Wednesday, May 13, 2009

Zeus Tracker Flips the Kill Switch on 100,000 PCs

ZeusTracker and the Nuclear Option

Computer viruses seem to be getting more destructive, in part because criminals are trying to make it harder for people to spot account takeovers

Brian Krebs, who blogs for the Washington Post in his "Security Fix" column, writes about ZeusTracker and a Zeus botnet whose operators recently flicked the "kill switch" on 100,000 PCs.  Here's an excerpt from his article:

"One of the scarier realities about malicious software is that these programs leave ultimate control over victim machines in the hands of the attacker, who could simply decide to order all of the infected machines to self-destruct.

Most security experts will tell you that while this so-called "nuclear option" is an available feature in some malware, it is hardly ever used. Disabling infected systems is counterproductive for attackers, who generally focus on hoovering as much personal and financial data as they can from the PCs they control.

But try telling that to Roman Hüssy, a 21-year-old Swiss information technology expert, who last month witnessed a collection of more than 100,000 hacked Microsoft Windows systems tearing themselves apart at the command of their cyber criminal overlords.

Hüssy oversees Zeustracker, a Web site listing Internet servers that use Zeus, a kit sold for about $700 on shadowy cyber criminal forums to harvest data from computers infected with a password stealing Trojan horse program. One of Zeus's distinguishing features is a tool that helps each installation on a victim PC look radically different from the next as a means to evade detection by anti-virus tools.

According to Hüssy, among Zeus's many features is the "kos" option, which stands for "kill operating system." The help file distributed with Zeus kits includes the following Google-translated explanation of this feature:

kos - incapacitate OS, namely grip branches HKEY_CURRENT_USER registry and / or HKEY_LOCAL_MACHINE. If you have sufficient privileges - fly to "blue screen", in other cases creates the brakes. Following these steps, loading OS will not be possible!

In early April, Hüssy began tracking a Zeus control server used to receive data stolen from a botnet of more than 100,000 infected systems, mostly located in Poland and Spain. While investigating this newfound Zeus control server, he noticed something unusual: the "kill operating system" had just been issued to all 100,000 infected systems.

Hüssy said he has no idea why the botnet was destroyed.

"Maybe the botnet was hijacked by another crime group," he offered in an online chat with Security Fix. Then again, maybe the individuals in control over that ill-fated botnet simply didn't understand what they were doing. "Many cyber criminals...using the Zeus crimeware kit aren't very skilled," Hüssy said.

Researchers at the S21sec blog have their own theory: that maybe attackers wield the nuclear option to buy themselves more time to use the stolen data.

"The point more probably for a phisher is to earn time," writes S21's Jozef Gegeny. "Taking the victim away from Internet connection - before the unwanted money transfer is realized and further actions could be taken."

As one might imagine, bad guys who control these Zeus crimeware servers aren't always too happy about having their networks called out. Since my interview with Hüssy on Wednesday, his site has come under a fairly massive distributed denial of service (DDoS) attack, no doubt from systems under the control of Zeus botmasters."

Continue Reading at Brian Krebs Security Fix on the Washington Post

Security Risks Inherent with Online Shopping

Listed below are just a "few" of the risks when you shop online without HomeATM's PCI 2.0 Certified PED

Shopping online without a HomeATM PCI 2.0 Certified SafeTPIN leaves you vulnerable to cyberthieves. There are many ways in which hackers can steal your sensitive information without you knowing it. Here is a list of some of the potential threats you face when shopping online without our SafeTPIN:

Privacy-invasive software
– This is software that monitors your computer with the intent of stealing sensitive information and is often of a commercial nature.

Spyware
– Software that could be on your computer without you knowing it. Not only can spyware monitor what you are doing (including watching you type in your credit card number), but it can actually change how you interact with your computer.

Crimeware
– Software designed specifically for the purposes of identity theft so the attacker can access your online banking or online shopping accounts.

Man-in-the-middle attack (MITM)
– An attacker sits between your computer and the computer you are trying to communicate with (the shopping site), intercepting, and even changing, the information.

Trojan
– You install software that apparently performs a useful function, but it actually has a hidden agenda. Once inside, the attacker can watch your screen, save their files to your computer and even control your computer.

Keystroke logging
– A method of recording your keystrokes. This is a very common way to monitor what is typed on your keyboard, and such tools often also monitor mouse operations and obtain screenshots.

Phishing
– You get an official-looking email from a trustworthy source (like a bank or PayPal) asking for information of some kind (usually passwords, SIN numbers, credit card numbers etc.). Of course, the email is actually from a fraudster posing as someone legitimate.

Memory sniffing
– A program that effectively “sniffs” out your memory, revealing passwords, credit card data and other such information.

Exploits
– Software or a sequence of commands that take advantage of a bug or vulnerability on your computer to take over your computer.

Outbreak of Bank Related Data Theft Trojans

Banking / Finance News
Source: ScanSafe
Complete item: http://www.scansafe.com/__data/assets/pdf_file/12368/1Q09_GTR.pdf

Description:
An outbreak of bank-related data theft trojans was observed during the first quarter of 2009. These outbreaks were traced to the Zeus botnet, which was implicated in a $6 million commercial account heist on 20 European banks in the summer of 2008.

In March 2009, the Zeus botnet began employing an exploit toolkit known as Luckysploit, which uses an asymmetric key algorithm (standard RSA public/private key cryptography) to encrypt the communication session with the browser. The exact origin of the Luckysploit toolkit is unknown, although the Zeus botnet is believed to be controlled by Russian cybercriminals.

E-Secure-IT
https://www.e-secure-it.com

Skimmers Steal $.5 Million from NYC ATM Users


Banking/Finance - ATM / POS
Source: FOXNews
Complete item: http://www.foxnews.com/story/0,2933,519845,00.html

Description:
A sophisticated band of thieves managed to steal personal information and more than half a million dollars from hundreds of New York City bank customers by rigging ATMs in what police say is further evidence of the continued assault on personal data by identity thieves.

Police said the identity thieves installed devices on ATM machines at Sovereign Bank branches in Staten Island that enabled them to collect account and PIN numbers, the New York Daily News reported Monday.

First they placed skimmers on the slots where customers inserted their bank card that could read and store the information. Then a tiny camera was hidden in the lighted sign on the ATM that filmed customers typing in PIN codes, the Daily News reported.

"This crew is sophisticated," Deputy Inspector Gregory Antonsen, head of the NYPD's special investigations division, told the Daily News. "And they are coming up with new ways to steal your identity every day."

The ATM-riggers managed to steal more than $500,000 from more than 250 victims. They also created fake ATM cards with the same magnetic codes as the victims and used the cards at different banks, police said.


ANZ CEO Uses Twitter to Announce Resignation

I heard (or read, I don't remember which) that it's commonplace to send a text message to one's boyfriend or girlfriend telling them it's time to move on...apparently Twitter is today's new vehicle used to tell people when it's time to move on to another job.

Last week, Brian Hartzer, CEO of ANZ's Australian operations announced his resignation on Twitter.  Hartzer said: "Folks, this is my last tweet as I've resigned to pursue an overseas opportunity. Thanks for your continued support for ANZ. All the best."

According to Finextra,

"The smart money says Hartzer is joining RBS as its retail operations chief, taking over from Gordon Pell.  It's a key position that would put him in the running as a potential heir apparent to current CEO Stephen Hester. 

"Will Hartzer's appointment usher in a new era of Twitter-inspired transparency at RBS?

Let's hope so. After the Fred Goodwin saga, RBS needs all the goodwill it can get."

Tuesday, May 12, 2009

FinovateStartup09 Crowd Chooses HomeATM to Demo

HomeATM was one of the companies that participated in FinovateStartup09 on April 28th.

We arrived just a bit concerned on account of how Acculynk, our semi-competitor (they don't do TRUE PIN Debit), was preselected as a demo company whereas we had not been one of the pre-selected companies to perform a live 7 minute demo.

However, we were aware of the fact that after the lunch break, attendees would be enabled to vote for 3 companies whom they wanted to see perform a live demo.  So at least the potential opportunity to do so was available to us.

Meanwhile, our booth downstairs in the exhibitor hall was lined with our PCI 2.0 personal swiping devices, including one attached to the USB port on a laptop in order to perform live demos for interested parties who dropped by our booth during the 90 minute lunch break.

It was a busy 90 minutes to say the least.  We performed live (in real-time) person to person money transfer demos for several interested parties including, but certainly not limited to: Amazon Payments, Wells Fargo and several very interested key representatives from PayPal.

You see, what makes our offering unique is that we eliminate third party products.  We move money from any bank card to any bank card.  There's no need for a PayPal debit card or an Amazon reloadable card.  We use the bank-issued card along with the bank-issued PIN to transfer money to and from ANY US bankcard.  As a reviewer states below, it's pretty slick.

Anyway, the lunch break, which provided time for attendees to visit booths and find out more information about participating companies, ended and it was time for them to select the companies they wanted to see demo.

The votes were tabulated and first up to perform a live demo was...HomeATM.  Our COO Mitch Cobrin thanked the attendees for choosing HomeATM and we performed our 7 minute (allotted-time) demo in 6:59.

Fincision live blogged the event.  I've included two posts on his reaction to the demos, one on Acculynk and one on HomeATM below.  To see his entire post on FinovateStartup09, click the following link:
http://fincision.com/2009/04/live-from-finovate-startup-2009/


10:31 PM mikelinskey - Acculynk are up next; hope they’re a bit clearer than the last presenter! Here’s another debit card play. Acculynk demo is a bit cumbersome. Very slow & painful. Still have no idea what this is all about. Aaaah, here it comes. Ajax window appears over the shopping cart and a pin pad appears. Entering a pin, and the pin pad re-scrambles after each digit is input. “That’s it”. Uh? I just don’t get this. What is the point? How is this any better than ‘Verified by VISA’?

11:38 PM mikelinskey - HomeATM are on. This is all about real time money transfer. A small company with a big technology, they have a secured patent for their PIN-related technology. It involves swiping your debit card in a USB-connected hardware device on which you also enter your PIN. This looks very slick. They haven’t mentioned their business model. Interesting, though.

LBS Used to Cut Down on Credit Card Fraud

Mobile phone technology developed to cut down credit card fraud - SC Magazine UK
Mobile phone technology that can locate a person and determine if a credit card transaction is fraudulent has been developed by Ericsson IPX.

Following incidents where members of the IPX team had been victims of credit card fraud and had their cards blocked due to ‘unusual activity’, IPX has developed the technology that can determine where a user is geographically in around two seconds.

Donya Ekstrand, head of marketing for IPX, claimed that she was called by her credit card provider and told that her card had been used in Tokyo while she was in Stockholm, and the card continued to be used for 30-35 minutes even after the activity was detected, with the criminal spending around €3,200.

Ekstrand said: “I started to think how can this happen? This is a global solution, we can reach any credit card owner in the world and we can reach about 96 per cent of the world's mobiles. It takes two seconds to check where a mobile is – it is an easy query.”

Peter Garside, IPX UK and Ireland director, claimed that the technology allows the location of which country the users' mobile phone is in, and guess the probability of where the person is.

Garside said: “Generally everyone who has a credit card has a mobile phone, so it is easy to marry the two to a bank to say that the subscriber is ‘here’. The technology in the phone is available on a raw level; it is an application that we are exploiting.”

Ekstrand further claimed that there is the potential for an SMS message to be sent to the user once a suspicious action has been made, and it would be more popular with customers as an SMS is a lot less intrusive than a call.

“We have talked to banks on how to use SMS, this is the first time it has been used globally and we need to make sure that it works with the infrastructure”, said Ekstrand.
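The IPX idea above is simple to state: at authorisation time, ask the mobile network which country the cardholder's handset is in and compare that with the merchant's country, then alert the cardholder by SMS rather than by a call. As an added example (not Ericsson IPX's code, nor from the SC Magazine article), here is a Python sketch of such a rule, including the two cases an issuer has to handle that the article only hints at: a handset that cannot be reached (the article's 96 per cent coverage means some lookups fail) and a location fix that is too old to trust. All names, thresholds and the constructed sample transactions are assumptions made for illustration.

```python
# Added example (not from the SC Magazine article or Ericsson IPX): a card-authorisation
# rule that cross-checks the merchant's country against the country in which the
# cardholder's handset was last seen. Names, thresholds and data are assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class CardTransaction:
    card_id: str
    merchant_country: str   # ISO 3166-1 alpha-2 code of the merchant or ATM
    amount_eur: float
    at: datetime            # authorisation time, UTC


@dataclass
class HandsetLocation:
    country: Optional[str]  # country of the mobile network serving the handset
    observed_at: datetime   # when the network last saw the handset
    reachable: bool         # False when the lookup timed out or the phone is off


# A location fix older than this is treated as unknown rather than trusted (assumed).
MAX_LOCATION_AGE = timedelta(minutes=15)


def location_risk(txn: CardTransaction, loc: HandsetLocation) -> tuple:
    """Return (risk score in [0, 1], human-readable reason) for one transaction."""
    if not loc.reachable or loc.country is None:
        # Some handsets cannot be reached at all; silence is not evidence of fraud.
        return 0.3, "handset unreachable; location unknown"
    age = txn.at - loc.observed_at
    if age < timedelta(0) or age > MAX_LOCATION_AGE:
        # Stale or clock-skewed fixes are not evidence either way.
        return 0.4, f"handset location is {int(abs(age.total_seconds()) // 60)} min old"
    if loc.country == txn.merchant_country:
        return 0.0, f"handset and merchant both in {loc.country}"
    # Country mismatch (the article's Stockholm/Tokyo case); larger amounts score higher.
    score = 0.95 if txn.amount_eur >= 500 else 0.8
    return score, f"card used in {txn.merchant_country} while handset is in {loc.country}"


def decide(txn: CardTransaction, loc: HandsetLocation) -> dict:
    """Map the risk score to an action and, unless approved, an SMS to the cardholder."""
    score, reason = location_risk(txn, loc)
    if score >= 0.8:
        action = "decline"
    elif score >= 0.3:
        action = "review"
    else:
        action = "approve"
    sms = None
    if action != "approve":
        sms = (f"Card ending {txn.card_id[-4:]}: EUR {txn.amount_eur:.2f} in "
               f"{txn.merchant_country} at {txn.at:%H:%M} UTC. Reply YES if this was you.")
    return {"action": action, "score": score, "reason": reason, "sms": sms}


# Constructed sample data replaying the article's scenario: a card charged in Tokyo
# while the cardholder's handset is in Stockholm. Card numbers are made up.
NOW = datetime(2009, 5, 12, 9, 0, tzinfo=timezone.utc)
SAMPLE_TXNS = [
    CardTransaction("4111000011112222", "JP", 3200.0, NOW),   # fraud: phone in SE
    CardTransaction("4111000033334444", "SE", 42.0, NOW),     # legitimate
    CardTransaction("4111000055556666", "GB", 120.0, NOW),    # phone switched off
]
HANDSET_LOCATIONS = {
    "4111000011112222": HandsetLocation("SE", NOW - timedelta(minutes=1), True),
    "4111000033334444": HandsetLocation("SE", NOW - timedelta(minutes=3), True),
    "4111000055556666": HandsetLocation(None, NOW - timedelta(hours=6), False),
}


def screen(txns=SAMPLE_TXNS, locations=HANDSET_LOCATIONS) -> list:
    """Run the rule over a batch; returns one decision dict per transaction."""
    return [decide(t, locations[t.card_id]) for t in txns]


if __name__ == "__main__":
    for t, d in zip(SAMPLE_TXNS, screen()):
        print(f"{t.card_id[-4:]} {t.merchant_country} {d['action']:<8} {d['reason']}")
```

The mismatch case is declined outright and the cardholder is texted; an unreachable or stale handset only sends the transaction to review, because treating a missing location as fraud would block every cardholder whose phone is off or outside the reachable networks.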


Microsoft Seeks $3.75B Cash Infusion

E-Commerce News: Wall Street: Microsoft Seeks $3.75B Cash Infusion From First-Ever Debt Offering

Microsoft (Nasdaq: MSFT) priced a US$3.75 billion debt offering on Monday, a first for the world's largest software maker.  Microsoft said in a Securities and Exchange Commission (SEC) filing that it is offering five-, 10- and 30-year senior unsecured notes.

In a press release, the company said it will sell $2 billion of 2.95 percent notes due June 1, 2014; $1 billion of 4.20 percent notes due June 1, 2019; and $750 million of 5.20 percent notes due June 1, 2039.  The software maker said it will use proceeds from the sale for general corporate purposes, including possible acquisitions and stock buybacks.

Authorized Before Rate Hike

Last September, Microsoft's board authorized it to take on up to $6 billion in debt. Standard & Poor's Rating Services gave Microsoft an "AAA" corporate credit rating.  The authorization came just before interest rates soared.  Microsoft, which is sitting on more than $25 billion in cash, could afford to wait until rates came down to make a move.

Continue Reading at eCommerceTimes.com


94% of Payment Card Fraud Due to Network Probs

Mass network compromise cause of most online fraud

Ninety-four percent of payment-card fraud due to network problems
By Ellen Messmer , Network World , 05/12/2009

Mass compromise of merchant networks and card processors is viewed as the main cause of payment-card fraud, according to a survey of 113 financial services firms, which was published Tuesday.

In contrast, online attacks -- such as phishing -- are seen as a far less-significant cause of card fraud by the survey's respondents, who are management executives and antifraud or security managers at financial institutions in the United States, Europe and Asia.  According to the survey, sponsored by security firm Actimize, 94% of the 113 financial-services firms could trace some percentage of payment-card fraud they experienced directly back to mass compromises of networks. In the survey, several examples of mass compromise events were given, including those known to have occurred at Heartland Payment Systems, grocery retailer Hannaford Brothers, retail-store chain TJX, as well as HNRC, RBS, BJ's, DSW and Countrywide.

When asked the question: "Do you believe you have seen stolen data from the mass-compromise events used in fraud attacks?", 55% of the respondents answered "none", but the remainder pointed most frequently to TJX and Heartland. 

About 85% of the respondents said they decided to reissue payment cards to between 1% to more than 20% of their cardholder population in response to news of a mass compromise although there was no immediate indication of fraud losses. In contrast, online scams are seen as having much more minimal impact in terms of card fraud. About 36% of the survey respondents said that less than 1% of card fraud they experienced was due to online scams such as phishing. About 40% blamed online card scams for 1% to 4% of card fraud they witnessed, and only 1.67% blamed online scams for more than 20% of the card fraud they experienced.

The survey also asked about ATM/debit card fraud claims specifically. More than 69% of survey respondents said their organizations had seen an increase in ATM/debit-card fraud last year in comparison to the prior year, with the majority citing between 5% to 49% increase.

In addition, more than 73% of the financial institutions indicated they had no technology in place to stop fraudulent transactions in real time. The amount of losses in 2008 due to ATM fraud cited by institutions ranged from $744,321 to $12 million.



"IT" Reap Gains from Increasing Web Attacks

Business ICT Risks - General
Source: The Economic Times
Complete item: http://economictimes.indiatimes.com/Infotech/Internet-/IT-security-firms-to-reap-gains-from-increasing-Web-attacks/articleshow/4505580.cms

Description:
Firms like Symantec, Quick Heal and Trend Micro are looking at riding the growth in the IT security sector as more and more enterprises are turning to these firms for solutions in view of increasing Web attacks.

India's IT security market, in the enterprise segment, is pegged at about USD 130 million, and research firm Frost and Sullivan (F&S) has estimated that it would grow at a CAGR of 19.21 per cent over the next few years.



Twitter Photo Sharing Now Available

Linkbee.com Adds Twitter Photo Sharing
Linkbee.com, the pioneer in monetizing short URLs, has added photo sharing functionality for Twitter users.

San Francisco, CA (PRWEB) May 12, 2009 -- With Twitter.com becoming popular around the globe, Linkbee.com has been a pioneer in allowing users to monetize their Twitter accounts. Linkbee started off by offering users multiple options to monetize short URLs and has paid out over $25,000 since its inception back in 2008. As of today, Linkbee has happily announced the launch of Twitter Photo Sharing directly on Linkbee.com.

"Competitors such as Bit.ly have experienced solid recent growth mainly because of Twitter, so it's no coincidence that we are targeting Twitter users with our latest developments," says Aleks Dugonjic, co-founder of Linkbee.com.

Linkbee's Photo Sharing technology allows users to post photos to their Twitter accounts directly on the Linkbee.com website. In addition, Linkbee has given users two options in monetizing these photos; first being the standard interstitial before the photo page loads, and the second allows users to place their Google Adsense code directly on the page where the photo resides.

"We are moving into an age where webmasters, bloggers and even tweeters need to be rewarded for their work. The user is our concern and it only makes sense that they get a piece of the pie," says Chris Pavlovski co-founder of Linkbee.com.

The photo page holds two ad spots, a 468x60 banner above the main photo and a 300x250 rectangle beside the photo. The user gets the banner spot using Google Adsense while Linkbee will use the rectangle spot for handling their costs. In order to maintain the integrity of the photo sharing program, Linkbee will not allow both interstitials and banner sharing simultaneously.

Linkbee.com was developed by JMG - Jolt Media Group and founded by both Chris Pavlovski and Aleks Dugonjic. The website receives over 1 million hits daily and is the pioneer in monetizing short URLs and photos for Twitter.

Heartland to MasterCard...Fine...Let's Fight!

This is really a desperate act.  Both Visa and MasterCard have already stated that Bobo's (Bob O. Carr) Heartland Payment Systems was NOT PCI compliant when the breach occurred, and Bobo waited until he could unload a bunch of stock before he announced the breach under the cover of BO's inauguration.  From Finextra:

Heartland Payment Systems says a fine of over $6 million imposed on it by MasterCard in relation to the massive data breach it suffered last year is illegal and will be contested.

Reporting first quarter results, the firm revealed it incurred $12.6 million in expenses and accruals attributable to the massive data breach, which saw malicious software in the firm's processing system potentially compromising the card data of millions of people.  The costs contributed to a first quarter GAAP net loss of $2.5 million.  In an earnings call, Heartland CEO Robert Carr says over 50% of the $12.6 million expense relates to a fine MasterCard assessed against the processor's sponsor banks.

The fine was imposed because of an alleged failure by Heartland to take appropriate action once it learned that its systems may have been breached.

Carr says the company responded appropriately and "upon discovering the intrusion it took immediate and extraordinary action to address the intrusion" and also "fully co-operated" with MasterCard's investigation into the breach. 

Editor's Note:  Bullcrappola!  BobO waited until he could sell as much stock as possible and announced the hack on the day Barack Obama was inaugurated.  That's neither immediate, nor extraordinary action.  Once again the room permeates with the smell of "my shit don't stink-iness."  Wait until you get the results of the SEC investigation BobO.

"Heartland therefore considers the MasterCard fine to be in direct violation of both the MasterCard rules and applicable law and it intends and is prepared to vigorously contest and it has recommended to its sponsor banks that they vigorously contest, through all means available including litigation if necessary any liability that may be asserted or imposed upon Heartland or its sponsor banks by reason of this fine," says Carr.

Continue Reading at Finextra

Western Union Scam Alert

Scam / Fraud / Hoax Alerts
Source: E-Secure-IT Honey pot
More info: https://www.e-secure-it.com/upload/354821.pdf

Description:
For full details, Whois, Header, website screenshots etc., see the PDF in the E-Secure-IT database.

Target: Global
Notes: This may be a phishing scam, although the attached file (MTCN_INVOICE.zip) is most likely downloading a Trojan.
Subject:  Western Union Transfer MTCN: 2704897818
From:  "Western Union" <apppz@gmail.com>

Dear customer!

The money transfer you have sent on the 5th of March hasn't been collected by the recipient.  Due to the Western Union regulation the transfers which are not received in 30 business days are to be returned to sender.  To collect your cash you need to print the invoice attached to this email and visit the nearest Western Union office.

Thank you!


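The alert above shows the three tells of this lure at once: a brand name in the display name over a free-mail address, a pressure-to-act story, and a ZIP "invoice" attached. As an added example (not E-Secure-IT's code, nor part of the original alert), here is a Python mail-gateway triage rule that scores a raw message on those tells. The brand/domain table, the free-mail list, the thresholds and the two embedded sample messages (one modelled on the alert, one benign) are constructed assumptions for this illustration.

```python
# Added example (not from E-Secure-IT or the original alert): score a raw message on
# display-name/brand mismatch, urgency wording and risky attachments. The lookup
# tables, thresholds and sample messages are assumptions made for illustration.
import re
from email import message_from_string, policy
from email.utils import parseaddr

BRAND_DOMAINS = {                       # assumed: domains a brand legitimately mails from
    "western union": {"westernunion.com"},
    "paypal": {"paypal.com"},
}
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "mail.ru"}   # assumed list
RISKY_ATTACHMENT_EXT = {".zip", ".rar", ".exe", ".scr", ".js"}
URGENCY_PHRASES = ("to collect your", "print the invoice",
                   "are to be returned", "visit the nearest")


def triage(raw_message: str) -> dict:
    """Score one raw RFC 5322 message; the higher the score, the more lure-like it is."""
    msg = message_from_string(raw_message, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    brand = display.strip().lower()
    domain = addr.rpartition("@")[2].lower()
    score, reasons = 0, []

    # 1. The display name claims a brand that the sending domain does not belong to.
    if brand in BRAND_DOMAINS and domain not in BRAND_DOMAINS[brand]:
        score += 40
        reasons.append(f"display name '{display}' but sender domain '{domain}'")
        if domain in FREEMAIL_DOMAINS:
            score += 20
            reasons.append("brand impersonated from a free-mail account")

    # 2. Generic greeting and pressure to act in the plain-text body.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    if re.match(r"\s*dear (customer|user|client)\b", text):
        score += 10
        reasons.append("generic greeting")
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        score += 10
        reasons.append("call to action: " + "; ".join(hits))

    # 3. Archive or executable attachment (the MTCN_INVOICE.zip in the alert).
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = name[name.rfind("."):] if "." in name else ""
        if ext in RISKY_ATTACHMENT_EXT:
            score += 30
            reasons.append(f"risky attachment {name}")

    verdict = "quarantine" if score >= 60 else "flag" if score >= 30 else "deliver"
    return {"score": score, "verdict": verdict, "reasons": reasons}


# Constructed sample modelled on the alert; the attachment bytes are dummy base64.
LURE_RAW = """\
From: "Western Union" <apppz@gmail.com>
To: victim@example.com
Subject: Western Union Transfer MTCN: 2704897818
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Dear customer!

The money transfer you have sent on the 5th of March hasn't been collected by the recipient.
Due to the Western Union regulation the transfers which are not received in 30 business days
are to be returned to sender. To collect your cash you need to print the invoice attached to
this email and visit the nearest Western Union office.

Thank you!
--b1
Content-Type: application/zip; name="MTCN_INVOICE.zip"
Content-Disposition: attachment; filename="MTCN_INVOICE.zip"
Content-Transfer-Encoding: base64

UEsDBBQAAAAIAA==
--b1--
"""

# Constructed benign message: correct domain, personal greeting, no attachment.
LEGIT_RAW = """\
From: "Western Union" <noreply@westernunion.com>
To: victim@example.com
Subject: Your receipt
Content-Type: text/plain; charset="utf-8"

Dear Ms Example,

Your receipt for transfer #0000 is available in your online account.

Regards
"""

if __name__ == "__main__":
    for label, raw in (("lure", LURE_RAW), ("legit", LEGIT_RAW)):
        print(label, triage(raw))
```

Each signal is cheap and individually weak (a free-mail address alone is not fraud), which is why the rule sums them and only quarantines when several line up; the attachment check deliberately keys on the filename extension so it fires before anything is unpacked or opened.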

BIS Guidance on Cross Border Wire Transfers

The Bank for International Settlements has provided final guidance (PDF) on due diligence and transparency regarding cover payment messages in cross-border wire transfers.

The new rules are intended to clamp down on the use of cover payments to hide the identities of wire transfer recipients in support of regulatory initiatives on anti-money laundering and terrorism financing.

In January Lloyds TSB was slapped with a $350 million penalty by the US Justice Department for deliberately falsifying wire transfers destined for countries or individuals on US sanctions lists.

According to court documents, Lloyds deliberately removed material information - such as customer names, bank names and addresses - from payment messages so that the wire transfers would pass undetected through filters at US financial institutions.

The stripping of information allowed more than $350 million in transactions to be processed by US correspondent banks that might have otherwise been blocked or rejected due to sanctions regulations or for internal bank policy reasons.

Continue Reading at Finextra

Monday, May 11, 2009

Heartland NOT PCI Compliant When Breached!

Both Visa and MasterCard have officially gone on the record saying that Heartland Payment Systems was NOT PCI compliant at the time of the breach.

When you take that into account and add the following 9 items, things don't look so good for Heartland Payment Systems:
  1. MasterCard has levied a $6 million fine against the company
  2. Visa has not yet announced the amount of their fine.
  3. The breach (so far) has cost Heartland $12.6 million
  4. HPY has seen a $100+ million drop in their market cap
  5. Shareholders have filed a class-action lawsuit
  6. Consumers have filed a class-action lawsuit
  7. Banks have filed a class-action lawsuit
  8. Robert O. Carr is being investigated by the SEC for possible stock trading improprieties
  9. The last processor (CardSystems) to be breached went belly-up

Heartland wants to talk about "end-to-end encryption" (E2EE) but it's too late.  If they were NOT PCI compliant, the end-to-end is over...what begins now is the "beginning of their end."  Any guesses as to how they'll end up?  Hint: This does not get categorized as "Tales from Encrypt."  Back to plain ol' Crypt.

Here's why they are dead in the water.  Attorneys' fees and the potential for treble damages on not one, not two, but THREE class-action lawsuits will "definitely" take their toll.  But, of more immediate concern is the cost to reimburse the banks for having to reissue all those new bank cards.  Some have estimated that cost is upwards of $200 per replacement.  Some have estimated that 100 million accounts were breached.  One million reissued cards would cost Heartland $200 million.

But is Robert O. Carr done?  At least Bobby O. made millions from the sale of his shares between the time the breach occurred and the time it was announced.  (To refresh your memory, Heartland displayed the utmost in transparency when deciding to announce the "biggest breach" in the history of the United States during Barack Obama's inauguration.)

Gee, what a coincidence, eh?  As coincidental as selling hundreds of thousands of shares of stock after the breach occurred.

Some of you might be wondering why I'm so hard on poor poor Robert (Bob) O. Carr.  I know it's noticeable to those who read my Heartland posts, but I'm not quite sure if I ever did explain my sarcastic disdain.

Let me tell you about the time I met Bob Carr face to face.  It was down in St. Louis, in 1997 I believe, the weekend he was recruiting his initial influx of ISOs for Heartland Payment Systems.  I talked with him for about 15-20 minutes and stood around for another 25 or so listening to him talk to others and...suffice it to say that he was one of the most brutally arrogant SOBs I've had the displeasure to meet in my life.  Now let me be clear.  I don't mind the "self-confident" arrogance.  I'm talking about the condescending, "I'm better than everybody" arrogance.  You know, the kind of arrogance that permeates the room with my shit don't stinkedness?  The kind of arrogance that screams "rules don't apply to me"?  Speaking of which, I for one won't be surprised in the least if the SEC investigation turns up evidence of "rules don't apply to me" behavior.

He may have changed since 1997 however...Press Releasing the breach on Inauguration Day says differently.  Where was the end-to-end encryption before the breach?  Too late now.  You've lost millions Bobo...and in my humble opinion, it couldn't have happened to a better (than everybody) guy!

Heartland Data Breach: Is End-to-End Encryption the Answer?

The announcement by Heartland Payment Systems (HPY) that it will offer its merchants end-to-end encryption capabilities is seen as a positive step by industry experts. Yet, these same experts also warn that this measure will not solve all of the security issues that Heartland and other payment processors face from hackers.

In Heartland's first-quarter earnings call last Thursday, company officials said that so far last year's well-publicized data breach has cost them $12.6 million. The amount includes legal costs and fines from Visa and MasterCard, both of which have stated the payment processor wasn't compliant with PCI standards at the time of the breach.

Read Entire Article

Twitter This...Twitter That...

Twittering is all the rage, and many banks have taken note.  But is there a business case behind Twittering?

Twitter now ranks as the third most trafficked social networking site, behind Facebook and Myspace, and has achieved a certain cultural stature. With that said, FaceBook and Myspace still don't really have a business model either. 

American Banker reports that more than a dozen banks have set themselves up on Twitter.  Right now it's a hot commodity.  Think about it.  Its very name, like Google, is now a verb!  I have to admit.  I don't get it.  Sure I "tweet" these blog posts, and have watched in amazement as people start "following," but I still don't get it.

Next thing you know Twitter will be everywhere.  I can see it now...

Twitter me This!

Is it true that the script for the new Batman Forever movie calls for plans to introduce a new character called "The Twitterer"?

Scary!  Speaking of which, come next October are kids going to come to our door and say Trick or Tweet?

Will people then develop a Tweet Tooth?   

God I hope not.  Nobody asked, but here's my opinion: "If I was the 'King Tweety Bird' I'd take $700 million for that business in a 'heartbeat.'"

I heard from a little birdy that's what they were offered.  If so, it's not worth it to place a $700 million bet on whether or not this is a passing fad.  Banking $700 million is all the rage.  Speaking of Facebook, does anybody know their business model?  How about Myspace?  YouTube's business model is apparently to lose 2 million per month.

If you're "bent" on following breaking payments industry news, sign up for our newsletter...or visit often.  If you are hell bent on Twitter and want to follow the PIN Payments News Blog (even if it's just for the pictures)  click the graphic above right! 

Getting back to business models:  If you're King Tweety Bird, (a.k.a. Jack Dorsey) either sell it for $700 million...or call HomeATM to discuss your payments idea...which you aptly code-named "Squirrel."  It's a good idea.  It can make Twitter a ton of cash.  So call us...we can help!

But be aware...we had previously code-named that very same idea "patent pending".  Let's compare notes!


Heartland Starts Its Slow Climb Off the Canvas

Bank Technology News contributor, John Adams, writes that Heartland is still reeling from the left hook thrown by Hackers:

Heartland Starts its Slow Climb off the Canvas

Bank Technology News | May 2009
By John Adams

Heartland Payment Systems is still taking its standing eight count after one of the worst data breaches in history, but with its Visa PCI DSS validation restored, the firm hopes to emerge with a sober lesson it can share with other firms to prevent future breaches.


“We now have a greater appreciation for how brazen some of these organized cybercriminals are,” says Jason Maloni, a spokesman for Heartland in Princeton, NJ.

Count that as at least $12.5 million in appreciation—the amount the breach has cost the company thus far, including legal costs and fines from MasterCard and Visa. Heartland successfully completed its annual Payment Card Industry Data Security Standard (PCI DSS) assessment and has returned to Visa’s list of validated service providers. Visa had suspended Heartland, placing it on probation, though the firm was still allowed to process credit card transactions. Heartland, which reported a $2.5 million first quarter loss last week compared to net income of nearly $9 million in 2008, also faces a handful of class action suits connected to the breach.

Continue Reading at Bank Technology News via American Banker


Hackers on Campus


Who’s doing it and what’s being done to prevent it

by Zack Martin, Editor, Avisian Publications

Hacking can mean many things. The image it conjures for most is that of a young man in a dark room lit by nothing more than the glow of a computer monitor, trying to break into some top-secret government system or steal credit card numbers.

On college campuses hacking can mean a number of different things and threats can come from students as well as outsiders. Hackers attack university databases and systems but they also are targeting the student ID card.

Several high-profile incidents have hit close to home with the campus card community, but securing cards isn’t enough. Universities need to secure payment and IT networks as well or risk data falling into the hands of hackers.

What happened at Harvard is just about a campus card director’s worst nightmare. In July 2008 a Harvard undergraduate student was caught making fake Harvard University ID cards. Not just any cards, but duplicate cards of those belonging to the University President Drew G. Faust, Assistant Dean of the College Paul J. McLoughlin II, and Dunster House Superintendent H. Joseph O’Connor, according to the Harvard Crimson.

The student was able to replicate the magnetic stripe on the back of the card and gain access to buildings and gates across campus with only knowledge of the individual’s university ID numbers and a $200 card reader purchased on eBay. He was also able to make purchases using the individual’s Crimson Cash accounts, which are used to pay for items on and off campus.

The hack was the impetus for Harvard to launch new IDs for the students, faculty and staff in the Faculty of Arts and Science. The university rolled out iClass contactless smart cards from HID Global for physical access to facilities. The new card has two magnetic stripes on the back that are used for payments and other functions, according to the Harvard Crimson.

Mag stripe has its uses

At George Washington University in Washington DC, Ken Pimentel’s biggest fear is someone copying the mag stripe on the card and using it to gain access to a dorm or somewhere else they should not go. “There’s nothing wrong with mag stripe at the point of sale,” says Pimentel, director of the university’s GWorld Card Program.

Continue Reading at CR80News.com
Editor's Note: In a developing and related story, 160,000 University of California-Berkeley students and alumni have had their university records stolen by hackers (see below):

DATA THEFT -- U.S.
160,000 University Records Stolen
Hackers have stolen the personal information of 160,000 current and former University of California-Berkeley students, reports the San Jose Mercury News. Health center records from as far back as 1999 were breached over several months, exposing names, Social Security numbers, immunization histories and other information. Associate Vice Chancellor for Information Technology Shelton Waggener said the thieves got in through the university's Web site. "You should think of it as a public building," he said. "They got into the building properly, but then they broke into secure areas." One law student said: "We're all young people and we don't have a lot of credit established. That's really frightening..."


Payments News with Legal Ramifications

Week of May 4th - May 8th

Anti-Money Laundering (AML) Compliance — United States


The Financial Action Task Force (FATF) recently released a white paper on the vulnerabilities of casinos and the gaming industry.

This APG/FATF report considers casinos with a physical presence and discusses related money laundering and terrorist financing methods, vulnerabilities, indicators to aid detection and deterrence, and international information exchange. The report considers vulnerabilities arising from gaps in domestic implementation of anti-money laundering/combating the financing of terrorism measures. Online gaming and illegal gambling are beyond the scope of the linked study. The report is a 1.20 MB PDF and requires Adobe Acrobat to view. There is a special section that covers credit and debit card usage. I will follow up with a post regarding that section later today...


Anti-Money Laundering Compliance — International
Canadian regulators have stated that financial services firms should maintain their efforts to fight money laundering despite the global recession and intense pressure to reduce expenses, according to a linked article on Investment Executive.


An article at ThisDay reports that the Bank of Tanzania lacks adequate strategies to combat terrorist funding and money laundering activities despite the existence of laws expressly prohibiting such activities in the country.

A French magistrate has recently opened an investigation against the leaders of Gabon, the Republic of Congo and Equatorial Guinea, in relation to a complaint filed by Transparency International, an international watchdog group, regarding investment derived from embezzled funds in property and other goods located in France. Apparently this has given Transparency the legitimacy it needs in order to press other claims against corrupt leaders, wherever they may be in the world.


Asset Forfeiture Watch reports that the U.S. Department of State has released its Country Reports on Terrorism for the year 2008. The overview, which was made public last week, praised Mexico’s President Felipe Calderón Hinojosa and his administration for demonstrating “an unprecedented commitment to address national security concerns” but criticized Mexico’s recent terrorist financing law for its lack of asset forfeiture provisions.

Identity Theft and Data Security

A feature article on Dark Reading demonstrates how researchers were able to hijack a notorious botnet in January for about 10 days, only to discover that it was even more dangerous than previously thought.


On May 5, 2009, the U.S. Government Accountability Office released a report on cyber threats and vulnerabilities that place federal systems at risk. This was in response to testimony before the Subcommittee on Government Management, Organization and Procurement of the House Committee on Oversight and Government Reform.


MX Logic has released a new report that raises the possibility that Waledac and Conficker are working together to create a megabotnet, one that would contain tens or hundreds of millions of infected computers worldwide.


An organization that develops technical standards for the financial industry is working to develop a standard for protecting sensitive payment card data in transit as it moves from the point of sale terminal to the payment processor, according to this article on SearchFinancialSecurity.com. The organization in question, Accredited Standards Committee X9 Inc. is based in Annapolis, Maryland and is accredited by the American National Standards Institute. It has developed industry security standards for ATMs and other financial systems.


Digital Transactions Magazine

The May 2009 issue of Digital Transactions magazine is now available online. The magazine is 6.46 MB and requires Adobe Acrobat to view. Some articles that may be of interest include: (1) a field guide to alternative payments systems, (2) how health care payments could be more like retail payments, (3) how financial institutions are prioritizing payments management more cost-efficiently and (4) an in-depth look at how electronic payments are being integrated in mass transit systems across the United States.

Credit Cards

MasterCard Inc. is getting a big boost from The Travelex Group, a multinational distributor of travel-related prepaid cards. Under a recently announced deal, Travelex will convert its payment card network brand to MasterCard and process card transactions on MC’s year-old debit processing platform called Integrated Processing Solutions, or IPS.

Gaming

Spencer Bachus (R-AL), the ranking Republican member on the House Committee on Financial Services released a statement on May 6, 2009 on illegal Internet gambling legislation currently being considered by the House of Representatives.

The following articles and presentations may also be of interest:

* Here is a video presentation by 60 Minutes on the prevalence of such sites;
* Here are two reports, each containing write-ups detailing investigations of illegal offshore gaming websites.

Supreme Court Cases

By now you may have heard of the Court’s ruling in Flores-Figueroa v. United States (08-108) wherein the issue being argued before the Court was whether an individual who used a false means of identification without knowing it belonged to another person can be convicted of “aggravated identity theft” under 18 USC 1028A(a)(1). You can read the 8th Circ. opinion here, the petition for certiorari here, the brief for the United States here and the petitioner’s reply here. A New York Times article published on October 21, 2008 on this case can be read here.

On Monday, May 4, 2009, the Court issued its opinion in Flores.

The case called upon the Court to resolve a circuit split over the scope of the mens rea requirement in the federal aggravated identity theft statute, 18 U.S.C. § 1028A(a)(1), which imposes a mandatory two-year sentence on anyone who, during and in relation to certain predicate offenses, “knowingly transfers, possesses, or uses, without lawful authority, a means of identification of another person.” The Court unanimously agreed with Flores-Figueroa that, to obtain a conviction under § 1028A(a)(1), the Government must show that the defendant knew that the “means of identification” he unlawfully transferred, possessed, or used, belonged to a real person.

FDIC Hearing

Here is an account, originally posted live, of the hearing that took place on the morning of May 6, 2009 in front of the Senate Banking Committee.

Witnesses included: FDIC chairperson Sheila Bair, Federal Reserve Bank of Minneapolis President Gary Stern, American Enterprise Institute’s Peter Wallison, University of Chicago Finance Professor Raghuram G. Rajan and The Brookings Institution’s Martin Baily.


You can read Part 1 here and Part 2 here.


Upcoming Legislation


Rep. Barney Frank (D-MA) released a statement on Thursday, May 7, 2009 relating to passage of HR 1728, the Mortgage Reform and Anti-Predatory Lending Act of 2009. The bill was approved by a vote of 300 to 114. A summary of the bill can be viewed here.


In addition, Rep. Frank issued a press release in relation to consideration of HR 2267, the Internet Gambling Regulation, Consumer Protection and Enforcement Act and HR 2266, the Reasonable Prudence in Regulation Act.


The first bill regulates Internet gambling while the second bill delays implementation of regulations pursuant to the Unlawful Internet Gambling Enforcement Act of 2006 for one year.


Congressional Hearings/Reports


The Congressional Oversight Panel issued a report entitled “Reviving Lending to Small Businesses and Families and the Impact of TALF” on Thursday, May 7, 2009. This report looks at the state of lending for small businesses and then examines the Term Asset-Backed Securities Loan Facility (TALF), which Treasury and the Federal Reserve established to improve access to credit for families and small businesses by supporting the issuance of asset-backed securities collateralized by credit card loans, student loans, auto loans and loans guaranteed by the Small Business Administration.


Compiled by Stan Santos

After Data Breach Heartland Comes Out Swinging

Heartland Comes Out Swinging After Data Breach - Business Center - PC World
"In the months following the disclosure of what may be the largest data breach in US history, Robert O. Carr, chairman and CEO of Heartland, has come out swinging. Instead of going into a near-death spiral of damage control mitigating the revelation that 100 million customer records leaked during 2008, Carr has been pointing the finger at the payment industry itself for not going far enough with best practices. Heartland has taken advantage of several merchant associations to promote new initiatives that could revolutionize the payment card industry beyond PCI DSS compliance.

Carr has been quite frank when talking about the breach itself, as opposed to the relative silence from TJX after its data breach back in 2007. Heartland said early on that they believed someone placed a listener program in the stream where data in motion was not encrypted. When the Payments Processing Information Sharing Council (PPISC) met for the first time this week in St. Pete Beach, Florida, Carr took the unusual step of handing out USBs with the malware code found on the Heartland system at the time of their breach, as well as malware discovered through other data breach investigations in 2008 and 2009, so other payment processors could look for malware on their own systems. Carr said in his Q1 2009 earnings call on Thursday that other industries share security information like this, so why can't the card processors?

Additionally, Heartland is in the process of developing a true end-to-end (E2E) encryption solution for its merchants. What's different is that Heartland wants to be the first payment processor to ensure that data remains encrypted all the way from the point of sale through the processing by the card company."


Continue Reading at PC World


The only way for TRUE end-to-end encryption to occur is for Visa and MasterCard to change the way they process transactions entirely. This is probably just a legal maneuver on Heartland's part (MasterCard recently hit them with a multi-million dollar fine) and certainly a PR move.

For example, on telephone-order transactions the consumer provides their credit card number and expiration date to the operator. Where's the encryption? For e-commerce the consumer "types" their credit card number, expiration date AND CVV into boxes and presses submit. Where's the encryption? And don't tell me the HTTPS BS.

The only 3DES End-to-End Encrypted Transaction protected by DUKPT and PCI 2.0 certified solution for eCommerce in the world comes from the engineers at HomeATM.   How's that for some PR?
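To show what "end-to-end encryption protected by DUKPT" means in practice, here is an added example (not code from Heartland, HomeATM or the PC World article) of the ANSI X9.24-1 DUKPT key derivation in Go: the terminal and the processor independently derive a unique key for each transaction from a base derivation key (BDK) and the device's key serial number (KSN), and the terminal never stores the BDK, so a listener on the wire, like the one described in the article, sees only ciphertext under a key that is not reused. The BDK and KSN values used in the test are the standard's published test values; the variant constants are those defined by the standard.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
)
func mustHex(s string) []byte { b, err := hex.DecodeString(s); if err != nil { panic(err) }; return b }
func xor(a, b []byte) []byte { o := make([]byte, len(a)); for i := range a { o[i] = a[i] ^ b[i] }; return o }
// ANSI X9.24-1 constants: the NRKGP key mask and the data-key variant.
var variantC0 = mustHex("C0C0C0C000000000C0C0C0C000000000")
var variantData = mustHex("0000000000FF00000000000000FF0000")
// tdes encrypts one 8-byte block under a 16-byte (2-key) TDES key.
func tdes(key, src []byte) []byte {
	c, _ := des.NewTripleDESCipher(append(append([]byte{}, key...), key[:8]...))
	out := make([]byte, 8)
	c.Encrypt(out, src)
	return out
}
// desHalf: DES-encrypt (reg XOR keyRight) under keyLeft, then XOR keyRight again (half of NRKGP).
func desHalf(key, reg []byte) []byte {
	c, _ := des.NewCipher(key[:8])
	out := make([]byte, 8)
	c.Encrypt(out, xor(reg, key[8:]))
	return xor(out, key[8:])
}
// nrkgp (non-reversible key generation process) maps (current key, KSN register) to the next key.
func nrkgp(key, reg []byte) []byte {
	return append(desHalf(xor(key, variantC0), reg), desHalf(key, reg)...)
}
// ipek is the initial key injected into the terminal; the processor recomputes it from its BDK.
func ipek(bdk, ksn []byte) []byte {
	base := append([]byte{}, ksn[:8]...)
	base[7] &= 0xE0 // clear the counter bits that fall in the first 8 KSN bytes
	return append(tdes(bdk, base), tdes(xor(bdk, variantC0), base)...)
}
// deriveKey applies nrkgp once per set bit of the 21-bit counter: one unique key per transaction.
func deriveKey(bdk, ksn []byte) []byte {
	key, reg := ipek(bdk, ksn), append([]byte{}, ksn[2:]...)
	reg[5], reg[6], reg[7] = reg[5]&0xE0, 0, 0 // KSN register with the counter cleared
	counter := uint32(ksn[7]&0x1F)<<16 | uint32(ksn[8])<<8 | uint32(ksn[9])
	for shift := 20; shift >= 0; shift-- {
		if bit := uint32(1) << uint(shift); counter&bit != 0 {
			reg[5], reg[6], reg[7] = reg[5]|byte(bit>>16), reg[6]|byte(bit>>8), reg[7]|byte(bit)
			key = nrkgp(key, reg)
		}
	}
	return key
}
// dataKey: data variant of the derived key, then one-way TDES so it cannot be turned back into the PIN key.
func dataKey(bdk, ksn []byte) []byte {
	k := xor(deriveKey(bdk, ksn), variantData)
	return append(tdes(k, k[:8]), tdes(k, k[8:])...)
}
```

dataKey is what a terminal would use to encrypt track data before it leaves the device; the processor runs the same derivation from the BDK held in its HSM and never needs the terminal's key material on the wire.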
