
SANS ISC: Debit Card Compromise Letter - Internet Security | DShield SANS ISC InfoSec Forums


Debit Card Compromise Letter

Well for the second time in 4 months I have received a letter from my bank indicating that their Credit/Debit card processor has once again notified them of a possible compromise in their system.  My debit card is once again being replaced and I will have to contact anyone that I have used for automatic payment using the card number that the number is changing and that the old card will no longer be valid after I receive my new card.  They don't say how the compromise occurred, how they discovered it or what is being done to prevent it from happening again.

So here we go again, logging into my account every day to check and make sure that there are no unexpected transactions.  What a pain!!!!  Is it too much to ask that the banking and credit/debit card folks get their act together and figure out a way to protect my financial information?  Perhaps they could take just a portion of the TARP money that they have received or maybe a portion of the additional money that they are asking for, and instead of using it to buy planes or pay bonuses use it to hire someone to help them figure out how to accomplish the task.

I am beginning to think it is time for me to call LifeLock and check out their identity theft prevention deal. 

 

Deborah

278 Posts
ISC Handler
I hope you are aware of the story about LifeLock that made headlines last year. LifeLock's CEO advertised his own Social Security Number on the website and claimed that their service guarantees complete protection against identity thefts. They make the guarantee by setting fraud alerts at the three major credit bureaus, namely Experian, TransUnion and Equifax. They thought that by doing this, anyone who tries to use an SSN not belonging to himself will get caught. But they made a very very big assumption here that any of the outfits like credit card companies, banks etc. will always run a credit check before activating services for an individual. Guess what! They were proved wrong in a really stupid way. Someone stole the CEO's own identity from his website and took a $500 loan in the CEO's name. The reason the fraud alerts did not get tripped was because the loan company did not bother to run a credit check at all!!

I think the only way out is to be always monitoring activity on your account. Maybe a software like Quicken would help monitor all accounts from a single portal. If you want something free try http://www.mint.com.
Anonymous
A relative of mine received one of these form letters about a data compromise from their bank recently; the most interesting part was the 2nd piece of paper, telling them they had been automatically enrolled in a $1/mo identity theft prevention program offered by a 3rd party. No consent was requested for enrollment, and is it not just a little bit ironic that they included this with the data compromise letter? Shouldn't said bank be paying for this identity theft prevention when they have JUST been compromised? And shouldn't they also ask you before they automatically start taking money from you for a service that you obviously now need because of their incompetence? Odd.
Anonymous
Now everybody get ready for the next phase -- phishers faking these notices in spam. "Deepest apologies for this compromise & inconvenience; Please connect to our secure Compromise Center website and enter your current card number, we will issue you a new one on the spot."
Anonymous
I have to agree with Pip's comment, and am kind of surprised it hasn't happened already. In concept it's very similar to phishing letters already out there, but it wouldn't be difficult to clean these up and time them with known actual compromises...
Lee

21 Posts
I've recently had a similar experience, like yours, where I was notified by my bank that my debit card number was compromised. Thankfully, in order to alleviate the hassle that you mentioned, the bank enabled for me a notification setting (that is not normally available) where I got notified (via email) of each and every transaction made using the card with a sum that is over $0.01. Needless to say that I preferred canceling the card and getting a new one.
DemiGuru

5 Posts
I too have received such a letter and received my new card. I bank with a small credit union in northeast Florida (US). My letter was just as vague. They don't say how the compromise occurred. They did say they were notified by a "company" that a breach had occurred with a "significant number of credit and debit cards". Only my card was compromised to the account, not my wife's. I would tend to think it was a big chain store or even possibly Visa itself.
DemiGuru
1 Posts
