SophosLabs: Visa is investigating a potential security breach that may have compromised payment cards of Eastern Europeans.

Although Visa hasn’t disclosed which countries were hit, the Romanian state-owned CEC Bank has blocked and reissued 17,000 cards on suspicion that they had been compromised.

CEC Bank said in a statement that “a number” of cards issued by banks both in Romania and abroad might have been compromised via an international database.

Here’s an excerpt from the statement, translated into English from Romanian by

The bank has been informed that a number of cards issued by banks in Romania and abroad have been potentially compromised through an international database. CEC Bank has decided to block the cards and reissue a new card and PIN, at no cost, for a number of cards in its portfolio

This attack did not target CEC Bank’s cards alone and was not due to any bank vulnerability. Our clients’ money is safe.

Visa pinned the problem on a European payment processor and issued this statement:

Visa Europe has been informed of a potential data security breach at a European processor and an investigation is underway. We are working closely with our member banks to ensure cardholders are protected.

In his report on this incident, v3’s Phil Muncaster pointed to a warning earlier this month from Trend Micro regarding a basic design flaw in some implementations of the 3D Secure protocol – aka “Verified by Visa” and “MasterCard SecureCode” – that could allow crooks to conduct ID fraud on some Visa cards.

The potential security hole in 3DS is a result in a weakness in the password reset process of some system versions, Trend Micro’s Rik Ferguson explained the flaw on his CounterMeasures blog:

If you are making a purchase through a merchant that is subscribed to the program, you will be redirected, during the payment phase, to a 3DS verification page. On this page you confirm the details of the transaction, enter your password and hey presto, the transaction is complete. So far so good, the merchant never sees my password, no transaction with that merchant can be completed without it and I’m protected, but…

He then goes on to describe the password reset link, finding that three of four pieces of information used to verify identity – cardholder name, expiration date and signature panel code – are all contained in the card itself, either embossed or printed and contained in the magnetic stripe data.

The fourth piece of information, cardholder date of birth, would be drop-dead easy to track down, he says:

Trouble is, it’s information that is not only widely shared on social networks, surveys, sign-up forms and a myriad of other places, but also freely available in public records. We cannot and should not consider our date of birth to be a secret.

The Eastern Europe breach and the 3DS flaw are spelling one headache-y month for Visa so far. Yikes, now all the company needs is for the EU to contemplate carving away at its profits with big fines for privacy breaches or something like that.

But wait, that’s exactly what the EU is mulling!

The way the Financial Times reads it, the proposed rule, slated to be introduced in January, will impact social media most sharply, serving as a significant tool to boost the EU’s powers when it comes to combating data protection breaches.

But it will be interesting to see what happens (if in fact the rule doesn’t get watered down to pointlessness, that is) in cases such as credit card payment breaches like the one Visa is now investigating, if it turns out that Visa or its payment processor was treating customer data with anything less than kid gloves.