★阿修羅♪ > 国家破産41 > 144.html
U.S. data processor kept data in violation of rules: card data leak [Asahi Shimbun, NYT]
http://www.asyura2.com/0505/hasan41/msg/144.html
Posted by ネオファイト, 2005-06-21 18:39:59: ihQQ4EJsQUa/w
 

(In reply to: [Related] Counterfeit card fears as credit card data leaks; card companies scramble to respond [Tokyo Shimbun], posted by 愚民党, 2005-06-21 10:15:00)

http://www.asahi.com/national/update/0621/TKY200506210192.html
2005-06-21 13:34

In the mass leak of credit card data, John Perry, chief executive officer of CardSystems Solutions, the data processing company that suffered the unauthorized access, has admitted that the company kept on file "for research purposes" card data that it should only have relayed from retailers to financial institutions and should never have stored in-house. The New York Times reported this on the 20th.

A spokesperson for MasterCard International likewise told the Asahi Shimbun the same day that "data was being stored in violation of our rules", pointing to the problem on the processor's side. On the figure of 68,000, which some U.S. papers had reported as the number of fraudulent uses, the spokesperson said: "That is the number confirmed stolen from the database, not necessarily the number of fraudulent uses. The number of fraudulent uses is confidential to the investigation."

The incident came to light when MasterCard noticed an abnormal level of fraudulent use in mid-April. On May 22 it was determined that unauthorized access to the processor's computers was the cause. According to Visa International's Japanese subsidiary, a malicious virus got into the processor's systems in September of last year, and from then on one in every 200 transaction-processing records was being forwarded outside the company.



http://www.nytimes.com/2005/06/20/technology/20credit.html
Lost Credit Data Improperly Kept, Company Admits
By ERIC DASH
Published: June 20, 2005

The chief of the credit card processing company whose computer system was penetrated by data thieves, exposing 40 million cardholders to a risk of fraud, acknowledged yesterday that the company should not have been retaining those records.

The official, John M. Perry, chief executive of CardSystems Solutions, indicated that the records known to have been stolen covered roughly 200,000 of the 40 million compromised credit card accounts, from Visa, MasterCard and other card issuers. He said the data was in a file being stored for "research purposes" to determine why certain transactions had registered as unauthorized or uncompleted.

"We should not have been doing that," Mr. Perry said. "That, however, has been remediated." As for the sensitive data, he added, "We no longer store it on files."

Under rules established by Visa and MasterCard, processors are not allowed to retain cardholder information including names, account numbers, expiration dates and security codes after a transaction is handled.

"CardSystems provides services and is supposed to pass that information on to the banks and not keep it," said Joshua Peirez, a MasterCard senior vice president who has been involved with the investigation. "They were keeping it."

The security breach was first reported Friday when MasterCard International said a lapse at CardSystems had allowed the installation of a rogue computer program that could extract data from the system, potentially compromising 40 million accounts of various credit cards.

MasterCard said Saturday that 68,000 of its own account numbers were especially at risk because they were in a file found to have actually been "exported from the system." CardSystems said yesterday that the file also contained data from other cards in proportion to the volume of business it handles from each company. That would translate to about 100,000 Visa accounts and roughly 30,000 others.

It is not clear whether those numbers could yet grow.

The details about CardSystems' handling of the data raised new questions about the effectiveness and enforcement of the standards established by the card companies for data protection and storage.

To protect cardholders, Visa and MasterCard have long-established policies for the merchants and processors that handle transactions on their payment network. They require their processors, for example, to hire a certified outside assessor to do an annual security assessment. Processors must also conduct a quarterly self-evaluation and scans for network vulnerabilities.

The card associations have also spent millions of dollars to upgrade their own computer systems with sophisticated fraud-detection software. Over the last two years, they have sent out teams to processor and merchant sites to review compliance.

But one kink in this chain - one processor that fails to comply - can put untold numbers of cardholders at risk of fraud.

"The standards themselves are very effectively written," said Tom Arnold, a partner at Payment Software Company, a consulting firm in San Francisco that advises and provides security assessments for merchants and processors. "The challenge in the industry can be when people don't fully comply or try to cut corners."

Avivah Litan, an industry analyst at Gartner Inc., agreed. "If they are really serious about these programs, they should pay attention to how the processors are guarding the data, and they are not," she said. After the disclosure of the security breach at CardSystems, varying accounts were offered about the company's compliance with card association standards.

Jessica Antle, a MasterCard spokeswoman, said that CardSystems had never demonstrated compliance with MasterCard's standards. "They were in violation of our rules," she said.

It is not clear whether or when MasterCard intervened with the company in the past to ensure compliance, but MasterCard said Friday that it had now given CardSystems "a limited amount of time" to do so.

Asked about compliance with Visa's standards, a Visa spokeswoman, Rosetta Jones, said, "This particular processor was not following Visa's security requirements when we found out there was a potential data compromise."

Earlier, Mr. Perry of CardSystems said his company had been audited in December 2003 by an unspecified independent assessor and had received a seal of approval from the Visa payment associations in June 2004.

CardSystems, based in Tucson, processes more than $15 billion in payments for small to midsize merchants and financial institutions each year.

MasterCard said that it had detected atypical levels of fraudulent charges on its cards as early as mid-April and, joined by Visa and an unspecified bank in mid-May, had requested that CardSystems allow its independent forensics team, Ubizen, to investigate. It was not until May 22 that the security specialists identified the rogue computer program as the source, MasterCard said.

CardSystems said it contacted the F.B.I. offices in Tucson and Atlanta on May 23. The F.B.I. said Friday that its investigation was continuing.

Only MasterCard affirmed that it knew of specific instances of fraud against its customers traced to the CardSystems breach. Visa said it was monitoring the situation but had yet to detect any fraud traceable to the case. Those companies, along with American Express and Discover, said their cardholders would not be liable for fraudulent charges on their accounts.

Cardholders' concerns were largely referred to the card-issuing banks. Citigroup said the risk of identity theft to its cardholders was low but said it would closely monitor accounts. Chase Cards said that if cardholders spotted suspicious activity on their monthly or online statements, they should contact their bank. In such a case, identity theft experts said, it would be prudent to cancel the account.

CardSystems is one of hundreds of processors that provide terminals to merchants and help banks process millions of transactions a day, electronically relaying cardholders' names, account numbers and security codes so that once a card is swiped, the sale will be authorized, the merchant will be paid and the customer will be billed.

The processors are also a point in the matrix exposed to Internet traffic and possible intrusion.

"They typically have a Web site where merchants sign on with and then the merchants can look at the daily transactions, the balance in their account," said Edward Lawrence, a managing associate at the Auriemma Consulting Group in Westbury, N.Y., which advises credit card merchants and processors. "My guess is that a hacker would get into the Web site and somehow find their way past a firewall and through the passwords and encroach onto the programming system."

Mr. Peirez of MasterCard said that the data inappropriately retained by CardSystems was particularly sensitive because it included cardholders' three- and four-digit security codes, making it more attractive to potential thieves because it can double or triple the black-market value of a cardholder's account. Ms. Litan of Gartner said there was no reason for a processor to store security codes. "It's probably just laziness or they don't know the rules," she added.

In addition, the data lost in the CardSystems case was apparently not encrypted. "If it was encrypted, the hacker would have gotten data but would not have known how to read it," said Mr. Lawrence of Auriemma Consulting.
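As an added illustration of the retention rule and the failure the article describes (this is editorial example code, not from the NYT, CardSystems or the card associations): a small scanner that flags Luhn-valid account numbers and adjacent security-code fields in a file a processor has kept, the kind of check a processor can run against its own storage to find cardholder data that should have been discarded once the transaction was handled. The sample "research" file, the field names (pan=, cvv2=, cvc2=) and the test card numbers are constructed for the example and are assumptions, not anything reported about CardSystems' actual files.

```python
"""Scan stored text for cardholder data that should not have been retained.

Editorial example, not code from the NYT article or from CardSystems.
Assumed log layout: key=value fields on one line per transaction.
"""
import re
from typing import List, Tuple

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not adjacent to other digits (so timestamps and short IDs are skipped).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Security-code field: a label such as cvv2/cvc2/cid followed by 3-4 digits.
# The labels are an assumption about how such a file might be laid out.
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid)\s*[:=]\s*(\d{3,4})\b", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(line: str) -> List[str]:
    """Return Luhn-valid PANs (digits only) found in one line of text."""
    found = []
    for m in PAN_RE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask(pan: str) -> str:
    """Truncate a PAN for reporting: keep first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan(text: str) -> List[Tuple[int, str, bool]]:
    """Return (line_no, masked_pan, security_code_present) per retained PAN.

    A PAN stored together with a security code is the worst case the
    article describes, so that combination is reported explicitly.
    """
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        has_cvv = CVV_RE.search(line) is not None
        for pan in find_pans(line):
            findings.append((n, mask(pan), has_cvv))
    return findings


# Constructed sample of a "research" file of failed/uncompleted authorizations.
# The PANs are standard industry test numbers; the last line is a decoy whose
# number fails the Luhn check and must not be reported.
SAMPLE = """\
2004-09-14 auth-fail merchant=12345 pan=4111111111111111 exp=0607 cvv2=123 name=J DOE
2004-09-14 auth-ok   merchant=12345 ref=8675309 amount=42.00
2004-09-14 timeout   merchant=67890 pan=5500 0000 0000 0004 exp=1105 cvc2=4567
2004-09-14 noise     merchant=67890 pan=1234567890123456 cvv=999
"""

if __name__ == "__main__":
    for line_no, pan, cvv in scan(SAMPLE):
        print(f"line {line_no}: retained PAN {pan}, security code present: {cvv}")
```

Run against the constructed sample, the scanner reports two retained account numbers, both stored alongside a security code, and ignores the decoy line. A real deployment would walk the processor's file systems and databases rather than one string, and would report masked values only, since the scan output itself must not become another copy of the data.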

The 40 million accounts that passed through CardSystems during the period in question may be the largest case of exposed data to date.

"There is going to be a lot of finger-pointing," said Susan Crawford, a professor of Internet law at Cardozo Law School. "It's a very complex situation, and we'll wind up with calls for very heavy-handed government regulation of data transmission."

Yet, there may be little incentive for processors to change. Visa and MasterCard have said that payment processors that violate their rules must pay a penalty, but they do not disclose the amounts of those fines. And it is typically the merchant that bears the cost of data fraud.

Zero liability for customers means that fraudulent charges come out of a bank or store's coffers in the form of higher merchant transaction fees. "The retailers will pay for it and the issuing banks will get rich off it," Ms. Litan said. "It's just another revenue stream."

"What is the incentive?" she added. "Staying out of the newspapers."
