The card associations have taken recent steps to help deter fraud, but others in the payment system have to be diligent as well, said Stan E. Belitz, MasterCard Vice President of Security and Risk Management, at BAI's recent Internet delivery and risk management conference.
In late 1999, a merchant site was compromised. The hacker threatened to post 6,000 customer MasterCard account numbers on the Internet unless the merchant deposited $50,000 in a Russian bank account.
Other merchants who suffered similar security breaches include Egghead.com, Amazon.com and Western Union, hurting their credibility and businesses.
Those events prompted MasterCard to adopt a Web site protection plan. The plan was accepted by six different acquirers, including First Data Merchant Services, in May 2001, and was launched in March 2002.
Issuing banks wanted enhanced security because it costs them $40 to $60 to block and reissue an account number, Belitz said.
Escalating Internet fraud and chargebacks are other serious problems for the industry, Belitz added.
The U.S. government was hacked more than 300,000 times in 2001.
Only 10 percent of merchant hacks ever get reported. The other 90 percent don't get reported, primarily because the merchant doesn't want to lose credibility, Belitz said.
"I've been told by several merchants that federal law enforcement agencies have told them to pay [the hacker]," Belitz said. "That's blackmail. If you pay them once, they'll come back again."
In an attempt to fight that, MasterCard now has a program that alerts members of hacks within four hours via a secure e-mail. The e-mail includes information about what happened, who to contact and what number(s) were compromised. MasterCard sends the same information to other credit card companies as well.
Perhaps even more distressing is that only 15 percent of intrusions are actually detected, Belitz added.
Street gangs for the most part are no longer wasting their time with armed robbery; instead, they're perpetrating credit card and ATM fraud and hacking to support their other criminal activity.
There are 30 widely available hacker publications, as well as 444 known hacker bulletin boards and 400,000 Web sites with hacker tips, Belitz said.
Another precaution, according to Belitz, is not to view any of these sites using the company computer. Doing that will prompt solicitations from the site. The only way to stop those solicitations is to send a reply e-mail declining further solicitations. But sending such an e-mail opens up a hole in the security system because it gives the hacker your computer (IP) address.
"Once they have your IP address, they can become you," Belitz said. "Be aware of that."
"Additionally, California recently passed a law requiring all POS terminals to be truncated," Belitz added. "The problem with that is when the merchant swipes the card, he's only going to see the last four numbers. For security, that's a bad idea."
It's a bad idea, Belitz explained, because law enforcement officials often rely on credit card associations to help track down criminals. With only the last four numbers of a credit card account, the association's ability to help in such matters is seriously curtailed.
Skimming is another pervasive problem, with 85 percent of all incidents occurring at gasoline stations and restaurants, particularly Middle Eastern-owned gasoline stations and Asian restaurants, Belitz said.