 |
castledoom.com Castle Doom
|
JuntaJoe
Joined: 07 Nov 2004
Posts: 7391
Location: Texas
|
| Posted: Sat Jun 18, 2005 5:29 am Post subject: Being Only You |
|
|
Lower ID Theft Rates Abroad May Aid U.S.
June 15, 2005 8:42 PM EDT
As U.S. lawmakers mull how to cure the blight of identity theft, privacy advocates suggest they look overseas, where tighter controls on personal data and credit cards make such fraud far less common.
Few experts believe other nations' data privacy laws are directly applicable to the United States, partly because the U.S. economy is greased by the convenience and efficiency of a detailed credit-reporting system.
But other countries' approaches could be instructive.
"We're behind much of the developed world," said Sen. Charles Schumer, D-N.Y., who is pushing a broad bill aimed at impeding the crime. "The major European countries are doing more than we are doing, and somebody can feel safer about giving information about themselves there than in America."
One such difference: Many countries don't use anything like Social Security numbers as universal identifiers, which serve as pass keys for criminals opening fraudulent accounts. Also, credit cards generally are harder to obtain and used less often.
Perhaps most importantly, many countries don't allow financial records and other data obtained on people for one purpose to be sold or shared without their consent.
As a result, some of the record-collating done by huge U.S. companies such as ChoicePoint Inc. - one of the aggregators whose records have become fodder for ID thieves - isn't allowed in most of Europe and Latin America.
"The default setting on most privacy laws is opt-in," said Marc Rotenberg, executive director of the Electronic Privacy Information Center. "In the U.S., it's opt-out."
At Thursday's scheduled hearing on identity theft by the Senate Committee on Commerce, Science and Transportation, someone is certain to cite the Federal Trade Commission's estimate that more than 10 million Americans are victims of such crimes annually, costing individuals $5 billion and businesses $48 billion.
Comparable figures for other countries are difficult to obtain because of differing standards in how the crime is tabulated, defined and reported.
European officials said they could not provide statistics on identity fraud. However, European banks and officials say the crime is much less prevalent there in part because of the European Commission's data directive that took effect in 1998.
Among its wide protections, the directive requires that EU citizens be consulted about transfers of their personal information to third parties and given the chance to correct erroneous data. Exemptions are allowed for national security or criminal investigations.
Obtaining and using credit cards is more rigidly controlled, too, and that limits a fraudster's potential damage. In Swedish stores, for example, card transactions require a photo ID and a signature.
Most European consumers rarely use credit cards, instead paying for things with prepaid debit cards. Commonly those take the form of "smart" cards that have embedded chips instead of magnetic strips, which are easily read by criminals. Users slide the cards into a cash register and punch in a PIN to make a transaction.
Meanwhile, countries with less restrictive data rules - and wider use of credit - such as Canada and Britain have struggled with identity theft much more.
Reports of the crime in Britain have risen 600 percent in the last five years, said National Consumer Council spokeswoman Susanne Lace. The British government estimates that in 2002 the annual cost reached 1.3 billion pounds ($2.3 billion in today's dollars). Prime Minister Tony Blair has cited the rising costs as a reason why the United Kingdom needs secure national identity cards.
Surveys indicate that as many as 9 percent of Canadians have been victimized by ID theft, with 3 percent of the population hit in 2003 alone, according to Susan Gardiner, senior policy analyst at Industry Canada. Complaints to PhoneBusters, a fraud task force run by the Royal Canadian Mounted Police and Ontario authorities, jumped 63 percent in 2003.
In response, Canada enacted the Personal Information Protection and Electronic Documents Act, which fully took effect last year. Similar to a new law in Japan, the act requires businesses to get consent from Canadians before trading their personal information, and even then only allows "reasonable" data transfers. Citizens are entitled to see information stored about them and correct inaccuracies. A national privacy commissioner enforces compliance.
Such transparency is limited in the United States, where many consumers didn't even know about big data brokers such as ChoicePoint and Lexis-Nexis until the companies disclosed in recent months that dangerous information breaches had occurred.
Some of the proposals pending in Congress would shine more light on the industry, though none would go as far as Europe's laws.
One bill would require companies to inform consumers if their personal information were compromised. That would expand the California rule that set off this year's flurry of announcements of data breaches. Other measures would crack down on the dissemination of Social Security numbers.
