in my value scheme,
which I _think_ is probably widely shared, the safety of consumer financial
data is more important than whether it costs $500,000 or $20,000,000 to
operate a payment processor at scale.

(I don't, for what it's worth, really believe that all new market entrants to
payment processing have to pay 8 figure sums to launch).

 _Also: in case anyone's wondering, I've never worked for or with Greenspan,
or even met him in person. I assume the history he's referring to is on HN._

~~~
thinkcomp
Everyone is entitled to their value scheme. Unfortunately, the regulatory
requirements here have nothing to do with data security; they are imposed to
nominally ensure the security of funds. I think it is possible that where you
see a pure regulatory failure, I see a technological failure that is being
exacerbated by regulation.

~~~
tptacek
I'd be interested in hearing how regulation is impeding data security. From my
vantage point, we have the opposite problem; for instance, credit card
processing as an industry has opted for self-regulation, and the resulting PCI
standard is ineffective and provides cover for a cottage industry of
superficial and inadequate testing.

Just to set the stage here, though: you're someone who wants it to be cheaper
and easier to start payment processors, and I'm someone who gets paid to find
vulnerabilities in complicated applications. Before you write a lot of
paragraphs, know that I'm going to drive into specifics, and that I'm decently
familiar with data security issues at transaction processors.

------
kylebrown
Supposedly (or so I heard), UnionPay in China doesn't provide fraud
protection/reimbursement to users (irreversible). Ditto for Alipay, where a
large portion of transactions are done using escrow.

China is said to be a "cash society". Quite interesting that (if I heard
correctly) their biggest credit/debit card and online payment companies don't
offer any protection to users - the biggest challenge payment processors face
in the U.S.

------
dfc
_"But affected banks are now starting to analyze transaction data on the
compromised cards, in hopes of finding a common point of purchase."_

If they know the processor was compromised what is the point of finding a
common point of purchase? Is the common point of purchase where the criminals
are extracting the money?

~~~
rogerbinns
> what is the point of finding a common point of purchase

So they know who to notify. It isn't every US card holder that is at risk, so
they want to know who is. The Gartner article says this:

> From what I hear, the breach involves a taxi and parking garage company in
> the New York City area so if you’ve paid a NYC cab in the last few months
> with your credit or debit card – be sure to check your card statements for
> possible fraud.
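
One way to run the common-point-of-purchase analysis the quoted article describes, as an added example that is not part of the thread, the article, or any issuer's tooling. The idea is to take the cards known to be compromised, compare how often they appear at each merchant against a control group of cards that are not on the list, and rank merchants by that lift within the suspected breach window; the merchant that surfaces is the client account to investigate, and every card seen there during the window goes on the notification list. The transactions, card ids, window dates and merchant names (NYC_CAB_LLC and the others) are constructed for the example.

```python
"""Common point of purchase (CPP) analysis over issuer transaction records.

Added example, not code from the article or the thread. All data below is
constructed; merchant and card identifiers are hypothetical.
"""
from collections import defaultdict

# Constructed sample: (card_id, merchant_id, ISO date). Cards c1..c4 later
# appear on the compromised list; c5..c8 do not and serve as the control group.
TRANSACTIONS = [
    ("c1", "NYC_CAB_LLC", "2012-01-21"), ("c1", "COFFEE_CHAIN", "2012-01-22"),
    ("c1", "GROCERY", "2012-02-01"),
    ("c2", "NYC_CAB_LLC", "2012-01-25"), ("c2", "COFFEE_CHAIN", "2012-01-26"),
    ("c3", "NYC_CAB_LLC", "2012-02-03"), ("c3", "COFFEE_CHAIN", "2012-02-04"),
    ("c3", "GROCERY", "2012-02-05"),
    ("c4", "NYC_CAB_LLC", "2012-02-10"), ("c4", "COFFEE_CHAIN", "2012-02-11"),
    ("c4", "GAS_STATION", "2012-02-12"),
    ("c5", "NYC_CAB_LLC", "2012-01-30"), ("c5", "COFFEE_CHAIN", "2012-01-31"),
    ("c6", "COFFEE_CHAIN", "2012-02-02"), ("c6", "GROCERY", "2012-02-03"),
    ("c6", "NYC_CAB_LLC", "2011-06-01"),  # before the window: must be ignored
    ("c7", "COFFEE_CHAIN", "2012-02-06"), ("c7", "GAS_STATION", "2012-02-07"),
    ("c8", "COFFEE_CHAIN", "2012-02-08"), ("c8", "GROCERY", "2012-02-09"),
]
COMPROMISED = {"c1", "c2", "c3", "c4"}        # cards the network flagged
WINDOW = ("2012-01-21", "2012-02-25")         # suspected exposure window (inclusive)


def in_window(transactions, window):
    """Keep only transactions dated inside the window (ISO dates sort lexically)."""
    start, end = window
    return [t for t in transactions if start <= t[2] <= end]


def merchant_coverage(transactions, cards):
    """Fraction of `cards` that transacted at each merchant at least once."""
    seen = defaultdict(set)
    for card, merchant, _date in transactions:
        if card in cards:
            seen[merchant].add(card)
    return {m: len(s) / len(cards) for m, s in seen.items()}


def common_point_of_purchase(transactions, compromised, window, min_coverage=0.8):
    """Rank merchants as CPP candidates.

    Returns a list of (merchant, compromised_coverage, control_coverage, lift),
    best candidate first. A merchant needs to cover at least `min_coverage` of
    the compromised cards; lift against the control group then separates a
    genuine common point (cab company) from a merchant everyone uses (coffee).
    """
    txns = in_window(transactions, window)
    all_cards = {card for card, _m, _d in txns}
    control = all_cards - compromised
    comp_cov = merchant_coverage(txns, compromised)
    ctrl_cov = merchant_coverage(txns, control) if control else {}
    ranked = []
    for merchant, cov in comp_cov.items():
        if cov < min_coverage:
            continue
        base = ctrl_cov.get(merchant, 0.0)
        lift = cov / base if base else float("inf")
        ranked.append((merchant, cov, base, lift))
    ranked.sort(key=lambda r: (r[3], r[1]), reverse=True)
    return ranked


def exposed_cards(transactions, merchant, window):
    """Notification list: every card seen at the CPP merchant inside the window.

    This is deliberately broader than the flagged list; cards that went through
    the same account are at risk even if no fraud has surfaced on them yet.
    """
    return sorted({card for card, m, _d in in_window(transactions, window)
                   if m == merchant})


if __name__ == "__main__":
    for merchant, cov, base, lift in common_point_of_purchase(
            TRANSACTIONS, COMPROMISED, WINDOW):
        print(f"{merchant:14s} compromised={cov:.2f} control={base:.2f} lift={lift:.1f}")
    best = common_point_of_purchase(TRANSACTIONS, COMPROMISED, WINDOW)[0][0]
    print("notify:", exposed_cards(TRANSACTIONS, best, WINDOW))
```

On the constructed data the cab company covers all four compromised cards but only one of four control cards (lift 4.0), while the coffee chain covers everyone (lift 1.0) and drops to the bottom; the grocery and gas merchants never reach the coverage threshold. The notification list comes out as c1 through c5, one card more than the flagged set, which is exactly why the banks in the article want the common point rather than just the list of cards already seen in fraud.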

~~~
dfc
I thought the processor was breached?

~~~
rogerbinns
The current gossip is that it was an administrative account for the parking
garage/taxi at the processor.

~~~
dfc
Thanks. When I read that the processor was compromised, I guess I assumed it
was at Ring0 (couldn't resist). It never occurred to me that it was within a
client's account at the processor.

------
clicks
Lots more discussions and explanations over at Reddit:
[http://www.reddit.com/r/netsec/comments/rkudd/mastercard_vis...](http://www.reddit.com/r/netsec/comments/rkudd/mastercard_visa_warn_of_processor_breach/)

~~~
groby_b
Some discussion, yes. I'm still curious how the author ties this to "Dominican
street gangs" - that seemed a rather surprising finishing note.

~~~
obituary_latte
[http://blogs.gartner.com/avivah-litan/2012/03/30/new-credit-...](http://blogs.gartner.com/avivah-litan/2012/03/30/new-credit-card-data-breach-revealed/)

I think this blog post might have something to do with it. In it, she mentions
that "she heard" that the breach had to do with taxis and/or a parking garage
in NYC.

------
fudged
I have a Visa card, and I haven't been notified. CNET said that Visa customers
were notified, but I have no idea what sort of scope this notification was.

~~~
dfc
Why do you assume your visa was one of the cards that is compromised?

------
wglb
The article has been edited to note that the payment processor is Global
Payments.

------
DiabloD3
This would have never happened on Bitcoin.

~~~
wmf
Indeed; Bitcoin has entirely _different_ problems.

