MasterCard and Visa payment processor compromised, up to 10 million cards stolen

Brian Krebs is reporting that MasterCard and Visa are warning member-banks of a payment processor breach that may impact more than 10,000,000 credit cards.

It is important to note that MasterCard and Visa's own networks were not involved in the attack; it appears to be related to payment processor Global Payments.

Reuters is reporting that Global Payments stock was suspended from trading after falling more than 9% on the Nasdaq stock exchange.

Krebs reported that one of the financial institutions he spoke with had to cancel 56,455 credit cards, of which fraud was detected on 876, or 1.5%.

There is much speculation about the source of the breach as many are reporting that the majority of the fraud is occurring in the greater New York City area, yet cards are being cancelled around the country.

What is a payment processor? Payment processors provide merchants (stores) with access to payment brokering networks like MasterCard, Visa, American Express and Discover. The terminal that processes your card sends the details of the transaction to the payment processor to facilitate the purchase.

It is being reported that the attackers got "full Track 1 and Track 2 data". This is very bad, as it would allow the attackers to produce complete cards, including the CVV/CCV code you often need to enter for online transactions.

Strangely, law enforcement contacts told Krebs they believe the breach is related to a Dominican gang in New York and primarily targeted corporate credit and debit cards.

Fortunately, consumers don't need to worry too much. Card-issuing banks (Bank of America, Chase, etc.) are cancelling cards that are involved in the theft, and card holders will not be held responsible for any fraudulent activity.

I wouldn't cancel my card or ask for a new one, but it would certainly be prudent to keep a close eye on your statements to be sure nothing suspicious shows up.

As we find out more details on how this heist came about, we will post information here. From the sound of it, the card information may not have been encrypted, or they wouldn't need to cancel so many cards.

Credit card processing terminal image and card statement image courtesy of Shutterstock.


11 Responses to MasterCard and Visa payment processor compromised, up to 10 million cards stolen

  1. Chris in NC · 943 days ago

    Not encrypted?!? *facepalm*

    • I had the same reaction. How does that even occur at this level any more? It is criminal negligence.

    • Michael · 942 days ago

      Of course not. How could multiple users read/write/modify a database in real time if the database is encrypted? Even if that was possible, how would the provider keep the decryption key secure while distributing it to so many readers?
      Encryption would only work for an archived database.

    • Cazsev · 941 days ago

      I have been a victim. Over $300 on two illegal transactions at Rite Aid in the Bronx. Chase cancelled my card today - which encouraged me to check my account!! They were not forthcoming in warning me of what had happened. Luckily I had read the news.

  2. Mike Williams · 943 days ago

    I've always been suspicious of credit cards since the information you, as a consumer, have to give to the merchant in order to perform the transaction is enough to make unlimited transactions with that card. "Black box" payment processors are a little better, but that doesn't fix the weakness in the system. It just moves the security hole a little further away. We are supposed to take on faith that the little black boxes can be trusted with our credit card information. Faith is for religion, not commerce!

  3. Larry · 941 days ago

    Here's how incidents like this get blown out of all proportion. Last week it was "10 Million" track 1 and 2, now Global Payments is saying < 1.5 Million and track 2 data only. Still bad however you slice it but rushing to judgement and using terms like "massive" will just lead to more FUD.

  4. riggarob · 941 days ago

    With clouds, CC's, google+, et al, the only thing left is cash, but for how much longer ??!! The drug/arms dealers have it right, but what happens when cash goes away? I'll take 2#'s of coke, a couple of AK 47's and a few m-60 grenades. Oh, and I'll pay w/paypal.

  5. hugh.r · 940 days ago

    But merchants can be affected. The card holders and banks do not worry. They take their time in finding the stolen cards and then claim back from the merchant who has already sent off the goods. The merchant has no recourse whatsoever even if the merchant employs 3DS. 3DS is not mandatory, meaning that anyone can use an unsecured card to make a purchase.

  6. Ivy · 917 days ago

    I recently received an e-mail alert that said "Irregular Activity" - from Bank of America. I immediately checked my account and there was a $100.00 check card transaction from Rite Aid in Maryland (I am from Texas). I called the Fraud Department right away to notify them that it was fraudulent. They took care of me. I am not liable for any fraudulent transactions. They said that it was a "Compromised Merchant". Since this was a check card transaction, most likely they made a duplicate of my debit card. They tried to do a second transaction for $50.00 but it was declined. BOA froze the account the moment the system detected that "irregular activity". My debit card was closed and I will be getting a new one. If you guys have an "ALERT SYSTEM" through your bank I highly recommend you set it up to your mobile and e-mail.

  7. Bea · 770 days ago

    I was alerted by email from CHASE that someone withdrew $500.00 from my account using a debit machine. I had my card with me and no one knows my pin #. I was told that I needed to wait until it was posted to file a claim. Although CHASE did refund the money, the rep refused to tell me how this can happen and how to protect myself from it happening again. My husband had someone use his card and pin two months ago and he also had his card and I don't even know his pin #. Although CHASE refunded that money too, we are quite concerned and will be researching how to prevent this type of thing in the future. Using cash might be a pain, but I think it might be more secure in the end.


About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.