The proposal backed by Schumer and Sen. Bill Nelson, D-Fla., would treat personal data dossiers like credit reports, since consumers are allowed to regularly see and correct those files and know who has accessed them. The bill would create an office of identity theft within the FTC and fund it with $60 million annually for five years.
Schumer acknowledged that the plan is less restrictive than some overseas rules, but he said constantly notifying consumers about the sharing of their data would be impractical.
"You don't want," he said, "to deluge people."
Copyright 2005 Associated Press. |
|
|
JuntaJoe
Joined: 07 Nov 2004
Posts: 7391
Location: Texas
|
| Posted: Sat Jun 18, 2005 5:36 am Post subject: |
|
|
There's the story.
So how do we keep this big American economy going on generous credit and keep the concept of freedom of information and somehow protect our identity, privacy, and finances?
No need to be a policy, security, or financial expert.
Just weigh in on what is important to you and what you would like to see done.
Can we curtail everything, be safe, and avoid a massive recession because people quit spending like they used to? |
|
|
Waray
Joined: 26 May 2005
Posts: 603
Location: Utrecht, The Netherlands
|
| Posted: Sat Jun 18, 2005 7:29 am Post subject: |
|
|
I'm not quite catching this, does this article also imply that in the US companies & such may distribute your personal records & information without consulting with you first?
I'm from the Netherlands, where we indeed have the debit prepaid card system only accessible by PIN. I love that system. When I don't have money on my bank account I can't use it. I don't see why that wouldn't work in the States although I'm not familiar with how much US households are reliant on credit.
Would cutting the credit really mean that the US consumers will spend less money?
And how about a sort of combination of systems, also use of a PIN but with an amount of credit available as well?
(Never been a credit cardholder though, I don't like the idea of paying for something without having the money, except maybe a mortgage or something).
|
|
JuntaJoe
Joined: 07 Nov 2004
Posts: 7391
Location: Texas
|
| Posted: Sat Jun 18, 2005 4:35 pm Post subject: |
|
|
The average US consumer holds 3 credit cards and has roughly $6000 dollars in unsecured debt. Unsecured debt is credit card debt as opposed to secured debt like a car or house loan where the loaning institution has the car or house to take back as collateral.
We do use debit cards as well. But they are attached to your bank checking account, use magnetic strips, and are not like those pre-paid cards you can buy. You can effectively charge your entire checking account balance on them in one shot. |
|
|
Brf
Joined: 07 Nov 2004
Posts: 3754
Location: Belvidere, Illinois
|
| Posted: Sun Jun 19, 2005 7:22 am Post subject: |
|
|
Waray wrote: I'm not quite catching this, does this article also imply that in the US companies & such may distribute your personal records & information without consulting with you first?
No. They send out a notice that says something to the effect:
"We will send out your personal information to our ally companies, unless you write us a letter that says we cannot."
This is called an "Opt-Out". Most European countries have "Opt-In", which means they cannot spread your info unless you explicitly tell them they can. |
|
|
Waray
Joined: 26 May 2005
Posts: 603
Location: Utrecht, The Netherlands
|
| Posted: Sun Jun 19, 2005 11:24 am Post subject: |
|
|
Thanks for making that clear Brf :)
Also, that's ridiculous.
JuntaJoe wrote: The average US consumer holds 3 credit cards and has roughly $6000 dollars in unsecured debt.
:shock:
So basically speaking the US consumers fuel their economy with money that they don't have...?
|
|
NibbyCat
Joined: 07 Nov 2004
Posts: 3203
Location: Eastern Ohio
|
| Posted: Sun Jun 19, 2005 11:35 am Post subject: |
|
|
| You got it in one. Hell, if all the notes out there came due at once, the government itself would crumble. |
|
|
JuntaJoe
Joined: 07 Nov 2004
Posts: 7391
Location: Texas
|
| Posted: Sun Jun 19, 2005 5:38 pm Post subject: |
|
|
| We are all in debt to the hilt, Waray. |
|
|
Georgie
Joined: 31 May 2005
Posts: 1070
Location: Hawaii, USA
|
| Posted: Mon Jun 20, 2005 11:08 am Post subject: |
|
|
| Maybe for you, but not me. And, yes, I do not have a credit card. I thought that one can demand money back if one's goods do not arrive using credit cards. |
|
|
JuntaJoe
Joined: 07 Nov 2004
Posts: 7391
Location: Texas
|
| Posted: Mon Jun 20, 2005 3:00 pm Post subject: |
|
|
The "we" I was referring to was the vast majority of Americans.
