Public Address
Since: Nov 2006
Posts: 1644
Hard News: A bigger breach?
This morning's Twitter buzz around the troubling theft of credit card information received by Auckland City Council carpark pay machines seems to have turned up quite a bit of anecdata around mysteriously cancelled credit cards.
Steve King
Since: Nov 2006
Posts: 2
My ASB Visa was replaced last week due to the possibility it had been 'compromised', as was a friend's ASB Mastercard.
I recently had my credit card "disabled" by the bank and received a new one the next day in the post. The premise being they detected "dodgy" activity on it. Strangely the new card had the same number.
The Downtown payment machines have now had the CC payment option unavailable for a few days now.
I received a new BNZ Visa replacement about 2 weeks ago due to a security concern. When I rang up to find more details I wasn't given many. I was told that certain businesses in Auckland *may* have had a security problem and that BNZ were being proactive in the interests of security blah blah.
Kiri Carter
From: Auckland
Since: Apr 2009
Posts: 3
Me too, but it was more like three weeks ago. ASB visa. A workmate had hers replaced same way, same non-specific reason given.
I asked an ASB Bank teller and he just said that it's most likely a precautionary measure where they know data has been accessed and they want to make sure there's no fraud. So he was no help.
I guess if they're still investigating they're going to be a bit cagey about details... anyone got any anonymous sources from the banks...?
Righto. Clearly something's going on.
Ben Gracewood, who's no mug, has suggested that there might be a much larger breach or series of breaches that the banks aren't talking about yet.
I have often wondered about the security of credit cards. How easy would it be to place a small transaction on all the card numbers that, say, a waiter or checkout worker have collected over the years. When you charge to a card you have the option of stating what you want to appear on their statement, how hard is it to write "Account Charge" or "Card Management fee"?
If the charge is less than $5 most people would dismiss it as just another credit card company "charge" and do nothing about it.
Strangely the new card had the same number.
Is the 3 digit security number on the back of the card the same?
If they're being cagey, I would suspect that there's a big data-matching exercise going on within and between all the main banks. The only reason to keep people in the dark is when you're still hunting. Once the hunt is over, it's safe to let the world know that something like this happened, especially since it makes the banks look good, rather than bad, that they detected it internally and it wasn't their systems that were compromised.
I doubt we've heard the end of this, either.
slarty
Since: Nov 2006
Posts: 219
You'll never get figures from the Banks around the number of breaches.
Globally PCI (payment card industry) operate some seriously scary surveillance systems. I get to see these things. I have no concerns about using my card...
There are surges of activity as breaches tend to be detected in batches - so you will see a raft of cards replaced in clumps.
The PCI system is continuously under attack (many originate from Eastern Europe). The techniques evolve on a daily basis. Basically it's an ongoing battle.
A routine approach is to cancel cards that are old and not being used (just because villains tend to either use them straight away, or save up thousands and then do a concerted attack).
It is fair to say there have been two or three breaches over recent months. The Car Park issue is the most insidious kind, and you need to think carefully about why they did a release...
Is the 3 digit security number on the back of the card the same?
My CC number was same too, but 3 digit security number was changed.
I have often wondered about the security of credit cards. How easy would it be to place a small transaction on all the card numbers that, say, a waiter or checkout worker have collected over the years. When you charge to a card you have the option of stating what you want to appear on their statement, how hard is it to write "Account Charge" or "Card Management fee"?
If the charge is less than $5 most people would dismiss it as just another credit card company "charge" and do nothing about it.
Most credit card companies proactively monitor for this sort of thing and suspend your card until you say it's OK to proceed.
The general pattern for Internet-based credit card fraud is that you'll get a couple of small (1-2 USD) transactions on your card to "test the waters", then a much larger transaction as the fraudster tries to withdraw the money as cash. Banks have gotten better at jumping on those first small transactions.
I've had my credit card suspended twice while this was investigated (though as far as I know my card's currently active.) The first time, my details had been stolen, but the second time I was signing up to an online gaming service which used a method of charging two small random amounts then having you report those amounts back from your statement to verify that you actually owned the card.
My MasterCard got replaced by ASB about 3 weeks ago... they were happy enough to keep it active over the weekend while I was away in Christchurch (they phoned about 3pm on Friday). No details, just said Visa had got in touch about a potential breach, and they were replacing it as a precaution.
Ross Anderson at Cambridge University is The Man on the security (or otherwise) of electronic payments systems -- and more recently on peer-to-peer networks and defeating censorship.
I dealt with him in the 90s when I was writing about the debacle of the Mondex stored-value card system that all the big NZ banks bought into.
Slarty, I'm guessing you know his work -- if not, he's your kinda guy.
Is the 3 digit security number on the back of the card the same?
No, I got a new security number on the back. Still if people have access to card numbers there are plenty of places to use a CC # online without knowing the CVV code on the back.
Yep, ASB visa (not due to expire for ages) replaced 2 weeks ago for no obvious reason.
