Compromising Positions


Last week I got a new Visa card from my bank in the mail. This is a relatively quotidian matter, not worth mention, save for the fact that

  1. I did not ask them for a new card, and
  2. It came with a rather curious letter.

The letter, titled URGENT SECURITY WARNING — CARD INFORMATION COMPROMISED, said (certain details have been modified, obviously):

Visa U.S.A. recently notified GenericBanCorp of a security intrusion to a retail merchant’s database. We believe that the Visa card number associated with your account may have been compromised. While we continue to monitor your account for unusual activity, your GenericBanCorp Visa Card will be deactivated on [date] as a proactive measure.

So, working backwards, it looks like one possible chain of events was that the retailer noticed a security breach, notified Visa with the list of possibly compromised accounts, and then Visa, in turn, notified the banks of the affected card holders.

But another, more troubling, possible chain of events is that someone other than the retailer (probably a bank) noticed a very large number of fraudulent charges or unusual patterns of activity, and then notified Visa, who then worked backwards and figured out who the retailer was from past charges. It’s troubling because that’d mean that the retailer was incompetent enough to not notice a major security breach, something that’d be akin to walking out your front door and not noticing an overturned garbage truck on your front lawn.

Then there’s the matter of what kind of ‘security intrusion’ was involved. It’s written to suggest that the database was hacked into by an outside party. The problem with that idea is that part of Computer Security 101 is that you don’t keep credit card numbers on a computer that’s connected to the Internet. If that were the case, then the ‘security intrusion’ was an inside job. But if it wasn’t, and those numbers were hacked into from the outside, then the merchant was, at the very least, negligent, if not reckless, in handling their security.

The third option, of course, is that the numbers were on a laptop that got stolen, but that’s even stupider than leaving your credit card database connected to the Internet (though, unfortunately, not unprecedented).

Of course, the $64 question is: who’s the unnamed ‘retail merchant’?

6 Comments

I just noticed that I won the monthly contest. Too bad I don't have a website anymore.

Well, in all fairness, you can practice reasonable computer security and still be compromised and lose credit card numbers. You -shouldn't-... but it's definitely possible.

Any company that has "quick buying", like, say, Amazon.com's 1-click, or that has a subscription/ rebill/ etc. service, will have to store your credit card info. And realistically, while they shouldn't be stored on a machine that's directly connected to the internet, nowadays it'll probably have to be connected to the internet in some indirect way in order to process the payments... and if it's connected, even indirectly, then it means it's possible to compromise it remotely.

(There are some companies that will still do private line or other similar connections for payment processing, but most of them do it directly over the internet.)

Well, even if that information is on a machine that is only indirectly connected to the internet, then that means that at least two machines were compromised, which is a Very Bad Thing indeed.

My money's on an inside job, though.

You should mail them a letter asking for the name of the retailer.

The banks were notified by Visa in late January that a U.S. merchant might have compromised their credit-card account information.
