About the SA Blog Network



Opinion, arguments & analyses from the editors of Scientific American
Observations HomeAboutContact

Hackers Steal More Than 10 Million MasterCard and Visa Numbers

The views expressed are those of the author and are not necessarily those of Scientific American.

Email   PrintPrint

Just days after retiring FBI executive assistant Shawn Henry warned that U.S. businesses and law enforcement are vastly overmatched by cyber criminals, more than 10 million MasterCard and Visa card numbers have been reportedly stolen in a “massive” data theft.

The two companies late last week began warning banks that specific cards may have been compromised in January and February, yielding information that could be used to counterfeit new cards, Brian Krebs reported Friday on his security news blog. Neither Visa nor MasterCard’s systems themselves were breached, according to Krebs, who added that the information was stolen from an as-yet-unidentified U.S.-based processor working for the payment services companies.

The method used to obtain the card numbers remains a mystery for now. Still, Krebs reports, “Sources at two different major financial institutions said the transactions that most of the cards they analyzed seem to have in common are that they were used in parking garages in and around the New York City area.”

The FBI’s Henry, who will soon leave his post as executive assistant director of the agency’s Criminal, Cyber, Response, and Services Branch, told The Wall Street Journal earlier this week that FBI agents are increasingly coming across data stolen from companies whose executives had no idea their systems had been accessed.

Digitized personal data thefts have become quite common over the past decade and a half, and this latest event doesn’t even rank among the largest. Heartland Payment Systems earned that dubious distinction in May 2008, when hackers took about 130 million records. Among retailers, TJX Companies, Inc., which owns retailers TJ Maxx and Marshalls, has had the largest customer-payment data breach. Thieves pilfered more than 94 million customer payment records between 2005 and 2007 from the company’s computer systems.

Earlier this week, the U.S. Federal Trade Commission asked Congress (pdf) to pass data privacy legislation and on companies to do more to ensure the privacy and proper use of consumer data, according to The White House has also called on Congress to act on privacy and data security concerns, issuing its Consumer Data Privacy in a Networked World report (pdf) in February to encourage the development of enforceable privacy policies both nationwide and internationally. This report included the Obama administration’s request for a Customer Privacy Bill of Rights.

Hacks are difficult to detect and even more difficult to track to their source. One common way they evade detection is to break into poorly secured computers and use those hijacked systems as proxies through which they can then launch and route attacks worldwide. Although such strikes are an international problem, there is no coordinated system for an international response, which frustrates local law enforcement seeking cooperation from countries where these proxy servers typically reside.

Image courtesy of Alex, via

Larry Greenemeier About the Author: Larry Greenemeier is the associate editor of technology for Scientific American, covering a variety of tech-related topics, including biotech, computers, military tech, nanotech and robots. Follow on Twitter @lggreenemeier.

The views expressed are those of the author and are not necessarily those of Scientific American.

Rights & Permissions

Comments 9 Comments

Add Comment
  1. 1. jnrowell 6:37 pm 03/30/2012

    Currently credit card processing banks actually benefit when stolen cards are used. They still get all their fees for the transactions. But they don’t pay the consequences – rather, they bill the merchant where the stolen card was used (who usually has no idea the card was stolen), who then has to pay back the bank for the transaction and a hefty fee which the bank gladly pockets. So the bank profits from this and therefore has an incentive to process stolen cards.

    If the credit card processing banks would be held responsible instead, I’d bet you anything they would act really quick to change their procedures and we would see a whole lot less of credit card thievery.

    Link to this
  2. 2. sonoran 8:08 pm 03/30/2012

    Rather than design a more secure system (such as one where the customer communicates with the bank and the merchant only gets a transaction number rather than a number that is the key to the entire account), credit card companies pass the risk and responsibility for security onto individual merchants. They persist in a transaction system that dates back to the ’60′s. The only risk for credit card companies is reputation risk, but since these break-ins tend to affect all card types even that is minimal.

    Someone needs to break the stranglehold these companies and banks have on this system and allow innovation to create credit transactions that are fundamentally more secure.

    Link to this
  3. 3. Jerzy New 7:53 am 03/31/2012

    Interesting, but what it has to do with science?

