Card breaches shake faith in e-payments

In the past three months, all three of my payments cards -- one credit card and two debit cards -- have been compromised.

That means somewhere, in some database, various fraudsters have my name and enough card details to attempt a shopping spree anywhere in the world. The cards have all been replaced by the issuers and, luckily, I never discovered any fraudulent transactions.

The card breaches are particularly disturbing since I cover computer security. So what happened? I still have no clue. Investigating a card breach as a consumer, or a journalist, is a black hole.

Stealing card numbers isn't hard. A PC can be infected with a keystroke logger that records card details used during online transactions. Insecure databases at merchants can be hacked. ATM machines can be fitted with "skimmers" that record a card's magnetic strip information, which can be used to create a cloned card.

Point-of-sale devices can be modified to record card details. Unscrupulous employees can also steal information during merchant transactions. All of the methods can allow a hacker to eventually use the details and attempt an online transaction, known as card-not-present fraud.

It's impossible for me to trace where and when the card details were acquired. The only common element between the three cards is that I've used them all on my PC for e-commerce transactions at one time or another. But I'm pretty sure I've never been phished, and the various antivirus programs I've had on my PC have never detected malicious software.

Wachovia, my U.S. bank, sent me a new debit card unprompted about a month ago. I thought it was strange since I didn't request a card. I called the bank, and was told the card number had been compromised. Wachovia, though, included absolutely no notification with the new card saying that the old number had been compromised.

Although troves of card numbers are obtained by online thieves, banks will only reissue cards if there's a high fraud risk, said Avivah Litan, a card fraud expert at Gartner. It costs banks around US$20 to reissue a card, so less than 10 percent of the cards that are compromised are replaced, she said.

Upon hearing two of my cards had been compromised, Avivah said, "That is very, very unusual. You should be worried. I would be worried if this happened to me. I tend to be more paranoid than average."

This wasn't making me feel any better.

Wachovia spokeswoman Jennifer Darwin refused to give any information about the breach, such as where it happened and if a law enforcement agency is investigating.

Without information, it's impossible for me to follow up. I can't check in with the police. I can't check to see if a merchant is complying with data-breach disclosure laws that exist in many U.S. states. It's a dead end.

Darwin further downplayed the potential for identity theft. "The physical card was compromised and not your personal information," she said.

Nonetheless, Litan said online scammers will build profiles on people that include card details and sell those profiles to criminals who perpetuate ID theft.

The IDG News Service is a Network World affiliate.