Credit Card Security Breach
RAY SUAREZ: This data theft, which involves Visa and MasterCard customers, follows a series of other cases involving significant losses of personal information. In February, ChoicePoint, a credit and personal information vendor, informed 145,000 customers that criminals may have gained access to their names, addresses and Social Security numbers. Then Lexis-Nexis announced this spring that more than 300,000 people may have had their personal information stolen. Just two weeks ago, Citigroup announced that UPS lost a box of computer tapes containing personal information for 3.9 million individuals.
So what do we know about the latest case involving CardSystems Solutions? Can anything be done to make personal information safer in an era of electronic commerce?
To explore these questions, we turn to: Susan Crawford, a professor at Cardozo School of Law in New York City and a fellow at the Center for Democracy and Technology, and Evan Hendricks, editor of the Privacy Times, a Washington-based newsletter that covers the information world. He’s author of “Credit Scores and Credit Reports: How the System Really Works and What You Can Do.”
RAY SUAREZ: And, Evan Hendricks, what can you tell us? Do we know yet about how this breach was accomplished?
EVAN HENDRICKS: Well, we know limited information. We know that people doing this were actually getting credit card numbers for the purpose of doing fraud and identity theft. And we know they’re planting scripts on the insider codes that would be able to export the credit card numbers to their system. So we know these were thieves. They’re having the run of the place.
What’s disturbing is all the things that we don’t know. We know that the credit card processor was the weak link in the system. But we don’t know how long it was going on. We don’t know exactly how many cases of identity theft we have. And so this is going to put a tremendous burden on millions of consumers to start monitoring their own credit card statements and their credit reports.
RAY SUAREZ: When a pool of data like this has been broken into and messed around with, is there any way to know how many files were taken, how many things the thieves have seen?
EVAN HENDRICKS: If you set up your systems with security in mind so you have audit trails and other checks about how data is coming and going, and you have detection, then you can know those things much more quickly. But if security is just an afterthought, just the way you sprinkle parmesan cheese on your spaghetti rather than baking it into the sauce, then you’re not going to know — and then you have to do all this extra work to find out. And that’s what we’re doing right now. All of a sudden their systems were not set up with enough security in mind, and so they’re going in by hand trying to figure out what’s happened and they’re finding out they don’t really know.
RAY SUAREZ: Professor Crawford, where is CardSystems Solutions in the chain of events that starts with you putting down a charge plate at a retailer or restaurant and then maybe getting a bill in your mail slot several weeks later?
SUSAN CRAWFORD: Well, CardSystems has contractual relationships with both the merchants, who then present the card to CardSystems for processing, and then also on the other end with the credit card networks like the Visa or MasterCard network that clear the payment and get the charge paid for.
RAY SUAREZ: Well, banks are heavily involved in the credit card business. Is CardSystems Solutions and companies like it regulated the way a bank is?
SUSAN CRAWFORD: Not quite. And that’s an open question now for the legislative process. Financial institutions are clearly covered by the Gramm-Leach-Bliley Act and the security safeguard that the FTC requires of those covered institutions, but a vendor like CardSystems is subject to contractual relationships with Visa and MasterCard but not necessarily subject to the same security federal regime.
RAY SUAREZ: And when you see, depending on what day you’re reading the newspaper, different numbers being handed out by the companies as to the number of people affected, are they so far or for some time just educated guesses?
SUSAN CRAWFORD: I think that is the case, but think of it this way. If you’re one of the 68,000 people — that’s the most recent number of files that was actually hacked into by the hackers — if you’re one of those people, what do you do? As Evan suggests, the answer is you should be more aware of your credit reports and your monthly statements.
Be sure to open your monthly statements. But you as a consumer are protected by the Federal Credit Billing Act, which says you’ll never be liable for anything beyond the first $50 of an unauthorized charge. Also, all consumers by the end of the year will be able to get a copy of their credit report for free.
RAY SUAREZ: But let’s say something more than just your card number and your name has been taken. Doesn’t this kind of breach also open you to something more serious than the $50, that is, people being able to open new lines of credit under your name?
SUSAN CRAWFORD: Well, it is important to note that in this situation all that was breached was the card number and the identifying three-digit number. That’s only enough to open a duplicate or request a duplicate card — not to get a new account.