I do carry a small credit balance, though I keep it well contained compared to the rest of America.
I use the cards for the bonuses they give. Air miles, cash back, store discounts, and yes, the consumer protection aspect. You can direct the credit company to refuse payment for things that are purchased and do not function as promised, just plain defective, or do not arrive if ordered. |
|
|
Eddy
Joined: 12 Nov 2004
Posts: 714
|
| Posted: Tue Jun 21, 2005 2:25 am Post subject: |
|
|
| One thing I'd like to see is harsher penalties for companies that allow information to be stolen. |
|
|
JuntaJoe
Joined: 07 Nov 2004
Posts: 7391
Location: Texas
|
| Posted: Tue Jun 21, 2005 4:47 am Post subject: |
|
|
You and me both, brother.
The internet and data lines need a massive change in operation habits.
Mandatory guidelines for security at all places that gather personal information.
Close the damn loophole on email stop-spam buttons that allow them to shift the data to a sister company or any other firm. If you hit the stop-sending button then they should wipe the data permanently and not distribute it anywhere.
Switch to an opt-in system like the Euros.
Establish a national do-not-email list.
Require credit reporting companies to also switch from opt-out to opt-in.
And why hasn't a company tried to create a bulletproof data vault yet? A place that only accepts communication from customers. No outside general web access. In-house business would be on separate servers and data lines. This way, banks and other sensitive info sites will have a hack-proof place to store data not currently being used on local networks. Hack a bank and you only see the accounts that had activity that day. It's not perfect, but a lot less info will be lost.
And best yet, all ISPs giving you the opportunity to block entire domain suffixes. Like saying that no mail can come to my inbox if it has an .ru suffix. Lock the spam countries out, thankyouverymuch! If they object then tell them to go after spammers with a vengeance and prove real results before the ISPs will declare them safe domains. |
|
|
Brf
Joined: 07 Nov 2004
Posts: 3754
Location: Belvidere, Illinois
|
| Posted: Tue Jun 21, 2005 5:15 am Post subject: |
|
|
Eddy wrote: One thing I'd like to see is harsher penalties for companies that allow information to be stolen.
Punishing the victim? |
|
|
Eddy
Joined: 12 Nov 2004
Posts: 714
|
| Posted: Tue Jun 21, 2005 5:38 am Post subject: |
|
|
It's not punishing the victim really. Think of it like a bank vault that is left open by a careless employee. A crook wanders by and quietly takes the goodies in your safety deposit box. Is the bank the victim or is it the safety deposit box holder?
My argument is that the bank is at fault for not taking due diligence in securing the vault. Obviously the crook is the biggest culprit, but as a safety box holder, you expect the bank to at least do the minimum to safeguard your items. To carry this forward to the real life example, the banks (and credit agencies) could be making it a lot more difficult for a random hacker to get your credit info. Instead, they wrote the laws to put the burden on the consumers, with such things as opt-out provisions, requiring the consumer to dispute a charge and have the burden of proof. One particular item is outrageous to me. In order to get your credit report, you must ask all three agencies (for completeness) and pay a fee (which admittedly is being phased out). It amazes me that I have to pay for my own information.
One other thing I learned in my consumer law class is that information in your credit report must be accurate, but it does not have to be complete. What does that mean? Basically if you have one bad thing and nine good things, but the agency chooses only to have the one bad thing listed, there is nothing you can really do about it as long as the detrimental information is accurate. You can't make the agency report the good thing. This unfairly makes reports more negative than positive.
Again, the burden is on the consumer, most of whom aren't even aware how a credit report is made. |
|
|
JuntaJoe
Joined: 07 Nov 2004
Posts: 7391
Location: Texas
|
| Posted: Mon Aug 08, 2005 4:17 am Post subject: |
|
|
Internet Scammers Keep Working in Nigeria
August 07, 2005 7:07 AM EDT
LAGOS, Nigeria - In Festac Town, an entire community of scammers overnights on the Internet. By day they flaunt their smart clothes and cars and hang around the Internet cafes, trading stories about successful cons and near misses, and hatching new plots.
