American Express follows Visa's lead, dumps CardSystems
A day after Visa said it would stop letting CardSystems Solutions process its transactions, American Express announced it would also end its relationship with the company.
American Express said Tuesday it will soon end its relationship with the payment processor, whose security weaknesses put the records of 40 million cardholders at risk for fraud. Judy Tenzer, an American Express spokeswoman, told The New York Times the company would cut ties to CardSystems at the end of October and help its merchants switch to another processor.
Monday, the newspaper reported that Visa was dropping CardSystems. "CardSystems has not corrected, and cannot at this point correct, the failure to provide proper data security for those accounts," Tim Murphy, Visa's senior vice president for operations, said in a memorandum sent to several banks and obtained by The New York Times. "Visa USA has decided that CardSystems should not continue to participate as an agent in the Visa system."
For now, MasterCard International said it will continue to let CardSystems handle its cardholders' data as long as security is upgraded. "As of today, we are not aware of any deficiencies in its systems that are incapable of being remediated," MasterCard said in a statement.
USC hack exposes 270,000 records
A University of Southern California database containing about 270,000 records of past applicants was hacked last month, officials acknowledged Tuesday.
The breach of the university's online application database exposed "dozens" of records, which included names and Social Security numbers, to unauthorized individuals, Katharine Harrington, USC dean of admissions and financial aid, told the Reuters news agency. Reuters said Harrington could not be more specific about the number of people whose personal data may have been viewed by the hacker or hackers, nor about what the motivation had been for the computer break-in.
"There was not a sufficiently precise tracking capability," Harrington said, but added that the hackers had not been able to access multiple records at once. Records were also only able to be viewed at random, she said. "We are quite confident that there was no massive downloading of data," Harrington said.
USC learned of the breach June 20 when it was tipped off by a journalist, Harrington said. It has since shut down the Web site and has notified people whose names and Social Security numbers were in the database that was breached.
The university was not able to identify exactly which records may have been exposed, Reuters reported.
Security hole in PHPbb
Malicious users could conduct cross-site scripting attacks by exploiting a security hole in PHPbb, a popular program used to create Internet forums. The French Security Incident Response Team (FrSIRT) said in an advisory that the flaw "is due to an input validation error in the 'includes/bbcode.php' script that does not properly filter a specially crafted 'BBCode' URL, which may be exploited by attackers to cause arbitrary scripting code to be executed by the user's browser."
The problem affects phpBB version 2.0.16 and prior. Users are advised to upgrade to phpBB version 2.0.17.