Now, it is true that with more information, like Social Security number and address, much more can happen, and that’s where we get into the real question of identity theft, which isn’t raised by this recent MasterCard issue.
RAY SUAREZ: Evan Hendricks.
EVAN HENDRICKS: Well, the trouble is in this case they got the name and address and the credit card number and the three digit code. And that information can be leveraged in to getting more information because you can find brokers that will still sell your Social Security number because it’s not illegal right now. So this kind of information can lead to identity theft.
That’s why the methamphetamine users are hitting mailboxes just to grab mail. If they don’t do identity thefts themselves, they’ll sell the information to a fence. We have — fences dealing in this now.
And so if you look at the numbers here, which you mentioned, is like — you know, when the “Do Not Call” list first started about 50 million Americans immediately signed up to show they cared about their privacy. Now we total these numbers and we’re finding close to 50 million Americans have been exposed to these sort of security breaches. And to me it’s screaming out for a stronger national policy.
Susan was correctly pointing out that we have one law for the banks, the Gramm-Leach-Bliley Law, but when the ChoicePoint thing hit we realized they’re not covered by federal law. This thing hits and we go, “oh, the credit card process is not covered by federal law.” And so we see the weakness of this sort of sector-by-sector approach that we’ve had because we’re in an age of convergence. Consumers don’t care. They want their information protected. And that’s why we have to go much more comprehensive in protecting it.
RAY SUAREZ: Well, let me make a distinction here because Visa USA announced that 22 million files had been compromised. MasterCard said 13.9 million of its customers, but then announced that a much smaller subset in the tens of thousands were really in trouble. What’s the difference between those numbers? What happened different to that tens of thousands of people compared to the 13.9 million who are compromised?
EVAN HENDRICKS: As I understand it, the 68,000 or so were the ones that they actually were able to trace where the numbers were exported out of their system maybe by these sort of key logger programs, as a way of transmitting information from your system to another system. So I think that’s what that means.
But they also saw that the intrusion basically they’re into the whole file. So they don’t know what other information they could have taken. They just aren’t able to trace what other information was actually taken. Could it all have been downloaded or snapshot in a way so they could be available later? They just don’t know.
RAY SUAREZ: Professor Crawford, when companies hold this kind of information, are they required to encrypt it, that is, hold it in a code that can’t easily be read by outsiders?
SUSAN CRAWFORD: Well, there are a couple of answers to that question. They’re not required by any explicit federal law, no. But Visa’s relationship with these vendors made clear, I would guess in its contract, that any processor had to encrypt data and keep adequate safeguards in place. It’s very clear here that this processor breached those promises to Visa.
So before we jump into talking about widespread, wide-ranging legislation, I think we need to take a step back here. Credit card fraud is at an all-time low in the United States. In fact, credit card companies are very good at detecting fraud. And MasterCard was able to catch this anomaly very quickly.
RAY SUAREZ: Evan Hendricks, do you agree with that conclusion, that this is not a time for more laws on how these are done?
EVAN HENDRICKS: No, I think that’s ridiculous considering the scope of this problem, is that — look what’s happened here. The last person that’s being thought about is the individual whose information is really being compromised. And the credit card might be down and he might be protected under the Fair Credit Billing Act.
The real damage from all this is identity theft when they do start making charges in your name and it comes up on your credit report. Then you have to go through the misery of trying to clean up the credit report.
We need to put a stronger duty on organizations so if they want to have the benefit of trafficking in our personal information, they got to take the responsibility to protect it. And, look, in this situation, no one’s going to the individuals that information is being compromised and really doing anything for them. Just saying, “I’m sorry.”
RAY SUAREZ: A quick response, professor.
SUSAN CRAWFORD: Well, I think it’s important to note that the consumer here has a lot of arms in its possession. In fact, I’ll make a deal with Evan. We should extend the Gramm-Leach-Bliley Act to cover any entity that’s dealing with sensitive financial information.
EVAN HENDRICKS: I love making deals. Let’s have a deal where you can always get access to your record no matter who’s holding it.
RAY SUAREZ: Okay.
SUSAN CRAWFORD: I’d go well…
RAY SUAREZ: We almost settled this whole thing tonight. Guests, thanks a lot for being with us.
SUSAN CRAWFORD: Thanks so much for having me.