Security

Card Breaches Shake Faith in E-payments

In the past three months, all three of my payments cards -- one credit card and two debit cards -- have been compromised.

That means somewhere, in some database, various fraudsters have my name and enough card details to attempt a shopping spree anywhere in the world. The cards have all been replaced by the issuers and, luckily, I never discovered any fraudulent transactions.

The card breaches are particularly disturbing since I cover computer security. So what happened? I still have no clue. Investigating a card breach as a consumer, or a journalist, is a black hole.

Stealing card numbers isn't hard. A PC can be infected with a keystroke logger that records card details used during online transactions. Insecure databases at merchants can be hacked. ATM machines can be fitted with "skimmers" that record a card's magnetic strip information, which can be used to create a cloned card.

Point-of-sale devices can be modified to record card details. Unscrupulous employees can also steal information during merchant transactions. All of the methods can allow a hacker to eventually use the details and attempt an online transaction, known as card-not-present fraud.

It's impossible for me to trace where and when the card details were acquired. The only common element between the three cards is that I've used them all on my PC for e-commerce transactions at one time or another. But I'm pretty sure I've never been phished, and the various antivirus programs I've had on my PC have never detected malicious software.

Wachovia, my U.S. bank, sent me a new debit card unprompted about a month ago. I thought it was strange since I didn't request a card. I called the bank, and was told the card number had been compromised. Wachovia, though, included absolutely no notification with the new card saying that the old number had been compromised.

Although troves of card numbers are obtained by online thieves, banks will only reissue cards if there's a high fraud risk, said Avivah Litan, a card fraud expert at Gartner. It costs banks around US$20 to reissue a card, so less than 10 percent of the cards that are compromised are replaced, she said.

Upon hearing two of my cards had been compromised, Avivah said, "That is very, very unusual. You should be worried. I would be worried if this happened to me. I tend to be more paranoid than average."

This wasn't making me feel any better.

Wachovia spokeswoman Jennifer Darwin refused to give any information about the breach, such as where it happened and if a law enforcement agency is investigating.

Without information, it's impossible for me to follow up. I can't check in with the police. I can't check to see if a merchant is complying with data-breach disclosure laws that exist in many U.S. states. It's a dead end.

Darwin further downplayed the potential for identity theft. "The physical card was compromised and not your personal information," she said.

Nonetheless, Litan said online scammers will build profiles on people that include card details and sell those profiles to criminals who perpetuate ID theft.

Since Wachovia isn't straightforward with its customers about card compromises, most consumers just start using the new card. They wouldn't know to go back through their statements to ensure there are no funny transactions since Wachovia doesn't tell them.

That's dangerous and irresponsible, since it can be an administrative pain to try and claim money back after a fraud has happened. At that point, the fraudsters could be well on their way to executing a more serious identity theft.

Credit card companies and banks "don't want to alarm people because they think it might be bad for business," said Paul Stephens, director of policy and advocacy for the Privacy Rights Clearinghouse. "They're making money on every transaction and don't want to scare you."

In the case of my U.S. credit card, neither Citibank -- which issued the card -- nor MasterCard would say if law enforcement is investigating. Chris Monteiro of MasterCard said there are "legal implications" around giving information about a breach.

Card companies often say that, even though law enforcement agencies never say they've told companies not to release breach information, Stephens said.

"You get stonewalled," he said.

But consumers should be able to get a more clear view of what happens when there is a chance for fraud, Litan said. Companies such as Visa and MasterCard have the information and "you have a right to get it," Litan said.

The opacity of card theft investigations is astounding considering how card fraud is exploding.

In the U.K., phone, Internet and mail-order card fraud increased 18 percent from January to June compared to the same period in 2007, according to the Association of Payment Clearing Services, the U.K. payments association. The fraud amounted to £90.6 million (US$144 million) in the first half of 2005; it hit £161.9 million for the first half of 2008.

In 2007, U.S. card fraud totalled $1.24 billion while 10 years prior fraud amounted to $760 million, according to The Nilson Report, a card payments analyst.

Since the breaches, I've developed severe card-payment anxiety.

The cards have all been replaced, but I'm leery about ever buying something on the Internet again. I've reinstalled my home computer's Windows XP operating system in case there was some secret keylogger on the PC that Symantec's antivirus software was missing.

And I'm considering going back to paper checks.

Subscribe to the Security Watch Newsletter

Comments