Only a fraction of lost cards are "high-risk"

Only a fraction of lost cards are "high-risk"

Summary: Over at Digital Identity World, Eric Norlin reacted with incredulity to MasterCard's PR spin on the loss of 13.9 million customer card numbers by card processor CardSystem Solutions.

TOPICS: Security

Over at Digital Identity World, Eric Norlin reacted with incredulity to MasterCard's PR spin on the loss of 13.9 million customer card numbers by card processor CardSystem Solutions. The spin was part of a story in USA Today that read in part:


Credit card users, don't fret. Only a small fraction of the 13.9 million credit cards accounts at MasterCard exposed to possible fraud were considered at high risk, the company said Saturday.

MasterCard International Inc. spokeswoman Jessica Antle said only about 68,000 of its card holders are at "higher levels of risk." And while those 68,000 should closely examine their credit or debit card accounts, customers do not have to worry about identity theft, Antle said.

I'm sure you're feeling better already.  What exactly is a higher level of risk?  Fortunately, the CardSystem Solutions breach didn't contain Social Security numbers like other recent losses of personal data, but sloppy handling of personal data is still sloppy. 

You may wonder why we're seeing more and more of these kinds of incidents lately.  I think there's two primary drivers:

First, some state consumer protection laws, California's in particular, require the the disclosure of any loss.  This forces companies to tell consumers things that they would have tried to quietly hide in the past.  This is a two-edged sword.  Sometimes, such disclosures alert thieves of the true value of what they've got, as in the case of a couple of stolen laptops at UC Berkeley a while back.

Second, there's a growing market for identity data.  Five years ago, this sort of thing was relatively disorganized, but at present, I'm told, an SSN sells for $1.00 to $1.50.  So, stealing a single SSN isn't worth much, but if you can get your hands on thousands of them, that's a business.   I recently heard from a friend who worked for a virtual hosting company.  He said they would regularly have accounts opened on stolen credit card numbers and no sooner did they shut them down, than another stolen card would be used to open another account that was obviously from the same person.  Sometimes this would go hundreds of times.  Since the accounts were provisioned from overseas, there wasn't much law enforcement could do.  Entire criminal enterprises are being run on stolen credit cards.

I'm with Eric on this one.  I don't want MasterCard's glib assurances that only a small fraction of the lost cards are high risk.  I want them to take steps to protect customer data. 

Topic: Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • B a s t a r d s ...

    They need to pay dearly.
  • not suprising

    I have little doubt that until we adopt a completely new set of standards, methods, and really a new physical network to handle this sort of high value data, that this crime will continue to increase. Amalgamating all of the data on one pipe is like transporting cash to and from the bank on a bus, its really a bad idea..... enter the armored car.
  • How do we know?

    How do we know if we're one of the "fraction" that are at high risk? I don't live in California. Is MasterCard going to tell me if I am in this group?
  • Civil liberty vs Fear

    You know where all of this is headed don't you? We are going to be so wary of the use of our credit cards by others that we will be, yet again, willing to give up some degree of our privacy to safeguard against it. This was bound to happen. Hey, how about an embedded chip like our pets that will not only identify us, but let marketers know what stores we even walk into? Carry this scenario out ...
    • exactly, but the blind sheep don't see it coming like this!

      I was going to input the same scenario but you beat me to it. All
      these high profile credit card & other personal client ID losses
      are just going to eventually open the door for this global
      government system being put in place now, which will have this
      world's federated citizens to be implanted with some kind of
      digital microchip (in the right hand or forehead). This way we
      can have our fool proof, secure and untouchable positive means
      of identification on our persons at all times to be tracked and
      profiled 24/7 in realtime via canvassed wireless technologies
      providing data streaming on a global scale. This is where all
      these RFID type technologies are headed, like it or not. I read a
      Book one time that mentioned this type of scenario ........
  • Amex, Visa, MC profit from stolen cards!