Festac Town is where communication specialists operating underground sell foreign telephone lines over which a scammer can purport to be calling from any city in the world. Here lurk master forgers and purveyors of such software as "e-mail extractors," which can harvest e-mail addresses by the million. Now, however, a 3-year-old crackdown is yielding results, Nigerian authorities say.
Nuhu Ribadu, head of the Economic and Financial Crimes Commission, says cash and assets worth more than $700 million were recovered from suspects between May 2003 and June 2004. More than 500 suspects have been arrested, more than 100 cases are before the courts and 500 others are under investigation, he said.
The agency won its first big court victory in May when Mike Amadi was sentenced to 16 years in prison for setting up a Web site that offered juicy but phoney procurement contracts. Amadi cheekily posed as Ribadu himself and used the agency's name. He was caught by an undercover agent posing as an Italian businessman.
This month the biggest international scam of all - though not one involving the Internet - ended in court convictions. Amaka Anajemba was sentenced to 2 1/2 years in prison and ordered to return $25.5 million of the $242 million she helped to steal from a Brazilian bank.
The trial of four co-defendants is to start in September.
Day in, day out, a strapping, amiable 24-year-old who calls himself Kele B. heads to an Internet cafe, hunkers down at a computer and casts his net upon the cyber-waters.
Blithely oblivious to signs on the walls and desks warning of the penalties for Internet fraud, he has sent out tens of thousands of e-mails telling recipients they have won about $6.4 million in a bogus British government "Internet lottery."
"Congratulation! You Are Our Lucky Winner!" it says.
So far, Kele says, he has had only one response. But he claims it paid off handsomely. An American took the bait, he says, and coughed up "fees" and "taxes" of more than $5,000, never to hear from Kele again.
Festac Town, a district of Lagos where the scammers ply their schemes, has become notorious for "419 scams," named for the section of the Nigerian penal code that outlaws them.
Why Nigeria? There are many theories. The nation of 130 million, Africa's most populous, is well educated, and English, the lingua franca of the scam industry, is the official language. Nigeria bursts with talent, from former NBA star Hakeem Olajuwon to Nobel literature laureate Wole Soyinka.
But with World Bank studies showing a quarter of urban college graduates are unemployed, crime offers tempting career opportunities - in drug dealing, immigrant-trafficking, oil-smuggling, and Internet fraud.
The scammers thrived during oil-rich Nigeria's 15 years of brutal and corrupt military rule, and democracy was restored only six years ago.
"We reached a point when law enforcement and regulatory agencies seemed nonexistent. But the stance of the present administration has started changing that," said Ribadu, the scam-busting chief.
President Olusegun Obasanjo is winning U.S. praise for his crackdown. Interpol, the FBI and other Western law enforcement agencies have stepped in to help, says police spokesman Emmanuel Ighodalo, and Nigerian police have received equipment and Western training in combating Internet crime and money-laundering.
Experts say Nigerian scams continue to flood e-mail systems, though many are being blocked by spam filters that get smarter and more aggressive. America Online Inc. Nicholas Graham says Nigerian messages lack the telltale signs of other spam - such as embedded Web links - but its filters are able to be alert to suspect mail coming from a specific range of Internet addresses.
Also, the scams have a limited shelf life.
In the con that Internet users are probably most familiar with, the e-mailer poses as a corrupt official looking for help in smuggling a fortune to a foreign bank account. E-mail or fax recipients are told that if they provide their banking and personal details and deposit certain sums of money, they'll get a cut of the loot.
But there are other scams, like the fake lotteries.
Kele B., who won't give his surname, says he couldn't find work after finishing high school in 2000 in the southeastern city of Owerri, so he drifted with friends to Lagos, where he tried his hand at boxing.
Then he discovered the Web.
Now he spends his mornings in Internet cafes on secondhand computers with aged screens, waiting "to see if my trap caught something," he says.
Elekwa, a chubby-faced 28-year-old who also keeps his surname to himself, shows up in Festac Town driving a Lexus and telling how he was jobless for two years despite having a diploma in computer science.
His break came four years ago when the chief of a fraud gang saw him solve what seemed like "a complex computer problem" at a business center in the southeastern city of Umuahia and lured him to Lagos.
He won't talk about his scams, only about their fruits: "Now I have three cars, I have two houses and I'm not looking for a job anymore."
