Wednesday, January 28, 2009

Heartland Sniffer Found in Unallocated Portion of Disk Drive

StorefrontBacktalk: Heartland Sniffer Hid In Unallocated Portion Of Disk

Evan Schuman, who first reported that the Secret Service has identified the person(s) responsible for the Heartland attack, writes more about the attack in his publication, StoreFront Backtalk. 

He says that the sniffer malware used in the Heartland attack was cloaked in an unallocated portion of Heartland's server, which is a well-known tactic. What's unique in this type of attack is that it requires "tricking" the operating system, either by modifying the OS itself or by installing a modified device driver. Either way, one consultant said that the fact that the hacker(s) got around the OS itself is a "scary mother."

SFBT also says in the article that Robert Baldwin, President and COO of Heartland, says they were contacted by V/MC in late October. It then took two weeks for two different forensic teams (who, according to Heartland, were both about to issue a clean bill of health) to find some .tmp files in an unallocated portion of the disk drives, which turned out to be a by-product of the malware.
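As an added illustration (not code from the article, from Heartland or from its forensic teams), the following Python sketch shows why a review limited to the clusters the filesystem still considers allocated sees nothing, while a sweep of the unallocated clusters recovers the remnants of a deleted temp file. The toy disk image, its allocation bitmap and the indicator patterns (a ".tmp" marker and a Luhn-valid card-number-like digit run) are constructed for the example.

```python
import re

CLUSTER_SIZE = 64
# Constructed allocation bitmap for a toy 8-cluster volume: 1 = in use by a
# live file, 0 = unallocated (free to the filesystem, but never wiped).
ALLOC_BITMAP = [1, 1, 0, 0, 1, 0, 1, 0]
# Candidate PAN: a 13-19 digit run that is not part of a longer digit run.
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")

def build_image() -> bytes:
    """Constructed raw image; cluster 3 holds remnants of a deleted .tmp file."""
    clusters = [b"\x00" * CLUSTER_SIZE for _ in ALLOC_BITMAP]
    clusters[0] = b"volume header / config".ljust(CLUSTER_SIZE, b"\x00")
    clusters[1] = b"app.log: service started, 0 errors".ljust(CLUSTER_SIZE, b"\x00")
    clusters[3] = b"cap_01.tmp 4111111111111111=0912 swiped".ljust(CLUSTER_SIZE, b"\x00")
    clusters[5] = b"serial 1234567890123456 (not a card)".ljust(CLUSTER_SIZE, b"\x00")
    return b"".join(clusters)

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: weeds out serial numbers and timestamps that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask(pan: str) -> str:
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def clusters_where(bitmap, used: bool) -> list:
    """Cluster ids whose allocation flag matches `used`."""
    return [i for i, flag in enumerate(bitmap) if bool(flag) == used]

def scan_clusters(image: bytes, cluster_ids) -> list:
    """Return (cluster, indicator, value) for every hit in the given clusters."""
    hits = []
    for cid in cluster_ids:
        chunk = image[cid * CLUSTER_SIZE:(cid + 1) * CLUSTER_SIZE]
        if b".tmp" in chunk:
            hits.append((cid, "tmp_marker", ".tmp"))
        for m in PAN_RE.finditer(chunk):
            pan = m.group(1).decode()
            if luhn_ok(pan):
                hits.append((cid, "pan", mask(pan)))  # never report the full PAN
    return hits
```

Running `scan_clusters(build_image(), clusters_where(ALLOC_BITMAP, True))` returns no hits, while the same scan over `clusters_where(ALLOC_BITMAP, False)` returns the ".tmp" marker and a masked Luhn-valid PAN from cluster 3; the Luhn-invalid serial in cluster 5 is correctly ignored.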

Finally, Evan Schuman addresses Heartland's decision to pursue end-to-end encryption, questioning how feasible it is given the cost, the number of payment players that would have to participate, and the fact that it is the card brands themselves who insist on dealing with unencrypted data.

This from StoreFront Backtalk:

The sniffer malware that surreptitiously siphoned tons of payment card data from card processor Heartland Payment Systems hid in an unallocated portion of a server’s disk. The malware, which was ultimately detected courtesy of a trail of temp files, was hidden so well that it eluded two different teams of forensic investigators brought in to find it after fraud alerts went off at both Visa and MasterCard, according to Heartland CFO Robert Baldwin.

Regarding end-to-end encryption, Evan quotes Heartland CEO Bob Carr and explains the potential problem with it...

"Heartland CEO Robert Carr said in a statement. “Nevertheless, I believe the development and deployment of end-to-end encryption will provide us the ability to implement increasing levels of security protection as they become needed.” 

End-to-end encryption is far from a new approach. But the flaw in today’s payment networks is that the card brands insist on dealing with card data in an unencrypted state, forcing transmission to be done over secure connections rather than the lower-cost Internet. This approach avoids forcing the card brands to have to decrypt the data when it arrives."

Read Evan Schuman's complete article here


Banks Not HPY with Heartland

It appears some financial institutions aren't very HPY with Heartland Payment Systems...

The Washington Credit Union League (WCUL) in Federal Way, Washington is seeking to revive legislation that would mandate specific data protection controls on all merchants and third parties, such as Heartland.  The bill (HB 1149) received its first hearing last Thursday in the Washington State House Committee on Financial Institutions and Insurance, according to a statement released by the WCUL. 

But in reading between the lines, or actually reading the yellow-highlighted ones below, it looks like the beginnings of a class-action lawsuit against Heartland in order to recoup "$20 per issued card," the "30 minutes of staff time" it takes to get it done, and monetary damages to reimburse the "reputational damages" incurred by the financial institution. They also state that "if someone's careless actions result in financial loss, they should have to pay for it" and that some institutions are reporting that "more than 50% of their card base has been affected" by the Heartland breach. All bad news for Heartland's ticker...and like they say, this may just be the tip of the iceberg...


Contact: David Bennett - Washington Credit Union League
Office: 206.340.4828  Mobile: 425.221.1237

Latest Data Breach Causing Significant Harm to  Washington’s Consumers, some Financial Institutions
A credit union-written bill now before the state legislature encourages all financial institutions to take extraordinary measures to protect consumers from identity theft and fraud.

FEDERAL WAY, WASH—The state’s credit unions have been prepared for tough times on behalf of their members for more than 75 years, but the latest whammy leveled on them may cause as much harm to some as the current national financial meltdown.

Last Tuesday’s revelation by third-party credit and debit card processing company and Princeton, N.J.-based Heartland Payment Systems, a company that completes about 100 million transactions per month on behalf of more than 250,000 merchants, disclosed that it had begun to receive fraudulent activity alerts last year from MasterCard and VISA. According to reports, all of the unauthorized transactions were applied to cards that rely on Heartland to process payments.

Heartland still does not know how long the breach occurred prior to its discovery and refuses to release the names of the merchants that contract with them, which deprives consumers who patronize those merchants the ability to be more vigilant in monitoring their credit and debit card accounts.

Some of Washington’s financial institutions have reported that more than half of their card base has been affected by the breach.

Most credit union leaders believe that the effect during the initial days is just the “tip of the iceberg,” and have already begun to notify members, block accounts, reissue cards and numbers and provide ongoing fraud monitoring.

According to some industry insiders, fraudulent activity alerts began to arrive in mid-November; however, because of liability reasons, the alerts did not mention where the breach occurred. At least one has confirmed that counterfeit cards have been created from the stolen information and so far used in Florida and Mexico.

“The state’s credit union community is appalled, but unfortunately not very shocked by the immense size of the Heartland data breach,” said Washington Credit Union League President/CEO John Annaloro.

“In far too many cases, negligent data breachers do business as if they were immunized from liability when they fail to protect their customers’ personal information. In our view, if someone’s careless actions result in a financial loss to others, they should have to pay for it.”

In the past, it has been standard operating procedure following a data breach for credit unions to block accounts, reissue cards and numbers and provide ongoing fraud monitoring.

However, taking those aggressive steps to protect members from financial fraud and identity theft is becoming cost prohibitive because the frequency and size of data breaches is skyrocketing and costs the financial institution around $20 per card, depending on the extent of the action taken.

This number does not include costs associated with staff time, which can be as much as 30 minutes per card, or the negative reputational impact on the financial institution.

“While there are processes that are "supposed to provide" some reimbursement for fraud losses, the truth is that these processes only recoup pennies on the dollar,” (translation: we want more money) said Stacy Augustine, the Washington Credit Union League Senior Vice President in charge of government relations. “More importantly, the costs that are recouped don’t pay anything toward costs associated with a financial institution’s proactive steps to protect consumers from fraud and identity theft.”

Because of this, Washington’s credit unions have once again introduced legislation aimed at encouraging financial institutions to take extraordinary proactive steps to protect the state’s consumers from identity theft and financial fraud following a data breach. Like last year’s proposed bill, HB 1149 encourages financial institutions to take proactive measures to protect consumers by allowing them to sue negligent data breachers for the cost of aggressively protecting Washingtonians’ personal and private information.


Class-Action Suit Against Heartland

In an article titled, "Banks, credit unions scramble in wake of Heartland breach," Jaikumar Vijayan writes for Computer World that several banks have begun reporting fraud and have been forced to issue replacement cards. 

In addition, the first class-action lawsuit has been filed on behalf of a woman in Woodbury, MN.

I would think this may just be the "tip of the iceberg" when it comes to lawsuits, as numerous credit unions and small banks will look for ways to recoup some of the exorbitant costs associated with a breach of this size.  Maybe Heartland Bank will lead the way.  Wouldn't that be a full circle and a half?

More likely it will be the Washington Credit Union League.  Based on the tone of their language in this document (Word) they are not very HPY with Heartland right now.

Here are a couple of paragraphs from the ComputerWorld article.
"In the first real indication of the scope of the recently disclosed data breach at Heartland Payment Systems Inc., banks and credit unions from Washington to Maine have begun to reissue thousands of credit and debit cards over the past few days.

Several have also begun disclosing fraud associated with payment cards that were reported to them by Visa and MasterCard as having been exposed in the breach.

A Pennsylvania law firm today filed the first class-action lawsuit related to the breach. Chimicles & Tikellis LLP in Haverford, Pa., filed the lawsuit on behalf of Alicia Cooper, a resident of Woodbury, Minn., and others who might have been affected by the breach.

The complaint, filed in the U.S. District Court for the District of New Jersey in Trenton, alleges that Cooper, whose card was compromised in the breach, and others, were victims of Heartland's negligence in protecting cardholder data. The lawsuit, which calls for a jury trial, charged Heartland with breach of contract, breach of implied contract and breach of fiduciary contract for the breach..."

Looks to me like this is going to get rather messy for Heartland.  Click here to read the whole story at


One in Four Brits Hit w/Card Fraud

The Press Association is reporting that "One in four Britons are a victim of card fraud." According to their story, "1 in 4 Britons have been the victim of credit or debit card fraud." Research has shown that:

Around 26% of people have now had their card used fraudulently, up from 21% when the same research was carried out 12 months ago, according to life assistance group CPP.  (Editor's Note: Unless they lived in London, where nearly 40% of Brits were victims.)

On average, fraudulent transactions totalled around £650, but 6% of people reported losses of more than £2,000.  But despite the large sums of money involved, 42% of card fraud victims did not spot the rogue transactions themselves, and only found out about them when they were alerted by their bank.

London remained the country's credit and debit card fraud hot spot, with 38% of people living in the capital having been hit by the problem, a 10% jump on the number of people who had been affected last year.

It was closely followed by Cardiff at 34%, Manchester at 29% and Brighton at 27%, where there was a 15% jump in the proportion of people hit during the year.

Nearly four out of 10 victims had their card used online, while 21% had it cloned when using a cash machine or chip and Pin device, with others losing money after their card was lost or stolen. 

Kerry D'Souza, card fraud expert at CPP, said: "The dramatic increase in card fraud shows no sign of abating which isn't surprising given the desperate measures some people will resort to during the recession.

"Fraudsters are becoming increasingly sophisticated, especially when it comes to online transactions which are a particular cause for concern."

"Cardholders need to remain vigilant with their cards and take the necessary steps to protect themselves - from checking statements more frequently to keeping sight of their card when paying for transactions. They might seem like simple steps, but they will go a long way in preventing fraud."

