Largest Data Breach Disclosed During Inauguration

rmogull writes "Brian Krebs over at the Washington Post just published a story that Heartland Payment Systems disclosed what may be the largest data breach in history. Today. During the inauguration. Heartland processes over 100 million transactions a month, mostly from small to medium-sized businesses, and doesn't know how many cards were compromised. The breach was discovered after tracing fraud in the system back to Heartland, and involved malicious software snooping their internal network. I've written some additional analysis on this and similar breaches. It's interesting that the biggest breaches now involve attacks installing malicious software to sniff data — including TJX, Hannaford, Cardsystems, and now Heartland Payment Systems." One bit of good news out of this massive breach is that, according to Heartland's CFO, "The nature of the [breach] is such that card-not-present transactions are actually quite difficult for the bad guys to do because one piece of information we know they did not get was an address." Heartland just put up a press release on the breach.

WTF???

[canUbeleiveIT]

Brian Krebs over at the Washington Post just published a story that Heartland Payment Systems disclosed what may be the largest data breach in history. Today. During the inauguration.

WTF??? What does the inauguration have to do with this? I suggest we go back to all Slashdot stories and insert what happened on that day. Examples:

* Researcher says Linux is better than Windows on Friendship Day.
* Researcher says Linux is better than Windows on Fall Equinox.
* Researcher says Linux is better than Windows on Kwanzaa.

Re:WTF???

[EvanED]

I would say it may have quite a lot to do with it... it's either a pretty big coincidence, or they are trying to bury the news by releasing it when the networks actually have something else to report on.

What's your bet on?

Re:WTF???

[amRadioHed]

The implication is that they timed the announcement to occur when no one is paying attention.

Re:WTF???

[oldspewey]

Today. During the inauguration. WTF??? What does the inauguration have to do with this?

Well, somebody who is inclined toward cynicism might conclude that the company deliberately chose to release this information when public attention would be diverted elsewhere.

Re:WTF???

[idontgno]

[Heartland Payment Systems President and CFO] Baldwin said Heartland worked to disclose the breach last week.

"Due to legal reviews, discussions with some of the players involved, we couldn't get it together and signed off on until today," Baldwin said.

"Legal reviews": "Holy crap, we're gonna get our butts sued off if this breach becomes a big news story! You have to delay this until we can start a war or something to distract the press!"

"Will the inauguration hype of the first African-American President of the United States work as a distraction?"

"Brilliant!"

Re:WTF???

[canUbeleiveIT]

Well, somebody who is inclined toward cynicism might conclude that the company deliberately chose to release this information when public attention would be diverted elsewhere.

Ahh...now I get it. Still, there was that plane that landed in the Hudson a few days back, yesterday was MLK day, the Super Bowl will be in a couple of weeks. Not to mention that it would seem that it would be in their best interests to get the word out to minimize losses.

Re:WTF???

[Bryan+Ischo]

"Researcher says Linux is better than Windows on Pedantic Asshole day."

There, is that better?

Re:WTF???

[idiotnot]

Same reason Clear Channel laid off 8% while this was going on. :-)

Re:WTF???

[idontgno]

Not to mention that it would seem that it would be in their best interests to get the word out to minimize losses.

Oh, they've already got that covered:

Baldwin said it was not appropriate for Heartland to offer affected consumers credit protection or other identity theft protection services.

"Identity theft protection is appropriate when there is enough personal information lost that identity theft is possible," he said. "In this case, the amount of information we know they did not get is long enough that except in very circumscribed cases identity theft is just not possible.

In other words, "Yeah, technically it was a breach, but you know, not enough data got released for us to actually be provably liable. So if your CC gets raped, you know, it's not our fault. Really. Trust us. ;)"

In related news, now we know what happened to the Iraqi Information Minister: He changed his name and became President and CFO of a large credit card payment processing company.

Re:WTF???

[fuzzyfuzzyfungus]

Yeah, but that was good news...

Re:WTF???

[idontgno]

And Linux is always better than Windows on Slashdot, because every day is Pedantic Asshole day here!

Re:WTF???

[box4831]

On Slashdot, every day is Pedantic Asshole Day!

Re:WTF???

[Ambiguous+Coward]

All of those other incidents (MLK day, super bowl, etc.) are in passing. They are temporary, at best. The inauguration is going to echo through the media for a loooong time to come. Even if someone publicly calls them out on this (more than just on /.) and there is an attempt to generate an uproar over this, in the end, the inauguration will far outweigh the breach when it comes to face-time in the news.

I'm the cynical type, and I reckon they succeeded at hiding this one in plain sight.

Re:WTF???

[joelmax]

Exactly. Considering the media hype behind the inauguration of Obama, and considering the possible pr nightmare (And it does promise to be a pr nightmare) that this poses to heartland, I would have to say that this was pre-planned as a form of damage control.

Re:WTF???

[bugs2squash]

The breach happened last year. What's the betting that the first customers know about it is when faudulent activity is showing up on their credit cards.

