Harry Sverdlove, chief technology officer of Waltham, Mass.-based security company Bit9, recently found out he was one of the 1.5 million people who had credit-card information stolen in the data breach of Atlanta-based payment processor Global Payments.
"Initially, I was not told my credit card had been compromised. I called my bank after my card was declined," Sverdlove told SecurityNewsDaily. "First, I was told that my purchase was flagged as being 'suspicious.' After pushing the agent on the phone harder to explain 'suspicious,' she made reference to a 'security breach' that I may have heard about in the news recently. She did not know any further details about what information might have been lost.
"It was not surprising that the bank customer service representative did not have very much information," Sverdlove said. "It would have been better if flagged accounts, like mine, contained detailed information about what information was lost, and if representatives were trained to share this information proactively with customers.
"Sadly, disclosure policies are not that advanced or customer-friendly," he added. "But I assumed, in addition to my credit card number, my personal name and contact information were also breached.”
According to Global Payments, the March breach, which exposed at least 1.5 million accounts, was focused on credit-card numbers and also took the card expiration dates and security codes.
"They [Global Payments] claim that no customer names, addresses or Social Security numbers were compromised," Sverdlove said. "In other words, the thieves have enough information to create counterfeit credit cards, but not enough information to fully steal people's identities."
More than just credit-card numbers
When a company like Global Payments is breached, the first reaction for many, if not most, consumers is, "Oh, no, my credit card has been stolen!"
We forget just how much other sensitive data is stored with the card information, and have no idea who has control or access to that personal and financial information.
"Hackers want a lot of different types of information, but there are two types of consumer information that can present problems," explained John Dickson, principal with the Denim Group in San Antonio.
“First, there is personally identifiable information — the kind of information that a hacker can use to steal someone's identity," Dickson said. "That includes an individual's name and address, plus some additional information that would provide a hacker enough info to recreate a person's identity, like birthday, hometown or driver's license number.
"Second, when hacking a credit card company, hackers can find the credit-card information necessary to be able to 'clone' or recreate those credit and/or debit cards," Dickson said. "This info includes not just the credit-card number, but also security or access codes for the credit card and passwords for accounts. Having a combination of this data can allow hacker to recreate a credit card and to purchase goods and services with a credit card that retailers think is owned by you."
The information that thieves can mine from a data breach is a valuable commodity on the black market.
"Thieves steal it, then resell card details in bulk to wholesalers and dealers who will sell them on again or use them to finance other activity," said Geoff Webb of Addison, Texas' Credant Technologies. "It's interesting that there is evidence that over the last decade, the price of a stolen card has steadily declined. This is almost certainly the simple economics of supply and demand — thieves had been so successful at stealing massive amounts of credit-card data that the unit price fell through the floor."
For this reason, the more personal details a thief can get about the actual credit-card holders, the more valuable the credit information is.
The more, the better
The best information for hackers to steal today is banking information, since many people have turned to online banking, said Bill Morrow, CEO and executive chairman of Quarri Technologies in Austin, Texas.
Unfortunately, if consumers want to use credit cards, they have to provide a lot of personal information.
"Some companies may ask for a little more details than others, and what they ask for often depends on the applicant's previous credit history," said Fred Touchette, a senior security analyst with AppRiver in Gulf Breeze, Fla. "Sometimes it may seem that a credit-card company is asking for very little information comparatively, but this is only due to the fact that they already have all of the other information from the applicant's credit history."
Consumers can take some steps to protect that information, Touchette pointed out, such as by shredding all credit-card applications that are thrown out, by never entering credit-card information into a field on an unsecure website and by never sending PIN numbers or credit-card numbers via email.
Consumers should also monitor their credit-card transactions to quickly notify their credit-card company when they see a suspicious transaction.
"Online banking and applications like Quicken allow consumers to do that fairly quickly after a transaction has hit their credit card statement," Dickson said. "The key is to let the credit-card company know as soon as possible, so they can cancel your card, and prevent future fraudulent transactions from going through."
But as Sverdlove discovered, there's almost nothing the consumer can do about larger organized criminal theft of personal data, like the one that hit Global Payments.
"Once you use your credit card, for example, that data traverses from clearing centers to payment processing centers and to banks," Sverdlove said. "You have no control over this process or over the security practices of each institution involved in the supply chain.
"In many cases, even if you wanted, you can’t opt out of their use," he added. "For example, when I used my credit card at a train station in New York, I had no way of knowing, let alone controlling, whether Global Payments or any other third-party would be involved in that transaction."
If you find out that you are the victim of a data breach that involves both personal and financial information, you should ask lots of questions, Sverdlove said.
“Exactly what information was stolen? Are any of my other accounts at risk? Who do I call if I see suspicious charges on my account? When did this happen? What are you doing to prevent this from happening again?" he gave as examples.
"You are not likely to be told many details, but it doesn’t hurt to ask," Sverdlove said. "And if we all keep asking, maybe companies will learn to be more forthcoming about disclosures in the future."