The NY Times reported today that "MasterCard Says 40 Million Files Are Put at Risk" (free registration required);. MasterCard said its analysts and law enforcement officials had identified a pattern of fraudulent charges that were traced to an intrusion at CardSystems Solutions of Tucson, Ariz., which processes more than $15 billion in payments for small to midsize merchants and financial institutions each year.

On and off for the last month one or more people (apparently coming from IP addresses in The Netherlands) have been using our online web store to test stolen credit card numbers in an attempt to find out which ones are still active. Chances are those stolen credit card accounts came from this security breach.
Other Highlights from the NYT Article:

• CardSystems, in violation of MasterCard’s rules, was storing cardholders’ account numbers and security codes on its computer systems.
• American Express and Discover accounts were also compromised.
• Visa said in a statement that it had been aware of the data breach but kept quiet at the request of the authorities.
• MasterCard said an unauthorized person was able to exploit the security vulnerability and gain access to CardSystems’ network, exposing cardholders’ names, account numbers and expiration dates as well as the security code, typically three or four digits also printed on the credit card.

Note that the 3-4 digit security codes are NEVER supposed to be stored. This completely defeats the purpose of the codes, namely that if you have access to that CVV code, you’re olding the card in your hand.

CardSystems web site is located at www.cardsystems.com. I think it’s time for someone to initiate a class action suit against CardSystems. While I don’t know yet whether any of my personal accounts have been compromised due to this breach, I have lost many hours and been charged transaction processing fees resulting from sales being sent through my web store using those stolen credit card numbers.

You should order a credit report once a year and carefully review the report for accounts you didn’t open or other suspicious activity. You can get a merged credit report from the big three reporting agencies from Order a 3-BUREAU CREDIT REPORT from CreditReporting.com.

[updates on this article at: CardSystems (finally!) complying with visa/mc rules]

This entry was posted on Saturday, June 18th, 2005 at 9:41 am and is filed under In The News, CCAuthorize. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site. | Permalink