    Except perhaps a reminder, that electronic data of any kind should by default be considered unsafe and stolen.

    Recently U.S. Army admitted that it introduces a policy where hackers are assumed to have access to its network by default.

    Which creates a problem to engineers thinking about databases of everything and smart objects laced with sensors.

    Link to this
  4. 4. singing flea 11:59 am 03/31/2012

    The relevance to science is obvious to anyone who has become a victim of these thefts. Scientists and engineers designed these flawed systems. They are the ones who are ultimately responsible and will have to develop the means to secure the machines that now run the worlds money markets.

    Link to this
  5. 5. jtdwyer 5:47 pm 03/31/2012

    I haven’t looked into credit card processing enough to know, but doesn’t the (I think increasing) use of cards that support proximity scanners present a whole new level of risks, since they can be scanned by a passive scanner located in a high traffic area, like Salvation Army Santa Clauses?

    Anyway, they’ve been cracking down on a number of local restaurants and other retail shops whose employees were scanning cards into a hand held device for sale internationally using the internet.

    Another rich source of credit card info are store front businesses that specialize in outsourced medical office bill processing. Thousands of people’s personal information can be obtained by smashing in a glass door and quickly grabbing a PC or two.

    Then there’s the convenience of carrying personal financial information in phones & tablets, etc., occasionally using them on unsecured network ‘hot spots’, I guess.

    Personal information security issues are endemic in the choices of increasingly “frictionless” convenient consumerism and personal entertainment that have been and are continuously being made for nearly a generation now. It simply won’t be possible to put all the little gremlins back into Pandora’s box!

    Link to this
  6. 6. Bett 1:07 am 04/1/2012

    Why are these stores KEEPING the credit card data? They should bill the card, then trash the number the instant the transaction goes through. It’s a no-brainer.

    Guess I’ll be using cash at TJMaxx in future.

    Link to this
  7. 7. Alessandra 2:59 am 04/2/2012

    Since FBI man Shawn Henry “warned that U.S. businesses and law enforcement are vastly over matched by cyber criminals”, it follows that no amount of “Data Privacy Legislation” will quell the activity. From the gate, it was a set-up for failure for people to broadcast their banking information online. For the White House to call on Congress to “act on privacy & data security concerns”; or enacting this or that “Act”, is too much too late – not to mention a fruitless endeavor. If it took them this long to get in gear on the issue …. well, YOU know.

    More government intrusion into your personal affairs via “Enforced Policies” for you Americans … when will you ever band together and step forward and say “ENOUGH!” “NO!” You should each read the Declaration of Independence, and return to the most sublime document in history – your Constitution.

    Link to this
  8. 8. HubertB 8:41 am 04/4/2012

    Policemen have a saying, “Virgins make lousy cops.”As long as the top positions in Banking are filled by graduates from liberal Ivy League schools, so long will such problems be with us.
    They hire people just like themselves except for a few women and blacks to meet mandated quotas. They pull off financial deals. That level pulls off Mortgage Fraud and Ponzi Schemes.
    Liberals do not believe in the doctrine of Original Sin and do not believe it exists. They do not realize that sin can reappear in a form which they do not recognize and sucker them just like they have suckered others. They are out of touch with the goings on in society and become shocked when others pull off such scandals such as computer fraud. No one in their group is familiar with that type of crime. Being insular has protected them until it failed them.
    Our sin was trusting them and believing their lies.
    We need to go back to the days when FDR would hire Joe Kennedy, the biggest crook on Wall Street, to run the SEC and clean up Wall Street. This concept of trusting the bankers is not working. Get the liberals to stop Borking nominees.
    Lets get a real hacker in charge of internet safety. The current system is not working. It is time to put someone in who knows what is going on.

    Link to this
  9. 9. hemmerlepierre 3:52 pm 04/8/2012

    Well you guys, it is all behind me. Only certified small cash, a good conscience and no cards at all. I am retired and happy. I do not believe that something has been changing or can change : a bit more here, a bit less there. As a retired astrophysicist I trust the Universe is matterially invariant, and sociologically too. A bit more here, a bit less there.

    Link to this

Add a Comment
You must sign in or register as a member to submit a comment.

More from Scientific American

Email this Article