Wednesday, December 24, 2008

Mother of All Hacks Coming?

There is a disturbing development brewing in the payments world.   It's bad enough when a retailer's computer  security is breached but now we've got us a completely different ballgame.  When hackers penetrate the computer systems of major acquirers and processors, well to use a famous quote, "We've got a problem Houston." 

This could turn out to be a "Royal pain in the ***" for Visa and Mastercard themselves because acquirers like Royal Bank of Scotland link directly into their networks. 

On the surface, this appears to be "one small step for hackers but it's "one giant step" for hack-kind."  
 
According to reports I've read this morning,  according to Gartner Research analyst Avivah Litan, this could be the beginnings of the mother of all hack attacks...

“It’s very bad news,” says distinguished analyst Avivah Litan. Unlike retailers’ computer systems, processors’ systems connect directly to the networks of Visa Inc. and MasterCard Inc. “An attacker that breaks into a processor conceivably can get into the heart of the system,” and attacks on acquirers and processors are increasing."

Here's the press release:

RBS WorldPay Announces Compromise of Data Security and Outlines Steps to Mitigate Risk

ATLANTA, Ga. – December 23, 2008 – RBS WorldPay (formerly RBS Lynk), the U.S. payment processing arm of The Royal Bank of Scotland Group, today announced that its computer system had been improperly accessed by an unauthorized party.  RBS WorldPay has urgently taken a number of important steps to mitigate risk in response to this situation.

The issue, which affected pre-paid cardholders and other individuals, was identified on November 10 and law enforcement agencies and federal regulators were notified by RBS WorldPay shortly thereafter. RBS WorldPay’s internal security professionals and outside experts are working with federal and state law enforcement authorities in an investigation of this event.  The affected pre-paid cards include payroll cards and open-loop gift cards. Personal information associated with certain payroll cards may have been improperly accessed. PINs for all PIN-enabled cards have been or are being reset.

Affected individuals are being notified and information has been posted on the RBS WorldPay Web site, www.rbsworldpay.us.
The fraud that has been identified to-date is associated with RBS WorldPay’s computer system supporting its U.S. pre-paid and open-loop gift card issuing business. Actual fraud has been committed on approximately 100 cards. Cardholders will not be responsible for unauthorized activity associated with this event. Certain personal information of approximately 1.5 million cardholders and other individuals may have been affected and, of this group, Social Security numbers of 1.1 million people may have been accessed.

RBS WorldPay is offering impacted individuals whose Social Security numbers may have been affected a complimentary one-year membership in a national subscription credit monitoring service that provides access to individuals’ consumer credit reports and daily monitoring of their credit files from all three national consumer reporting agencies.

Gift cards that have already been purchased retain their value and can be used wherever they are accepted by merchants. Those gift cards that had not been purchased have been deactivated and are being removed for destruction from stores as an additional precaution.

Ben Barone, president and CEO of RBS WorldPay, said, “Privacy is important to RBS WorldPay and we regret any inconvenience this may cause affected individuals. We have taken important, immediate steps to mitigate risk and none of the affected cardholders will be responsible for unauthorized activity on their account resulting from this situation. We are working closely with leading computer security firms to further safeguard our system, and with law enforcement agencies, which we hope will result in the criminals being brought to justice.”


Reblog this post [with Zemanta]

Disqus for ePayment News