“In separate non-public alerts sent late last week, Visa and MasterCard began warning banks about specific cards that may have been compromised. The card associations stated that the breached credit card processor was compromised between Jan. 21, 2012 and Feb. 25, 2012. The alerts also said that full Track 1 and Track 2 data was taken – meaning that the information could be used to counterfeit new cards.” That’s what Brian Krebs, Krebs on Security, reports.
If the breaches took place between Jan. 21, 2012 and Feb. 25, 2012, it would be interesting to know when Visa and MasterCard found out about them. Sound too much like editorializing? Yes, you’re probably right. Anyway, if Visa and MasterCard knew for a while before going public, they probably had very good reasons – like not upsetting their cardholders or stockholders or the stock market.
Now Visa and MasterCard have gotten around to alerting the public to what’s being characterized as a massive breach involving some ten million compromised card holders.
Avivah Litan, vice president and distinguished analyst, at Gartner Group, says, “From what I hear, the breach involves a taxi and parking garage company in the New York City area” and she advises, “so if you’ve paid a NYC cab in the last few months with your credit or debit card – be sure to check your card statements for possible fraud.” Talk about being taken for a ride.
Krebs’ sources say that the bulk of the fraudulent activity appears to be centering around commercial credit and debit cards that are issued to businesses. He also says he’s heard that law enforcement officers believe the breach may be connected to Dominican street gangs in and around New York City.
A Visa statement said it was not at Visa, but at a third-party company where the actual breach occurred. “Visa Inc. is aware of a potential data compromise incident at a third party entity affecting card account information from all major card brands. There has been no breach of Visa systems, including its core processing network VisaNet.”
The Wall Street Journal reported that the third party Visa alluded to was Global Payments Inc., which processes credit and debit cards for banks and merchants.
Avivah Litan lays blame for the breach on knowledge-based authentication (KBA). While she cannot categorically state it as a certainty until all the evidence is in, she heard that, “the crime was perpetrated by a Central American gang that broke into the company’s system by answering the application’s knowledge based authentication questions correctly. Looks like the hackers took over an administrative account that was not protected sufficiently.” She added, “Isn’t that usually the case? So if that’s indeed what happened, we can expect the PCI [(Payment Card Industry)] assessors to say NO to KBA on administrative accounts. They need to say NO to many different types of authentication which are being successfully bypassed by determined crooks.”
Litan’s advice, after thirty years in IT, is, “A layered approach is always best, since you have to assume the bad guys will get through one or two or even three layers.”