    I have yet to see someone mention another reason why stolen credit cards are a big problem - the card companies profit from stolen cards, so they have every incentive to keep them in circulation. As a merchant who accepts credit cards, I have tried numerous times to report that a stolen card was used on my site. No one cared! They wouldn't even give me the name of the actual cardholder so I could alert them. On a few occasions, I found the cardholder myself and they had no idea their card was being used.
    When a merchant accepts a stolen card, he ends up not only paying the cost of the transaction but an additional penalty of $25 to $50. This is pure profit for the card company. So unless the actual cardholder calls them, they won't stop a stolen card from continuing to be used. There are also cardholders who use their card, then claim it was stolen, they do it again and again with impugnity.
    West Virginia, among other states, is in the process of passing a bill which requires card issuers to prove that they stopped a card from being used again when a it was reported stolen and that they took steps to prevent fraud. The card companies are FIGHTING this legislation! I wonder why they WANT stolen cards to continue to be used.
  • Thief

    Were there lost or Stolen? If they were lost then someone made mistake. If they were stolen then it was thieves willing to take the risk. Until people get serious about crime prevention (not law enforcement) with tougher punishment these things will continue to happen.
  • W hich Fraction; Which Cards?

    It isn't the cards I personally hold presently that worries me, but the results of the following story:
    This story is convoluted, but I shall endeavor to keep it as brief as possible.

    First was the attempted purchase at BestBuy of memory on sale along with an external housing for an internal hard drive.
    When I advised the sales clerk that I did not have enough to purchase the memory, he encouraged me to apply for one of their "No Cost, No Obligation" cards. That will be the theme of the last part of this report.

    Because I divorced in 1993, and the court awarded custody of our minor daughter to me; and because her mother continued to receive AFDC in Florida while attending college in California without the child - who was living with me - I am considered a "DeadBeat Dad" by the state of Florida, so I know I don't have good credit - and I told the salesclerk that. Of course I was denied.

    I did, however, purchase the disc box. After three uses on each of two machines, I discovered that XP would fail to recognize and use the USB connection on the box.

    I returned it the very next weekend (I live in Chillicothe MO and the Best Buy in question is in Columbia - 2? hours away and gas). Because it took three tries to get it to fail on their machines, and because they did do the required three tries, they too discovered that the product, when used with XP was defective, and since they had no other OS to sell me, they refunded my price.

    We then tested - and failed - all the remaining boxes on their shelves and the "geek-squad" returned all product to the manufacturer.

    One month later I revisited the same store and discovered the same merchandise on their shelves. I mentioned it to the "geek-squad" who said they had wondered if they should test these too - - - but hadn't.

    Yesterday I received a bill in the mail from HSBC. Inter alia, they told me that
    1). I had not activated my card;
    2). I had no previous balance;
    3). Their annual fee was $69.00; and finally,
    4). My minimum payment was $18.00

    My options were to pay the bill; however this appears on the back:
    "By sending us a check for payment on your Account, you authorize us to initiate an electronic funds transfer from your bank account according to the terms of the check. If you do not want your checks to be converted to an electronic funds transfer, please call customer service at the phone nmber on the back of your card."

    (Remember, I do not have a card so I cannot ascertain the terms...)

    And, of course, at the bottom:
    "Negative Credit Bureau reporting: We may report information about your Account to credit bureaus. Late payments, missed payments, or other defaults on your Account may be reflected in your credit report."

    I'm sorry, but this does not seem much like the "No Cost, No Obligation" offered so enthusiastically by the BBSC (Hey, they use initials, so can I), and since it now involves the USPS, I reported it to the Inspection Service. Debby advised that I call them to see if they would resolve this amicably and properly - but sent me a "Mail Fraud Report" just in case.

    I called the customer service number provided. Before getting further, I had to "acknowledge" the last four digits of the Account Number they had assigned me. They even had all my information from the caller-id so they gave me my information!

    I was reluctant to enter the "1" for fear that might count as some acknowledgement of my acceptance of their "offer/bill". Nothing ... then a repeat of the required step. I pressed "1".

    Now I have the typecast Hindi voice: "Hi, my name is JOOOOOOOe, how mayeeeeee Ieeeee heeeeeelp youuuuuuu?

    Well, Joe, before we proceed, I need to inform you that I have already contacted the Postal Authorities and I am proceeding according to their advice. Since what happens here and now may result in an investigation for Mail Fraud, is there some supervisor or manager you need to add to the line before we proceed?

    He assured me he could handle it.

    Soon he had punched some buttons and offered me letter confirming that my card was being cancelled. I added that it had better also say there was no charge, or outstanding bill, and that there would be no "Negative Credit Bureau Reporting" as a result.

