?

Log in

No account? Create an account
Glare, Grouchy

[Life] Card theft!

So, today I get a little letter in the mail. I open it, and find:

Dear Valued Cardholder,

We are writing to provide you with a replacement Washington Mutual ATM/Visa Check Card and inform you about a situation that affects the security of your current card.

Visa recently informed us that the information on your Washington Mutual ATM/Visa Check Card was revealed to unauthorized persons by a company that processes ATM transactions (not affiliated with Washington Mutual). Visa has not informed Washington Mutual of the name of the company involved, nor will this information be provided to us.

< Lots of info on what to do next, etc... >


Not going to provide the name? Dammit, I want to know who so I can ensure I never use that ATM or Point-of-Sale service again! Grmph.

I'm reasonably good. I don't leave receipts anywhere without shredding the card number, I try not to make it easy to steal my ID info, and I only do online purchases from places with strong crypto. And now the ATM companies are giving away the card info??

Ugh. Gotta change aaaall my services over to the new card, etc. Whee...

Comments

(For once, I can comment intelligently and professionally...)

It probably wasn't a specific vendor. It was probably CardSystems or one of those other guys that processes credit card transactions for Visa and the banks - so not WaMu themselves, as they say.

Recall when CardSystems had an information leak that exposed 40 million identities to the world? Well, this could be part of the subsequent fallout.

Also, WaMu has been a top fishing target for a long time. One of the reasons for this is that, like many banks, they're poor about checking 'track 2 data'. Track 2 is a supplementary authentication mechanism encoded on a debit card when it is issued. (If you can change your ATM pin over the phone, the bank doesn't do track 2.)

It's much easier to counterfeit a card with only track 1 data. The format for Track 1 is an open standard. The particular use of track 2 varies from bank to bank. That doesn't mean it's impossible to forge Track 2, but it means that the banks that only use Track 1 are much easier to attack. They're the 'low hanging fruit', so to speak.
Yeah, I do know the Track 1 / Track 2 stuff; I used to have to write cardreader software for the arcade platform that a number of companies (including 'lith) were working on. I was the poor sap responsible for arranging for all the custom hardware (joystick stuff, card reader stuff) and writing the low-level drivers for it.

Fishing is another annoyance, but I just ignore all those mails. I'm just cheesed about the breach being way beyond anything I could've dealt with by being cautious. :(
Right. And the back-end security for a lot of these financial services and institutions sucks. Seriously, I don't think I've ever audited one that wasn't terrible. Visa and MasterCard have some basic standards that people are supposed to implement to do transaction processing, but many of them fail at that, or comply for the audit alone and then go back to doing whatever insecure convenient thing they were doing before.

One of the banes of my line of work is knowing that even if you're spectacularly paranoid about your data, the centralized systems aren't. Sigh.
And it's going to stay that way until the cost of insuring against the problem is larger than the cost of fixing it. Probably much larger, since entrenched systems have an additional cost of shocking people out of torpor and habit.

And then there's the fun part where the real cost of bad security isn't on the banks, or Mastercard, or Visa, or whomever. It's on the consumers who have to go and clean up the mess it makes for them. The banks and card companies don't care since it's not their cost.

One might presume that people who decide to use credit cards have decided that it's worth the risk, but I still don't think that's any kind of excuse for deploying a broken system in the first place.
I can understand how you feel! >_<
Are there a lot of ATM companies that you can switch to? There really aren't many here! That's why its a little IFFY! >_<