The first instinct of Heartland is to save itself and the first instinct of the banks will be that it can rate jack its customers if the new activity has put them overlimit.

Only after leaking of the news is inevitable and can no longer be delayed will Heartland grudgingly try to sneak it out under the radar and then in a general, untargeted sense, not directly to the customers involved. Nothing will be done to avoid spreading the pain to a card holder or to a vendor.

I dare say most of the legal wrangling was in how to spin this as a justification to claim from TARP.

Re:WTF???

[Ambiguous+Coward]

Well, somebody who is inclined toward reality

No need to thank me.

Also, FTFA:

Heartland called U.S. Secret Service and hired two breach forensics teams to investigate. But Baldwin said it wasn't until last week that investigators uncovered the source of the breach...

Meaning they knew about it long enough to hire some forensics teams, do the research, figure out where the breach came from, etc. and they finished all that up last week...and then decided to wait until NOON today to release the news to the public? Sorry, but that's plain bullshit, no cynicism involved. If they were interested in disclosure, they would've released the news sooner. At the very latest, they would've released it as soon as they found out how it happened (so they could say they had already closed the breach.)

Instead, they wait until noon (they're a New Jersey company) when the inauguration is happening? Why not sooner in the day? Why wait until what would arguably be lunch time usually? Who discloses breaches at lunch? Answer: nobody. On the other hand, who discloses breaches during a HUGE national (and arguably international) event? Answer: someone trying to hide something.

Again, I say inclined toward reality, not cynicism.

Re:WTF???

[Bill,+Shooter+of+Bul]

No, they are liable and are going to pay through the nose, but not for "identity theft". They will be responsible for improperly securing their network and permitting the theft of the cards. But identity theft is a different beast. No one will be able to sign up for new credit cards and or loans in the names of the people whose data was compromised.

Re:WTF???

[christianT]

I don't think they were trying to implicate our new President in this with the title, it was more of an implication that those announcing it were trying to announce the breach while most of the nation was distracted by the inauguration in hopes that it might fall under the radar of the news media.

Re:WTF???

good point. not even the Iraqi information minister would stoop so low....

Re:WTF???

[jdoverholt]

Incidentally, I got a call this morning about an hour before noon EST from Chase. They said they "received information" that my credit card information was compromised. The only suspicious charge was from November, which I didn't notice on my own. This is also the only time Chase has done anything but screw me, so I was pleasantly surprised that they were dealing with it so well. Now I see this and think "hey, I'm part of the largest ___ in history!" Sweet.

Re:WTF???

[Landshark17]

The inauguration has absolutely nothing to do with this, but it's the biggest story today. No other story is going to get higher billing, so it's the best way to hide the story about how your company fucked up royally.

Re:WTF???

[RiotingPacifist]

Thats nothing a certain middle eastern country broke it's fragile ceasefire, the night of the US election, that was more than just a good time to leak the news. TBH im surprised that a UK official got in trouble for saying 9/11 was a good day to get rid of bad news, this shit has been going on for years.

Re:WTF???

[LordSnooty]

The point is still valid, whilst on a normal day the news networks might've been following up the news, gathering info, interviewing victims, instead all their resources are working on the Coronation, er I mean inauguration.

My own government is guilty of the very same - "a good day to bury bad news" as the infamous leaked e-mail went. As he said, rooted in reality.

Re:WTF???

[failedlogic]

Their timing of the announcement is more than a little coincidental and at the least does nothing to help with their public image. Their main concern is that they don't want to lose their customers over this. By not revealing the names of the retailers involved, there won't be any public backlash from customers.

Ok, so this *one* transaction company 100 million transactions/month. There are several other competing companies. This incident is the result of a data breach without accounting for daily fraudulent attempts/successes (for which we don't know the numbers). We also don't know how much money was lost. We need a better system.

Re:WTF???

[Ambiguous+Coward]

My comments were based on the article itself. What more do you expect? The article claims the disclosure occured during the inauguration. Regardless, waiting for inauguration day is "interesting" enough.

Also, just a little heads up: "nothing to do with reality" and "incorrect on the point of exact timing" are not synonymous. It will help lend credence to your position in the future if you learn the difference.

Re:WTF???

[jdcope]

Cover up. Hell, even here in Portland, Oregon, the new mayor held a press conference today and said he lied about a sexual relationship with a teen boy.

Re:WTF???

[tobiasly]

Same thing happened to me back in December. I too have a Chase credit card. My card got declined on a couple purchases so I called them about it. They knew exactly which charges were fraudulent and had already reversed them and closed the card so they could send another with a new number. Interesting that the charges were rather small.. a $5 Netflix charge, maybe a couple $20 or $30 charges, and out of the dozens of legitimate charges per month my wife and I make, they knew which ones were bogus.

Re:WTF???

[Skrynesaver]

As the banks are not giving out credit any more he's probably safe on this one for a while ;)

Re:WTF???

[Nathan+Baum]

im surprised that a UK official got in trouble for saying 9/11 was a good day to get rid of bad news

She didn't get in trouble for saying it; she got in trouble because the media found out she said it.

