Comments on: Credit card data breached at unnamed payment processor

Credit unions are reporting that consumer credit and debit accounts were exposed in a breach at a payment processor but the name is being withheld during the forensic investigation.

[yacahuma]

Do hackers know something we dont? If I encrypt my database data with 256 AES. Can they really crack that sucker? Or is just these processors dont have any security measures? Can they tell us, how did they do it, so everyone else can protect against that? It seems to me that the bad guys always know more than the good guys.

[discern]

If I encrypt a string w/ 256 bit AES, I use a key to do it. If I want to decrypt it, I use that key. The problem lies in storing the key.

[ti99_forever]

I worked for a major Telecom co 7 years ago, and we sent credit info in plaintext. I won't say who.
"Can you hear me now?"

Also, work now for a hospital who sends patient info in plaintext via ftp. Includes names, addresses, birth dates, SSNs, and of course the radiology results. Used to send it via 3.5" disk. Imagine that being dropped. Not that ftp is any more secure.

Just because the technology is available does not mean it is used. Think about it... it's cheaper to not change your processes...

[mmccaull]

Why are we bailing these guys out? And... Why are we making such a strong case for the mark of the beast? With todays knowledge and development tools, there is not excuse for this.

To whom much is entrusted to, much is expected...

It's really hard for network guys to know where to start to look for these kinds of failures. Pretty much every financial institution is in a perpetual game of cat and mouse on this stuff because there are just so many ways information can be moved. I don't know of any payment processing services that don't encrypt. The PCI standard require it from the point of sale to the back end where payments are cleared for all Tire 1 vendors and those requirements are being pushed down to lower tiers over time.

There have to be times when data is decrypted to be used. Unfortunately the places where that happens are often outside of the immediate control of the payment processor. The financial services industry is really pushing hard to make this process as secure as possible, but processes are flawed and hackers are smart and move fast. The way that standards and regulations are going in this space will hopefully have a positive impact on the number, frequency and size of these breaches.

I guess the only thing the consumer can do in the meantime is take precautions. Watch your credit card statements for unexpected charges and report them immediately. Put a fraud alert in place with the credit bureaus and always use PINs and passwords that are not obvious, don't write them down and keep them to yourself.

[JCPayne]

This new policy of all companies asking your mother's maiden name etc. is soo dumb...

It is easy to hack these days... Many people put their birthdate etc. on things like Myspace + Facebook etc. With that, a lot of banks etc. will allow you to verify a faulty password with birthdate information etc. Or if you get a hold of someone's credit report that will give out a persons credit card numbers....

[Harrison912]

Since I process cards on my safety and security web site as well as for by sales incentives business, I'm very interested in this story. Thanks, Elinor, for this information.