Re: Cardholders Kept in Dark After Breach -- Washington Post

> I had been planning to call my active credit card companies to
> determine whether any had been compromised. This article caused me to
> start the process this morning, calling American Express, my most
> active account.
>
> After thanking me for carrying their card for 21 years, they refused
> to tell me whether any of my three cards was among those
> compromised.

Well, they don't *know* which cards were actually compromised. NOBODY _knows_ which card numbers were actually stolen from CardSystems.

CardSystems only knows which card numbers were _vulnerable_ to being stolen -- data as to which of those _were_ stolen is simply not available.

> They tried to tell me that they have all sorts of "anti-fraud"
> procedures. Even so, it was Master Card and not American Express
> that first uncovered the problem,

NOT surprising. MC has a _lot_ more cards out there, and a *lot* more transactions/day than AMEX does.

Identifying 'suspect' transactions is one thing -- you look for things that are 'inconsistent' with the history _for_that_account. Identifying *where* a 'data theft' occurred, is a whole different kettle of fish. You have to have a _volume_ of accounts with similar suspect transactions first, and then go looking for 'common history' in prior activity on those accounts.

If only because of the larger number of cardholders, and thus the larger volume of transactions, I would _expect_ MC to find 'statistically significant' correlations sooner than Amex.

> and there is no way I can reliably double check an account that has
> dozens of charges a month, many of them posted in the name of parent
> companies located at head offices in other cities, so that many of
> the charges are not easily verified and must usually be taken on
> faith.

Well, unless, _you_ keep a record of everything you charge -- date and amount. And match them against the statements you get. It's not really rocket science.

I used to do it every month, for several corporate cards that had several _hundred_ charges/month. Life was _really_ fun when the Company President's son (away at college) used daddy's card to sign up for Internet access (and the fact that the initial posting was 'late', and was for _4_ months services). That one _jumped_ off the statement at me -- the company had its own dial-up pool, and everybody used _that_ for home access.

If you choose not to do so, and 'uncritically' accept their accounting, that _is_ your choice.

> Accordingly, I told them to cancel all three cards and send me new
> ones. They were not happy, but were unwilling to tell me whether
> the cards had been compromised. Perhaps if they have the expense of
> replacing many customers' credit cards, some necessarily and many
> unnecessarily, they will start taking security and customer service
> more seriously.
>
> When I get the new American Express cards I will call the second
> most active card in my wallet, and so on down the list.

Note: if you are in the UK, as your email address seems to indicate, it is _unlikely_ that any of your cards were exposed via the CardSystems 'problem'. Unless you're doing significant credit-card buying in the U.S., that is. CardSystems clears almost exclusively for U.S.-based merchants.

Robert Bonomi
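
Added example, not part of the original post: a sketch of the "common history" search the reply describes, showing why a larger pool of suspect accounts reaches statistical significance where a small one does not. The processor names, account data, hypergeometric test and the `alpha` cutoff are all assumptions constructed for illustration.

```python
from math import comb

def tail_probability(N, K, n, k):
    """P(X >= k): chance that k or more of n randomly chosen accounts
    fall among the K (out of N) that used a given processor."""
    hits = sum(comb(K, j) * comb(N - K, n - j) for j in range(k, min(n, K) + 1))
    return hits / comb(N, n)

def common_points(history, suspects, alpha=1e-6):
    """Processors over-represented in the suspects' prior activity,
    as [(processor, p_value)] sorted by p_value. alpha is an assumed cutoff."""
    N, n = len(history), len(suspects)
    found = []
    for proc in set().union(*history.values()):
        K = sum(proc in seen for seen in history.values())
        k = sum(proc in history[acct] for acct in suspects)
        p = tail_probability(N, K, n, k)
        if p < alpha:
            found.append((proc, p))
    return sorted(found, key=lambda item: item[1])

def build_history(n_accounts=1000):
    """Constructed sample data: which processors each account's past
    charges cleared through (A: 20% of accounts, B: 50%, C: about 33%)."""
    shares = {"processor_A": 5, "processor_B": 2, "processor_C": 3}
    return {acct: {name for name, step in shares.items() if acct % step == 0}
            for acct in range(n_accounts)}

HISTORY = build_history()
# Constructed suspect lists: every multiple of 5 used processor_A.
FEW_SUSPECTS = [0, 5, 10, 15]
# 20 accounts that used processor_A plus two unrelated fraud cases.
MANY_SUSPECTS = list(range(0, 100, 5)) + [1, 7]

if __name__ == "__main__":
    print("4 suspects: ", common_points(HISTORY, FEW_SUSPECTS))
    print("22 suspects:", common_points(HISTORY, MANY_SUSPECTS))
```

With four suspect accounts, all of which used processor_A, the overlap is still plausible by chance and nothing is reported; with 22 it is not.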