- Visa and Mastercard in process of contacting affected customers
- Breach blamed on third-party processor
- Data likely collected from New York taxi company
- Security experts believe data is already being used
- Customers urged to check their online statements
Credit behemoths Visa and Mastercard were scrambling yesterday to track down the third party processor that stole credit card data from as many as ten million customers.
The stolen data has now been linked to a New York City taxicab or parking-garage company, which has access to millions of credit card numbers.
Experts are now imploring anyone who has ridden in a New York taxi or parked in a garage within the metropolitan area to check their credit card statements or contact their financial institution.
According to Avivah Litan, a security analyst at Gartner Research, thieves have been stockpiling the information for months.
'From what I hear, the breach involves a taxi and parking garage company in the New York City area, so if you’ve paid a NYC cab in the last few months with your credit or debit card — be sure to check your card statements for possible fraud,’ she said yesterday.
'Those transactions are aggregated' and sent to a server, Ms Litan said. 'It has a lot of hops along the way' before the card information reaches a processor.
She believes the data is already being used on the street by identity thieves.
She wrote on her blog: 'I’ve spoken with folks in the card business who are seeing signs of this breach mushroom. Looks like the hackers have started using the stolen card data more recently.’
She also said that unverified reports point to a 'Central American gang that broke into the company's system by answering the application's knowledge-based authentication questions correctly.
'Looks like the hackers took over an administrative account that was not protected sufficiently.’
According to blog Krebs on Security, which first reported the embarrassing security breach, the stolen data can be used to create duplicate cards.
The U.S. Secret Service is now investigating a major cyber intrusion at an Atlanta-based payment processor that could expose millions of MasterCard, Visa, American Express and Discover cardholders to fraudulent charges.
Processor Global Payments Inc said on Friday it had found 'unauthorized access' into its system early in March and notified law enforcement and financial institutions.
Payment network operators MasterCard Inc, Visa Inc, American Express Co and Discover Financial Services confirmed they were affected, along with banks and other franchises that issue cards bearing their logos.
A spokesman for the Secret Service said the agency is leading investigations into the case but declined to give any details.
The companies notified U.S. banks of a potential security breach, and they are now going through the process of pinpointing the affected accounts before contacting customers involved.
Customers are urged to check their accounts online or contact their financial institution regarding any concerns they have.
Visa have already provided the issuing banks with the affected account numbers and assured customers they would not be responsible for fraudulent purchases.
The companies, which are the two largest global credit card processors, said the issue stemmed from a third-party vendor, reportedly Global Payments, and not their own internal systems.
Atlanta-based company Global Payments are being named as the third party processor where the breach occurred.
Following the news, shares of the company were halted after dropping more than 9.1 per cent.
Global Payments said it had 'identified and self-reported unauthorized access into a portion of its processing system' and had determined in early March that the intruders might have gained access to credit-card data.
Though millions of U.S. cardholders could be affected, it does not necessarily mean their cards were used fraudulently but that the cardholder's information was accessed.
Mastercard said in a statement: 'MasterCard is concerned whenever there is any possibility that cardholders could be inconvenienced and we continue to both monitor this event and take steps to safeguard account information.
'If cardholders have any concerns about their individual accounts, they should contact their issuing financial institution.'
Visa also released a statement saying its customers were victims of data theft, but said its own systems were not hacked.
'Visa Inc is aware of a potential data compromise incident at a third party entity affecting card account information from all major card brands.
'Visa has provided payment card issuers with the affected account numbers so they can take steps to protect consumers through independent fraud monitoring and, if needed, reissuing cards.'
The companies' statements came after the blog Krebs on Security reported that MasterCard and Visa Inc have been alerting banks across the U.S. about a 'massive' breach that may affect more than ten million cardholders.
Brian Krebs, who writes the blog, told Technology Live: 'Law enforcement asked everyone to keep it quiet so as not to disturb investigations.
'I'm hearing now from two sources that investigators suspect Dominican street gangs may be involved and that the fraud is focusing mostly on commercial credit and debit card accounts.'
Thousands of U.S. banks that issue credit and debit cards receive daily alerts regarding breaches through a system referred to as CAMS, said Thomas McCrohan, an analyst with Janney Capital Markets.
Once a person swipes a card to pay, the transaction then is sent through a chain of processing.
The Visa-Mastercard breach is the first major instance this year of consumer information put at risk by technological flaws or hacking.
CREDIT CARDS AT RISK
Once a person swipes their credit card to pay, the transaction then is sent through a chain of processing.
First, transactions are aggregated and sent to a server before the card information reaches a processor for authorization.
The processor then sends the authorization request to the bank, which checks the details (whether it is a legitimate account and whether there is enough money to cover the charge) and then confirms the authorization back to the processor.
The current breach is believed to have occurred at the central aggregation point where card information is calculated.