Copyright 2005 Associated Press. |
|
|
NibbyCat
Joined: 07 Nov 2004
Posts: 3203
Location: Eastern Ohio
|
| Posted: Mon Aug 08, 2005 7:41 am Post subject: |
|
|
New Zealand: The New Nigeria?
Yesterday, I found a fax on the farm's machine. It was from someone in New Zealand, wanting my dad to act as front man for them in their American office. It's supposedly an agricultural firm, I'm guessing for international brokerage.
I'll try to find it, and give y'all the full details. |
|
|
JuntaJoe
Joined: 07 Nov 2004
Posts: 7391
Location: Texas
|
| Posted: Tue Aug 09, 2005 4:17 pm Post subject: |
|
|
And it gets worse......
http://www.castledoom.com/forum/viewtopic.php?p=11199#11199 |
|
|
JuntaJoe
Joined: 07 Nov 2004
Posts: 7391
Location: Texas
|
| Posted: Sat Aug 13, 2005 5:27 am Post subject: |
|
|
Big News day for this stuff.
First are two articles on the Acxiom case and another on a Verizon goof.
I have carefully deleted some duplicate data in the second Acxiom article to avoid wasting your time.
Huge Computer-Theft Case Gets Conviction
August 12, 2005 5:51 PM EDT
LITTLE ROCK, Ark. - A Florida man was convicted Friday of stealing information from data-management company Acxiom Corp. in what prosecutors said was the largest federal computer theft trial ever.
The jury convicted Scott Levine, the owner of defunct e-mail marketing contractor Snipermail.com, on 120 counts of unauthorized access to data, two counts of access device fraud and one count of obstruction of justice.
Jurors cleared Levine of 13 counts of unauthorized access of a protected computer, one conspiracy count and one count of money-laundering.
Statutory maximum sentences for his convictions total 640 years in prison and fines of $30.7 million, though his punishment likely will be much less under federal sentencing guidelines. Sentencing was set for Jan. 9.
Prosecutors said Levine and his company stole 1.6 billion customer records - the equivalent of 550 telephone books filled with names, e-mail and postal addresses. The government did not charge anyone with identity theft.
"We're very pleased with the outcome. We think it's the appropriate verdict," U.S. Attorney Bud Cummins said outside U.S. District Court. "These are very serious crimes, a huge amount of data that was stolen for monetary gain and he should be held accountable. The jury apparently saw it that way."
Six Snipermail employees pleaded guilty to conspiracy charges and testified against Levine in the case.
In the trial, Levine's lawyer, David Garvin, claimed Levine's employees were guilty of the unauthorized downloads and tried to pin them on their relatively computer-illiterate boss.
Levine said nothing as he left the courthouse with his wife, Sabrina.
Garvin said the verdicts were "compromised" because the jury found Levine guilty based on the same evidence jurors acquitted him on in the other counts.
"We thought that the jury had reached the correct conclusion when they found Mr. Levine not guilty of conspiracy and proceeded to find him not guilty on (other) counts," Garvin said. "We were very disappointed. We will go forward at this stage and try to clear Mr. Levine's good name."
Prosecutors say Levine ran Snipermail as a spam factory, devising computer aliases to get around industry blacklisting. Atlanta-based Experian Inc., one of the three credit bureaus that control consumer credit scores, said it was approached by Snipermail for a corporate buyout of its contact lists - which had been artificially enlarged through the theft of Acxiom's data.
Although both sides in the trial acknowledge that Snipermail didn't initially hack into the Acxiom server, prosecutors alleged Levine and subordinates unlocked some passwords to reach more Acxiom data in an effort to make Snipermail attractive for a multimillion-dollar buyout.
Acxiom stored the data for one of the advertisers with which Snipermail had a contract. Through that relationship, Snipermail was given what should have been limited access to some data on Acxiom's servers. In April 2002, former Snipermail programmer Jeff Burstein entered an Acxiom server to find nearly unlimited access to personal customer records, including names, postal and e-mail addresses, bank and credit card numbers.
Security is crucial to the operation of Little Rock-based Acxiom, which serves large corporations by collecting and managing information for marketing purposes. In a statement Friday, Acxiom said that, since the unauthorized access was uncovered two years ago, the company has tightened its security.
"There is no evidence that any individuals are at risk of harm due to the breaches," the company said. "It is also important to note that only one external server was accessed, and there was no intrusion of Acxiom's internal security firewalls or internal databases."
