Sunday, January 25, 2009

Suspect ID'd in Heartland Breach


Heartland "Break In" News

Evan Schuman, editor of Storefront Backtalk, is reporting on his site that the Secret Service has identified the source of the Heartland breach and turned it over to the DOJ. Or at the very least the SS has PINpointed their location...overseas.


You'd think this would be big news, considering all the attention being given to the breach. You'd also think that since it took so long to discover the breach, it might take longer than 2 or 3 days to find the source of the breach. I've googled "heartland suspect" and apparently Mr. Schuman has quite the breaking story, because I can't find mention of the PINpointing of the suspect anywhere else that doesn't track back to Backtalk. Anywhere.

From Storefront Backtalk:

"The Secret Service has identified an overseas suspect in the Heartland data breach case and the matter has been turned over to the U.S. Justice Department, according to someone close to the investigation.

Few additional law enforcement details were immediately available, other than that the government believes it has identified the cyber thief involved, has “pinpointed” that suspect’s location and that it’s outside of North America, the source said.

Given the word that the Secret Service believes it has located the prime suspect, it raises the possibility that law enforcement was already on their trail long before the Heartland spyware was detected."

Continue Reading at StoreFront Backtalk


That's an interesting observation...they knew about the trail, but not about the nuts (and bolts) of their operation.   Then again, original reports did quote Heartland's president and CFO, Robert Baldwin as saying: "Our discussions with the Secret Service and Department of Justice give us a pretty good indication that this is part of a group that appears to have done security breaches at other financial institutions."


Evan Schuman also reports that Heartland is now saying it was first alerted by Visa and MasterCard in the late October, early November time frame. (You'd think there'd be an exact date on which they were notified by V/MC.) A "timeframe" applies to when they "think" the malware was released into their system.

Although there's no official word on when the malware was first introduced into Heartland's system, there has been talk that the malware has been "present" since May 2008. That's 6+ months of MP ("Malware Present") transactions.

Evan also goes on to say that Heartland spokesman Jason Maloni advises that when the sniffer software was finally  identified by the outside forensic expert hired by the company, the malicious program was inactive, which means that the suspects may have been "on" to the forensic investigation, and turned it off. 




Heartland Fallout Continues

According to the St. Louis Journal, Heartland Bank and Bank of America said Friday they are issuing new credit and debit cards to their customers in response to the security breach at Heartland Payment Systems of New Jersey.

The Journal reports that "Heartland Payment Systems is not related to Heartland Bank." ... "confusion over the similar names has prompted 100's of calls to Heartland Bank in St. Louis this week."

Clarification: While this story makes it sound like the similarity of the Heartland names is purely coincidental, it is not. The two entities may be unrelated today, but they were both involved in the formation of what is now the nation's sixth largest processor.

When Heartland was formed, it was formed in union with Heartland Bank. I remember going down to St. Louis and meeting with Bob Carr and Heartland's bank president back then. (I think it was in early '97.) If I remember correctly, Heartland Bank and Bob Carr were the co-founders.

I think Bob Carr broke free from Heartland Bank in 2000.   So the confusion has merit.  To this day, even their logos share an iconic common denominator.


Anyway, getting back to the story, from SLBJ: "The security breach did get information on our cardholders," David Minton, Heartland Bank president and chief executive, told the Business Journal. "Like other banks all over the country, we got notices from MasterCard and Visa saying that our customers' cards have been compromised."

The two largest banks in St. Louis, U.S. Bank and Bank of America, as well as other banks nationwide received similar notices because the breach, revealed by the New Jersey payment processor on Tuesday, potentially impacts millions of credit and debit card accounts.

Bank of America is in the process of reissuing new credit and debit cards to customers, said Betty Riess, a spokeswoman. She declined to specify how many of Bank of America's customers were impacted.

continue reading at St. Louis Business Journal

Friday, January 23, 2009

Heartland CEO Talks

It took a couple of days, but somehow Heartland's CEO was able to spin the breach into a positive for his company. After all, they've added 400 merchants in the last few days, "because of our record of "candor" (first words in since Tuesday) "fair dealing" (no free consumer credit reports like RBS WorldPay?) "transparency," (Oh, you must mean that "transparent" inaugural day hidden press release) and so...on...wait, make that, so off...in fact, way off.

Remember Tylenol? People still buy it, right? Yeah, they do, because it doesn't "remind them of the headache, it cures it."

Tylenol? Please, accepting that analogy's a little tough to swallow (pun intended) considering that the Tylenol tampering resulted in multiple deaths. Maybe that's the point...that nobody died? Oh, I guess it's not so bad then. It could have been worse. I buy Tylenol (I think), but this? Maybe if it was less cheerleaderesque and more quarterbackescent. Then again, maybe the PR did HPS some good. The stock is up double digits (10.15% or .83 cents right now). We'll know at the end of the day...and the Bad Ticker will track Heartland until February 14th.

Company Reports Continued Growth of Merchant Base

PRINCETON, N.J., Jan. 23 /PRNewswire-FirstCall/ -- Heartland Payment Systems added more than 400 merchants to its client base in the past few days - exceeding results for the same period from last year.

"Our organization and business model founded on fair dealings, transparency and merchant advocacy have paid off these past few days," stated Robert O. Carr, Heartland's founder, chairman and chief executive officer. "This is demonstrated in the continued organic growth of our merchant base. Despite the headwinds of the economy and attacks by some of our competitors, we have installed new merchants, new payroll clients and new check management clients since our disclosure of the breach on Tuesday morning. Our record of candor, fair dealing, no arbitrary rate increases since our formation almost 12 years ago and superior customer service is highly valued.

"Merchants continue to respect Heartland for the manner in which we do business. They appreciate our ongoing efforts to help them manage the costs and complexities of payments processing," Carr continued. "Our energized organization called on the owners of more than 150,000 business locations these past three days to help them understand the breach and what it means to them. I couldn't be prouder of our entire organization for the way everyone has pulled together to help."

No confidential merchant data, Social Security numbers, unencrypted personal identification numbers (PIN), addresses or telephone numbers were retrieved in what is believed to be a global cyber-fraud operation. Heartland does not yet know how many card numbers were obtained. Many reports in the press are speculative.

Consumers will know if their card account numbers have been used by reviewing their monthly statements. Cardholders should report suspicious activity to their issuing banks (the bank that issued the card, not the card brand). If unauthorized use is confirmed, cardholders are reimbursed for the fraudulent purchases and are not held financially responsible.

Over the past few days, Carr has been talking to many industry leaders about working together to fight the cyber criminals who victimized Heartland and continue to jeopardize companies, consumers and data worldwide.

"I have talked to many payments leaders who are also concerned about the increasing success and frequency of cyber crime attacks," Carr noted. "Up to this point, there has been no information sharing, thus empowering cyber criminals to use the same or slightly modified techniques over and over again. I believe that had we known the details about previous intrusions, we might have found and prevented the problem we learned of last week."

Heartland's goal is to turn this event into something positive for the public, the financial institutions which issue credit/debit cards and payments processors.

Carr concluded, "Just as the Tylenol(R) crisis engendered a whole new packaging standard, our aspiration is to use this recent breach incident to help the payments industry find ways to protect its data - and therefore businesses and consumers - much more effectively."

For the past year, Carr has been a strong advocate for industry adoption of end-to-end encryption - which protects data at rest as well as data in motion - as an improved and safer standard of payments security. While he believes this technology does not wholly exist on any payments platform today, Heartland has been working to develop this solution and is more committed than ever to deploying it as quickly as possible.

Source: Company Press Release


Alternative Payment Market Report

Packaged Facts Releases Alternative Payments Market Report

Description
Online shopping, peer-to-peer connections and safer, more secure online services are the fundamentals driving the growth of consumer online alternative payments in the United States. In this all-new Packaged Facts report, the current and future market landscape is analyzed, which Packaged Facts estimates at $37.3 billion in 2007, up 33% over 2006.

Packaged Facts presents the market for alternative payments in relation to both the business-to-consumer (B2C) ecommerce market and the total "consumer" payments market. The report presents the size and growth of the market using several key metrics, including paper payments, card payments and electronic payments, as well as trends and factors that affect the industry. Special regard is given to the activity of top players and the varied upstarts, particularly in mobile payments, hoping to steal share and further alter the old school payments paradigm. Major key competitors are profiled, along with a focused analysis of consumer payment demographics and preferences.

Note: Packaged Facts defines alternative payments as entirely electronic and predominantly conducted over the Internet (though not all are conducted through the ACH network). Generally, alternative payments exclude all forms of paper and any debit or credit card where the purchase or remittance is made directly with that medium. The most common alternative payments are consumer-to-business purchases and peer-to-peer, also referred to as person-to-person (P2P) payments.
Embedded Scribd document: The Alternative Payment Systems Industry in the U.S.





Card Replacement Task Begins...


A significant number of First Commonwealth Bank customers soon will receive new debit cards.

The Indiana, Pa.-based bank recently was notified by the Fraud Management Department of MasterCard International of a data security breach of a U.S.-based merchant which has since been identified as a card processor, Heartland Payment Systems of Princeton, N.J.

Affected customers soon will receive a new debit card but will keep their same PIN number.

"This was a payment processor so this is pretty unusual," Fulgenzio said. "MasterCard and Visa do a good job enforcing their rules and regulations. I think the situation is getting better because Visa and Mastercard are getting stricter with penalties for the compromise of data."

However, when breaches occur, customers are protected. "Any time there is an unauthorized transaction, the customer is protected by the Electronic Fraud Transaction Act," Fulgenzio said. "The customers are covered by these kinds of transactions, but it does create a hassle. They will not lose their money."


Platte Valley Companies and First State Bank have canceled bank cards for nearly 600 customers after learning the records of a third-party credit card processor were compromised.

"Upon notification by the VISA Alert and its high risk level, Platte Valley Bank made the decision and took immediate steps to block the cards affected, to prevent fraud and safeguard its cardholders. Platte Valley Bank began notifying its VISA Debit Card customers of the data breach and status of their cards. New cards will be issued upon receipt of application from those customers affected."

Forcht Bank - Kentucky's Forcht Bank has canceled more than 8,500 debit cards, and it's likely other banks will soon be taking similar steps. Forcht disabled 8,500 debit cards after learning hackers accessed data belonging to a company that processes debit card transactions from merchants. New cards will be sent to those customers in the next week to 10 days.

Editor's Note: So that's 600 + 8,500 + "significant." Assuming "significant" is 90,000 cards, then Heartland only has to pay for the remainder of the 99 million plus cards that need to be replaced...

Update:  Heartland has no plans of closing its doors, as eventually was the case with payment processor CardSystems Solutions, which itself suffered a devastating breach in 2005. "We're going to be a better company for it," a Heartland spokesman said.   (Yeah, and college cheerleaders still jump up and down with their team down 51-0, let alone 100 million to nothing.)

For those who are interested in reading more...there's a good story on the banks' start of their card replacement triggered by the Heartland breach at: www.digitaltransactions.net



Tom Ridge at MRC


TOM RIDGE TO ADDRESS E-COMMERCE LEADERS IN LAS VEGAS

FIRST SECRETARY OF HOMELAND SECURITY TO SPEAK AT MERCHANT RISK COUNCIL’S ANNUAL E-COMMERCE PAYMENTS AND RISK CONFERENCE

(Seattle, WA - January 23, 2009) The Merchant Risk Council (MRC) is pleased to announce the addition of former US Congressman, Governor of Pennsylvania and the nation’s first Secretary of Homeland Security, Tom Ridge, as a special keynote speaker for the MRC’s 7th Annual e-Commerce Payments and Risk Conference at the Wynn Las Vegas Resort on March 10-12, 2009.

Ridge will address e-Commerce security, fraud, risk and payments experts on growing cyber security issues that affect both US security and the US and global economies.

"We know that there are connections between e-Commerce fraud risk and national and economic security," says Tom Donlea, MRC executive director. "The issues that retailers face and the crime groups that target them are often the same threats that Homeland Security is tracking. Governor Ridge's insights on the topics of global risk and emerging threats will prove an invaluable asset for the world leaders in e-Commerce."

The primary themes of the 2009 conference are: Fighting New Patterns of Fraud and Cybercrime; Emerging Risk Management Trends; and Global Online Payment Strategies.

The MRC Annual Conference includes more than 40 speakers and panelists, 30 unique sessions and 40 payment and risk industry exhibitors all delivering valuable insight and information on the growth, diversity and risks associated with e-Commerce.

The Honorable Tom Ridge is currently the president and CEO of Ridge Global LLC. As the company's chief executive, he leads a team of international experts who help businesses and governments address a range of needs throughout their organizations, including risk management and global trade security, strategic business generation, technology integration, event security, crisis management, campus security and other issues that encompass a diverse portfolio.

Governor Ridge's presentation is sponsored by Ethoca, a leader in collaborative fraud management and an MRC Signature Sponsor Member.

"We are excited to sponsor Secretary Ridge's presentation at the MRC Annual Conference," states Andre Edelbrock, Ethoca's CEO. "The MRC is all about online merchants working together to mitigate risk and stay on top of new and growing threats, and Mr. Ridge's insights into global risk and security issues dovetail with the MRC’s vision of creating a safer and more profitable e-Commerce environment for all stakeholders."

Travelocity.com founder Terry Jones will deliver the conference’s official opening keynote speech, focusing on the business of innovation. The conference’s closing keynote will be delivered by Dateline NBC correspondent Chris Hansen, sharing his findings on the rapidly maturing underworld of cybercrime.

For full conference schedule, registration and exhibition information, please visit the MRC website at www.merchantriskcouncil.org.

About the MRC Annual Conference
The Merchant Risk Council 7th Annual e-Commerce Payments and Risk Conference will be held at the Wynn Las Vegas Resort on March 10-12, 2009. The 7th Annual e-Commerce Payments and Risk Conference unites the world's top Internet merchants, credit card companies, risk management providers, law enforcement agencies and various consultants and educators in discussing how to make shopping on the internet easier, safer and more profitable for all involved.
Conference Sponsors include:

* Chase Paymentech: Primary sponsor of the 2009 General Conference
* Accertify: Co-sponsor of the MRC Platinum Meeting and Platinum Party
* iovation: Co-sponsor of the MRC Platinum Meeting and Platinum Party
* Clear Commerce/Certegy: Sponsor of the Opening Night Welcome Reception
* Ethoca: Sponsor of Speaker Tom Ridge
* Experian: Sponsor of Speaker Terry Jones
* Discover: Sponsor of Closing Speaker Chris Hansen and the Closing Conference Reception

For registration or exhibition information at this conference, please visit the MRC’s website at www.merchantriskcouncil.org.

About the Merchant Risk Council
The Merchant Risk Council (MRC) is a merchant-led trade association focused on electronic commerce risk and payments globally. The MRC leads industry networking, education and advocacy programs to make electronic commerce more efficient, safe and profitable.

Today, with the power of our member-base, the MRC is the leading trade association for managing payments, preventing online fraud and promoting secure e-Commerce. The MRC is dedicated to working with e-Commerce and multi-channel merchants, credit card issuers, credit card companies, alternative payment providers, risk management experts, and law enforcement to make the Internet a safer and more profitable place to do business.


The MRC Board of Directors and Advisors includes: Expedia, Inc., Adobe Systems, Inc., Neiman Marcus Direct, 41st Parameter, Apple, BestBuy.com, Bill Me Later, Blizzard Entertainment, Chase Paymentech, CyberSource Corporation, Dell, Inc., Discover Network, Gap, Inc. Direct, iovation, Microsoft, Trustwave, and Visa, Inc.

The MRC is headquartered in Seattle, Washington.

About Ethoca
Ethoca is making e-commerce safer and more profitable through technology that enables and empowers the Global Fraud-Fighting Community - a partnership of e-commerce businesses, law enforcement organizations, fraud solution vendors, credit issuers and payment processors.

By providing a global platform for cross-industry collaboration, Ethoca enables businesses that operate in customer-not-present environments (Internet, phone, fax or mail) to make more informed decisions about their customer transactions, by pooling transaction experience data from the community in a way that is secure, automated, effective and ethical. Community members see reduced fraud, lower fraud-related costs, increased revenue from fewer wrongly rejected orders and improved customer satisfaction rates.

Source: Company Press Release

Data Isn't but V/MC's Protected

In my last post, I ended by saying that Heartland's only chance for survival is getting the dynamic duopoly, a.k.a. V/MC, to cover the costs incurred by the banks having to replace consumer cards. I thought they had a decent argument, given the fact that they were PCI compliant.

Well, I just got done reading an article  which contained a statement from Visa regarding PCI assessments...it seems to thwart any legal argument Heartland may have.  

You see, apparently the data might not be protected, but V/MC has certainly made sure that they are.

Information Week's Andrew Conry-Murray, in an article titled, "PCI is Meaningless, But We Still Need It", points out:

Assessments "do not guarantee that those security controls remain in place after the review is complete."  In other words, a company is only compliant with PCI's security standards during the time of review. Once the assessors leave the building, all bets are off.


He goes on to say: "I believe PCI was constructed this way for two reasons.

First, it absolves the assessors and the card brands of any liability should a compliant company get breached.  The issue of liability is critical, because breaches attract lawsuits the way roadkill attracts crows."


Yes, and it looks like Heartland gets to play the part of roadkill...the banks/V/MC get to pick their part, scratch that, pick-a-part, in their role as a "murder of crows."

Heartland's tough battle just got tougher...and the prognosis isn't good.  Lizbith...dis is da big one!







Questions About PCI Effectiveness - Network World

I saw an interesting article in Network World, which basically questions PCI's effectiveness in the wake of the RBS and Heartland breaches. In a post I wrote earlier this week, "In God We Trust, Visa/MC is Another Issue(r)," I wrote:

"The "Mother of All Hacks" will never be Heartland Payment Systems. It will be the electronic payment system at its very core. Whether it's Visa, MasterCard or NACHA, if any of these systems are breached, it's the end of e-payments as we know it. Do they know it?"


I'm aware of someone else who knows it...In this article, Avivah Litan points out some very interesting facts, some of which I've included below. To read the entire article, click the Network World link below:

Heartland breach raises questions about PCI standard's effectiveness - Network World

It's not yet known if Heartland Payment Systems' newly disclosed data breach will count as the largest card heist ever. But some analysts say what is clear is that the Payment Card Industry data security standard that Visa and MasterCard require isn't sufficient to ensure cardholder data is safeguarded.

"Billions is being spent on PCI compliance, but it isn't really working," says Gartner analyst Avivah Litan.  "PCI's dirty little secret is that it doesn't mandate encryption inside a private network because then all the processors would have to encrypt."

Encryption of data would make it much harder for attackers to benefit from the kind of network break-in that Heartland suffered, in which cyber-criminals tapped into a monthly stream of 100 million debit and credit cards for several months using malware installed on processing computers.

"The processors are definitely being targeted," Litan says, noting that once a breach occurs, it can have a terrible impact on business. CardSystems, which suffered a data breach in 2005, was basically put out of business as a result of it.

Editor's Note: Speaking of impact, will Heartland ever recover from this nightmare? There's definitely a black cloud hanging over it. Yesterday their stock went into a free fall, ending 42% lower than it started out. I expect a significant merchant attrition impact, so even if they do come out of it, it won't be as the nation's 6th largest acquirer. At the end of the day, I believe what determines Heartland's survival is whether they (or their lawyers) can get Visa/MC to cover the banks' cost of replacing all the debit/credit cards.

You might think that the fact that they were PCI certified, and that the data was encrypted when it left the building but unencrypted at the V/MC level, would provide fodder for a good argument. I have the sneaky feeling that the "dynamic duopoly" will hold that Heartland is liable. It's going to get messier before it gets prettier, no doubt.






Thursday, January 22, 2009

Inauguration Day Fraud

Heartland's Bad Ticker took a blow today as their stock dropped $5.93 to close at  $8.18. 

That's a devastating 42% decline! 


Can't say I didn't see it coming. Just didn't think it would happen this quickly.  Maybe their attempt to sway exposure by announcing the hack on inauguration day backfired on them...big time. 
Here's a screen shot of the final day's numbers.  (still dropping in after-hours trading)  Click the graphic to enlarge.

In another development, one of our readers, the founder of  a site called InsideIDTheft.info, (it looks like a great site, take a peek!)  forwarded me a video his site put together, which criticizes Heartland, for releasing news of the breach on inauguration day.

As I mentioned in Tuesday's afternoon post, entitled "Largest Breach Ever? Deception Involved?", some people questioned the inauguration day release of Heartland's breach, a simple 1 page news release. One even stated: "that seems very deceptive."

Apparently it seemed rather deceptive to the folks at InsideIDTheft as well. Here's their video, which puts a rather daunting perspective on the timing of the news release: 

Enjoy, and thanks Keith for sharing!











Heartland's Bad Ticker

We're going to follow Heartland's "Bad Ticker" from now until Valentine's Day. Yesterday there were some murmurs, today started with some palpitations, and last time I looked, there was some severe chest pain. So there's definitely been a Heartland Attack.

As Sanford used to say, "Lizbith...it's the big one..."   Rush them to the ER cause the last time I looked their stock was down $2.98 or 21.12%.

Update:  3.33 pm ET.   Well it doesn't look like they're gonna make it.  Stock is down $5.32 or almost 40%!  

To make it easy to follow, I've placed Heartland's Bad Ticker, complete with bad news,  just below the search button on the right.



The Bad Guys Are Very Good - Heartland President

Yes, that's what he said.  I know what he meant, but nonetheless, it's the kind of line that both Norm Crosby and Yogi Berra would be proud of.

According to Newsday.com, Heartland has closed the security hole that ultimately may lead to their own extinction...especially considering how bad their ticker looks today.

I've posted comments throughout.

"Heartland says it has closed the security hole that allowed criminals to infiltrate their systems, but the matter is far from settled.

The company will likely have to pay big penalties to banks to reimburse the cost of issuing new cards, and analysts say the intrusion could even threaten the company's survival if the big card brands decide to cut off Heartland from connecting to their networks.

One big payment processor, CardSystems Solutions, went under after a 2005 data breach in which 40 million credit card accounts were compromised and the big card brands stopped doing business with CardSystems. Representatives for Visa Inc. and MasterCard Inc. declined to comment" 

(Editor's Note: If Heartland was PCI certified, I highly doubt they'll be "cut off" by Visa/MC; however, that's not to say that they won't lose a significant portion of their 250,000 member base, especially considering that these merchants may be subjected to very expensive fraud-related remedies. The merchants will look to Heartland when the bills come. I was surprised Heartland is not offering free credit report monitoring, so I won't be when they tell merchants to "deal with it." Sounds like the clock is running for Heartland...also sounds like they've got a bad ticker...)

Speaking of tickers...I see that HPS is down almost 20% today.  (see live chart at end of this post)

Yesterday, I said in a post: "As people start to realize the magnitude of the breach, and therefore the losses associated with them, I expect HPS stock to get "massacred" by...ironically, "Valentine's Day." Maybe that "Valentine's Day Massacre" might come earlier than I thought...

Getting back to the newsday.com story, "the industry's security requirements call for payment processors to have separate networks — one for the financial transactions, and another for their general corporate tasks. Heartland wouldn't say how the malware got into the network that processes financial transactions or when it was planted there." (Why would that be?)

"If you're actually able to compromise that protected network, you're in, man — you have the keys to the kingdom," said Mike Rothman, senior vice president of strategy for security software vendor eIQnetworks Inc. "I presume they were able to sniff a large part of the payment traffic at the time the network was compromised."

Robert Baldwin, Heartland's president and chief financial officer, said the thieves accessed a part of Heartland's network that handles transactions for 175,000 of the 250,000 merchants the company works with. He said the program slipped past Heartland's antivirus software and was able to read data in unencrypted form as it was passed from Heartland to the card brands. Baldwin said Heartland uses heavy encryption, which means its data is cloaked in special computer coding so unauthorized computers can't read it, but added that the data has to be sent in unencrypted form to the card brands, which is where the criminals were able to spot it. (Editor's Note: and therein lies the problem.)

"Baldwin emphasized that no PIN codes were believed stolen. Baldwin added that the company passed an industry-mandated security inspection in April."  (about which much will be written in coming days/weeks/months)

"Unfortunately the bad guys are very, very good," he said. "The malware we encountered did not, and does not, get very well captured by antivirus software, (ya-think?) so it's a challenge we're going to have to keep working as an industry to combat."
 

Continue Reading at Newsday.com

SUBASE Command Members Cloned

According to the SUBASE website, "The U.S. Navy's submarine force has the world's most capable submarines, manned by the world's best trained and motivated submariners. During a political or military confrontation, any potential adversary must assume that United States Navy submarines "are present" and consider the consequences."

However, according to the story below, there's a different kind of adversary out there, and they count on them being "not present."

You think some people were up in arms when Dolly was cloned...when they catch these guys, I don't think they'll be sending them up river...they are going "down."


The Dolphin - Credit card cloning on the rise

GROTON, Conn. - Over the last few months, SUBASE command members have reported unauthorized credit card purchases on their personal credit card accounts occurring at retail stores and service stations throughout the country.

None of the naval members were "physically present" in these states and all were in possession of their personal credit cards. Based on this information, it appears that the naval members had their credit cards skimmed and subsequently cloned. Although cloning of credit cards is not considered new, over the last several years this type of fraud has become increasingly common, with numerous incidents being reported.

Cloning is accomplished by unscrupulous individuals using a cell phone-sized device known as a "skimmer," through which they swipe the credit card (or enter leaked credit card information), capturing the data on the magnetic strip of the card. The criminal can use this information to transfer the data and create a "new" credit card or reactivate an expired old credit card. The skimming device, costing less than $300, can hold numerous credit card/debit card numbers, allowing a thief to later make a duplicate version of the credit or debit card.

Continue Reading at the Dolphin


Canadian Payments Forecast

Technology Strategies International has released a report titled "Canadian Payments Forecast - 2009" forecasting that the Canadian debit and credit card market will be hit by the decline in personal expenditure on consumer goods and services as a result of the economic downturn, but over the long term both forms of payment will command a greater share of all consumer expenditure.

According to the report, "credit card payments will account for 38% of personal consumer expenditure by 2013, approximately double the share predicted for debit card payments."

“By 2013 we expect there to be about 130 million payment cards in circulation in Canada, with card based payments being accepted at about 720,000 merchants”, notes Christie Christelis, President of Technology Strategies International.

“There are a number of high growth segments in the Canadian payments market, the ones with the most promise being mobile contactless payments, cross-border debit and alternative methods for paying online,” he says.

Key findings of the study are:
  • The recession in Canada will result in lower growth for debit and credit card payments as consumers cut back on their expenditure
  • Credit card payments will be hit the hardest by the recession
  • Contactless payments will be the highest growth segment over the next five years, exhibiting phenomenal growth and encroaching on the areas currently dominated by cash and debit cards
  • Card issuers will use the EMV implementation card reissue cycle to issue cards with contactless payment functionality
  • Cross border payments will grow by 70% per year over the next five years
  • Alternative payment mechanisms for online payments (i.e. non-credit card payments) will account for one third of all online payments made by Canadians by 2013
  • Cash will remain the most frequently used form of payment in Canada

The 110 page report provides a comprehensive review, analysis and forecast of consumer payments in Canada. It identifies high growth segments in the Canadian payments market in the context of some important recent developments in the economy and the industry, including duality in the credit card market, the emerging battleground around merchant discount rates and Interac’s application to the Competition Bureau to convert to a for-profit organization. Detailed forecasts are presented for credit card payments, debit card payments, cash payments, cheque payments, contactless payments, cross-border payments, online payments, ABM installations and POS terminals.

Source: Company press release


Follow PIN Debit Payments Blog on Twitter

I still don't understand the Twitter thing, but what the heck, maybe you can "tweet" me and explain its attraction. In the meantime, for those who partake, here's the new HomeATM PIN Debit Blog "Twit Cam."

I've also included it in the sidebar...didn't get prime time...down about 7 gadgets...



PIN Debit Payments Blog


Wednesday, January 21, 2009

In God We Trust...Visa/MC is Another Issue(r)

We're Not in Kansas Anymore...the Heartland has been breached and the ROI on PCI may be sucked up by the tornado that is hackers...

In fairness to Heartland Payment Systems, I want to add this addendum to my previous post. Unlike CardSystems, which PBT bought after their 40 million card breach, Heartland was PCI certified.

Then again, so was Hannaford at the retail level. So what does this mean? Since hackers have shifted their attention from retailers to, at least in this case, acquirers, where does it end? It doesn't end here, that's for sure.

I'll tell you where it ends...it "ends at the beginning", and the "beginning of the end" of a transaction is at the Visa/MC network level.

Therefore, Visa/MC and their PCI, which has cost retailers and processors over $2 billion to implement...need to take some of the blame. Heartland played by "their rules." The hackers were the ones that breached them. So who's really to blame? Sure, the hackers would be the first answer, but second to none is Visa/MC.

After all, if you need to "unencrypt" encrypted information, which is where the HPS breach occurred, and it took 4+ months for Visa/MC to determine suspicious activity, then maybe the hackers have gotten to the Point of No Return.
 
The "Mother of All Hacks" will never be Heartland Payment Systems. It will be the electronic payments system at its very core. Whether it's Visa, MasterCard or NACHA, if any of these systems are breached, it's the end of e-payments as we know it. Do they know it?

With TJ Maxx, it was the retailer's fault (storage); with CardSystems, it was non-PCI compliance (also storage anomalies). But with Heartland, where does the fault lie? Can it be a PCI certified acquirer's fault? They complied...yet they are going to take the fall. I say that unless new information comes forward...they shouldn't.

So the way I see it, PCI, not Heartland, has been breached. And not for the first time.

Hackers may very well have gotten to the very "core" of payment transaction platforms...the point where encrypted info needs to be "unencrypted" in order to complete authorization. I'm no security expert, but what good is encryption if it needs to be "unencrypted"...at ANY point in the process?

Does V/MC think their systems are beyond attack? If I were a hacker and I knew the weak point was where unencryption occurs, then it "occurs" to me that that point should be the most vulnerable point of attack.

What if, as I stated in a previous post, the bad guys (darkhats) really know more than the good guys (the whitehats)? Then, is all the money spent to protect data at the "point of sale" morphing into a "point of no return" on the investment? If so, what's the point?

In God we Trust...but what about Visa/MC?

Want to "charge" something? Then use Visa/MasterCard. For secure payments, I'll continue to put my faith in the Debit/ATM networks. Heartland admitted that, although all the information on the magnetic stripe was hacked, no PINs were. That seems to be something the hackers can't quite PIN down.

PIN Debit Payments Blog

More on the Heartland Breach...a lot more...

Clarification: In a Monday post, "Hackers Affect Debit and ATM Networks," I alluded to the fact that 8500 debit cards were disabled by Forcht Bank because they were compromised. "The cards were compromised when a retail merchant's computer system was hacked, Forcht's COO Eddie Woodruff said. The breach affected customers of multiple banks and multiple debit and ATM networks." Woodruff went on to say: "Our debit card processor, which is a company called STAR, they had a retail customer, we're not exactly sure who the retail customer was, and the information we believe may have been compromised," he said. Well, this is not entirely true.

In fairness, I also reported that First Data Corporation, which operates the STAR Debit and ATM Network, would not comment on how many other banks were affected, but did release in a statement Monday that "the debit card issue we were alerted to could affect not only STAR but also other debit networks." They also said: "this situation is not related to any First Data processing systems or practices."

It now seems that the "hackers affecting the debit and ATM networks" story was related to the Heartland Payment Systems (HPS) breach.


I would look for the Heartland breach to get bigger. From everything I've gathered, it looks to me like the malicious software went undetected for about 6 months.

Right now, the conjecture is that 100 million cards have been breached, making it the largest breach ever, blowing away TJ Maxx (45 million, later bumped to 92 million in court papers) and CardSystems (40 million).

But 100 million is HPS' "monthly" volume. As I said, this went undetected for months. So, as did the numbers for TJX, expect that "100 million" number to rise. Heartland had 600 million cards go through from May through "late fall" when they discovered the breach. So the final numbers will come in between 100 and 600 million.

That's scary enough, but what's really scary here is that Heartland got breached as they unencrypted the information to get authorization from Visa, MasterCard, American Express and Discover. In other words, encrypted information needs to be unencrypted in order to complete the transaction. Heartland's COO, Robert Baldwin, stated: "We have industry-leading encryption, but the data has to be unencrypted to request the information, the sniffer was able to grab that authorization data at that point."
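What a skimmer (the SUBASE story above) and a sniffer at the authorization hop (the Heartland quote above) both collect is magnetic-stripe Track 2 data and unmasked card numbers. As an added example that is not part of this post or of any of the companies named, here is the defender-side check a log reviewer or DLP rule would run to find that data sitting in logs or captured traffic; the log lines and card numbers are constructed (well-known test numbers, not real accounts), and the output masks PANs to first six/last four.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Track 2 per ISO 7813: ';' PAN '=' YYMM service-code discretionary '?'
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")
# Any bare 13-19 digit run; Luhn filters out batch ids and timestamps.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")

@dataclass
class Finding:
    line_no: int
    kind: str                 # "track2" (full stripe) or "pan" (number only)
    masked_pan: str
    expiry: Optional[str] = None
    service_code: Optional[str] = None   # first digit 2 or 6 = chip-capable card

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check every card PAN must pass."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:               # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_line(line_no: int, line: str) -> List[Finding]:
    found = []
    for m in TRACK2_RE.finditer(line):
        pan, yy, mm, svc = m.group(1), m.group(2), m.group(3), m.group(4)
        if luhn_ok(pan):
            found.append(Finding(line_no, "track2", mask_pan(pan), f"20{yy}-{mm}", svc))
    remainder = TRACK2_RE.sub("", line)   # do not count a stripe's PAN twice
    for m in PAN_RE.finditer(remainder):
        if luhn_ok(m.group(1)):
            found.append(Finding(line_no, "pan", mask_pan(m.group(1))))
    return found

def scan(lines: List[str]) -> List[Finding]:
    return [f for n, line in enumerate(lines, 1) for f in scan_line(n, line)]

# Constructed sample: one full stripe, one properly masked PAN, one batch id, one bare PAN.
SAMPLE_LINES = [
    "2009-01-20 10:31:02 auth req merchant=12345 ;4111111111111111=1012101000000000?",
    "2009-01-20 10:31:03 auth resp approved pan=411111******1111",
    "2009-01-20 10:31:04 batch id=1234567890123 settled",
    "2009-01-20 10:31:05 auth req pan=5555555555554444 exp=1012",
]
```

Lines 1 and 4 are flagged (full Track 2 with expiry 2010-12 and service code 101, then a bare PAN); the masked line and the Luhn-invalid batch id are not.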

So if that's the point that the sniffer was capable of sniffing, then this is nothing to sneeze at. Hackers have taken another "giant step" for hack-kind... This very well may go down in the payments industry as "The Mother of All Hacks." Heartland is sure to take a huge financial hit.

I'm shocked that their stock was only down 7 cents today. I really thought their "inauguration day" "non"-announcement would rub people the wrong way and it would be way down. As people start to realize the magnitude of the breach, and therefore the losses associated with it, I expect HPS stock to get "massacred" by...ironically, "Valentine's Day."

And no...no...no...I'm not "heartless," just cynical...we (Pay By Touch) bought CardSystems after their humongous 40 million card breach, and the aftermath, including, but not limited to, expenses revolving around losing customers, losing ISOs, and dealing with the FTC, Visa, MasterCard and Discover, bled us dry. Don't believe me? Ask anyone there. Acquiring CardSystems after the breach was a huge mistake. Dealing with the breach was expensive and time consuming. (Click here for FTC reports related to CardSystems)

Don't believe me...how about Avivah Litan?

Avivah Litan, a data security analyst, said that the Heartland breach could result in hundreds of millions in losses and other expenses. “If you add it all up, including legal costs, it could be as much as half a billion dollars in losses — or twice as big as TJX,” she said.

Heartland has a tough road ahead of them...wonder how many shares of HPS stock Bob Carr sold, if any, after May 1st and prior to yesterday... 

PIN Debit Payments Blog

Safest Way to Pay Online...

In the wake of yesterday's announcement by Heartland, what some are calling the biggest card breach ever, I thought I'd bring you this. 

A new website launched yesterday, www.JustAskGemalto.com, is a place where people can go for expert advice on topics such as Internet security, online payment, password management, credit card fraud, cell phone usage, identity theft and more. Until now, no one site has gathered all these different topics in one place. As the use of our digital information spreads, we as individuals have a role in safeguarding it more than ever.

The site answers questions such as:

What’s the safest way to pay online? http://www.justaskgemalto.com/en/buying/tips/what-safest-way-pay-online 

Editor's Note: I'm going to share their answer right now, because it is exactly what we've been saying about our HomeATM SwipePIN device. This, from JustAskGemalto.com:

What is the safest way to pay online?
    "The safest way to pay online is with some sort of personal digital security device to prove it is really you making the purchase and that the site you are purchasing from is authentic." (Editor's Note: Touché!)


    "This could be a smart bankcard you put into a small USB reader when you pay online." (Editor's Note: Or it could be your own personal SwipePIN device, such as the SLIDER manufactured by HomeATM...)


    "This makes online payment much more secure, similar to when you make an ATM withdrawal, because it requires both a card and a PIN code."

    Bankers call this “two-factor” authentication. One factor is something you know, the PIN, and the second factor is something you have, the card or token.

    However, smart bankcards, like those used in Canada, Latin America, Europe and Japan, are not available in the United States. (Editor's Note: No, they're not, so if you want two-factor authentication here in the U.S., you'll want to utilize HomeATM's SwipePIN device. Swipe your card (something you have) and enter your PIN (something you know).)

    One example is how a leading U.K. bank, Barclays, used smart bankcards to stop online fraud. (Editor's Note: Yes, they used their PINSentry device, and according to Barclays, demand for the device was higher than expected, it cut fraud, and it is now asked for by name by new online users, thus generating online sales growth.) I would say it's safe to assume the same results for our SLIDER...thanks for the pilot, Barclays!


    Other questions currently addressed at the site include:
    • What is a hotspot and is it safe to use my laptop at the airport?
    • How does music and video file sharing work?
    • I hear about 3G networks in iPhone ads, what is that?
    • If I have a secure connection to a Web site, does that mean I can trust the site?
    • Do U.S. electronic passports use RFID? http://www.justaskgemalto.com/en/tips/do-us-epassports-use-rfid-technology
    • Can my neighbor steal data from my Wi-Fi network?
    • How do I get an emergency replacement passport if I am traveling?
    • I want to get a phone that works outside the U.S., what should I look for?
    • Five things you should do when traveling abroad
    The website also presents informative articles and short videos. www.JustAskGemalto.com is part of a broader business and consumer education initiative undertaken by $2 billion digital security leader Gemalto, to help guide informed choices and practices.
