Credit card security breach causes concern

By Ed Brock

Like millions of credit card users across the country, Kin Cohen of Jonesboro is worried about the recent compromise of millions of credit card numbers.

"I think it's a shame that it's happening," Cohen said. "I'd like to see tougher penalties for the people who are doing it."

Credit card giant MasterCard announced the breach on Friday, saying computer hackers apparently gained access to around 40 million card numbers after accessing a database at the Atlanta-based company CardSystems Solutions, Inc. John Perry, chief executive for CardSystems, has since admitted that his company wasn't supposed to have the numbers in its system in the first place.

He said the data, which also included numbers from Visa and other credit cards, was being stored for "research purposes" to determine why some transactions had registered as unauthorized or uncompleted. "We should not have been doing that," Perry said in Monday's editions of The New York Times.

Under rules established by Visa and MasterCard, processors cannot retain cardholder information after handling transactions.

"CardSystems provides services and is supposed to pass that information on to the banks and not keep it," Joshua Peirez, a MasterCard official, told the Times. "They were keeping it."

Of the 40 million numbers, 13.9 million were MasterCard accounts, but MasterCard International Inc. spokeswoman Jessica Antle said only about 68,000 of those were considered to be at "higher levels of risk."

While those 68,000 should closely examine their credit or debit card accounts, customers do not have to worry about identity theft, Antle said.

"No, none at all," Antle said. "Social Security numbers, dates of birth, information like that are not stored on your credit card."

It is not clear how many of the non-MasterCard accounts are at high risk. The incident appears to be the largest yet involving financial data in a series of security breaches affecting valuable consumer data at major financial institutions and data brokers.

Under federal law, credit card holders are liable for no more than $50 of unauthorized charges. Some card issuers, including MasterCard, offer zero liability to customers on unauthorized use of the card.

Antle said MasterCard traced the breach to CardSystems based on an unusual pattern of fraudulent transactions.

"I don't have the detail on what type of fraud it was," Antle said. "It wasn't a large amount of fraud, just an abnormal pattern that triggered our system. ... We have tracking systems in place to find the common point of interaction."

FBI spokeswoman Deb McCarley would not confirm the intrusion was the result of Internet hacking.

"I'm not going to get into details of what they have been able to determine right now," she said.

If it was a hacker who accessed the system, they were extremely good, said Chris Mickle, owner of ASAP Computer Solutions, a Jasper County company that provides computer networking and security services for customers in several counties, including Clayton and Henry.

Good security at a system like the one at CardSystems comes down to having a good administrator, one who knows as much as the hackers.

"With hackers, their knowledge of security protocol is damn near second to none," Mickle said. "The most effective way to do it is put yourself in the chair of the hacker and try to break in."

The most difficult thing is detecting the intrusion to begin with. In this case the breach was found through MasterCard's investigation of one abnormal pattern.

"If they found it that way, this guy is good," Mickle said.

In the end, no computer system is completely safe from compromise.

"The only 100 percent way to safeguard your network is to unplug it," Mickle said.

Cohen says he tries to "minimize my exposure" to credit card fraud.

"I only have one or two cards and I shred all my receipts," Cohen said.

The Web site for SunTrust Bank has some more tips to avoid being a victim of credit card fraud.

They include signing the card as soon as it arrives, memorizing your PIN and not writing it down on something in your wallet, reporting stolen cards immediately, comparing receipts to billing statements and monitoring the statements monthly. Also, make sure voided transactions don't post to the card's account, carry only the cards you need, destroy carbon receipts and don't give your account number to anyone unless you know and trust the company.

The Associated Press contributed to this article.