Lee Taylor
From: Auckland
Since: Dec 2007
Posts: 3
I knew there was a problem when I started seeing transactions on my account made in Phoenix, AZ a few weeks ago. It was around the same time the machines in the carpark stopped accepting credit cards. Happily ASB issued a new card and refunded the money within a couple of days.
Sofie Bribiesca
From: here and there.
Since: Nov 2007
Posts: 2199
I asked an ASB Bank teller and he just said that it's most likely a precautionary measure where they know data has been accessed and they want to make sure there's no fraud. So he was no help.
I'd be happy with that info. Quite informative I would have thought.
there are plenty of places to use a CC # online without knowing the CVV code on the back.
Call me old fashioned but I wouldn't touch one of those sites with your credit card.
;-)
Graham Dunster
From: Auckland
Since: Nov 2009
Posts: 1
Both Amex and ASB Visa Platinum cards replaced in the past month by issuers due to fraudulent transactions appearing - train tickets in Sweden, various stuff in Germany etc. All the ones they've told me about have been European transactions. Haven't been asked to honour any of these phony 'transactions'.
Rik
Since: Jun 2007
Posts: 70
A dozen responses...yet no-one has suggested John Key is behind this conspiracy so far?? Come on centre left, you can do better!
This all sounds very odd.
Also, I have always wondered about street parking machines where it debits your card without any pin number being entered. This is the case at the airport machines too. They charge like wounded bulls, and so in that case can be $50 or more being charged. What is the point in having the security measures if they aren't always applied?
I booked a train trip in Italy last year over the internet with my credit card - through the national carrier, Trenitalia. I was stunned to see when I got back from my trip that some bugger had my number and was using it to buy all sorts of stuff in the UK, including a NZ$1000 phone. The bank noted these transactions were fraudulent and hence I wasn't liable, but it was horrible.
The worst part was the credit card people suggested that they had problems with card numbers after people had made purchases through Trenitalia. I told them that average punters like me would think it was safe to use in this way, with a large national rail company, but they said not. I give up.
I hear BNZ is phasing in cards with a chip, hopefully that might reduce fraud. We seem to be late bringing in the chip cards here though.
Steve Curtis
From: Auckland
Since: Nov 2006
Posts: 109
Slightly off track.
The appropriately named 'Your Telecom' service from Telecom has been offline for a week.
Security breaches?
A dozen responses...yet no-one has suggested John Key is behind this conspiracy so far?? Come on centre left, you can do better!
Nah, it was Hone Key who said he could do better.
We do the truth to power thingy.
Revel Drummond
From: Auckland
Since: Oct 2009
Posts: 1
Talking about the dodgy use of credit cards.
I have been travelling in the USA for the last three weeks. I used the BART train system in SF and the Amtrak routes in and out of SF too. To buy tickets just insert your credit card in this handy machine. No authentication required. None. I think I remember doing this in Europe too.
Craig Ranapia
From: North Shore, Auckland
Since: Nov 2006
Posts: 7133
A dozen responses...yet no-one has suggested John Key is behind this conspiracy so far?? Come on centre left, you can do better!
Isn't it just assumed that John Key is personally responsible for everything even slightly crappy that has ever happened in the whole wide 'verse since just before the extinction of the dinosaurs?
Call me old fashioned but I wouldn't touch one of those sites with your credit card.
phew! I am more worried about bad guys using one of those sites with my credit card number :})
Tracey
From: Westside
Since: Nov 2009
Posts: 1
I'm guessing that in addition to your security number they will have changed your expiry date, which you do need to use your card on most sites.
slarty
Since: Nov 2006
Posts: 219
Personally for small-value transactions I'd prefer no PIN... less chance of disclosure. It's mainly there for contract, not security purposes!
NZ has pretty much the lowest CC fraud rate in the world (it's 1/3 of that in Australia - but my info is a couple of years old). It's because we are quite unusual in a) only having 2 EFT switch networks and b) we've been real-time for a long time (many countries "batch" their CC transactions and process them overnight).
Like I say, I have no qualms using my card in NZ. But when I go overseas I order a new card in advance, use that while I'm travelling and destroy it when I get back. My bank does this for nothing. A good alternative is the stored value cards (but they can be expensive...)
And yes, a bit of common sense online is good! Visa, MC or the PCI site all have good, simple tutorials on what to look for...
[H-T RB!]
Isn't it just assumed that John Key is personally responsible for everything even slightly crappy that has ever happened in the whole wide 'verse since just before the extinction of the dinosaurs?
Government is a blame sink. By being in power, you get to be responsible for everything. And that shoe goes on both feet.
Slightly off track.
The appropriately named 'Your Telecom' service from Telecom has been offline for a week.
Security breaches?
I'd be highly surprised if it was anything like that, from what I understand it's heavily integrated with other services which are still up and running, and there's no way to get "free money" (or free services for that matter) from it.
Much more likely to be an issue with an upgrade or change to the backend of the service that had to be rolled back, resulting in the shutdown until they could get things fixed. It wouldn't be a priority at this time of year, unfortunately.
I'm guessing that in addition to your security number they will have changed your expiry date, which you do need to use your card on most sites.
Ahh very true. I knew there was some detail I was missing.