Skip to main content

Major Banks In Talks To Exploit Debit Card Loophole

3 days 23 hours ago
JPMorgan, Bank of America, Wells Fargo, PNC, and other major banks have reportedly explored acquiring Fiserv's debit-card networks, STAR and Accel, in a move that could help them bypass federal caps on debit-card transaction fees. A law limits the fees big banks can charge merchants, but only if the transactions are routed through an outside network. There are no caps on these interchange fees over a bank-owned network, however. The Wall Street Journal reports: When Capital One Financial bought Discover Financial in a $50.6 billion deal, it got a network that cut out the need for a middleman in card transactions and allowed it to deal more directly with merchants. Now, big banks are looking on with envy because owning a network can mean exemption from a federal law that caps debit-card fees. Those fees collectively amount to billions of dollars each year across the industry, but banks have long complained the government-defined cap limits their ability to offer customers debit-card rewards and other services. Some have been exploring a small deal that could upend the rules, though they are worried about political backlash if they try. Big banks including JPMorgan Chase, Bank of America, Wells Fargo and PNC Financial Services Group have in recent months held preliminary and tentative discussions about a deal to acquire a network owned by the financial-technology company Fiserv, according to people familiar with the matter. There is no certainty a deal will happen. Several of the banks that looked at the Fiserv network have already decided it would be unlikely for them to move forward, some of the people said. Some have privately expressed concern that such a deal could prompt backlash from lawmakers, regulators and merchants, the people added.

Read more of this story at Slashdot.

BeauHD

Microsoft Can Track Users Via a Windows Device ID

4 days ago
A criminal complaint against alleged Scattered Spider member Peter Stokes revealed that Microsoft can associate Windows activity with a persistent "Global Device ID," which investigators used to link his PC to online activity connected to a hack. While unique device IDs are common, the case has raised privacy concerns because the identifier can apparently persist across updates, has no simple opt-out, and may allow Microsoft to connect a Windows installation to activity on third-party services. PCMag reports: Last week, the U.S. announced it had extradited 19-year-old Peter Stokes from Europe for allegedly being a member of the notorious hacking group Scattered Spider. But the case stands out because Microsoft played a key role in linking Stokes to the suspected hacking crimes, according to an unsealed criminal complaint. Stokes allegedly hacked an unnamed luxury jewelry retailer in May 2025 while using a VPN. The 39-page criminal complaint shows the FBI used Microsoft records to discover that his IP address was associated with a Microsoft device identifier known as Global Device ID (GDID). "According to a Microsoft representative, a Global Device Identifier in the Windows ecosystem is a persistent, device-level identifier designed to uniquely identify an installation of a Windows operating system on a device, either a physical device (e.g., a mobile phone or laptop) or virtual machine, across certain Microsoft services and scenarios," the complaint explains. The global device ID isn't exactly surprising, given that it's standard practice to assign a unique ID to each account or device so a tech provider can recognize and distinguish between them. But the complaint reveals Microsoft can associate the GDID with third-party services and the timing as well, giving Redmond a way to theoretically track a user's online activity. In other words, Redmond might be able to track the online activity of your Windows PC without third-party browser cookies. Stokes was discovered exploiting a web development tool called ngrok to bypass the jewelry retailer's network defenses. The complaint says Microsoft had records showing that on May 12, 2025, at 19:21 UTC, the GDID associated with Stokes' computer "accessed, among other ngrok pages, 'https://dashboard[.]ngrok.com/signup,' the ngrok page to set up an ngrok account." The document adds that Microsoft records also showed the GDID accessing "multiple sites" from servers at Tzulo, a web hosting provider, to help pull off the hack. Hence, the fact that federal investigators used the Microsoft identifier to nab a suspected hacker is raising concerns that it could be abused for other surveillance purposes. "Microsoft Windows is surveillance software," cybersecurity expert Matthew Hickey alleged in a tweet.

Read more of this story at Slashdot.

BeauHD