Visa looks into Eastern European security breach

Filed Under: Data loss, Featured, Vulnerability

VisaVisa is investigating a potential security breach that may have compromised payment cards of Eastern Europeans.

Although Visa hasn't disclosed which countries were hit, the Romanian state-owned CEC Bank has blocked and reissued 17,000 cards on suspicion that they had been compromised.

CEC Bank said in a statement that "a number" of cards issued by banks both in Romania and abroad might have been compromised via an international database.

CEC Bank security breach statement

Here's an excerpt from the statement, translated into English from Romanian by

The bank has been informed that a number of cards issued by banks in Romania and abroad have been potentially compromised through an international database. CEC Bank has decided to block the cards and reissue a new card and PIN, at no cost, for a number of cards in its portfolio

This attack did not target CEC Bank's cards alone and was not due to any bank vulnerability. Our clients' money is safe.

Visa pinned the problem on a European payment processor and issued this statement:

Visa Europe has been informed of a potential data security breach at a European processor and an investigation is underway. We are working closely with our member banks to ensure cardholders are protected.

In his report on this incident, v3's Phil Muncaster pointed to a warning earlier this month from Trend Micro regarding a basic design flaw in some implementations of the 3D Secure protocol - aka "Verified by Visa" and "MasterCard SecureCode" - that could allow crooks to conduct ID fraud on some Visa cards.

The potential security hole in 3DS is a result in a weakness in the password reset process of some system versions, Trend Micro's Rik Ferguson explained the flaw on his CounterMeasures blog:

If you are making a purchase through a merchant that is subscribed to the program, you will be redirected, during the payment phase, to a 3DS verification page. On this page you confirm the details of the transaction, enter your password and hey presto, the transaction is complete. So far so good, the merchant never sees my password, no transaction with that merchant can be completed without it and I’m protected, but...

He then goes on to describe the password reset link, finding that three of four pieces of information used to verify identity - cardholder name, expiration date and signature panel code - are all contained in the card itself, either embossed or printed and contained in the magnetic stripe data.

Verified by Visa password reminder

The fourth piece of information, cardholder date of birth, would be drop-dead easy to track down, he says:

Trouble is, it’s information that is not only widely shared on social networks, surveys, sign-up forms and a myriad of other places, but also freely available in public records. We cannot and should not consider our date of birth to be a secret.

The Eastern Europe breach and the 3DS flaw are spelling one headache-y month for Visa so far. Yikes, now all the company needs is for the EU to contemplate carving away at its profits with big fines for privacy breaches or something like that.

But wait, that's exactly what the EU is mulling!

The way the Financial Times reads it, the proposed rule, slated to be introduced in January, will impact social media most sharply, serving as a significant tool to boost the EU's powers when it comes to combating data protection breaches.

But it will be interesting to see what happens (if in fact the rule doesn't get watered down to pointlessness, that is) in cases such as credit card payment breaches like the one Visa is now investigating, if it turns out that Visa or its payment processor was treating customer data with anything less than kid gloves.

, , , , ,

You might like

One Response to Visa looks into Eastern European security breach

  1. Considering the amount of credit card payments done over the net, the services that would be naturally most trusted, have made it the most difficult with these Verified by Visa and MasterCard processes, making simple purchases a pain and impossible if waiting for new list of one time use numbers from bank.

    Also in newspaper payments it has been interesting that to pay some 1-10 euros to large newspaper, it is troublesome, because needs to be done each time separately. Then again to some other services it is good enough to log the information once, and then to make purchases of 30-170euros with single click after login to service account.

    Looks like some companies understand customer needs better, than others, and understand trust as the key to business existing or not.

    The only way is to make it easy to make payments, and to keep customers safe with practices and background systems. Not relying on customer entering and reentering same information time and time again. That approach exposes customer to more troubles and possibilites of breach of confidentiality than what it gives to security.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.