more on go to china was Re: Cardholders Kept in Dark After Breach -- Washington Post

[David Farber <dave () farber net>]

Begin forwarded message:

From: Mark Blacknell <blacknell () gmail com>
Date: June 28, 2005 7:49:48 PM EDT
To: dave () farber net
Subject: For IP was Re: [IP] Cardholders Kept in Dark After Breach --  
Washington Post
Reply-To: mb () blacknell net


Dave,
    Apparently, Visa customers in China can count on more
conscientious service than I can, as illustrated in this (very
popular) Chinese blogger's recent entry:

"Yesterday morning, when I stepped out of my office around 11:50 AM, a
customer service representitive from the China Merchant Bank (my
favorite bank in China) called my mobile and asked if I have a credit
card ending with number xx. I confirmed. She told me the Visa
organization informed them that this card is at risk of credit card
fraud. I asked why, and the girl said they don't know th reason yet,
but what they can do is to give me a replacement of the card. She
asked me to destroy my current card and waiting for a new card.

Well. I said "it is good", wondering what happened with my card. Maybe
it was because I have been to the U.S. in April?

After lunch, I used my card - the card she talked about -
unconciousely, as I do everyday. The machine reports: Stolen card! It
is nice that the restaurant didn't call police and I handed in cash
quickly.

At that time, I know, they are serious.

The News

24 hours later, when I open my MSN, I saw a pop up in the news window
- that is the major change of MSN.com.cn launch in China. The news
said: 9000 Chinese card holders are affected. 3000+ visa holders were
affected, and I am honorablely be one of the 3000 card holders."

More at http://home.wangjianshuo.com/archives/ 
20050623_us_credit_card_fraud_infected_china_and_me.htm



Mark Blacknell, Esq.
Washington, DC, USA


On 6/24/05, David Farber <dave () farber net> wrote:

