
US credit card hack 'not possible in SA'

By Paul Vecchiatto, ITWeb Cape Town correspondent
Cape Town, 20 Feb 2003

The chances of a credit card database being hacked, as happened in the US, are zero, according to SA financial institutions, because the problem lies not in the technology but in the business process.

The US was rocked this week by revelations that a third-party card processing company's database had been hacked and that about eight million credit card accounts were compromised.

Reuters reports that in what is believed to be the biggest credit card hacking incident in history, Omaha-based Data Processors International said in a statement that it had "recently experienced a system intrusion by an unauthorised outside party". The company processes transactions involving Visa, MasterCard, American Express and Discover Financial Services for merchants.

"We are aware of the matter and looking into it," said FBI spokesman Paul Bresson, declining to comment further on the pending investigation.

The credit card issuing agencies say there has been no evidence that the numbers have been fraudulently used and cited "zero liability" policies under which consumers would be protected in the case of fraud.

South African companies and banks involved in credit card security say the chances of such a hack happening in this country are minimal, if not impossible, as there are no third-party transaction companies and merchants are not allowed to keep credit card account numbers.

Database hack

"This was a database hack, probably using the Internet as a means to access it," says Iveri CEO Ben Coetzee. "Interestingly, this happened when there was a SQL database worm on the loose, but this could just be coincidence."

Iveri supplies secure payment software to merchants and banks, and the company considers itself to be the largest supplier of secure payment software in the Internet retailing side of the industry.

Coetzee says the US company that was hacked was a third-party transaction processor which acted on behalf of merchants and banks. "Those companies do not exist in SA because all our banks have kept such functions in-house."

The pitfalls of outsourcing

Johan van Schalkwyk, head of Standard Bank's card division, says the popularity of outsourcing business units in the US means both sides of the credit card transaction are usually in the hands of third parties.

"The two legs of the credit card business are the card issuing and then the acquiring side, which relates to processing the merchants' claims. It was a company doing the latter that was hacked."

Van Schalkwyk says Standard Bank and the other major commercial banks are comfortable that credit card security in this country is adequate. "The encryption environment is very secure. A merchant has no real sight of the credit card number because when a customer is asked to enter the details, a pseudo number is generated and all the merchant sees is whether the transaction has been approved or not."

Retailers do keep account details

However, a source within the retail industry disputes this and says it is well known that many retailers and suppliers keep credit card details. "We have customers who expect us to keep their account numbers as they wish to renew subscriptions and make regular purchases without having to resubmit their details every time."

He says that while the banks have extremely secure systems, many of the retailers use standard commercial off-the-shelf databases that are vulnerable to hackers.

Iveri's Coetzee says it would be impractical for every company to have a proprietary database, but that most come with encryption set-ups that can be customised. "The issue is that if you have information that needs to be protected, then you must do everything in your power to do so."
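The "pseudo number" model van Schalkwyk describes and the retailer's renewal use case, sketched as an added example that is not from the article or from any company named in it: a hypothetical bank-side Processor vault keeps the card number and hands the merchant a random token; the merchant stores only that token for recurring charges and learns nothing beyond the approval outcome and the last four digits. The class names, the Luhn pre-check and the approval limit are assumptions made for the example.

```python
import secrets

def luhn_valid(pan: str) -> bool:
    """Luhn checksum: the basic well-formedness test a processor applies to a PAN."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class Processor:
    """Hypothetical bank-side vault: the only system that ever holds the real PAN."""
    def __init__(self):
        self._vault = {}                    # token -> PAN (encrypted at rest in practice)
    def tokenize(self, pan: str):
        """Return an unguessable token for a valid PAN, or None if it is malformed."""
        if not luhn_valid(pan):
            return None
        token = secrets.token_hex(16)       # random, so it reveals nothing about the PAN
        self._vault[token] = pan
        return token
    def authorize(self, token: str, amount_cents: int) -> dict:
        """The merchant learns only the outcome and the last four digits."""
        pan = self._vault.get(token)
        if pan is None:
            return {"approved": False, "reason": "unknown token"}
        approved = amount_cents <= 50_000   # constructed limit standing in for issuer rules
        return {"approved": approved, "last4": pan[-4:]}

class Merchant:
    """Hypothetical merchant: keeps tokens for renewals, never card numbers."""
    def __init__(self, processor: Processor):
        self.processor = processor
        self.customers = {}                 # customer id -> token
        self.ledger = []                    # what a breach of the merchant database would expose
    def enrol(self, customer_id: str, token: str):
        self.customers[customer_id] = token
    def renew(self, customer_id: str, amount_cents: int) -> bool:
        result = self.processor.authorize(self.customers[customer_id], amount_cents)
        self.ledger.append({"customer": customer_id, "amount": amount_cents, **result})
        return result["approved"]

def merchant_data_exposes_pan(merchant: Merchant, pan: str) -> bool:
    """True if the card number appears anywhere in the merchant's stored data."""
    stored = list(merchant.customers.values()) + [str(e) for e in merchant.ledger]
    return any(pan in s for s in stored)
```

A compromise of the merchant's `customers` and `ledger` data yields tokens that are useless without the processor's vault, which is the separation the article's banks rely on.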

He says the main financial implication of the US case would be that of the cost of issuing new cards and account numbers to the customers and the reputation of the company that was hacked.

In terms of the new Electronic Communications and Transactions Act that was passed in SA last year, hacking a database constitutes theft, even if the information is not used fraudulently. However, in the US, the federal law does not see this and state laws differ markedly. The problem for the US is that banks located in one state often use third-party transaction companies situated in another state and this blurs the implications and penalties for illegal hacking.

SA banks quiet on fraud

SA banks do not make public announcements about credit card and other forms of fraud. However, sources within the industry say there are widespread attempts "every day" to commit fraudulent transactions from within and outside the financial services sector.

"Several of the banks make a practice of e-mailing staff lists of people who have been caught and are charged, fired or facing disciplinary action for trying to commit some kind of fraudulent transaction," the source says.

Mario Fazekas, relationship manager for the forensic services department of auditing firm Ernst & Young, says: "There is a continuous cat and mouse game being played between the banks and the hackers. Sometimes the banks are on top and other times the hackers and fraudsters are."

Fazekas says a similar database hack could happen in SA at any time and that Ernst & Young has come across such cases.

"Banks, locally and internationally, are being compromised all the time; however, they try and keep silent as they fear losing public trust."

He says there are numerous cases of large international banks paying hackers who have broken into their systems in order to keep them silent. "However, to our knowledge no such case has happened in SA."

An operations director at a large SA commercial bank sarcastically says: "National productivity would increase tenfold if the energy used to defraud banks was applied to legitimate business."

Black market

Reuters quotes Alan Paller, research director at the System Administration, Networking and Security Institute in Bethesda, Maryland, as saying: "There is an epidemic of credit card thefts from banks and e-commerce companies."

Paller and David Robertson, publisher of The Nilson Report, a credit card industry trade journal, believe this is the biggest case of theft of credit card numbers in history.

"While consumers are protected from liability, the credit card issuers will have to pay about $4 to $5 each to replace the cards, putting the total cost at between $32 million and $40 million," Robertson says.

"The real losers here are the [card] issuers themselves and potentially [Data Processors International], depending on how much insurance they have. The costs to issuers are not only just the new piece of plastic and mailing the card, but the customer service issues, such as notifying the card-holders."

Credit card institutions are prime targets for organised crime groups that try to extort money out of them and sell the card numbers on the black market, according to Paller.

"[Credit card] fraud is far worse everywhere in the world than in the US, with the exception of France, which uses smart cards with microchips in them," which can't be easily faked, Robertson says. "As a result, fraud in the US makes up only 7c out of every $100 of sales."
