Card breaches shake faith in e-payments
In the past three months, all three of my payments cards -- one credit card and two debit cards -- have been compromised.
That means somewhere, in some database, various fraudsters have my name and enough card details to attempt a shopping spree anywhere in the world. The cards have all been replaced by the issuers and, luckily, I never discovered any fraudulent transactions.
The card breaches are particularly disturbing since I cover computer security. So what happened? I still have no clue. Investigating a card breach as a consumer, or a journalist, is a black hole.
Stealing card numbers isn't hard. A PC can be infected with a keystroke logger that records card details used during online transactions. Insecure databases at merchants can be hacked. ATM machines can be fitted with "skimmers" that record a card's magnetic strip information, which can be used to create a cloned card.
Point-of-sale devices can be modified to record card details. Unscrupulous employees can also steal information during merchant transactions. All of the methods can allow a hacker to eventually use the details and attempt an online transaction, known as card-not-present fraud.
It's impossible for me to trace where and when the card details were acquired. The only common element between the three cards is that I've used them all on my PC for e-commerce transactions at one time or another. But I'm pretty sure I've never been phished, and the various antivirus programs I've had on my PC have never detected malicious software.
Wachovia, my U.S. bank, sent me a new debit card unprompted about a month ago. I thought it was strange since I didn't request a card. I called the bank, and was told the card number had been compromised. Wachovia, though, included absolutely no notification with the new card saying that the old number had been compromised.
Although troves of card numbers are obtained by online thieves, banks will only reissue cards if there's a high fraud risk, said Avivah Litan, a card fraud expert at Gartner. It costs banks around US$20 to reissue a card, so less than 10 percent of the cards that are compromised are replaced, she said.
Upon hearing two of my cards had been compromised, Avivah said, "That is very, very unusual. You should be worried. I would be worried if this happened to me. I tend to be more paranoid than average."
This wasn't making me feel any better.
Wachovia spokeswoman Jennifer Darwin refused to give any information about the breach, such as where it happened and if a law enforcement agency is investigating.
Without information, it's impossible for me to follow up. I can't check in with the police. I can't check to see if a merchant is complying with data-breach disclosure laws that exist in many U.S. states. It's a dead end.
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
On Twitter now
security
Powered by Twitter
jfruh
Apple syncing patent can't come soon enough
pasmith
New Twitter features borrow from 3rd party clients
Esther Schindler
Open Source Changes the Software Acquisition Process
mikelgan
How to set up continuous podcast play on the new iTunes
David Strom
Five important Windows 7 mobility features
sjvn
Guard your Wi-Fi for your own sake
Sandra Henry-Stocker
Grepping on Whole Words
Sidekick: The Good News & the Bad News
Either way you look at it Microsoft Data Center management did not follow standards or best practices in this failure. In which case it makes me wonder more about the outsourcing of corporate data much less personal data.
- mburton325
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
