The revelations of spying on credit card transactions are also incendiary. Under the codename "Dishfire," the intelligence agency collects information on credit card transactions from some 70 banks worldwide, most of them in crisis-ridden countries, including banks in Italy, Spain and Greece. The Americans also take advantage of the fact that many banks use text messages to inform their customers of transactions. The Dishfire program has been running since spring 2009.
The documents also show that the intelligence agency targets large credit card companies, such as the US company Visa. At an internal conference in 2010, for instance, NSA analysts provided an extensive and detailed description of how they searched for possible points of access in the complex network that Visa uses to process its transactions -- and were allegedly successful in penetrating the company's network.
During the presentation, the analysts said that the target was the transactions of Visa customers in Europe, the Middle East and Africa, adding that the idea was to "collect, parse and ingest transactional data for priority credit card associations." One slide depicts in detail how the authorization process for each transaction works, starting with a credit card reader in a store, continuing via the bank and a data processor, and finally reaching the credit card company itself. A subsequent chart points to possible "collection access points."
When contacted by SPIEGEL, a spokeswoman for Visa responded, "Visa Inc. does not have a processing facility in the Middle East or the UK." In addition, she stated, "We are not aware of any unauthorized access into our network. Visa takes data security seriously and, in response to any attemption intrusion, we would pursue all available remedies to the fullest extent of the law. Further, it's Visa's policy to only provide transaction information in response to a subpoena or other valid legal process."
Nevertheless, Visa data from the Middle East apparently ends up in the NSA database. The XKeyscore spying program is used to skim regional data from the Visa network, according to a document.
A Wide Range of Credit Card Companies
The agency's snooping efforts now focus on more than one provider. According to another document, transaction data from a wide range of credit card companies flows into the NSA financial database Tracfin. This allegedly includes data from payment authorization processes by Visa and MasterCard. All in all, "credit card data" and related text messages made up 84 percent of the datasets within Tracfin in September 2011.
MasterCard did not comment by SPIEGEL's printing deadline.
In order to find their way through the jungle of information, Tracfin analysts even have their own manual for "credit card tap search tips." On top of that, the intelligence agents have their own electronic tool that allows them to independently and very rapidly verify the authenticity of credit cards.
By all appearances, the NSA collects everything that it can in the sensitive financial sector -- at least that's the message of a presentation from April. The agency sets out to access "bulk global financial data," which is then fed into the Tracfin database, the presenter noted. Furthermore, the author concluded, thanks to network analyses and the use of the XKeyscore spying program, NSA analysts had stumbled across the encrypted traffic of a large financial network operator in the Middle East.
According to the presentation, the NSA was previously only able to decrypt payment transactions by bank customers, but now they have access to the internal encrypted communication of the company's branch offices. This "provides a new stream of financial data and potentially encrypted internal communications" from the financial service provider, the analysts concluded with satisfaction. This bank data comes from countries that are of "high interest." It's interesting to note that the targeted company is also one of the many SWIFT service partners.
The documents reveal how short-lived intelligence agencies' access to the financial world can be, as well as the fact that encryption actually can present problems, at least temporary ones, for the spies. According to one document, the agency had access to data from Western Union, a company that manages money transfers in over 200 countries, for quite some time. But in 2008 Western Union began to protect its data with high-grade encryption. This made access virtually impossible, as NSA staff members complain in one paper.