more on go to china was Re: [IP] Cardholders Kept in Dark After Breach -- Washington Post
Begin forwarded message:
From: Mark Blacknell <blacknell@xxxxxxxxx>
Date: June 28, 2005 7:49:48 PM EDT
To: dave@xxxxxxxxxx
Subject: For IP was Re: [IP] Cardholders Kept in Dark After Breach --
Washington Post
Reply-To: mb@xxxxxxxxxxxxx
Dave,
Apparently, Visa customers in China can count on more
conscientious service than I can, as illustrated in this (very
popular) Chinese blogger's recent entry:
"Yesterday morning, when I stepped out of my office around 11:50 AM, a
customer service representitive from the China Merchant Bank (my
favorite bank in China) called my mobile and asked if I have a credit
card ending with number xx. I confirmed. She told me the Visa
organization informed them that this card is at risk of credit card
fraud. I asked why, and the girl said they don't know th reason yet,
but what they can do is to give me a replacement of the card. She
asked me to destroy my current card and waiting for a new card.
Well. I said "it is good", wondering what happened with my card. Maybe
it was because I have been to the U.S. in April?
After lunch, I used my card - the card she talked about -
unconciousely, as I do everyday. The machine reports: Stolen card! It
is nice that the restaurant didn't call police and I handed in cash
quickly.
At that time, I know, they are serious.
The News
24 hours later, when I open my MSN, I saw a pop up in the news window
- that is the major change of MSN.com.cn launch in China. The news
said: 9000 Chinese card holders are affected. 3000+ visa holders were
affected, and I am honorablely be one of the 3000 card holders."
More at http://home.wangjianshuo.com/archives/
20050623_us_credit_card_fraud_infected_china_and_me.htm
Mark Blacknell, Esq.
Washington, DC, USA
On 6/24/05, David Farber <dave@xxxxxxxxxx> wrote:
Time for a new law nationwide. djf
Begin forwarded message:
From: David Chessler <chessler@xxxxxxxxxxxxx>
Date: June 24, 2005 1:05:22 AM EDT
To: cryptography@xxxxxxxxxxxx
Subject: FWD: Cardholders Kept in Dark After Breach -- Washington Post
I had been planning to call my active credit card companies to
determine whether any had been compromised. This article caused me to
start the process this morning, calling American Express, my most
active account.
After thanking me for carrying their card for 21 years, they refused
to tell me whether any of my three cards was among those compromised.
They tried to tell me that they have all sorts of "anti-fraud"
procedures. Even so, it was Master Card and not American Express that
first uncovered the problem, and there is no way I can reliably
double check an account that has dozens of charges a month, many of
them posted in the name of parent companies located at head offices
in other cities, so that many of the charges are not easily verified
and must usually be taken on faith.
Accordingly, I told them to cancel all three cards and send me new
ones. They were not happy, but were unwilling to tell me whether the
cards had been compromised. Perhaps if they have the expense of
replacing many customers credit cards, some necessarily and many
unnnecessarily, they will start taking security and customer service
more seriously.
When I get the new American Express cards I will call the second most
active card in my wallet, and so on down the list.
http://www.washingtonpost.com/wp-dyn/content/article/2005/06/22/
AR2005062202037.html
http://www.washingtonpost.com/wp-dyn/content/article/2005/06/22/
AR2005062202037_pf.html
washingtonpost.com
Cardholders Kept in Dark After Breach
Some Banks Decline to Tell Customers Whether Accounts Were Compromised
By Mike MusgroveWashington Post Staff WriterThursday, June 23,
2005; D05
Consumer advocates said credit card customers have been denied
crucial information in the wake of a recent data breach, as some
major banks are declining to tell cardholders whether their account
may have been accessed by hackers.
In a security lapse disclosed by MasterCard International Inc. last
week, 40 million credit card and debit card numbers were exposed to
an intruder who gained access sometime last year through a credit-
processing firm. An interagency group of federal banking regulators
has begun an investigation into the incident.
