Page last updated at 00:16 GMT, Wednesday, 6 August 2008 01:16 UK

How secure is your card info?

By Maggie Shiels
Technology reporter, BBC News Website, Silicon Valley

cash machine
Stolen information was encoded on blank cards used at ATM machines

In light of the biggest identity theft case ever prosecuted in America, the spotlight is being turned on just how secure is our credit and debit card information?

The question is a simple one but the answer might appear to be a bit harder to pin down.

VeriSign, a firm that secures websites for e-commerce, told the BBC that credit and debit card information is "vulnerable" but they are working with retailers to change that.

"Credit and debit card information is just not incredibly secure," said Perry Tancredi, VeriSign's senior product manager for fraud detection.

"But it is counterbalanced by the amount of fraud losses due to cheque fraud and direct debit fraud which is much greater than credit card fraud."

Mr Tancredi said: "Regardless of how strong the security measures, and how vigilant, the weak part of the chain is there is always a human who is responsible and who has overall control over the information."

He suggested the best bet was for all consumers to "assume that there will be some sort of fraud on your account sooner or later" and put in place a plan to deal with it.

'Getting safer'

Espousing a completely different view is Jerry Tabeling who is the president of IDP, a company that carries out vulnerability assessments of networks and online business applications.

"Our information is a lot more secure after all the publicity we have had about attacks," he said.

"But yes there are still problems that still exist though it is getting safer." These, Mr Tabeling told the BBC, tend to centre [on] a retailer not doing a good enough job securing its network.

"If the proper encryption is configured on the wireless access point, then an attacker will not be able to get any information. I would have to bet in this case that didn't happen."

At stake for victims of fraud is more than just money

The authorities said the details of the 40 million credit and debit card holders was obtained by the hackers "wardriving" past stores to find wireless networks they could hack into.

This entailed driving around using a hand-held device to detect a wireless signal much in the same way a radio scanner hunts for a signal.

The US justice department said the hackers then loaded "sniffer" software onto the retailers' networks which captured numbers as well as passwords and account information as it moved through the retailers credit and debit processing networks.

That information was then sent to servers that the group controlled in Eastern Europe and the United States.

The justice department said the stolen numbers were "cashed out" by encoding card numbers on the magnetic strips of blank cards and then used to withdraw tens of thousands of dollars from ATMs.

'Identity loss'

The Justice Department is not putting a figure on just how much the fraud has cost, but Mr Tancredi said the money is not the point with most card liability ranging around $50 (25).

MasterCard sign in shop window
MasterCard says it strives to safeguard account information

"If you are a victim of credit card fraud you might get your identity stolen and then you lose more than just money. You lose time, you lose trust and it could take years to fix your credit."

MasterCard said preventing fraud and safeguarding financial information is a top priority for the company.

Spokesman Chris Monteiro told the BBC: "If a cardholder is concerned at all about the security of their account they should immediately contact their issuing financial institution."

The Payment Card Industry, or PCI, has developed standards for retailers to adopt when handling credit and debit payments.

A spokesperson said while it is trying to get merchants to adopt these standards "it is not our job to go around checking who is compliant with this. That is lead by the credit card brands."

Meanwhile Mr Tabeling, an IT security specialist, suggested that all consumers need to play a more proactive part in policing their own transactions and their credit information.

"We have no choice but to trust the retailers are doing their bit but we can do more.

"We can keep track of our credit report once or twice a year, check our statements and set up a notification so that if there is any suspicious activity on our account we are told about it right away."

Bank phishing attacks on the rise
24 Jul 08 |  Business
Concern over rising fraud cases
28 Jul 08 |  Scotland
Hi-tech criminals target Twitter
05 Aug 08 |  Technology
Oyster card hack to be published
21 Jul 08 |  Technology
Phishing attacks soar in the UK
15 Apr 08 |  Technology

The BBC is not responsible for the content of external internet sites

Has China's housing bubble burst?
How the world's oldest clove tree defied an empire
Why Royal Ballet principal Sergei Polunin quit


Americas Africa Europe Middle East South Asia Asia Pacific