Tuesday, January 20, 2009

Fraud in the Heartland



In yesterday's last post, "Hackers Affect Debit and ATM Networks," I provided information from a story published by "The Times Tribune" that the STAR debit network had seen some suspicious activity and, in response to the situation, STAR said "the debit card issue we were alerted to could affect not only STAR but also other debit networks."

Earlier this morning came news that one of the nation's bigger processors, Heartland Payment Systems, has been breached. Are they related, or was Avivah Litan, distinguished analyst with Gartner, spot-on when she said, "payments and funds transfer processors, rather than retailers, are now the ones being targeted by hackers"?

Is the "Mother of All Hacks" coming? In that post, when speaking of the recent Royal Bank of Scotland breach, I said: "There is a disturbing development brewing in the payments world. It's bad enough when a retailer's computer security is breached, but now we've got us a completely different ballgame. When hackers penetrate the computer systems of major acquirers and processors, well, to use a famous quote, 'We've got a problem, Houston.'

This could turn out to be a 'Royal pain in the ***' for Visa and Mastercard themselves because acquirers like Royal Bank of Scotland link directly into their networks. On the surface, this appears to be 'one small step' for hackers, but it's 'one giant step' for hack-kind."

In that post I quoted Ms. Litan as saying:

“It’s very bad news,” says distinguished analyst Avivah Litan. Unlike retailers’ computer systems, processors’ systems connect directly to the networks of Visa Inc. and MasterCard Inc. “An attacker that breaks into a processor conceivably can get into the heart of the system,” and attacks on acquirers and processors are increasing.

Did she say "get into the Heart of the system?..." Man, she's like the Nostradamus of the payments world...stay tuned...

Heartland Payment Systems Uncovers Malicious Software In Its Processing System
No merchant information or cardholder Social Security numbers compromised.

PRINCETON, N.J., Jan. 20 /PRNewswire-FirstCall/ -- Payments processor Heartland Payment Systems has learned it was the victim of a security breach within its processing system in 2008. Heartland believes the intrusion is contained.


"We found evidence of an intrusion last week and immediately notified federal law enforcement officials as well as the card brands," said Robert H.B. Baldwin, Jr., Heartland's president and chief financial officer. "We understand that this incident may be the result of a widespread global cyber fraud operation, and we are cooperating closely with the United States Secret Service and Department of Justice."

No merchant data or cardholder Social Security numbers, unencrypted personal identification numbers (PIN), addresses or telephone numbers were involved in the breach. Nor were any of Heartland's check management systems; Canadian, payroll, campus solutions or micropayments operations; Give Something Back Network; or the recently acquired Network Services and Chockstone processing platforms.

After being alerted by Visa(R) and MasterCard(R) of suspicious activity surrounding processed card transactions, Heartland enlisted the help of several forensic auditors to conduct a thorough investigation into the matter. Last week, the investigation uncovered malicious software that compromised data that crossed Heartland's network.

Heartland immediately took a number of steps to further secure its systems. In addition, Heartland will implement a next-generation program designed to flag network anomalies in real-time and enable law enforcement to expeditiously apprehend cyber criminals.

Heartland has created a website - www.2008breach.com - to provide information about this incident and advises cardholders to examine their monthly statements closely and report any suspicious activity to their card issuers. Cardholders are not responsible for unauthorized fraudulent charges made by third parties.


"Heartland apologizes for any inconvenience this situation has caused," continued Baldwin. "Heartland is deeply committed to maintaining the security of cardholder data, and we will continue doing everything reasonably possible to achieve this objective."