Re:WTF???

[Vr6dub]

I was victim to this recently as well. A bunch of small charges and all purchases used my cell number and home address...even had some diet pills sent to my house. I though this was rather odd but I think a co-worker of mine nailed it on the head and said these people are probably using stolen card numbers to use with all these free laptop/ipod giveaways. You know, the ones that ask you to sign up for 5 "services" from their affiliates and get X number of friends to do the same to receive your free equipment.

What's funny is that after I cancelled the card, I called some of these places up to have any accounts with them cancelled. Two of them showed no shame and asked that since I had already signed up (fraudulently), would I like to continue with their service since it had so many great things to offer.

figures

As soon as Barack Obama became President, the world started falling apart.

I warned this would happen but you were just too damn proud to listen.

Game over, man. Game over.

Re:figures

[hicks107]

Nice

What a perfect time..

[Jonah+Bomber]

...to steal the Hope Diamond. http://www.southparkstudios.com/episodes/207897/

Re:Burying the News?

[philspear]

If that was their plan, then that's a foolish one. It would have to be an EXTREMELY slow news day for this to get picked up on by the major news outlets, and even slower for most viewers to bother understanding it. And it's going to be picked up by people who are interested, like here, reguardless.

Burying it effectively would be waiting for something like the newest release of some major open source software, or waiting until China or Australia or other nation did something major about censorship.

Suckers

[htnmmo]

This is why I never go on the internet. It's just not safe.

Re:Suckers

[blair1q]

Neither do I. Unless I'm posing as you.

Re:Suckers

Except that the large majority of payments that they process are from actual storefronts, not internet transactions. You're not safe anywhere, sucker.

Re:Suckers

[Nixoloco]

Neither do I. Unless I'm posing as you.

Re:Suckers

Would have been so much funnier coming from htnmmo....

Re:Suckers

[mgblst]

Agreed, I stopped using computers years ago, never been happier!

Re:Suckers

[Roman+Mamedov]

But your on the internet now.

You have no way to know, he might as well be in the Slashdot hosting datacenter, reading the site from their LAN. :)

Re:Suckers

[aoheno]

Awesome. Slashdot is available off the Internet! Now I can be safe too.

Re:First CC

[Chabo]

Hey, that's mine!

Missing Address

[wiz31337]

"The nature of the [breach] is such that card-not-present transactions are actually quite difficult for the bad guys to do because one piece of information we know they did not get was an address," Baldwin said.

Because as we all know it is impossible to get someone's address by having only their full name and credit card number.

They are trying to down play a very serious incident by disclosing the breach on a day heavily focused on the inauguration. Then they have the nerve to say "don't worry they didn't get your address" as if to say someone smart enough to embed malicious software which gathers credit card numbers is not smart enough to find someone's address. Common!

Re:Missing Address

[n0dna]

Let's also not overlook that while some stores/merchants may have a policy to ask for address when doing Cardless Transactions, the processing houses (at least the ones I've used) will more than happily process the transaction successfully without anything more than the card number and the expiration date.

Some processors will refuse to process transactions within the month that the card expires, but you simply add 4 years to the date and it'll go through just fine.

The Credit Card companies have pushed very hard and very long to make credit transactions more painless than cash. You have to drop some safeguards to do that though.

Re:Missing Address

[sorak]

Hmmm...B.H. Obama. Jeffery, get out the phone book. We need to determine where this guy lives.

Re:Missing Address

[NoobixCube]

ID thief: Hi, I've moved recently, and I just wanted to check you guys have my new address.

Every time I've done that with my bank, they've asked for my full name, date of birth, and account number (or if I go through the automated channel, the only ID I need is my phone or online banking pin). After those are provided, they tell me what address they have on file.

Re:Missing Address

[skuzzlebutt]

Slightly OT, but FYI:

Both of the first points are relative...it depends on the processor, and the product on which they are processing. The address verification (AVS) gives the merchant better pricing, but is not a mandatory knock-out rule with Visa/MC to get an authorization. Some processing platforms will force a reject if the AVS match fails, some will let it go through at the higher rate.

The expiration is relative, too...some platforms do a literal verification, some just check to see if it matches [0-1][0-9][date(YY)-13] or some such logic.

Re:Missing Address

[bastion_xx]

And most velocity check systems will pick up on expiry skipping (+1/mo or +1/year) transactions. But yeah, you think agreements between card holders and the respective issuer is fine print, take a look at those between a merchant and an ISO/acquirer.

AVS can get discount rates and/or better chargeback conditions for card-present transactions. To really get the best protection you need to use Verified by Visa or similar programs. Of course, they are a pain to implement, have horrible card holder participation, etc.

Why we don't mandate smart card technology like Europe is beyond me.

But as to the disclosure, most processors and acquirers operate fast and loose. And I'm talking about some of the big boys too. If I was doing PCI audits/reviews, I know I could find substantive findings at most everyone of those involved in card transactions.

