TELECOM Digest OnLine - Sorted: Re: Cardholders Kept in Dark After Breach -- Washington Post

Re: Cardholders Kept in Dark After Breach -- Washington Post

Robert Bonomi (
Fri, 24 Jun 2005 11:02:59 -0000

In article <>, Marcus Didius Falco
<> wrote:

> I had been planning to call my active credit card companies to
> determine whether any had been compromised. This article caused me to
> start the process this morning, calling American Express, my most
> active account.

> After thanking me for carrying their card for 21 years, they refused
> to tell me whether any of my three cards was among those
> compromised.

Well, they don't *know* which cards were actually compromised. NOBODY
_knows_ which card numbers were actually stolen from CardSystems.

CardSystems only knows which card numbers were _vulnerable_ to have
being stolen -- data as to which of those _were_ stolen is simply not

> They tried to tell me that they have all sorts of "anti-fraud"
> procedures. Even so, it was Master Card and not American Express
> that first uncovered the problem,

NOT surprising. MC has a _lot_ more cards out there, and a *lot* more
transactions/day than AMEX does.

Identifying 'suspect' transactions is one thing -- you look for things
that are 'inconsistent' with the history _for_that_account.
Identifying *where* a 'data theft' occurred, is a whole different
kettle of fish. You have to have a _volume_ of accounts with similar
suspect transactions first, and then go looking for 'common history'
in prior activity on those accounts.

If only because of the larger number of cardholders, and thus the
larger volume of transactions, I would _expect_ MC to find
'statistically significant' correlations sooner than Amex.

> and there is no way I can reliably double check an account that has
> dozens of charges a month, many of them posted in the name of parent
> companies located at head offices in other cities, so that many of
> the charges are not easily verified and must usually be taken on
> faith.

Well, unless, _you_ keep a record of everything you charge -- date and
amount. And match them against the statements you get. It's not
really rocket science.

I used to do it every month, for several corporate cards that had
several _hundred_ charges/month. Life was _really_ fun when the
Company President's son (away at college) used daddy's card to sign up
for Internet access (and the fact that the initial posting was 'late',
and was for _4_ months services). That one _jumped_ off the statement
at me -- the company had it's own dial-up pool, and everybody used
_that_ for home access.

If you choose not to do so, and 'uncritically' accept their
accounting, that _is_ your choice.

> Accordingly, I told them to cancel all three cards and send me new
> ones. They were not happy, but were unwilling to tell me whether
> the cards had been compromised. Perhaps if they have the expense of
> replacing many customers credit cards, some necessarily and many
> unnnecessarily, they will start taking security and customer service
> more seriously.

> When I get the new American Express cards I will call the second
> most active card in my wallet, and so on down the list.

Note: if you are in the UK, as your email address seems to indicate,
it is _unlikely_ that any of your cards were exposed via the
CardSystems 'problem'. Unless you're doing siginficant credit-card
buying in the U.S., that is. CardSystems clears almost exclusively
for U.S.-based merchants.

Post Followup Article Use your browser's quoting feature to quote article into reply
Go to Next message: Choreboy: "Re: DSL Speed"
Go to Previous message: Robert Bonomi: "Re: SBC DSL Total Fee Per Month"
May be in reply to: Marcus Didius Falco: "Cardholders Kept in Dark After Breach -- Washington Post"
Next in thread: Steve Sobol: "Re: Cardholders Kept in Dark After Breach -- Washington Post"
TELECOM Digest: Home Page