Comments: USA credit system is totally compromised, security-wise

How to terrorize the American financial system: simply leave it alone. So Europe must be safe and sound, no issues there at the moment.

Perhaps Google is looking to exploit this situation.

Posted by Jim at June 18, 2005 10:18 AM

What "cunning tricks" for securing your identity do you have in mind?

Posted by MarkM at June 18, 2005 10:59 AM

If your identity goes bad, just get another one. :^)

This case will be interesting. Very interesting.

@Jim: Not sure about Europe. Consider http://www.niscc.gov.uk/niscc/docs/br-20050616-00494.html

Posted by Chris Walsh at June 18, 2005 11:18 AM

Yes, CardSystems Solutions, Inc., will soon announce a new identity ...

Posted by Iang at June 18, 2005 12:02 PM

I'm sure there are comparable breaches in Europe. After all, the technology is quite similar, and so are the threats. It's just that in the applicable regulative framework, the preferred business decision is one against disclosure.

Given the extent of the problem, disclosure is about to become meaningless anyway. What exactly does it mean when your credit card data has been *potentially* compromised? What should you do?

Posted by Florian Weimer at June 18, 2005 04:44 PM

What protects your charges is not the number. It was previously knowledge of the number. Now what protects your charges ON AN ESTABLISHED ACCOUNT is the predictability of human behavior. You may have never realized that you do not shop on Tuesday or on Thursday before 4pm. You may not have noticed that you purchase all your hardware between 9-10 on weekday mornings off the web. Mastercard and Visa are now depending almost entirely on evaluation of charges realtime to detect fraud.

Don't confuse the use of established accounts with some history, which are currently protected only to the degree that your behavior is predictable, with creation of new false accounts.

And of course the information is in the hands of criminals. Do you think they are too clueless to purchase large scale databases sold by businesses, data brokers and governments? The difference between stolen account numbers and those purchased through legitimate fronts is that at least the stolen ones are property ONLY of the criminals that took it, as opposed to any criminal with the minimal initiative to set up an account at a CRA or data broker.

The data are all compromised. So, what does that mean to profit of card companies? It makes switching card companies more risky to the user, and established accounts more valuable to the company.

The credit card companies are handling the risk. It is the shifting of risk on the consumer, the new egregious bankruptcy laws, and the value/risk allocation of instant credit that is the problem. And x million more card numbers "lost" won't alter that fundamental problem.

-Jean

Posted by L Jean Camp at June 20, 2005 02:38 PM
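The comment above describes the mechanism that now does the protecting on an established account: a real-time check of each charge against the cardholder's own habits (time of day, weekday, what they buy, how much). The following is an added example, not code from the thread or from any card network, of what such a behavioural check looks like in miniature. It builds a profile from a constructed purchase history, scores a new charge by how far it departs from that history, and refuses to score an account with too little history, which is exactly the gap Jean points to for newly created accounts. The feature choice (weekday, 4-hour slot, merchant category, amount ceiling), the weights, and the thresholds are all assumptions made for illustration.

```python
"""Behaviour-based card charge scoring on constructed sample data.

Added example (not part of the original thread). Everything below is
constructed for illustration: the history, the features, the weights
and the thresholds are assumptions, not any card network's actual rules.
"""
from collections import Counter
from datetime import datetime

# Constructed purchase history for one established account:
# (timestamp, merchant category, amount). Not real data.
HISTORY = [
    ("2005-06-01 09:15", "hardware", 120.00),
    ("2005-06-02 09:40", "hardware", 85.50),
    ("2005-06-03 18:30", "grocery", 64.10),
    ("2005-06-06 09:05", "hardware", 210.00),
    ("2005-06-07 19:00", "grocery", 58.75),
    ("2005-06-08 09:50", "hardware", 99.00),
    ("2005-06-10 18:45", "grocery", 71.30),
    ("2005-06-13 09:30", "hardware", 150.00),
    ("2005-06-14 19:15", "grocery", 62.00),
    ("2005-06-15 09:20", "hardware", 77.25),
]

MIN_HISTORY = 5   # assumption: fewer charges than this is too thin a profile
SUSPICIOUS = 0.5  # assumption: scores at or above this are held for review


def features(ts, category):
    """Reduce a charge to the coarse habits the profile is built on."""
    dt = datetime.strptime(ts, "%Y-%m-%d %H:%M")
    return dt.weekday(), dt.hour // 4, category   # weekday 0 = Monday, six 4-hour slots


def build_profile(history):
    """Count how often each (weekday, slot, category) habit occurred."""
    counts = Counter(features(ts, cat) for ts, cat, _ in history)
    amounts = [amt for _, _, amt in history]
    return {"counts": counts, "n": len(history), "max_amount": max(amounts)}


def score(profile, ts, category, amount):
    """Return (score, reasons): 0.0 fits the pattern, 1.0 is entirely novel.

    score is None when the account has too little history to judge, which
    is the case for a freshly opened (possibly fraudulent) account.
    """
    if profile["n"] < MIN_HISTORY:
        return None, ["insufficient history: behavioural profile not usable"]
    weekday, slot, _ = features(ts, category)
    counts = profile["counts"]
    exact = counts[(weekday, slot, category)] / profile["n"]  # Counter returns 0 for unseen keys
    cat_seen = any(k[2] == category for k in counts)
    slot_seen = any(k[1] == slot for k in counts)
    reasons = []
    if not cat_seen:
        reasons.append("merchant category never used before")
    if not slot_seen:
        reasons.append("time of day never used before")
    amount_pen = 0.0
    if amount > profile["max_amount"]:
        amount_pen = min(1.0, amount / profile["max_amount"] - 1.0)
        reasons.append("amount above previous maximum")
    total = (0.4 * (1.0 - exact) + 0.2 * (not cat_seen)
             + 0.2 * (not slot_seen) + 0.2 * amount_pen)
    return round(min(1.0, total), 2), reasons


def review(profile, charges):
    """Return the charges that should be held for review, with their reasons."""
    flagged = []
    for ts, cat, amt in charges:
        s, reasons = score(profile, ts, cat, amt)
        if s is None or s >= SUSPICIOUS:
            flagged.append((ts, cat, amt, s, reasons))
    return flagged


if __name__ == "__main__":
    profile = build_profile(HISTORY)
    incoming = [  # constructed new charges against the same card number
        ("2005-06-22 09:30", "hardware", 95.00),   # usual Wednesday-morning purchase
        ("2005-06-21 02:10", "jewelry", 950.00),   # 2 AM, new category, far above maximum
        ("2005-06-23 19:30", "grocery", 60.00),    # familiar shop, unusual weekday
    ]
    for ts, cat, amt in incoming:
        print(ts, cat, amt, score(profile, ts, cat, amt))
    print("held for review:", review(profile, incoming))
```

Two things the small example makes visible. A leaked number alone changes nothing in this scheme until it is used outside the holder's pattern, which is why the comment treats the number as no longer the thing being protected; and the profile is only as good as the history behind it, so an account opened in someone else's name with a thin or attacker-shaped history gets no protection from it at all.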

@Jean:

Of course the bad guys have the CC#s. The Honeynet people (as but one example) have conclusively proven that, and you are right that it isn't news as long as the fraud-detection systems keep the TTL of a stolen CC# sufficiently small.

The interesting thing about this case, to me, is that CardSystems seems to have made a very poor risk decision. They seem to have deployed known (or should have known) insecure box(es), and then deliberately gone against the advice of one of their largest sources of revenue (MC and Visa) and stored what should have been volatile data on it/them for troubleshooting purposes. I won't mention the legal risk. This, it seems to me, is a dumb thing to have done, even if the CC #s (or ones which are just as good) are available for $5 apiece via IRC. To me, the fact that a firm which should be totally on top of this sort of risk would do something so foolhardy is a noteworthy point for anyone who is looking to build systems that need to incorporate this kind of human element.

Posted by Chris Walsh at June 20, 2005 03:40 PM

Jean,

so if you are correct (and I don't doubt it) the next thing that we will see is *histories* being traded as phishers seek to optimise their extraction strategies.

Perhaps then we'll see an open source project for managing and improving shadow credit histories...

Sounds more and more like the phishers are just intelligence agencies with a more refined profit motive than the traditional ones.

Posted by Iang at June 24, 2005 06:31 AM