Re:Missing Address

[bskin]

Standard practice in the finance industry these days is to send a notification whenever an address is changed - to both the new and old address. It wouldn't stop them from making the transaction, but it would notify the cardholder that something is up and make it pretty easy to dispute charges.

It's a blog post!

[Reality+Master+201]

The guy posted to his blog about it. On the same day as the inauguration.

Seriously, the tone of the summary is dumb as fuck. The press release is from today, as is the blog post. It's not even a fucking newspaper article.

Re:It's a blog post!

[whoever57]

The guy posted to his blog about it. On the same day as the inauguration.

Did he? I would RTFA, but I've given up trying to read white-on-black web pages. Seriously, whoever thought that dense white text on a black background is easily readable?

I'll agree that it is a little more readable on LCD monitors than it was on slightly old CRT monitors, but it still isn't easily readable.

Re:It's a blog post!

[Reality+Master+201]

Dunno; I don't have much problem with white on black text. I prefer green or amber on black, though, but that's mostly nostalgia for the VT-220s I spent so much time in front of.

what the bad guys didn't steal

[Gary+W.+Longsine]

Nearly every company that suffers a breach like this tries to assure people about what the bad guy's didn't manage to steal. Don't believe it. Even if it might be true at the strict technical level, it's still not relevant to the analysis of the severity of this issue. The bad guys already have databases full of names and addresses which they will cross reference against the data they stole.

Re:what the bad guys didn't steal

[noidentity]

Come on, use the right word! They COPIED the data, not STOLE it, unless they really did delete it from the original server, in which case they would have noticed it missing immediately.

Re:what the bad guys didn't steal

[innocent_white_lamb]

The bad guys already have databases full of names and addresses which they will cross reference against the data they stole.
 
I think they're called telephone books.

Re:what the bad guys didn't steal

[apoc.famine]

And potentially any other data stolen anywhere else. Who's to say that these same individuals don't have a copy of the data from other big break-ins lying around.

If they managed to buy one of those databases, suddenly they have a massive amount of data-mining information available to them.

"Actually quite difficult"?

[MozeeToby]

The nature of the [breach] is such that card-not-present transactions are actually quite difficult for the bad guys to do because one piece of information we know they did not get was an address.

Because we all know that it's impossible to spoof the magnetic strip on the credit card.

Re:"Actually quite difficult"?

[Repton]

I'm not sure what you mean ...

The magnetic stripe doesn't have anything to do with card-not-present transactions. CNP basically means internet: you type in your name, card number, expiry date, possibly security code. It's not clear whether they got the security code, but I guess they did, otherwise the company would be touting that as another up-side.

The magnetic stripe has its own security code, which is not printed on the card. This means that you can't make counterfeit cards given only knowledge of the number/expiry/name and the magstripe standards. However, according to TFA, "The data stolen includes the digital information encoded onto the magnetic stripe" so there's nothing stopping them running off counterfeit cards and hitting the shops.

(well, chip-and-pin style smartcards would stop them, but I don't think you have those in the US?)

Re:"Actually quite difficult"?

[drinkypoo]

The point is that it's really amazingly easy to make a fake credit card that looks just like the real thing. The only hard part is the hologram and you can just get some holographic sticker and scuff the crap out of it and convince most people if you can distract them away with social engineering (and if the card works the first time.) Not that I would ever do this, I'm about as sneaky as Baby Huey.

Re:"Actually quite difficult"?

[new+death+barbie]

You don't have to make a fake credit card, just rewrite the magstripe on an existing expired/stolen card.

Re:"Actually quite difficult"?

[drinkypoo]

If you can make your own then the data can match the card... Stealing them works, but there's a short window of usefulness. Most people who wouldn't notice if their card is stolen don't have any credit left.

Re:First CC

[Janek+Kozicki]

Then prove it - what is the security code on the back?

This is why CC zero-liability is a good thing.

[brunes69]

When stuff like this happens, it is not the consumers who end up paying, but Visa / MC - who end up putting pressure on these guys to get their act together.

Re:This is why CC zero-liability is a good thing.

[Chuck+Chunder]

Some clueless person says this every time there is a story on credit cards.

Visa/MC do not end up paying. Merchants on the receiving end of fraudulent transactions do. Visa/MC may even profit from it as the fees they charge merchants for chargebacks can be quite steep.

Re:This is why CC zero-liability is a good thing.

[__aagmrb7289]

And? Most of the time, the reason the chargeback happened is because the merchant didn't bother to follow procedures - they didn't validate the identity of the person using the CC.

Re:This is why CC zero-liability is a good thing.

[Todd+Knarr]

Save that Visa and Mastercard rules prohibit the merchant from validating the identity of the person using the credit card. For instance, a merchant is prohibited from requiring the customer to present ID (such as a driver's license) before they'll take the card. If a merchant refuses to take cards without identification, Visa/MC will terminate their merchant account.

Re:This is why CC zero-liability is a good thing.

[nolen]

If a merchant refuses to take cards without identification, Visa/MC will terminate their merchant account.