The jury heard testimony for a month, and began deliberations Wednesday.
Copyright 2005 Associated Press.
Computer Theft Case Shows Database Perils
August 12, 2005 12:43 AM EDT
LITTLE ROCK, Ark. - On the hunt for a hacker two years ago, security officials at data management company Acxiom Corp. discovered that an Internet address at one of its clients' contractors was taking far more data than it should have.
The e-mail marketing contractor, Florida-based Snipermail.com, gathered contact information and sent bulk-email advertisements and sweepstakes offers on behalf of advertisers. But downloading 1.6 billion customer records - the equivalent of 550 telephone books filled with names, e-mail and postal addresses - wasn't part of the job.
Prosecutors say the company and its owner, Scott Levine, were stealing the data from Acxiom servers for its own purposes.
On Friday, a federal jury in Little Rock was continuing its deliberations on 144 federal theft, conspiracy, money laundering and obstruction charges against Levine. Six other Snipermail employees pleaded guilty to conspiracy charges and testified against Levine in the case.
The computer theft case is considered the largest the U.S. government has prosecuted to date.
Levine's attorney, David Garvin, tells much the same story as the government, except he says Levine's employees were guilty of the unauthorized downloads and tried to pin them on their relatively computer-illiterate boss.
The prosecution says Levine ran Snipermail as a spam factory, devising computer aliases to get around industry blacklisting. Atlanta-based Experian Inc., one of the three credit bureaus that control consumer credit scores, said it was approached by Snipermail for a corporate buyout of its contact lists - which had been artificially enlarged by swiping Acxiom's data.
Although both sides in the trial acknowledge that Snipermail didn't initially hack into the Acxiom server, prosecutors allege that Levine and subordinates unlocked some passwords to get to more Acxiom data in an effort to make Snipermail attractive for a multimillion-dollar buyout.
Acxiom stored the data for one of the advertisers Snipermail worked for. Through that relationship, Snipermail was given what should have been limited access to some data on Acxiom's servers. In April 2002, former Snipermail programmer Jeff Burstein entered an Acxiom server to find nearly unlimited access to personal customer records, including names, postal and e-mail addresses, bank and credit card numbers.
U.S. Attorney Bud Cummins said Acxiom's decision to report the breach quickly and expose its internal workings in open court probably prevented major identity theft. As a result, the only clear victim in the case is a corporate giant.
But the government and industry observers say the public should care about the often obscure work of companies like Acxiom. Prosecutors said some stolen information was sold by Snipermail to other Internet marketers and the data was used to make Levine's company more attractive for a potential corporate buyout.
"You can't measure the importance just by what happened, but you have to look at what could have happened, the invasion of people's privacy and how it could lead to identity theft," Cummins said. "Data and technology is a big part of our economy now, and if we turn a blind eye to that, there will be grave consequences."
Cummins said the information in the Acxiom case was worth $100 million to Acxiom and its clients, but Garvin has disputed that the data were valuable.
Copyright 2005 Associated Press.
Verizon Web Site Flaw Allowed Record Access
August 12, 2005 6:13 AM EDT
NEW YORK - Verizon Wireless customers who signed up for online billing services were able to peek at some details of others' accounts due to a Web site programming error that was caught by a customer and fixed this week, a company spokesman said Thursday.
The flaw allowed customers who punched in another user's phone number to see how many airtime minutes that person had used, as well as the number of free minutes they had remaining for the month, spokesman Tom Pica said. Snoopers could also learn what cell phone model a customer used.
All users who registered to use the "My Account" system were affected by the glitch, which could have been in place for as long as five years, Pica told The Associated Press. It did not appear that anyone had taken advantage of the error to pry into individual accounts, he said.
Pica said there was no indication that "sensitive customer information" such as financial information, call records and addresses, had been at risk.
But Jonathan Zdziarski, the software developer who notified the phone company of the problem, said that the programming flaw exposed account balances and the date of the most recent payment, the Washington Post reported in Friday's editions. The company would not confirm the claim.
The Georgia-based developer discovered the problem while writing a computer program that would automatically access his online account and report the number of cell phone minutes he had used, the Post said.
