How Long Did The ‘Biggest Data Theft In History’ Go Unreported?

I continue to be intrigued, but somewhat perplexed, by the CardSystems security breach that happened nearly two months ago now. Who knew it first, and who told who, and when? And why did it take so long to tell the rest of us?

A U.S. company claimed it was its software that first spotted the breach last year, in a press release issued July 13:

ACI Worldwide (Nasdaq: TSAI), a leading international provider of enterprise payment solutions, today announced that its ACI Proactive Risk Manager™ software helped National Australia Bank (NAB) detect the recently revealed security breach at CardSystems Solution before any other bank or financial institution.

But did it? The press release from ACI quotes Australian Treasurer Peter Costello as having “recently told Parliament that National Australia Bank was actually the first bank in the world to uncover the fraud”:

“It was the NAB that uncovered this fraud out of all the domestic and international banks of the world and reported it to MasterCard and Visa in September 2004,” said Costello.

Wow. That’s eight months before anyone else, since CardSystems didn’t announce the fraud until May 22 2005. So what did the Australian media say about this?

An AAP report on June 22 (sorry, no links for these; they’re from Factiva) quoted Costello as saying:

“It was the NAB that uncovered this fraud out of all the domestic and international banks of the world, and reported it to Mastercard and Visa in Sept 2004,” he said. Mr Costello said the US Federal Bureau of Investigations began investigations soon after the fraud came to the attention of Visa and Mastercard.

He said the FBI declared the issue a crime scene only on June 1 this year. “During this investigation organisations were told by the FBI not to say anything publicly, and the FBI only allowed public comment on Thursday or Friday last week,” he said.

A Reuters report covering the same press conference (or whatever it was; neither wire is clear on where Costello was speaking) quoted Costello as saying December, not September. An updated report from Reuters the same day adds comments from MasterCard and Visa that shed further light on this:

MasterCard spokeswoman Sharon Gamsin said, “We said from the beginning that it was reports of fraud from issuers that enabled us to do the analysis that led to CardSystems and led to the scope of this incident. One report of fraud would not necessarily have gotten us to that point.”

Visa spokeswoman Rosetta Jones said that when her company detects fraud, “banks are notified and accounts are closed. In this case, the National Australia Bank may have detected fraud late last year, but there was no clear indication that this fraud was part of a larger data compromise at that time.”

Finance Minister Nick Minchin said in an address to Australia’s parliament that Australia & New Zealand Bank Ltd., Commonwealth Bank Ltd. and NAB had each been monitoring the fraud since December and had canceled and reissued cards where transactions were suspect.

An AAP story two days later adds further detail:

As long ago as December last year, round-the-clock fraud squads at the four big banks had picked up on a pattern of unauthorised transactions on their customers’ credit cards, originating out of the United States.

Treasurer Peter Costello told parliament this week that National Australia Bank was actually the first bank in the world to uncover the fraud, which has been traced to a security breach at a US company that processes transactions.

The Australian banks contacted about 2,000 affected customers and issued them with replacement cards months before MasterCard’s announcement this week.

This raises a host of issues that I’ve not seen addressed elsewhere. If the Australian banks saw this fraud so early, why did it take so long? The Australian Financial Review (subscription required) today pointed out these inconsistencies and the fact that California credit card holders have filed suit in San Francisco against CardSystems, Merrick Bank, Visa and MasterCard, claiming “the companies should take responsibility for the security data breach”:

CardSystems has claimed it did not discover the security breach until May 22, 2005. But it is now known MasterCard and Visa were alerted to fraud resulting from the data breach as early as January. The complaint also alleges Visa and MasterCard failed to take “prompt remedial action” or take steps to notify affected consumers.

“Defendants, by failing to timely disclose the security compromise or data theft to affected consumers and merchants, are attempting to shift the burden of discovering resultant fraud away from themselves, even though they are responsible and are in a better position to discover and prevent fraud to consumers and merchants.”

Visa and MasterCard have defended their handling of the incident, saying they had to be sure CardSystems was the source of the data spill before going public.

So, as far as we can deduce from this, NAB, via its fancy software, spotted some kind of fraud taking place. That information was passed on to Visa and MasterCard sometime between September 2004 and January 2005. The FBI passed this information on to CardSystems at some point, although why everyone decided to sit on the information is unclear. Their initial statements, which I illustrated in the original post, will probably require some finessing as the suit passes through the legal system.

Wiretapping Your Way Into Credit Card Fraud

If you think the Internet is a scary place for stealing your sensitive bank data, try your local gas station.

The Star Tribune in Malaysia reports that criminals there are increasingly intercepting the transmission of credit card data between the point-of-sale machines that swipe your card and the bank. This data, incredibly, is being sent in unencrypted text form, so all a criminal has to do is ‘wiretap’ the phone line and capture the data — usually onto an MP3 player. All they need to do is find the phone line, either in the outlet’s Main Distribution Frame room or that of the bank itself, and record the gurgling modem sound. A special decoder can then convert that noise into data. Your data.

The banks are finally getting onto this. Malaysia’s central bank has ordered all credit cards in the country to be EMV (Europay/MasterCard/Visa) compliant by the end of 2005 (this means smart cards, supposedly fraud-proof). But for now, The Star Tribune says, the banking industry is trying to encrypt the data. Unfortunately, so far nothing has been agreed on.

At the risk of sounding appalled, I’m appalled. How can such data be transmitted without a modicum of encryption? This means that when we’re typing our credit card number into a web page it’s actually more secure than if we give it to the guy at the gas station or restaurant?

I was never that happy anyway doing the latter, given the prevalence of skimming — where a crooked employee would either double-swipe your card, or swipe it into a separate device that stored your details — but now, it seems, the data is up for grabs even when it’s being transmitted to your bank for verification. Yikes.

Ho, Ho, Ho, Tis The Season Of The Online Scam

Phishing — the art of depriving folk of their sensitive password data and then using it to empty their pockets — has become the scam du jour of the holiday season. The Anti-Phishing.org website says it has seen ‘dramatic’ growth in November and December of email spoofing (emails claiming to be from, for example, your bank) and general fraud activity. (Anti-Phishing is an industry group founded by Tumbleweed Communications, a builder of anti-spam software.) For example:

— More than 60 unique new phishing email fraud attacks have been launched against consumers in the last 2 weeks
— Over 60 million email fraud attacks are estimated to have been sent out in the same period – timed for the peak of the holiday season
— eBay customers were the most highly targeted by scammers, with 24 unique email fraud attacks over the past 60 days
— Online financial institutions, including banks, Visa and PayPal, represented the largest target group with 35 unique email fraud attacks reported over the past 60 days

It seems that phishing has been remarkably rewarding for the scammers involved. The Anti-Phishing Working Group reckons an average of 5% of recipients respond to such emails, resulting in financial losses, identity theft, and other fraudulent activity. And, perhaps worse, this “activity threatens the integrity of companies that do business online”. (I’m assuming they’re talking about banks, eBay and other folk who rely on ordinary folk to maintain their faith in the security of online commerce.)

There are a number of ingenious scams that play on the holiday theme — which also highlight that it’s not just banks and big-ticket items that the phishers are targeting. One example is a fake online Christmas card, designed to compromise AOL accounts. In this scam, the recipient receives a spoofed email from the “AOL Hallmark” team and is asked to visit a website to pick up his/her card. In order to access the site (which is run by the scammer), the user is asked to log in to his or her AOL account, thereby divulging the account name and password. The compromised account can then be used, the Anti-Phishing Working Group says, to launch further phishing attacks, virus attacks, spam, or other nefarious activity.

Clearly this sort of thing is going to grow, becoming more sophisticated as users wise up to the scams. Recent emails now play upon the growing awareness of scams by claiming to be from your bank, warning you about such scams and telling you to ignore other emails. They then, of course, go on to tell you to visit the legitimate website to confirm your password. (The main component of this trick is that 90% of the email is genuine, in that the images are all from the bank’s website, and if you hover your mouse over the link you’re being asked to visit, it may well look genuine too. What you’re actually seeing is a clever ruse: the real website is buried at the end of the link, hidden after a lot of empty space. So checking that sort of thing is no longer enough. It should go without saying that you shouldn’t react to any email that requires you to do anything with your password. For a good resource on such scams, check out Codefish.)
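The padded-link trick described above is the kind of thing a mail filter can catch mechanically rather than relying on a reader’s mouse-hover. The following is an added example, not from the original post or from any product: it parses a constructed sample of email HTML (all hosts are made-up `.example` names) and flags anchors whose href contains whitespace padding, embeds more than one host, or points somewhere other than the host shown in the visible link text.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, unquote

# Constructed sample (not a real phishing mail): the second anchor's visible text
# and the start of its href look like the bank, but the real destination is
# pushed out of sight behind a run of URL-encoded spaces.
SAMPLE_HTML = """
<p>Please <a href="http://www.bank.example/security">verify your password</a>.</p>
<a href="http://www.bank.example/login?return=%20%20%20%20%20%20%20%20%20%20%20%20http://phisher.example/collect">www.bank.example/login</a>
<a href="https://www.bank.example/help">https://www.bank.example/help</a>
"""

class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(s):
    """Lower-cased host of a URL or of a bare 'host/path' string."""
    if "://" not in s:
        s = "http://" + s
    return urlparse(s.strip()).netloc.lower()

def audit_links(html):
    """Return (href, reason) pairs for anchors that look deceptive."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        decoded = unquote(href)          # expose %20 padding as real spaces
        if re.search(r"\s{3,}", decoded):
            findings.append((href, "whitespace padding inside href"))
        hosts = {host_of(u) for u in re.findall(r"https?://[^\s\"'<>]+", decoded)}
        if len(hosts) > 1:               # a second URL hiding inside the first
            findings.append((href, "multiple hosts in href: " + ", ".join(sorted(hosts))))
        looks_like_url = re.match(r"(https?://)?[\w.-]+\.\w+(/|$)", text)
        if looks_like_url and host_of(text) != host_of(href):
            findings.append((href, "visible text host differs from href host"))
    return findings
```

Note that the plain text-versus-href host comparison alone passes the padded link, which is exactly why the padding and embedded-host checks are there.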

In the end all this will help educate users about the Internet and about improving their own security. I don’t see it doing any serious damage to online commerce, at least in terms of undermining public confidence. I do believe, however, that we’ve seen only the tip of the iceberg in terms of the sophistication of scammers, and banks and other online institutions must improve their awareness of the threat, as well as protect and educate their customers.

Have a phishing-free Christmas.