You're right about the rules, but nine times out of ten, large retailers will deny you if you don't show ID, just because the clerks don't know better. Visa is not about to terminate the merchant account of a Macys or Best Buy. (Yes, I've even complained with Visa about it, but I have given up on this one.) They are allowed to check your signature against the card, of course.

Re:This is why CC zero-liability is a good thing.

[Achromatic1978]

Not quite. The merchant agreement typically states that the merchant cannot use ID to validate the identity ONLY for card purchases. If they check ID for check purchases, too, they'd typically be free to do so. It's essentially "you cannot do anything that makes it more inconvenient to the customer to purchase via our card than via other methods".

Re:This is why CC zero-liability is a good thing.

[kalirion]

You're right about the rules, but nine times out of ten, large retailers will deny you if you don't show ID

Let me guess, you're were buying tobacco, alcohol, or porn, weren't you? Or you look extremely creepy, since usually the retailer won't even look at the signature unless you buy an expensive big screen tv.

Re:This is why CC zero-liability is a good thing.

[nxtw]

Not quite. The merchant agreement typically states that the merchant cannot use ID to validate the identity ONLY for card purchases. If they check ID for check purchases, too, they'd typically be free to do so. It's essentially "you cannot do anything that makes it more inconvenient to the customer to purchase via our card than via other methods".

Same applies for cash, too, which isn't quite the same as writing a check.

How many people would present identification for a cash purchase that wasn't age restricted?

Re:This is why CC zero-liability is a good thing.

[skuzzlebutt]

Everyone pays. Consumers deal with losses and ID theft, merchants deal with lost customers and higher fees and time to deal with the issue, acquirers and issuers pay fines and fees and hire people to work the issues and fix the problems, the card brands have to pay people to sort through the problem, ensure the current regulations were adequate and who is at fault, hire lobbyists to keep themselves from being slammed in Washington. Everybody, at all points of the industry, loses.

Re:This is why CC zero-liability is a good thing.

[Achromatic1978]

Yeah, that's an awkward one - on one hand if it was a mom and pop that relied on repeat business, you could play the "keeps our merchant fees down, we pass the savings on to you!" card, but that's dubious.

But it is possible. :)

Re:This is why CC zero-liability is a good thing.

[pintpusher]

slightly OT, but since I own an only-slightly-larger-than-mom-and-pop business, I have to say, this sort of thing is becoming a real consideration. 10 years ago, my business was 60/40 cash/cc, now it's reversed and getting worse (because of the ubiquity of debit cards, and those stupid commercials that try to make people feel bad for paying cash...how stupid is that?). I'm seriously considering giving a cash discount just to avoid or reduce the:

1) costs of cc transactions
2) the hassle of securly storing so much paperwork
3) because cash is king!

In reality, it'll probably never happen, but once in a while I think about it.

Re:This is why CC zero-liability is a good thing.

[Achromatic1978]

Just make sure you do it as a "discount for cash", not a "fee for CCs". The former, your merchant account is fine, the latter, you can be severely slapped. And by slapped I mean a fine levied by your merchant provider / revocation of your merchant facility.

Re:This is why CC zero-liability is a good thing.

[pintpusher]

yeah, I'm aware. What's amazing is how many small shops do charge a fee, or a minumum amount, both of which are violations of the merchant agreement. I'm always curious how they get away with it... probably no one bothers to report it and life goes on.

Re:This is why CC zero-liability is a good thing.

[Cedric+Tsui]

The merchants don't pay. Well, not exactly. Merchants are charged a certain percentage of each transaction. I believe it is 4%. Included in this is fraud insurance.

When a stolen credit card is used, the amount lost is paid by the insurance.

So, it's the merchants who pay. But it comes out of their regular expenses, which gets charged to the consumer.

Re:This is why CC zero-liability is a good thing.

[__aagmrb7289]

Fair enough - I forgot that they couldn't require the use of ID without doing so for all transactions (according to the credit card agreement) - however - they DO have the ability to check for matching signatures, which is something most do.

Re:needess to ask what OS ..

[Whuffo]

And visiting that link brought up an "invalid security certificate" warning. Good old Microsoft - they can't even get their own servers set up right.

Re:needess to ask what OS ..

[jgtg32a]

You do know that has nothing to do with the server itself right?

who pays for security ?

[rs232]

"When stuff like this happens, it is not the consumers who end up paying, but Visa / MC - who end up putting pressure on these guys to get their act together"

It's the consumers who pay for it with higher charges to pay for things like the chip-and-pin upgrade. Similar to how the consumers pay for shop-lifting ..

Re:who pays for security ?

[brunes69]

Last I checked it didn't cost me anything to get my chip & pin card. The only people who pay are the ones stupid enough to carry a balance on their credit card. Darwin in action AFAIAC

solution to CC breeches ..

[rs232]

What's needed is a totally new kind of online financial transaction system. One that don't use card numbers. A dongle on the client connects to the server generates a one-time session key,and identifies itself to the server and displays a random Pin code, the customer then types it in to verify the transaction. The session is encrypted and the data sent can only be used for the one transaction, no repeat man-in-the-middle hacks ..

