Theft of credit card files could inspire new layers of hacking shields
The news of a possible data breach at credit card companies Visa and MasterCard this week could inspire lenders to double down on their investments in security software.
Hackers can use private financial information to ring up fraudulent charges on simple purchases or to commit full-fledged identity theft. With implications on such a large scale for both consumers and lenders, banks and other financiers have stepped up their defenses against intrusion in recent years.
Those improvements may not have been enough, as thieves penetrated the secure files of an estimated 50,000 cardholders held by Global Payments in Atlanta, Georgia, according to the Wall Street Journal. The company processes credit cards and debit cards for banks and merchants.
Both Visa and MasterCard moved quickly to alert their banking partners - the firms that actually issue credit cards to consumers - and to activate their data loss prevention plans.
The incident could put pressure on lenders to beef up their data protection practices, especially because credit card issuers typically insure cardholders against fraudulent purchases, so any theft may come out of corporate pockets.
Despite fears generated by the data theft, the numbers involved were relatively small. An estimated 648 million Americans hold credit, debit and prepaid cards from Visa, and another 308 million people use MasterCard’s services.
While the credit card companies quickly announced their own systems had not been penetrated, they both launched investigations to improve future security practices by learning whether the breach had occurred through problems in anti-virus software, phishing intrusion or blended threats.
"MasterCard is concerned whenever there is any possibility that cardholders could be inconvenienced and we continue to both monitor this event and take steps to safeguard account information," the company said in a statement to NetworkWorld magazine.
Some experts say the event illustrates the need for companies to move beyond "knowledge-based authentication" - regulating access to websites by demanding passwords or answers to security questions that only a genuine customer would know.
In fact, determined crooks can usually bypass two or three layers of authentication, so the best defense is to combine many layers of fraud prevention, Gartner fraud analyst Avivah Litan says in her company blog.
"Malware-based attacks against bank customers and company employees are levying severe reputational and financial damage on their victims," Litan says. "They are fast becoming a prevalent tool for attacking customer and corporate accounts, and stealing sensitive information or funds. Fighting these and future types of attacks requires a layered fraud prevention approach."