Tuesday, August 05, 2008

Ho hum. Another 40 million credit cards stolen

Yawn. The Webtel, Netfill, MJD Services credit card fraud of 1998 (ten years ago) netted about $40 million, so this $60 million + fraud is simply more of the same. I'm guessing Schneier has covered about 3-4 similar scams in the past decade....
11 Charged in Theft of 40 Million Card Numbers - NYTimes.com

BOSTON — The Justice Department said on Tuesday that it had charged 11 people in the theft of tens of millions of credit and debit card numbers of customers shopping at major retailers, including TJX Companies, in one of the largest reported identity-theft incidents on record.

TJX, of Framingham, Mass., which owns the Marshall’s and TJ Maxx chains, was the hardest hit by the ring, acknowledging in March 2007 that information from 45.7 million credit cards was stolen from its computers.

The charges focus on three people from the United States, three from the Ukraine, two from China, one from Estonia and one from Belarus.

The authorities said that the scheme was spearheaded by a Miami man named Albert Gonzalez, who hacked into the computer systems of retailers including TJX, BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW Inc. The numbers were then stored on computer servers in the United States and Eastern Europe.

They then sold the information to people in the United States and Europe, who used it to withdraw tens of thousands of dollars at a time from automated teller machines, the authorities said...

... TJX has agreed to pay more than $60 million to credit-card networks Visa and MasterCard to settle complaints related to the incident, which is one of the largest on record based on the number of accounts involved.
It's only the largest based on the number of accounts involved; sounds like a lot of the accounts haven't been hit ... yet.

The $60 million only represents losses from people who noticed the transactions and then complained. The article doesn't describe the size of the per-person losses, but typically these scammers will hit an individual for $40 to $100 bucks.

I probably wouldn't even notice the hit; we long ago ran out of time to audit our credit card statements for petty thefts (big thefts are another matter). As long as the crooks don't get too greedy we're better off bleeding than fighting with Visa.

I suspect the basic Visa/Master Card security infrastructure is about as pathetic as it was in 1998, and that AMEX is still the best alternative (though not invulnerable).

The only way this will be addressed will be if we make the banks liable for cost plus punitive damages.

It's going to take a fortune to improve our credit card security infrastructure, and no bank can afford to make that investment if it has any plausible alternative. Making the banks pay more for security breaches is the only way to make change possible.

Update 8/12/08: The NYT has more details on the crime.