Re:solution to CC breeches ..

[lectos]

*redirects transaction and inserts own transaction for spare parts at someone else's expense*

*reports an error to original request so that they make a new request to server for another transaction*

*builds robot girlfriend*

Re:solution to CC breeches ..

[ducomputergeek]

Please mod parent up. I have mod points, but posted elsewhere. Having just gone through PCI compliance (which is frankly a joke), there needs to be a better system out there.

Re:solution to CC breeches ..

[Hoi+Polloi]

I was just thinking the same thing today. Blizzard is offering this for WOW players to protect accounts. A loss in convienience is a small price to pay at this point to address the ever growing insecurity (not to mention costs to businesses) of the credit card system.

Re:solution to CC breeches ..

[the_olo]

That's what EMV and chip and PIN with end-to-end encryption is generally all about. All that US companies need to do is stop postponing it and finally make the switch to that technology like companies in many other countries already did.

Re:solution to CC breeches ..

[jrumney]

Not quite what you are suggesting since it doesn't connect to the client PC so there's a lot more data entry required of the user, but these devices, widely deployed by UK banks, have a feature where they can sign transaction amounts and destinations. Some banks terms and conditions hint that their use might be extended to online shopping in the near future, which would be a great improvement over the horribly insecure "click here to change your password using the information that any fraudster already has" verified by visa system.

Re:solution to CC breeches ..

[bill_mcgonigle]

The technology exists. The US credit card companies have zero incentive to implement it. They pass off all the costs of fraud to mostly their merchants and occasionally their cardholders.

A well-funded insurgent could start making some headway, but then they'd finally have reason to switch. So, good luck getting that company funded.

Re:solution to CC breeches ..

[jc42]

Hmmm ... I walked through the Barclays demo pages, and one thing I noticed was that the URL always started with "http://". So what's to prevent my ISP or anyone else along the data path from extracting all the data from the packets and adding it to their database? In particular, I noticed that the protocol involved typing in the recipient's account number and name, which could be useful data to anyone watching the conversation.

Re:solution to CC breeches ..

[jrumney]

I'd be very surprised if the real Barclays internet banking site used http.

Re:needess to ask what OS ..

[rs232]

"You do know that has nothing to do with the server itself right?"

Do you have any citations for that?

'A piece of malicious software planted on the company's payment processing network that recorded payment card data as it was being sent for processing to Heartland by thousands of the company's retail clients'

why were they even

[bugs2squash]

storing this information ?

Re:why were they even

[ducomputergeek]

Because they are the ones processing the transactions. We don't use heartland, but when take online orders through our website, we don't store the credit card information, our CC Processor does. The processors are the one that actually run the transactions, take money from the customers account, take a percentage, then deposit to the merchants account. And they have to keep records of all that.

In order for CC payment to work someone has to store that data somewhere.

Re:why were they even

[cbiltcliffe]

I don't think they were necessarily storing it, from the press release. To me, it basically says a network sniffer picked up network traffic on the wire. That can happen whether you store the info or not.

Re:why were they even

[Repton]

This happened to a processing company called CardSystems a few years ago. After that, it came out that "CardSystems had been keeping data that it was contractually obligated to delete" (quoting wikipedia) and it lead to VISA and MasterCard firing the company.

So what is different here?

Re:why were they even

[bwindle2]

Maybe they sniffed something, but the Payment Card Industry Data Security Standards, which I'm sure someone as large as these guys must be forced to comply with and get regularly audited to, clearly requires all card-holder data be encrypted, either while on-disk or on-wire.

Re:why were they even

[cbiltcliffe]

But it's got to be decrypted somewhere, in order to be used.
Maybe the sniffer was on the computer at one end of the encrypted connection.

Re:needess to ask what OS ..

[Whuffo]

Did you check the security certificate that is being used by that Microsoft site before posting? I'm sure you understand what role these certificates serve in relation to https connections.

Of course, the connection to their site might be being intercepted by aliens who are replacing a valid certificate with a bad one. Or maybe they're using an old skool coal fired server and forgot to shake down the clinkers.

I'll just use Occam's Razor here - and the simplest explanation is that that server is running Windows and it wasn't configured correctly.

Re:needess to ask what OS ..

[Kalriath]

Actually, they can. It isn't invalid at all, it was merely issued by Microsoft's certification authority (which itself has a CA certificate issued by GTE CyberTrust). The problem is your browser (my Firefox 3 didn't even blink twice at it).

Re:needess to ask what OS ..

[Kalriath]

And this is somehow anything to do with the server? We're talking about a payment processor, who has to comply with PCI DSS. One thing that requires is that the server managing payment data be isolated from all the client PCs, and run appropriate security software etc. If anything, this is Heartland's fault (and their PCI assessors, of course). Nothing to do with Microsoft, who for the most part make good servers (even if everything else sucks).

