SophosLabs: Brian Krebs is reporting that MasterCard and Visa are warning member-banks of a payment processor breach that may impact more than 10,000,000 credit cards.
It is important to note that MasterCard and Visa’s own networks were not involved in the attack; it appears to be related to payment processor Global Payments.
Reuters is reporting that Global Payments stock was suspended from trading after falling more than 9% on the Nasdaq stock exchange.
Krebs reported that one of the financial institutions he spoke with had to cancel 56,455 credit cards, of which fraud was detected on 876, or 1.5%.
There is much speculation about the source of the breach as many are reporting that the majority of the fraud is occurring in the greater New York City area, yet cards are being cancelled around the country.
What is a payment processor? Payment processors provide merchants (stores) with access to payment brokering networks like MasterCard, Visa, American Express and Discover. The terminal that processes your card sends the details of the transaction to the payment processor to facilitate the purchase.
It is being reported that the attackers got “full Track 1 and Track 2 data”. This is very bad, as it would allow the attackers to fully produce cards, including the CVV/CCV code you often need to enter for online transactions.
Strangely, law enforcement contacts told Krebs they believe the breach is related to a Dominican gang in New York and primarily targeted corporate credit and debit cards.
Fortunately, consumers don’t need to worry too much. Card issuing banks (Bank of America, Chase, etc.) are cancelling cards that are involved in the theft, and card holders will not be held responsible for any fraudulent activity.
I wouldn’t cancel my card or ask for a new one, but it would certainly be prudent to keep a close eye on your statements to be sure nothing suspicious shows up.
As we find out more details on how this heist came about, we will post information here. From the sound of it, the card information may not have been encrypted, or they wouldn’t need to cancel so many cards.