Wednesday, January 21, 2009

In God We Trust...Visa/MC is Another Issue(r)

We're Not in Kansas Anymore...the Heartland has been breached and the ROI on PCI may be sucked up by the tornado that is hackers...

In fairness to Heartland Payment Systems, I want to add this addendum to my previous post. Unlike CardSystems, which PBT bought after their 40 million card breach, Heartland was PCI certified.

Then again, so was Hannaford at the retail level. So what does this mean? Since hackers have shifted their attention from retailers to, at least in this case, acquirers, where does it end? It doesn't end here, that's for sure.

I'll tell you where it "ends at the beginning", and the "beginning of the end" of a transaction is at the Visa/MC network level.

Therefore, Visa/MC and their PCI, which has cost retailers and processors over $2 billion to implement, need to take some of the blame. Heartland played by "their rules." The hackers were the ones that breached them. So who's really to blame? Sure, the hackers would be the first answer, but second to none is Visa/MC.

After all, if you need to "unencrypt" encrypted information, which is where the HPS breach occurred, and it took 4+ months for Visa/MC to detect suspicious activity, then maybe the hackers have gotten to the Point of No Return.

The "Mother of All Hacks" will never be Heartland Payment Systems. It will be the electronic payments system at its very core. Whether it's Visa, MasterCard or NACHA, if any of these systems is breached, it's the end of e-payments as we know it. Do they know it?

With TJ Maxx, it was the retailer's fault (storage); with CardSystems, it was non-PCI compliance (also storage anomalies). But with Heartland, where does the fault lie? Can it be a PCI-certified acquirer's fault? They complied...yet they are going to take the fall. I say that unless new information comes forward...they shouldn't.

So the way I see it, PCI, not Heartland, has been breached. And not for the first time.

Hackers may very well have gotten to the very "core" of payment transaction platforms...the point where encrypted info needs to be "unencrypted" in order to complete authorization. I'm no security expert, but what good is encryption if it needs to be "unencrypted" at ANY point in the process?

Does V/MC think their systems are beyond attack? If I were a hacker and I knew the weak point was where unencryption occurs, then it "occurs" to me that point would be the most vulnerable point of attack.

What if, as I stated in previous posts, the bad guys (darkhats) really know more than the good guys (the whitehats)? Then is all the money spent to protect data at the "point of sale" morphing into a "point of no return" on the investment? If so, what's the point?

In God we Trust...but what about Visa/MC?

Want to "charge" something? Then use Visa/MasterCard. For secure payments, I'll continue to put my faith in the Debit/ATM networks. Heartland admitted that although all the information on the magnetic stripe was hacked, no PINs were. That seems to be something the hackers can't quite PIN down.

PIN Debit Payments Blog


More on the Heartland Breach...a lot more...

Clarification: In a Monday post, "Hackers Affect Debit and ATM Networks," I alluded to the fact that 8500 debit cards were disabled by Forcht Bank because they were compromised. "The cards were compromised when a retail merchant’s computer system was hacked," Forcht's COO Eddie Woodruff said. "The breach affected customers of multiple banks and multiple debit and ATM networks." Woodruff went on to say: “Our debit card processor, which is a company called STAR, they had a retail customer, we’re not exactly sure who the retail customer was, and the information we believe may have been compromised,” he said. Well, this is not entirely true.

In fairness, I also reported that First Data Corporation, which operates the STAR Debit and ATM Network, would not comment on how many other banks were affected, but did release in a statement Monday that "the debit card issue we were alerted to could affect not only STAR but also other debit networks." They also said: "this situation is not related to any First Data processing systems or practices."

It now seems like the hackers affecting the debit and ATM networks were related to the Heartland Payment Systems (HPS) breach.

I would look for the Heartland breach to get bigger. From everything I've gathered, it looks to me like the malicious software went undetected for about 6 months.

Right now, the conjecture is that 100 million cards have been breached, making it the largest breach ever, blowing away TJ Maxx (45 million, later bumped to 92 million in court papers) and CardSystems (40 million).

But 100 million is HPS' "monthly" volume. As I said, this went undetected for months. So, as with the numbers for TJX, expect that "100 million" number to rise. Heartland had 600 million cards go through from May through "late fall," when they discovered the breach. So the final numbers will come in between 100 and 600 million.

That's scary enough, but what's really scary here is that Heartland got breached as they unencrypted the information to get authorization from Visa, MasterCard, American Express and Discover. In other words, encrypted information needs to be unencrypted in order to complete the transaction. Heartland's COO, Robert Baldwin, stated, “We have industry-leading encryption, but the data has to be unencrypted to request the information; the sniffer was able to grab that authorization data at that point.”
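As an added illustration of what a defender can monitor at exactly the point Baldwin describes (this is example code written for this page, not code from the blog, Heartland or any processor): a small Python scanner that flags Luhn-valid card numbers and Track 2 strings appearing in the clear in constructed sample authorization-log lines. The log format and the card numbers are made up for the example; the numbers are well-known non-issued test values that merely pass the Luhn check.

```python
import re

# Constructed sample of what a sniffer at the authorization stage would see.
# The line format is invented for this example; the PANs are non-issued
# test numbers (they pass Luhn) except the last one, which fails Luhn.
CAPTURED_LINES = [
    "AUTHREQ merchant=12345 amt=42.10 track2=;4111111111111111=1312101123400001?",
    "AUTHREQ merchant=12345 amt=9.99 pan=5500000000000004 exp=1209",
    "HEARTBEAT seq=8813 status=ok",
    "AUTHREQ merchant=67890 amt=15.00 pan=1234567890123456 exp=1110",
]

# ISO 7813 Track 2 layout: ';' PAN '=' YYMM service-code discretionary '?'
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")
# Any bare 13-19 digit run is a PAN candidate until Luhn says otherwise.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(pan: str) -> bool:
    """Standard Luhn mod-10 check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep only first 6 and last 4 digits so the alert itself is not cardholder data."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_cleartext_pans(lines):
    """Return (line_no, kind, masked_pan) for every Luhn-valid PAN seen in the clear."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = TRACK2_RE.search(line)
        if m and luhn_ok(m.group(1)):
            hits.append((n, "track2", mask(m.group(1))))
            continue            # full track data outranks a bare PAN hit
        for m in PAN_RE.finditer(line):
            if luhn_ok(m.group(1)):
                hits.append((n, "pan", mask(m.group(1))))
    return hits
```

Running `find_cleartext_pans(CAPTURED_LINES)` flags lines 1 and 2 only; the Luhn check keeps the heartbeat counter and the invalid number on line 4 from producing false alerts.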

So if that's the point that the sniffer was capable of sniffing, then this is nothing to sneeze at. Hackers have taken another "giant step" for hack-kind... This very well may go down in the payments industry as "The Mother of All Hacks." Heartland is sure to take a huge financial hit.

I'm shocked that their stock was only down 7 cents today. I really thought their "inauguration day" "non"-announcement would rub people the wrong way and it would be way down. As people start to realize the magnitude of the breach, and therefore the losses associated with it, I expect HPS stock to get "massacred" by...ironically, "Valentine's Day."

And I'm not "heartless," just cynical...we (Pay By Touch) bought CardSystems after their humongous 40 million card breach, and the aftermath, including, but not limited to, expenses revolving around losing customers, losing ISOs, and dealing with the FTC, Visa, MasterCard and Discover, bled us dry. Don't believe me? Ask anyone there. Acquiring CardSystems after the breach was a huge mistake. Dealing with the breach was expensive and time consuming. (Click here for FTC reports related to CardSystems)

Don't believe me? Then what about Avivah Litan?

Avivah Litan, a data security analyst, said that the Heartland breach could result in hundreds of millions in losses and other expenses. “If you add it all up, including legal costs, it could be as much as half a billion dollars in losses — or twice as big as TJX,” she said.

Heartland has a tough road ahead of them...wonder how many shares of HPS stock Bob Carr sold, if any, after May 1st and prior to yesterday... 



Safest Way to Pay Online...

In the wake of yesterday's announcement by Heartland, what some are calling the biggest card breach ever, I thought I'd bring you this. 

A new website, launched yesterday, is a place where people can go for expert advice on topics such as Internet security, online payment, password management, credit card fraud, cell phone usage, identity theft and more. Until now, no one site has gathered all these different topics in one place. As the use of our digital information spreads, we as individuals have a role in safeguarding it more than ever.

The site answers questions such as:

What’s the safest way to pay online? 

Editor's Note: I'm going to share their answer right now, because it is exactly what we've been saying about our HomeATM SwipePIN device. This, from their

What is the safest way to pay online?
    "The safest way to pay online is with some sort of personal digital security device to prove it is really you making the purchase and that the site you are purchasing from is authentic."  (Editor's Note: Touché!)

    "This could be a smart bankcard you put into a small USB reader when you pay online."  Editor's Note: Or it could be your own personal SwipePIN device, such as the SLIDER manufactured by HomeATM...

    "This makes online payment much more secure, similar to when you make an ATM withdrawal, because it requires both a card and a PIN code."

    Bankers call this “two-factor” authentication. One factor is something you know, the PIN, and the second factor is something you have, the card or token.

    However, smart bankcards, like those used in Canada, Latin America, Europe and Japan, are not available in the United States. (Editor's Note: No, they're not, so if you want two-factor authentication here in the U.S., you'll want to utilize HomeATM's SwipePIN device. Swipe your card (something you have) and enter your PIN (something you know).)

    One example is how a leading U.K. bank, Barclays, used smart bankcards to stop online fraud. (Editor's Note: Yes, they used their PINSentry device, and according to Barclays, demand for the device was higher than expected, it cut fraud, and it is now asked for by name by new online users, thus generating online sales growth.) I would say it's safe to assume the same results for our SLIDER...thanks for the pilot, Barclays!

    Other questions currently addressed at the site include:
    • What is a hotspot and is it safe to use my laptop at the airport?
    • How does music and video file sharing work?
    • I hear about 3G networks in iPhone ads, what is that?
    • If I have a secure connection to a Web site, does that mean I can trust the site?
    • Do U.S. electronic passports use RFID?
    • Can my neighbor steal data from my Wi-Fi network?
    • How do I get an emergency replacement passport if I am traveling?
    • I want to get a phone that works outside the U.S., what should I look for?
    • Five things you should do when traveling abroad
    The Web site also presents informative articles and short videos. The site is part of a broader business and consumer education initiative undertaken by $2 billion digital security leader Gemalto, to help guide informed choices and practices.