Card not present transactions

[CmdrPorno]

This is BS. Anyone with a card terminal can key the number in, or the card could be cloned. I discovered that FIA categorizes keying the number into the terminal as a "card present" transaction, when I tried to dispute an unrecognized charge. They then use this as a reason that the charge was legitimate, even when the card was not in fact present.

Re:Card not present transactions

[CmdrPorno]

In my case, they didn't have or provide the manual imprint, but that didn't bother FIA (now MBNA).

Re:needess to ask what OS ..

[Fulcrum+of+Evil]

Sure, if you want to be pedantic, but the rest of us include the software that the server is there to run and its config in server setup. Invalid security certs don't give me a warm fuzzy.

Re:needess to ask what OS ..

[WiiVault]

How did this get marked troll? I mean it is relevant what software was used when a system is breached isn't it?

Donations to Obama

[robert899]

One bit of good news out of this massive breach is that, according to Heartland's CFO, "The nature of the [breach] is such that card-not-present transactions are actually quite difficult for the bad guys to do because one piece of information we know they did not get was an address." Heartland just put up a press release on the breach.

You could have donated to the Obama campaign using a credit card without a correct address. Google "obama AVS".

Re:needess to ask what OS ..

[Cajun+Hell]

Actually, that's an example of Firefox3 screwing up in a situation where every other browser (even Firefox2) does a better job. It ought to allow me to see the page, without "adding a security exception" and risking accidentally leaving the 'permanent' box checked.

Re:needess to ask what OS ..

[pallmall1]

Nothing to do with Microsoft, who for the most part make good servers...

Damn straight. Just ask any malicious software author what their server platform of choice is.

Re:No Big Deal

[Hordeking]

That new meme is old news.

I've been saying that for weeks.

AVS is optional

[Archon-X]

AVS is not necessary to process a transaction.
Anyone with a merchant account has the full ability to control their scrub by adjusting their AVS settings, from full matching, partial or none at all.

Biometrics: When, How

[BoRegardless]

We have been going through these issues for years. These problems are not created by consumers, but by the companies that want to legitimately take their funds in return for goods, yet the consumers wind up having their share of problems from this.

At some point facial, iris, thumbprint readers (of pattern or blood vessels) or something is going to have to be implemented.

Given that most computers/cellphones have cameras now, when will it happen?

Re:No Big Deal

[Hordeking]

Actually, you're only smelling the unwashed masses as they exalt Obama.

Re:needess to ask what OS ..

[wastedlife]

Perspectives is an excellent add-on for Firefox 3 that checks pages with self-signed certs from several locations and then bypasses the terrible Firefox 3 warning page if everything checks out. This is pretty effective at negating man-in-the-middle attacks.

cancel and re-issue lots of cards?

[Benjamin_Wright]

Mass re-issuance of cards may not be the best response. In the TJX experience, the cost of re-issuing cards far exceeded the actual risk. Alternatives to re-issuance include tighter monitoring of and restrictions on affected card accounts. --Ben

Re:cancel and re-issue lots of cards?

[cdrguru]

I'd say it is up to the card company. Under no circumstances is it the cardholder's problem, and never could be. Also, it is unlikely any merchant that takes reasonable care is really going to be taken.

The best lie...

[rickb928]

"The nature of the [breach] is such that card-not-present transactions are actually quite difficult for the bad guys to do because one piece of information we know they did not get was an address."

Hah.

Addresses in card-not-present transactions can in fact be gotten, and if they use AVS then at the least the AVS data is readily available.

In other words, you're getting pwned even if it was card-not-present.

For those not in the know, most Internet transactions, phone orders, mail orders, and eBay/PayPal transcations are card-not-present. In fact, virtually all of the above.

The quote from Heartland was just weasel-talk.

First in a long line of discoveries to come

[WillAffleckUW]

Those who claim to be perfect but never admit mistakes usually are covering up for massive mistakes.

And the missing million emails we know of are just the observable symptom, as are the transactions in this health data breach.

The old truisms of data security still apply:

1. It's usually insiders that provided or passed on information used to get access.

2. Those who cover up problems only create even larger problems, due to the system of trust.

3. You can stop 99 percent of attacks with reasonable security measures, but a determined attacker willing to use human intelligence methods will almost always get through the other 1 percent - the trick is knowing what measures will dissuade the 99 percent and implement those, and use reporting to discover the other 1 percent instead of measures that will be defeated anyway.

Re:Undisciplined users

[JustNiz]

>> Users who install software on their workstations.
>> In a perfect world, software makers wouldn't write software that demands that it run with administrator privileges.

Both of the above statements seem to indicate that you're running MS Windows. If I were you I'd be thinking about how to change that.
Linux has a much stronger security model and generally does not require users to run apps as root.
Also, 99.999% of virusses are windows-only.
Also, most basic users aren't even going to be able to get their favorite windows apps running under Linux anyay.

Re:Undisciplined users

[erroneus]

Yes, I can dream of the day I could get users over to something else...

Sometimes people are just stuck until something better comes along. But I'll say this much: When Autodesk starts making CAD for MacOSX again, I'm pushing for change.