Meanwhile, Internet security firm Secure Computing Corp. warned
yesterday that a fresh appearance of an old e-mail scam appears to
come from opportunistic fraudsters hoping to use fear about the
recent data theft as a way to trick MasterCard customers into giving
up their account information.
Companies such as J.P. Morgan Chase & Co., Citigroup Inc., American
Express Co. and MBNA Corp. said that they are not automatically
alerting their customers that their information may have been exposed
but that they are more closely monitoring the accounts that may have
been affected. The policy was reported yesterday on CNetNews.com.
Such credit-card-issuing banks said MasterCard and Visa have shared
with them lists of account numbers that may have been compromised.
Though such accounts may earn heightened scrutiny from the banks that
issued them, customers may never know whether their account numbers
were among those stolen by hackers.
"Those accounts have been flagged, and we're watching them even more
closely than we otherwise would," said Jim Donahue, spokesman at
MBNA. "If we start to see an unusual rate of fraud [among the set of
compromised accounts], we would consider notifying those customers
impacted -- but we haven't seen that yet."
MasterCard said yesterday that it is up to banks that issue credit
cards to determine whether to contact cardholders.
Consumer watchdog groups decried such policies as bad for consumers.
"That sounds really bad to us," said Chanelle Hardy, legislative
counsel at Consumers Union, the nonprofit publisher of Consumer
Reports magazine. "Any time that any unauthorized person gets access
to sensitive or personal information, [the cardholder] should be
notified," she said. "For a consumer, it's the first line of defense.
It's almost their only line of defense."
The breach reported last week occurred at a processing center in
Tucson operated by CardSystems Solutions Inc. and may have been the
largest such theft. CardSystems did not return a call for comment
yesterday.
The Federal Financial Institutions Examination Council has issued
guidelines for when a bank should disclose to its customers that
account information may have been stolen.
Michael L. Jackson, chairman of the FFIEC's information technology
subcommittee, said yesterday that it was too early in the
investigation to recommend one course or another.
There has not yet been any fraudulent activity associated with the
stolen credit card numbers, said Sharon Gamsin, vice president of
communications at MasterCard. If bogus charges do show up, customers
often are not held responsible but can spend years clearing their
credit ratings if someone steals their identity.
Within 24 hours of last week's news of the breach, a new version of
an Internet scam was circulating on the Web. In an e-mail forged to
look as if it had come from MasterCard, recipients were urged to log
in to a counterfeited MasterCard site and enter their account
information.
That Web site had apparently been taken down yesterday afternoon. It
was registered in the name of Tucson resident Donald Cuppe, whose
wife said in an interview yesterday that the couple knew nothing
about the site but had received a call from their bank on Monday
alerting them that their Visa debit card number was stolen.
Washingtonpost.com staff writer Brian Krebs contributed to this
report.
(c) 2005 The Washington Post Company
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
=-=-=-=-=-=-=-
*** FAIR USE NOTICE. This message contains copyrighted material the
use of which has not been specifically authorized by the copyright
owner. This Internet discussion group is making it available without
profit to group members who have expressed a prior interest in
receiving the included information in their efforts to advance the
understanding of literary, educational, political, and economic
issues, for non-profit research and educational purposes only. I
believe that this constitutes a 'fair use' of the copyrighted
material as provided for in section 107 of the U.S. Copyright Law. If
you wish to use this copyrighted material for purposes of your own
that go beyond 'fair use,' you must obtain permission from the
copyright owner.
For more information go to:
http://www.law.cornell.edu/uscode/17/107.shtml
---------------------------------
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to
majordomo@xxxxxxxxxxxx
-------------------------------------
You are subscribed as ip@xxxxxxxxxxxxx
To manage your subscription, go to
http://v2.listbox.com/member/?listname=ip
Archives at: http://www.interesting-people.org/archives/interesting-
people/
-------------------------------------
You are subscribed as roessler@xxxxxxxxxxxxxxxxxx
To manage your subscription, go to
http://v2.listbox.com/member/?listname=ip
Archives at: http://www.interesting-people.org/archives/interesting-people/