“Massive” breach may affect more than 10 million credit card holders
Credit cards compromised between January 21, 2012 and February 25, 2012
MasterCard said it notified law enforcement officials in the U.S. and has hired an independent data-security organization to review the possible breach. A U.S. Secret Service spokesman said the agency was investigating, but declined to give any specifics about the breach.
Visa blamed a third company for the error. The credit card company said it provided banks with affected customers’ account numbers and emphasized that customers are not responsible for fraudulent purchases.
The companies’ statements came after online media outlets reported that MasterCard and Visa have been alerting banks across the U.S. about a “massive” breach that may affect more than 10 million credit card holders. The report said accounts were compromised between January 21, 2012 and February 25, 2012.
Credit card companies generally protect customers against fraudulent transactions, and Visa said specifically Friday that its U.S. customers were not at risk. Both Visa and MasterCard said their own systems had not been compromised.
How it works?
Once a person swipes a credit card to pay, the transaction is sent through a chain of processing.
The account number, expiration date and possibly the credit card holder’s name is sent from the point of payment to a processor which then connects to Visa or MasterCard. Information is then sent to the credit card issuer. In U.A.E. banks ultimately authorize the transaction, but the systems are monitored by employees who call customers if a transaction is suspicious. The actual transfer of money occurs one or two days later.
The information that was likely collected illegally is called Track 1 and Track 2 data. An individual improperly using the information can transfer the account number and expiration date to a magnetic stripe on a card and then try and use the card on a web site such as eBay, PayPal, Amazon and others. Those transactions are aggregated and sent to a server, but it has a lot of hops along the way before the credit card information reaches a processor.
The illegal use of the data could be stymied if an online merchant asks for the three or four digits printed on the back of the credit card known as the “CVV code.”
Processing companies, which perform millions of authorizations each day, are also supposed to encrypt credit card information. However, a breach could occur if someone gains access to the system and identifies a gap in the encryption.
The Visa-Mastercard breach is the first major incident in 2012 of consumer information put at risk by technological flaws or hacking. Plenty of of massive data breaches in recent years affected banks, retailers, technology companies and payment processors.
Last June, hackers stole information for 360,000 credit card accounts at Citigroup. In the past year, there have been also data attacks against Google and Sony’s PlayStation Network.