Shostack + Friends Blog Archive

 

The Latest Big Processor Breach

So it’s now roughly confirmed, except for a few denials from Visa. First there was CardSystems, then Heartland, and maybe there’s at least one more known-to-some criminal breach at a payments processor. A lot of security bloggers have been talking about this, but I figure another day, another breach. Can’t we just get some facts? Do we have to get all wrapped around the secrecy axle?

I wanted to talk a little about this release [link to http://cardnet.pcua.coop/Home/NewsFlash/tabid/248/Default.aspx no longer works] from the Pennsylvania Credit Union Association, which was the first confirmation of the new breach, and said in passing:

Visa began releasing affected accounts on Monday, February 9, 2009 under CAMS event series US-2009-0088-IC. They expect to have all accounts released by Friday, February 13. MasterCard began releasing accounts on Wednesday, February 11, 2009 under MC Alert series MCA0150-US-09.

Now, what I found really interesting is the form of those numbers, which apply to “event series” and “alert series.” Visa’s is “US-2009-0088-IC.” If I were to break that down, I’d figure that the 0088 is an event number, and Mastercard’s on MC alert #150.

So before anyone jumps up and says “OMG! 150 breaches! pwn! doom!” let’s analyze. First, either Visa and Mastercard have very different rules about what gets an event or an alert, or very different detection speeds. I think the former is more likely. So given that the networks have different definitions of what an event is, there are at least two professionally defensible definitions, and likely many more.

I wonder what the definitions are, and if they tell us anything about public breach notification rates.

One comment on "The Latest Big Processor Breach"

  • Alexandre Carmel-Veilleux says:

    I wouldn’t be surprised if every podunk ring of card cloners at places like gas service stations register a number. Maybe even failed audits, depending on what messages they want to get through to their members. I’ve lost track of how many times I’ve seen CC handling code store raw numbers in DB along with CVV/CVCs.
