Heartland Payment Systems Compromised

I just got a letter in the mail (dated February 5, 2009) from my credit union stating that my "Visa Credit Card may have been compromised as a result of an unauthorized intrusion into Heartland Payment Systems." This story hit the news on January 20, 2009, and was covered by USA Today, MSNBC and others. Heartland has put up a website on the breach, mostly as P.R. damage control. The hacking occurred over several months, was carried out by highly sophisticated hackers, and could be the largest breach.

What this means to me is that I'm getting a new credit card and debit card, with new PINs. 20 years ago, I'd just have to activate the new cards and memorize the new PINs, and be done with it. Now, with the proliferation of on-line shopping, I also need to find all the websites that have my credit card on file and update my information for automatic payments. This includes Amazon, iTunes, GoDaddy, etc.

With credit cards, the truth is that I don't care much if my number is stolen. Visa carries a "Zero liability policy", which means that I pay nothing in the event of unauthorized use. Also, the scope of the breach is so large that the chance of my card being singled out is low. I'd be more worried if it were a small breach.

In a down economy, this kind of breach can be even worse because people might become more afraid to use their credit cards and might resort to cash or checks. I suspect this is part of why Visa has the zero liability policy -- to keep the fear down.

Overall, though, as a security professional, I'm glad to see that these are still news events. I work on the Sun Key Management Appliance and in the IEEE 1619 Security in Storage Working Group, and this is the kind of problem we are working to solve.

1 comment:

  1. You're working to solve this problem by encrypting all data saved on tape drives by companies that keep personal information, right? Like anything, this will cost money. Why would a company spend more money to encrypt our data? Bad PR is probably enough, but are there any laws that will require this? I recall California enacted such a law, didn't they?

    Regarding the zero liability policy (same goes for MasterCard as well), I read that federal law limits an individual's liability to $50. The bank issuing the card is responsible for the rest. So the cost of the zero liability policy to the company per stolen card is pretty small. As you pointed out, one advantage is this will keep people using a card they have. But also imagine if MC would brag about a zero liability policy and Visa didn't have one. That would convince many to go with only MC.

    I imagine this $50 limit law encourages card issuers to take effective steps against fraud like the 3-digit code on the back of the card, requiring the billing zip code for some purchases, and calling you when an unusually large purchase is requested.