> Time for a new law nationwide. djf
>
> Begin forwarded message:
>
> From: David Chessler <chessler () capaccess org>
> Date: June 24, 2005 1:05:22 AM EDT
> To: cryptography () metzdowd com
> Subject: FWD: Cardholders Kept in Dark After Breach -- Washington Post
>
>
> I had been planning to call my active credit card companies to
> determine whether any had been compromised. This article caused me to
> start the process this morning, calling American Express, my most
> active account.
>
> After thanking me for carrying their card for 21 years, they refused
> to tell me whether any of my three cards was among those compromised.
> They tried to tell me that they have all sorts of "anti-fraud"
> procedures. Even so, it was Master Card and not American Express that
> first uncovered the problem, and there is no way I can reliably
> double check an account that has dozens of charges a month, many of
> them posted in the name of parent companies located at head offices
> in other cities, so that many of the charges are not easily verified
> and must usually be taken on faith.
>
> Accordingly, I told them to cancel all three cards and send me new
> ones. They were not happy, but were unwilling to tell me whether the
> cards had been compromised. Perhaps if they have the expense of
> replacing many customers credit cards, some necessarily and many
> unnnecessarily, they will start taking security and customer service
> more seriously.
>
> When I get the new American Express cards I will call the second most
> active card in my wallet, and so on down the list.
>
>
> http://www.washingtonpost.com/wp-dyn/content/article/2005/06/22/
> AR2005062202037.html
> http://www.washingtonpost.com/wp-dyn/content/article/2005/06/22/
> AR2005062202037_pf.html
>
>
> washingtonpost.com
> Cardholders Kept in Dark After Breach
> Some Banks Decline to Tell Customers Whether Accounts Were Compromised
>
> By Mike MusgroveWashington Post Staff WriterThursday, June 23,  
> 2005; D05
>
> Consumer advocates said credit card customers have been denied
> crucial information in the wake of a recent data breach, as some
> major banks are declining to tell cardholders whether their account
> may have been accessed by hackers.
>
> In a security lapse disclosed by MasterCard International Inc. last
> week, 40 million credit card and debit card numbers were exposed to
> an intruder who gained access sometime last year through a credit-
> processing firm. An interagency group of federal banking regulators
> has begun an investigation into the incident.
>
> Meanwhile, Internet security firm Secure Computing Corp. warned
> yesterday that a fresh appearance of an old e-mail scam appears to
> come from opportunistic fraudsters hoping to use fear about the
> recent data theft as a way to trick MasterCard customers into giving
> up their account information.
>
> Companies such as J.P. Morgan Chase & Co., Citigroup Inc., American
> Express Co. and MBNA Corp. said that they are not automatically
> alerting their customers that their information may have been exposed
> but that they are more closely monitoring the accounts that may have
> been affected. The policy was reported yesterday on CNetNews.com.
>
> Such credit-card-issuing banks said MasterCard and Visa have shared
> with them lists of account numbers that may have been compromised.
> Though such accounts may earn heightened scrutiny from the banks that
> issued them, customers may never know whether their account numbers
> were among those stolen by hackers.
>
> "Those accounts have been flagged, and we're watching them even more
> closely than we otherwise would," said Jim Donahue, spokesman at
> MBNA. "If we start to see an unusual rate of fraud [among the set of
> compromised accounts], we would consider notifying those customers
> impacted -- but we haven't seen that yet."
>
> MasterCard said yesterday that it is up to banks that issue credit
> cards to determine whether to contact cardholders.
>
> Consumer watchdog groups decried such policies as bad for consumers.
>
> "That sounds really bad to us," said Chanelle Hardy, legislative
> counsel at Consumers Union, the nonprofit publisher of Consumer
> Reports magazine. "Any time that any unauthorized person gets access
> to sensitive or personal information, [the cardholder] should be
> notified," she said. "For a consumer, it's the first line of defense.
> It's almost their only line of defense."
>
> The breach reported last week occurred at a processing center in
> Tucson operated by CardSystems Solutions Inc. and may have been the
> largest such theft. CardSystems did not return a call for comment
> yesterday.
>
> The Federal Financial Institutions Examination Council has issued
> guidelines for when a bank should disclose to its customers that
> account information may have been stolen.
>
> Michael L. Jackson, chairman of the FFIEC's information technology
> subcommittee, said yesterday that it was too early in the
> investigation to recommend one course or another.
>
> There has not yet been any fraudulent activity associated with the
> stolen credit card numbers, said Sharon Gamsin, vice president of
> communications at MasterCard. If bogus charges do show up, customers
> often are not held responsible but can spend years clearing their
> credit ratings if someone steals their identity.
>
> Within 24 hours of last week's news of the breach, a new version of
> an Internet scam was circulating on the Web. In an e-mail forged to
> look as if it had come from MasterCard, recipients were urged to log
> in to a counterfeited MasterCard site and enter their account
> information.
>
> That Web site had apparently been taken down yesterday afternoon. It
> was registered in the name of Tucson resident Donald Cuppe, whose
> wife said in an interview yesterday that the couple knew nothing
> about the site but had received a call from their bank on Monday
> alerting them that their Visa debit card number was stolen.
>
> Washingtonpost.com staff writer Brian Krebs contributed to this  
> report.
>
> (c) 2005 The Washington Post Company
>
>
>
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> =-=-=-=-=-=-=-
>
> *** FAIR USE NOTICE. This message contains copyrighted material the
> use of which has not been specifically authorized by the copyright
> owner. This Internet discussion group is making it available without
> profit to group members who have expressed a prior interest in
> receiving the included information in their efforts to advance the
> understanding of literary, educational, political, and economic
> issues, for non-profit research and educational purposes only. I
> believe that this constitutes a 'fair use' of the copyrighted
> material as provided for in section 107 of the U.S. Copyright Law. If
> you wish to use this copyrighted material for purposes of your own
> that go beyond 'fair use,' you must obtain permission from the
> copyright owner.
>
> For more information go to:
> http://www.law.cornell.edu/uscode/17/107.shtml
>
> ---------------------------------
>
>
>
>
>
>
> ---------------------------------------------------------------------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to
> majordomo () metzdowd com
>
>
> -------------------------------------
> You are subscribed as ip () blacknell net
> To manage your subscription, go to
>   http://v2.listbox.com/member/?listname=ip
>
> Archives at: http://www.interesting-people.org/archives/interesting- 
> people/


-------------------------------------
You are subscribed as lists-ip () insecure org
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/