a bit more on 8 Million Credit Accounts Exposed FBI to Investigate Hacking of Database

[Dave Farber <dave () farber net>]

Washington Post
8 Million Credit Accounts Exposed
FBI to Investigate Hacking of Database
By Jonathan Krim
Wednesday, February 19, 2003; Page E01

A hacker broke into a computer database containing roughly 8 million Visa,
MasterCard and American Express credit card numbers earlier this month,
prompting an FBI investigation into one of the largest intrusions of its
kind.

All three card companies said that the potentially compromised numbers are
being closely monitored, and that so far there is no evidence that any have
been used for fraudulent purchases. The big three card issuers said the
intruder cracked the computer security of a firm that processes credit card
transactions for merchants, but they declined to name the company or provide
any other details.

The companies said they had turned the matter over to the FBI.

About 2.2 million of the affected numbers involved MasterCard customers.
"MasterCard's rules require that merchants securely encrypt cardholder
information, including card numbers, so that [unauthorized purchases] cannot
occur," the company said in a statement yesterday.

Visa, which accounted for 3.4 million of the numbers, sought to remind
customers that they would be automatically credited for any unauthorized
purchases, a policy followed by all three credit card companies.

But consumer fraud experts criticized the firms for not automatically
informing all consumers that their accounts might have been compromised.
Although credit card issuers generally do a good job of protecting against
fraudulent purchases, the experts said, such security breaches can lead to a
larger problem of identity theft that might not be apparent until months
later.

Although it can be difficult to gather additional personal data from a
credit card number alone, hackers bent on fraud are likely to try to use the
information to impersonate a cardholder, said James Vaules, a former FBI
agent and fraud consultant for the LexisNexis database company.

Dan Clements, who runs CardCops.com, a California consulting group and think
tank on credit card fraud, said it is up to the myriad of banks and other
vendors that issue credit cards to determine whether to inform their
customers. 

Clements said issuers generally don't do so unless they decide to give their
customers new cards and account numbers, which costs issuers about $25 per
account.

"The card holder is the last to know," Clements said, which hurts their
ability to protect themselves against identity theft.

Christine Elliott, a spokeswoman for American Express, confirmed that her
company has not informed its affected customers of the break-in. She
declined to disclose how many accounts were affected but said the number was
considerably lower than that of Visa and MasterCard.

"We would encourage our card members to call us if they have questions"
concerning their accounts, Elliott said.

Spokesmen for Visa and MasterCard declined to provide the names of the banks
that issued the affected cards and to discuss the identity theft question.

A spokeswoman for Citizens Bank in Philadelphia told CNN that her bank had
shut down 8,000 accounts as a precaution and was reissuing cards. The bank
did not return phone calls seeking comment.

------ End of Forwarded Message

-------------------------------------
You are subscribed as interesting-people () lists elistx com
To unsubscribe or update your address, click
  http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/