Blog post

New credit card data breach revealed

By Avivah Litan | March 30, 2012 | 11 Comments

Just when we thought the big credit card data breaches were over, at least for a while (with Alberto Gonzalez put away after his scams at TJX, Heartland Payments and others) – along comes a new one reported today in www.Krebsonsecurity.com. See KrebsOnSecurity.com

Visa and MasterCard have already issued warnings on this. I’ve spoken with folks in the card business who are seeing signs of this breach mushroom. Looks like the hackers have started using the stolen card data more recently. From what I hear, the breach involves a taxi and parking garage company in the New York City area so if you’ve paid a NYC cab in the last few months with your credit or debit card – be sure to check your card statements for possible fraud.

One interesting twist again sheds light on the fact that knowledge based authentication should not be relied upon. I heard (and this may not be factual) that the crime was perpetrated by a Central American gang that broke into the company’s system by answering the application’s knowledge based authentication questions correctly. Looks like the hackers took over an administrative account that was not protected sufficiently.

Isn’t that usually the case? So if that’s indeed what happened, we can expect the PCI assessors to say NO to KBA on administrative accounts. They need to say NO to many different types of authentication which are being successfully bypassed by determined crooks. See our research on “The Five Layers of Fraud Prevention” and “When Strong Authentication Fails and What you can do about it.”

A layered approach is always best, since you have to assume the bad guys will get through one or two or even three layers.

In the meantime, I’m not sure what’s holding up public disclosure of this breach but expect it to come soon.

Comments are closed

11 Comments

  • John says:

    We offer a software solution that automatically blocks the affected cards once the Visa/Mastercard scheme has alerted the Banks/Credit Unions of the compromised cards. It can stop and reissue over 20,000 card accounts a day – which in a large compromise situation like this is invaluable. Please forgive the blatant push for our software,but it does what it says and could save Credit Card companies millions in protecting potential compromised cards immediately. One German bank that uses it has saved countless money. http://freshvue.co.uk/cap.php
    Please get in touch for a frank discussion on how we can help.
    John