March 2003 ISSN 1361-3723
How to recover fraud losses — 6
The situation with Web services security — 15

Hacker breaches 8 million credit card accounts

Over 8 million credit card accounts have been compromised after an intrusion into a credit card transaction processor.
Editor: Sarah Hilley
American Editor: CHARLES CRESSON WOOD, Baseline Software, Sausalito, California, USA
Australasian Editor: BILL J. CAELLI, Queensland University of Technology, Australia
Editorial Advisors: Chris Amery, UK; Jan Eloff, South Africa; Hans Gliss, Germany; David Herson, UK; P. Kraaibeek, Germany; Wayne Madsen, Virginia, USA; Belden Menkus, Tennessee, USA; Bill Murray, Connecticut, USA; Silvano Ongetta, Italy; Donn B. Parker, California, USA; Peter Sommer, UK; Mark Tantam, UK; Peter Thingsted, Denmark; Hank Wolfe, New Zealand; Peter Stephenson, US.
Correspondents: Frank Rees, Melbourne, Australia; John Sterlicchi, California, USA; Paul Gannon, Brussels, Belgium.
Editorial Office: Elsevier Advanced Technology, PO Box 150 Kidlington, Oxford OX5 1AS, UK. Tel: +44-(0)1865-843645 Fax: +44-(0)1865-843971
Visa, Mastercard, Discover Financial Services and American Express have all admitted that they had credit card data compromised during the recent intrusion. Mastercard has confirmed that 2.2 million of its own cards were affected, while Visa has reported 3.4 million affected cards. Reports say Data Processors International has been hacked, leading to the theft of the cards. The merchant processor, which processes card-not-present transactions, said in a statement that it had "recently experienced a system intrusion by an unauthorized outside party".

According to a Gartner report, if this case follows the path of other typical incidents, the card associations will probably fine the processor that suffered the hack or issue it a formal warning. The credit card companies confirm that they have not seen any evidence of the cards being used fraudulently so far.
But Gartner believes that credit card issuers rarely inform customers about security breaches that occur through merchants or processors. The issuers just sit and wait to see whether or not a consumer reports fraud on the card. No details of the actual technical attack suffered by Data Processors International have been disclosed. Gartner also points out that zero-liability policies save victims from paying for the fraud, but there is no process for relieving victims from the threat of identity theft and bad credit reports.

Since the breach, PNC Bank has cancelled 16 000 cards, according to USA Today reports, following the deactivation of 8000 cards by Citizens Financial Group of Providence. Gartner says the credit card companies should ensure that all online credit card databases are encrypted, that improved vulnerability scanning is enforced and that new cards are issued.
Contents

News Roundup
  Hacker breaches 8 million credit card accounts  1
  Bid to silence ATMcrack  2
  Keystroke logging software — secret threat  2
  Ahold — A European Enron  2
  BS7799 — slow uptake by companies  3
  NHS treats fraud with intelligence  3

Caught Red Handed
  Operation Ore — the Tip of the Iceberg  4

Cyberfraud
  Recovering Fraud Losses  6

Real-life Fraud
  Bad Credit? No Credit?  10

Spam
  Spam — Out of Control  12

Web Services Security
  Web Services Security  15

Getting the Whole Picture
  Using Evidence Effectively  17

US Focus  20

Events  20