Wednesday, January 28, 2009

Heartland Sniffer Found in Unallocated Portion of Disk Drive

StorefrontBacktalk: Heartland Sniffer Hid In Unallocated Portion Of Disk

Evan Schuman, who first reported that the Secret Service has identified the person(s) responsible for the Heartland attack, writes more about the attack in his publication, StoreFront Backtalk. 



He says that the sniffer malware used in the Heartland attack was cloaked in an unallocated portion of Heartland's server, which is a well-known tactic. What's unique in this type of attack is that it requires "tricking" the operating system, either by modifying the OS itself or by installing a modified device driver. Either way, one consultant said that the fact the hacker(s) got around the OS itself is a "scary mother."

SFBT also says in the article that Robert Baldwin, President and COO of Heartland, says they were contacted by V/MC in late October. It then took two weeks for two different forensic teams (both of whom, according to Heartland, were about to issue a clean bill of health) to find some .tmp files in an unallocated portion of the disk drives, which turned out to be a by-product of the malware.
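The detection side of what Schuman describes, as an added example that is not from the article or from Heartland's investigators: a simplified sweep that reads a disk image's allocation bitmap and flags free clusters that still hold data, the kind of remnant (an executable header, leftover temp-file content) that a scan of allocated files never sees. The image, bitmap and cluster size are constructed here for illustration; real tools would parse the filesystem's own allocation structures.

```python
# Added example, not from the article: sweep the unallocated clusters of a
# disk image for data the filesystem no longer accounts for.

CLUSTER = 512  # assumed cluster size for the constructed image


def unallocated_clusters(bitmap, total):
    """Indexes of clusters the filesystem marks as free (bit == 0)."""
    return [i for i in range(total) if not (bitmap[i // 8] >> (i % 8)) & 1]


def scan_unallocated(image, bitmap, cluster_size=CLUSTER):
    """Return (cluster_index, reason) for every free cluster holding data.

    Free clusters with data are common (deleted-file remnants), so the
    reason distinguishes an executable-looking header from other content;
    both deserve a closer look when a file-level scan came back clean.
    """
    total = len(image) // cluster_size
    findings = []
    for i in unallocated_clusters(bitmap, total):
        chunk = image[i * cluster_size:(i + 1) * cluster_size]
        if not any(chunk):  # all zero: nothing to report
            continue
        if chunk.startswith(b"MZ") or chunk.startswith(b"\x7fELF"):
            findings.append((i, "executable header"))
        else:
            findings.append((i, "non-zero data"))
    return findings


def build_sample_image():
    """Constructed 8-cluster image: clusters 0-2 hold an ordinary file,
    cluster 5 hides an executable-looking blob (hypothetical), cluster 6 a
    deleted-file remnant, and the rest are zero."""
    clusters = [bytearray(CLUSTER) for _ in range(8)]
    clusters[0][:11] = b"batch.csv\r\n"
    clusters[1][:12] = b"settled rows"
    clusters[5][:4] = b"MZ\x90\x00"      # planted PE-style header
    clusters[6][:16] = b"old temp content"  # stale .tmp-style leftover
    bitmap = bytes([0b00000111])  # only clusters 0, 1, 2 are allocated
    return bytes(b"".join(clusters)), bitmap


if __name__ == "__main__":
    image, bitmap = build_sample_image()
    for idx, reason in scan_unallocated(image, bitmap):
        print(f"cluster {idx}: {reason}")
```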

Finally, Evan Schuman addresses Heartland's decision to pursue End 2 End Encryption, questioning how feasible it is given the cost and the number of payment players that would have to participate, combined with the fact that it is the card brands themselves who insist on dealing with unencrypted data.

This from StoreFront Backtalk:

The sniffer malware that surreptitiously siphoned tons of payment card data from card processor Heartland Payment Systems hid in an unallocated portion of a server’s disk. The malware, which was ultimately detected courtesy of a trail of temp files, was hidden so well that it eluded two different teams of forensic investigators brought in to find it after fraud alerts went off at both Visa and MasterCard, according to Heartland CFO Robert Baldwin.


Regarding end-to-end encryption, Evan quotes Heartland CEO Bob Carr and explains the potential problem with it...


"Heartland CEO Robert Carr said in a statement. “Nevertheless, I believe the development and deployment of end-to-end encryption will provide us the ability to implement increasing levels of security protection as they become needed.”

End-to-end encryption is far from a new approach. But the flaw in today’s payment networks is that the card brands insist on dealing with card data in an unencrypted state, forcing transmission to be done over secure connections rather than the lower-cost Internet. This approach avoids forcing the card brands to have to decrypt the data when it arrives."

Read Evan Schuman's complete article here