    Next I called 1-888-BESTBUY to report to them that I (and hopefully, thousands of others) did not appreciate the tactics used by HSBC, and that by being in bed with them made it clear to me that I would not like to pass through their "In" doors again - even with wads of cash oozing from my bulging pockets.

    Maybe you would not be surprized by the hoops I had to jump and the buttons I had to push and the menus through which I had to wade before finding a person at the other end. ... Not the least of which was that they required an Account number - followed by the "pound-sign" before allowing me to move on; I finally pressed "0" - nope, that won't work; so I pressed the # key and that got me through.

    I thought I was talking with a BestBuy rep, but it turned out that the call was re-directed to HSBC! I did not learn that until I told them that I was reluctant to return to their store if they were going to continue to be bed-partners with HSBC, and the woman on the other end finally "fessed-up" that she was actually with HSBC and not BestBuy. ... Talk about a "smoking gun"???

    That's the end of this subject. I hope there are no Pre-Quel's or Se-Quel's. I also hope you enjoyed my writing. It has been many years since I have done this, but after reading your articles and then the article on the guy who signed "Not Authorized" on his CC purchase, I thought maybe I'd give it a try again.

    • I'm so ****ing sure (flame alert)

      (flame on)

      I can't believe I read the whole thing. Cue the alka-seltzer commercial.

      Any intelligible information in this post is buried in a mass of self-apologetic dreck. Thank goodness you weren't writing about your trip to the grocery store, and I'll just mention here that I really don't want to know what brand of deodorant you use or any FURTHER personal life details, much less the name of the person you talked to at the post office.

      The more interesting issue here is about your credit. WHAT IS THIS COUNTRY SMOKING? It bothers me greatly - and should bother you as well - that someone with poor credit and no cash can walk into a Best Buy and come out with a) merchandise and b) a high-interest credit card account. Someone, somewhere (hint: all of us) is footing the bill for the continued deterioration in credit.

      If you went to Best Buy knowing that you couldn't pay for what you wanted, AND didn't have a credit card, AND allowed yourself to be suckered into signing up for the house credit card, AND didn't read the fine print when you signed, then you darn well deserve what you got.

      You need a steady job. You need to spend only what you can afford. You need not to run up bills on credit cards when you can't pay the whole amount when the bill arrives. You most especially need not to be so indignant about the way you think you're being treated. Get a grip.

      (flame off)
      • You didn't thoroughly read before flaming, did you?

        He said his x-wife had crippled his credit by submitting him as a deadbeat dad, even though the daughter was awarded to him, and under his financial support without any input from her. There was nothing in there about him being unemployed, financially unresponsible, or otherwise. This is another problem with our society is that men are always considered guilty when it comes to family matters, before their side is heard, as if they are automatically less credible than the women. And many ladies say that men run the world....
        • trust me, I read it

          ... every excruciating word. I have cheerfully drawn my own conclusions about his lifestyle based on the assumption that, if he has been unable after 11 years of divorce/custody/etc to walk into a Best Buy without a useable credit card, there's more to the problem than a dysfunctional state welfare agency. Nor do I have any intention of ascertaining the fact or fiction behind his tale or woe. This country's credit system is screwed up beyond belief and MEDIA_TED's story is a chilling example of why.

          Last hint: THIS IS NOT ABOUT EX-WIVES. Count on it.
  • Security is now EVERYONE'S problem

    Microsoft is not the only getting yelled at about security. Every one of these agencies that has access to our confidential information better buckle will not be long before we are sueing them. They have couple of choices, get rid of the confidential information or security it. I look at these companies like having the neighbours kids over to my place. I have some of theirs that is very valuable to them and they expect me to watch over them and keep them out of harm to the best of my abilities. If I abuse them or all them to come to harm due neglegence on my part, then they have the right to bring criminal charges or at the very least sue my sorry butt.

    There are way too many companies today that will gather databases of information on their customers for their business gain(eg shopping habits, spending amounts,etc) along with the usual financial/personal information and I believe this is very wrong and should be prohibited by law. I believe that in the absence of law, then they should be sued if there database is hacked and I become the victim of identity fraud. After all, this information was given to them in trust that it would be protected. I am sure that after a few law suits, these companies would think twice about keeping any confidential information about their customers.
    This was the great thing about paying confidential/personal information need be given and there was no possible worry about identity theft.