Re:First CC

[skuzzlebutt]

Thanks...I needed a new one to renew my 2600 sub.

Re:Burying the News?

[skuzzlebutt]

Well, considering the pummeling TJMaxx got for a smaller breach, they may be trying to keep their brand from becoming synonymous with some nefarious concept like 'security breach', 'stolen credit cards', etc

Re:needess to ask what OS ..

[skuzzlebutt]

Hi, you must be new here. Welcome to-

Fuck it.

100 million

[Repton]

Why are we assuming 100 million transactions?

TFA says "100 million transactions per month". But they have no idea how long the malware was in place. It could have been a week; that's 25 million transactions. It could have been six months. Hell, the TJX breach happened over the course of several years (although they weren't stealing data continuously). It sound like it'll definitely be big, and it could be the biggest ever (TJX clocks in at around 45 million transactions stolen), but we don't have any idea how big.

Re:needess to ask what OS ..

[Kalriath]

Uh, Linux?

Why don't merchants do more over this

[jonwil]

Given how much it costs merchants when someone issues a chargeback (they loose the money they got paid for the goods, they likely loose the goods AND they have to pay fees to Visa/MC/etc), why aren't the merchants doing more to pick up on fraudulent transactions? And why aren't they doing more to apply pressure to Visa/MC/etc to change the rules (e.g. get rid of the rules that make it harder for them to do ID checks etc to pick up the fraud)

I have no clue how much money, say, Wal-Mart is out annually because of credit card fraud but they must be big enough to lobby Visa/MC for change. Or better yet, lobby the government to change the rules so that Visa/MC foot the bill for fraud instead of the merchants. Argue that since the merchants are prohibited by Visa/MC rules from taking these measures that would help prevent fraud, they shouldn't be liable for said fraud).

In any case, merchants on the receiving end of a chargeback are the losers when it comes to credit card fraud so it would be in their best interest to use their lobbying power to fight for a better deal (or can Visa/MC out-lobby even the might of Wal-Mart?)

It's 999, everyone knows that!

[freaker_TuC]

I'm smarter, so I just won't let you know the order of the numbers ...

HUH?? CNP not hard to do?

[new+death+barbie]

"The nature of the [breach] is such that card-not-present transactions are actually quite difficult for the bad guys to do because one piece of information we know they did not get was an address."

So... of the 300-million-plus transactions they KNOW have been exposed, NONE of them were card-not-present(CNP) transactions that included address verification data?

Address verification data might not be enough for identify theft -- but then it might -- but it SURE as hell is enough to forge more CNP transactions. Oh, and by the way, a lot of CNP transactions would ALSO include the CVV2 on the back of the card.

What are the odds that, out of 300 million transactions, SOME cards have been used in both card-present AND card-not-present situations? Simply match on card numbers, and poof! Magstripe *and* AVS *and* CVV2. That's the whole card security scheme, shot to hell. Pwned.

Re:HUH?? CNP not hard to do?

[stubob]

Credit cards are a great example of security theater. It's like walking around with your root password written down in your wallet.

Is there any technical limitation preventing an RSA-like dongle for verifying credit cards? Just like we're all accustomed to logging into VPN, you enter your user id, passpharse AND randomly-generated key. That way, even if the transmission is intercepted, the key is useless for the next translation.

Good and Bad are Relative

[nutznboltz]

As icky as this might sound, the longer it takes before we crash the higher the population.

Crashing sooner involves fewer people suffering.

This sucks...

[hesaigo999ca]

Again, no accountability for keeping personal info of people that trust your organization.
I tell you no don't keep records of my cc in your db. You say, we can and will....is there not a police for this sort of thing? Sounds to me like this should be another one of Obama's point of interest while in office.

Data Theft, Breach, Infection - a Solution?

[johnfranks999]

Price Waterhouse Cooper and Carnegie-Mellonâ(TM)s CyLab have recent surveys that show the senior executive class to be, basically, clueless regarding IT risk and its tie to overall enterprise (business) risk. Data breaches and thefts are due to a lagging business culture â" and people arenâ(TM)t getting the training they need. For example: Microsoft patched for this virus 4 months ago. I like to pass along things that work, in hopes that good ideas make their way back to me, and as CIO, I look for ways to help my business and IT teams further their education. Check your local library: A book that is required reading is "I.T. WARS: Managing the Business-Technology Weave in the New Millennium." It also helps outside agencies understand your values and practices. The author, David Scott, has an interview that is a great exposure: http://businessforum.com/DScott_02.html - The book came to us as a tip from an intern who attended a course at University of Wisconsin, where the book is an MBA text. It has helped us to understand that, while various systems of security are important, no system can overcome laxity, ignorance, or deliberate intent to harm. Necessary is a sustained culture and awareness; an efficient prism through which every activity is viewed from a security perspective prior to action. In the realm of risk, unmanaged possibilities become probabilities â" read the book BEFORE you suffer a bad outcome â" or propagate one.