Copyright 2005 Associated Press. |
|
|
JuntaJoe
Joined: 07 Nov 2004
Posts: 7391
Location: Texas
|
| Posted: Fri Sep 23, 2005 10:39 am Post subject: |
|
|
Credit Card Court Battle Tests Laws
September 22, 2005 3:52 PM EDT
SAN FRANCISCO - Testing the bounds of consumer protection laws, Visa USA Inc. and MasterCard International Inc. are headed for court to determine whether they are obliged to notify 264,000 customers that a computer hacker stole their account information.
The dispute to be argued Friday in San Francisco County Superior Court revolves around a highly publicized security breakdown at CardSystems Solutions Inc., one of the nation's largest payment processors.
Although a ruling in the class-action consumer lawsuit wouldn't have legal standing outside the state, it would increase the pressure on Visa and MasterCard to notify all affected accountholders in this and any future breaches.
That would compound the headaches that the CardSystems imbroglio already has caused.
The breach, initially disclosed by MasterCard three months ago, exposed up to 40 million credit and debit card accounts to potential abuse between August 2004 and May 2005.
It's the largest of more than 70 consumer information security breaches reported in the past seven months, according to the Privacy Rights Clearinghouse.
Although the scope of the CardSystems break-in has been generally outlined, the credit card associations haven't sent warnings to the most vulnerable customers.
San Francisco-based Visa and Purchase, N.Y.-based MasterCard maintain that responsibility should fall to the myriad banks that administer the accounts because neither credit card association has direct relationships with the affected customers.
Both Visa and MasterCard provide processing and marketing services to thousands of banks nationwide. It's a profitable endeavor. MasterCard's parent company earned $213.5 million on revenue of $1.4 billion during the first half of this year, according to documents filed in preparation for an initial public offering of stock. Visa doesn't disclose its profit.
Internal investigations have determined that the still-unknown thief grabbed enough sensitive details from CardSystems to defraud about 264,000 Visa and MasterCard accountholders nationwide, according to evidence gathered in the lawsuit, which was filed by San Rafael, Calif., attorney Ira Rothken.
No home addresses or Social Security numbers were stolen in the CardSystems breach, minimizing the risk for identity theft. But the hacking obtained customer names, account numbers and security codes that could be used to create bogus credit and debit cards.
The lawsuit seeks a court order requiring Visa and MasterCard to warn each Californian whose information was compromised. The order is being sought under a pioneering state law that requires consumers to be alerted whenever personal information stored on computers is lost, stolen or breached.
Since California imposed the mandate in July 2003, 35 other states have approved or proposed similar laws, according to the U.S. Public Interest Research Group. That means other states could end up addressing similar legal issues raised by this California case.
"We are trying to establish an efficient method that would hold Visa and MasterCard responsible for giving all consumers their due notices, so each customer can decide whether they want to change their card number," Rothken said.
Replacing a credit card costs an issuer about $35.
That would total $9.24 million for 264,000 cards that might have to be replaced if customers learn of the fraud risk, with the cost rising even higher to the industry if it's discovered even more of the 40 million accounts are vulnerable.
Both Visa and MasterCard have blamed CardSystems' lax security for the breach. Infuriated by the breakdown, Visa has since cut its ties with Atlanta-based CardSystems, which says it has tightened controls to comply with industry standards.
In their legal briefs, Visa and MasterCard have argued there's little chance any affected customer will lose a cent because of the association's long-standing policies to reverse all charges for fraudulent transactions. The "zero liability" policy lessens the need to alert individual customers about the fraud risks, said MasterCard spokeswoman Sharon Gamsin.
In a statement, Visa also said it is comfortable with its anti-fraud measures. But both companies worry that the opposite message might be sent if they are ordered to warn individual customers.
"Such an order would harm the banks' goodwill because some customers would certainly be confused by the notice and believe the issuing banks were somehow to blame for the security breach," Visa's attorneys argued in a court brief.
The companies' fraud-fighting assurances don't soothe Eric Parke, a Marin County resident representing consumer interests in the suit. In a sworn declaration, Parke said he has been fretting about his potential fraud exposure since news of the CardSystems theft broke.
"I do not think it's fair for ... me to have to look through cryptic credit card statements with (an) eye toward forensically determining if fraud was committed ... when Visa and MasterCard can just tell me if my data was compromised," said Parke, who has seven MasterCard and Visa accounts.
---
On The Net:
Class-action complaint: http://www.techfirm.com/cardsystems.pdf
Copyright 2005 Associated Press. |
|
|