Rap Sheet

Computerworld |

The Official Responses

Here are official responses that three of the companies involved sent to Computerworld regarding the theft of 8 million credit menu numbers from credit card processor Information Processors International Inc. (DPI):

DPI's statement, dated Feb. 20, 2003

"Regarding your recent inquiry, Information Processors International (DPI), a carte transaction processing firm based in Omaha, confirms that information targeted by the system intruder did not include whatever personal data that could relate a carte du jour number to an individual.

"While it remains unclear if any useable information was compromised at all, we confirm that personal information including business relationship holder proper name, accost, phone number and Social Security number were not obtained through the attempted intrusion.

"Appropriate card clan and constabulary enforcement agencies continue their investigation with our full cooperation. Any consumer wishing to confirm the condition of their account should immediately contact their menu issuing organizations."

Statement from Visa United statesA. Inc. in Foster Urban center, Calif., received Feb. 20, 2003

"Visa U.S.A. has been informed by a third-party payment menu processor about an unauthorized intrusion into its reckoner system. On the rare occasions when there is a potential that account information may be compromised, Visa apace moves to protect the security of cardholders. It is important for Visa cardholders to know they are fully protected past Visa'southward $0 liability policy, which means they pay nothing in the event of unauthorized purchases.

"Visa's fraud team immediately notified all affected carte du jour-issuing financial institutions and is working with the third-party payment carte du jour processor to protect against the threat of a future intrusion. Visa volition continue to monitor the situation and the potentially compromised accounts.

"Although fraud is at an all-fourth dimension low, Visa helps to guard against it with our advance neural-network fraud-detection systems and antifraud protections such as $0 liability."

Argument from MasterCard International Inc. in Buy, North.Y., received Feb. 21, 2003

"In early Feb, MasterCard International was informed of an unauthorized intrusion of a database of a 3rd-party merchant processor in the U.Due south.

"The database contained approximately 2.2 1000000 MasterCard account numbers. Investigations are currently under way.

"MasterCard believes that it has identified all of the MasterCard account numbers and has notified the appropriate issuing members.

"MasterCard's rules require that merchants securely encrypt cardholder information, including card numbers. In addition, MasterCard has published and made available to its members 'Best Practices' for electronic-commerce merchants in lodge to guide them in securing this information.

"MasterCard continues to protect valuable online data and supports multiple security options, ranging from basic security measures to the nearly robust.

"In 2002, MasterCard launched Site Data Protection Service (SDP), a comprehensive ready of global e-business organization security services that proactively protects online merchants from hacker intrusions. MasterCard also recently announced MasterCard SecureCode, which secures online credit and debit payments between cardholders, online merchants and fiscal institutions past addressing the issue of cardholder authentication.

"MasterCard has been an manufacture leader in the evolution of security features such as the utilise of three-dimensional holograms, the first tamper-evident signature console and menu validation codes. Building on this history of innovations, MasterCard continues to lead in its research and in piloting and deploying new security initiatives that strengthen fraud prevention even as criminals who perpetrate fraud develop new schemes and technologies."

Looming Legislation

California is ahead of the curve in addressing identity theft. A proposed police, SB 1386, would require notification of consumers when card information is compromised. A summary of the bill says, "This bill, operative July 1, 2003, would crave a state agency, or a person or concern that conducts business in California, that owns or licenses computerized data that includes personal information, as defined, to disclose in specified ways, whatsoever breach of the security of the data, as defined, to any resident of California whose unencrypted personal data was, or is reasonably believed to have been, acquired past an unauthorized person."

What's Wrong With This Picture?

Gartner Inc. analysts Avivah Litan and John Pescatore outline what's incorrect with the industry'due south response and the demand for changes in a paper titled "Stolen Credit Card Case Should Prompt Card Companies to Act." View it at the Gartner.com Web site.

Links to Other Resources

  • Read about the Verified by Visa program.
  • Larn more than nearly MasterCard's SecureCode plan in this press release (download PDF) and this "Tech Talk" bulletin.
  • Visit DPI's Web site, which contains no mention of the break-in.
  • To learn more well-nigh what can be done to prevent identity theft, read "Preventing Identity Theft: Manufacture Practices Are the Key," which contains recommendations from the U.Southward. Department of the Treasury's National Summit on Identity Theft.
  • And check out this consumer's guide to fugitive identity theft.

What practice you retrieve? Join our network security discussion forum.

Robert 50. Mitchell writes on a wide range of topics, including analytics, emerging technologies, green IT and data centers.

Copyright © 2003 IDG Communications, Inc.