VISA and MasterCard are alerting banks across the country about a recent major breach at a U.S.-based credit card processor. Sources in the financial sector are calling the breach “massive,” and say it may involve more than 10 million compromised card numbers.

In separate non-public alerts sent late last week, VISA and MasterCard began warning banks about specific cards that may have been compromised. The card associations stated that the breached credit card processor was compromised between Jan. 21, 2012 and Feb. 25, 2012. The alerts also said that full Track 1 and Track 2 data was taken – meaning that the information could be used to counterfeit new cards.

Neither VISA nor MasterCard has said which U.S.-based processor was the source of the breach. But affected banks are now starting to analyze transaction data on the compromised cards, in hopes of finding a common point of purchase. Sources at two different major financial institutions said that what most of the cards they analyzed seem to have in common is that they were used in parking garages in and around the New York City area.

It’s not clear how many cards were breached in the processor attack, but a sampling from one corner of the industry provides some perspective. On Wednesday, PSCU — a provider of online financial services to credit unions — said it alerted 482 credit unions that appear to have had cards impacted by the breach, and that a total of 56,455 member VISA and MasterCard accounts were compromised.

Brian Krebs is an expert on computer security with an international reputation. This is a breaking story and he’s still soliciting info about this security failure.

  1. Yaknow says:

    My bank tells me not to worry about on-line security breaches, their system is secure. I have nowhere to turn in the face of such horror. Where are those quantum computer servers!

    Parking garages, I knew you can’t trust them.

  2. jdwvu says:

    Why would you spend it all on parking in NYC? Smells like either a beta test/proof of concept or a ruse.

    • moss says:

      Could have been a ring working inside simple administration gig for the parking chain. The “transaction data” can be before the act of lifting card numbers, etc.

      Bloomberg is reporting a card processor in Atlanta has had trading halted this morning after a 13% share price drop followed by a 9% drop. (GPN)

      They don’t say whether they’re a possible source of the theft – or simply one of the first to report 50,000+ uses of the stolen cards.

      Will be a decent-sized mess by the time it all comes public.

      • deowll says:

        Actually they did say they did a spot check and hit 56,455 positives. That is more than enough to suggest that the problem is very serious with a lot more positives existing.

      • Glenn E. says:

        Is it just a bit unfair that they “halt trading” in something bottoming out, while letting other stocks crash to rock bottom? You wonder just who they’re protecting? The small time investors, or the big time investors (who hadn’t had time to all bail out)? Seems to me that a “free enterprise market” has a number of safety nets at the ready, that most of us can’t take advantage of.

  3. bobbo, the pragmatic existential evangelical anti-theist says:

    I went to Wells Fargo and asked a Bank Officer if I could set my account up so that cash could be withdrawn only by written check. I was told no.

    I know of several good people who lost all their savings and had bad electronic transfers that ran debt up on them. Banks said they weren’t responsible and for my friends to find the criminals involved.

    Now–I can imagine family members stealing checks and using credit cards without knowledge or permission of the parents==but there is precious little anyone can do to stop some middle man double proxy whatever.

    Given the money involved and the expertise of evil doers, how long until all the money is stolen?===you know, besides by the politicians and bankers themselves?

    Corzine: “I don’t know where the missing MF Global money is …” //// I do hope they checked his attache case before he left to go to the bathroom.

    • moss says:

      How do you fit an ACH transaction into a briefcase?

    • Wells Fargo and their cavalier attitude are part of the problem. CHANGE BANKS!

      • slotmouth says:

        Look up Reg E. It will protect you from ACH, debit/credit fraud, and even your own stupidity. As a banker for WF, I have personally submitted numerous Reg E claims for clients. The money is generally back in their account within 48 hrs as provisional credit, after that you have about 7 days to sign an affidavit stating that you did not engage in the transactions and voila you get your money back. A guy once claimed that strippers drugged him and made him spend $2000 at a club, one Reg E claim later money is back in the account. Claims are occasionally rejected because of implausibility or investigations revealed evidence to the contrary. After rejection you can opt for independent arbitration to settle the dispute. Also you can open an account at Wells that does not allow ACH, but you will have to jump through hoops.

        • bobbo, the pragmatic existential evangelical anti-theist says:

          Slotmouth: thank you. That’s good to know. Even though, I still don’t want any “electronic withdrawals” from my accounts to begin with.

          I look to my BA

          • bobbo, the pragmatic existential evangelical anti-theist says:

            BANK to be a safe place to put my money, not a convenient place to do so.

            and btw–I am looking to transfer my account to the local Credit Union.

            Should we all?

          • slotmouth says:

            It depends on the credit union, some offer good rates and some do not. Additionally CU’s often charge a monthly fee, but that is often paid for by the interest earned depending on the balances you keep. There are two CU’s in my area one that offers 1% on deposits with a $1 per month fee and one that offers .01% under 25k .05% after that. Breakeven on the CU at 1% occurs around $1200 balance and it scales pretty nicely for those with higher balances. Of the big banks, WF and US bank are probably the best. I like that WF opposed the bailout calling it asinine; I also like that they were one of the first to support gay rights. I am not trying to write a commercial for WF as it certainly is a victim of big bank bureaucracy and has terrible branch turnover rates. However, security is much better than at a CU. For example, I was getting charged fees on a CU out of state that would not allow me to close over the phone (there was only about $500 there). I eventually took a trip to that state and went to close my account. I sat down with the banker and he asked for my social. I gave it to him and told him to close my account. He came back with a check for $500 and I walked out without showing an ID of any sort. That would never happen at WF because the system will not allow you to perform any withdrawal without entering ID information or entering a PIN.

    • CrankyGeeksFan says:

      Just decline a plastic card being issued for your account if possible. Tie it only to paper checks.

      If you must get a card, get one WITHOUT the Visa or Mastercard symbols printed on them – in other words an old-style ATM card and only use that card at ATMs.

      The technology in the cards must be updated. Tracks 1 & 2 information was stolen. The info will probably be used to make fake cards. Tracks 1 and 2 – it sounds like magnetic tape storage which is what it is.

  4. MartinJJ says:

    Yeah. Those New York street gangs are a real pain in the ass with their computers in the parking garages. Oh wait. Are they talking about Wall Street bankers here?

  5. NewfornatSux says:

    There has been a massive break-in of the Social Security Administration, where hackers took the Social Security data, filed false tax returns, and had refunds deposited into closed bank accounts.

  6. sirfelix says:

    The story says: “total of 56,455 member VISA and MasterCard accounts were compromised.”
    Why does your blog post say “10 Million”?

    Does John need the ad income?

  7. Anonymous says:

    Oh sure! And now some group of MORONS is talking about using CELL PHONES instead of CREDIT CARDS?!


  8. AdmFubar says:

    all credit transactions are not secure
    use only cash!

  9. Gildersleeve says:

    Funny, how we so heavily distrust electronic voting but casually put our hard earned money into the bankstas borg complex. Like so many things happening today, history will look at us and say “what were they thinking?”

    • NewfornatSux says:

      Not comparable, as secret ballot is important. You get a receipt from a bank with how much money you’ve deposited.

  10. deowll says:

    Actually a few things could be changed that would end a staggering amount of credit fraud/ID theft. All credit reports should require a match on the age and home address of the person asking for it. It should also require a photo of the person’s thumb print sent by the asker after they take the print if they are going to extend credit by creating a credit/debit account, etc. and a photo of the person sent by the asker after they take the picture if they are going to extend credit by creating a credit/debit account.

    Most ID thefts are of children.

    The number pads for ATM machines should allow at least 10 digits/ letters/ signs.

  11. Glenn E. says:

    Sometimes I wonder if these breaches aren’t how the CIA gets some of its black ops funding. Just wait for it to happen, then ride the coattails of the real thieves, and pick up some untraceable cash to do their business with. Meanwhile, they’re NOT doing much to prevent these breaches, are they? Which is why I wonder if they’re counting on them? And maybe even allowing them.

  12. One of the most useful tips that I got from a friend was to install a restaurant camera. He recommended a webcam software called GotoCamera. This is how it works – Set up a webcam near to your cash counter or any part of your restaurant which you wish to monitor, download the GotoCamera software. The set-up instructions are pretty simple and easy to follow. The best part is that you can access it from your smart phone so that you can remotely monitor your camera’s recordings when you are away from your restaurant.

  13. setagl says:

    Could LulzSec have pulled off their AFD op. a couple of days early?
    Naa, couldn’t be. D.O.P.E. (Dept. of Political Enforcement (new name for D.O.J. (names should match character don’t you think))) thinks LulzSec’s promise was just bluster.

