Security The Almighty Buck

Largest Data Breach Disclosed During Inauguration

Posted by kdawson
from the debit-cards-at-risk dept.
rmogull writes "Brian Krebs over at the Washington Post just published a story that Heartland Payment Systems disclosed what may be the largest data breach in history. Today. During the inauguration. Heartland processes over 100 million transactions a month, mostly from small to medium-sized businesses, and doesn't know how many cards were compromised. The breach was discovered after tracing fraud in the system back to Heartland, and involved malicious software snooping their internal network. I've written some additional analysis on this and similar breaches. It's interesting that the biggest breaches now involve attacks installing malicious software to sniff data — including TJX, Hannaford, Cardsystems, and now Heartland Payment Systems." One bit of good news out of this massive breach is that, according to Heartland's CFO, "The nature of the [breach] is such that card-not-present transactions are actually quite difficult for the bad guys to do because one piece of information we know they did not get was an address." Heartland just put up a press release on the breach.


  • Suckers (Score:5, Funny)

    by htnmmo (1454573) on Tuesday January 20, 2009 @02:57PM (#26534663) Homepage
    This is why I never go on the internet. It's just not safe.
  • Missing Address (Score:5, Insightful)

    by wiz31337 (154231) * on Tuesday January 20, 2009 @03:00PM (#26534745)

    "The nature of the [breach] is such that card-not-present transactions are actually quite difficult for the bad guys to do because one piece of information we know they did not get was an address," Baldwin said.

    Because as we all know it is impossible to get someone's address by having only their full name and credit card number.

    They are trying to downplay a very serious incident by disclosing the breach on a day heavily focused on the inauguration. Then they have the nerve to say "don't worry, they didn't get your address" as if to say someone smart enough to embed malicious software which gathers credit card numbers is not smart enough to find someone's address. C'mon!

    • Re:Missing Address (Score:5, Informative)

      by n0dna (939092) on Tuesday January 20, 2009 @03:22PM (#26535195)

      Let's also not overlook that while some stores/merchants may have a policy to ask for address when doing Cardless Transactions, the processing houses (at least the ones I've used) will more than happily process the transaction successfully without anything more than the card number and the expiration date.

      Some processors will refuse to process transactions within the month that the card expires, but you simply add 4 years to the date and it'll go through just fine.

      The Credit Card companies have pushed very hard and very long to make credit transactions more painless than cash. You have to drop some safeguards to do that though.

      • Slightly OT, but FYI:

        Both of the first points are relative...it depends on the processor, and the product on which they are processing. The address verification (AVS) gives the merchant better pricing, but is not a mandatory knock-out rule with Visa/MC to get an authorization. Some processing platforms will force a reject if the AVS match fails, some will let it go through at the higher rate.

        The expiration is relative, too...some platforms do a literal verification, some just check to see if it matches [0-1

        • And most velocity check systems will pick up on expiry skipping (+1/mo or +1/year) transactions. But yeah, if you think agreements between card holders and the respective issuer are fine print, take a look at those between a merchant and an ISO/acquirer.

          AVS can get discount rates and/or better chargeback conditions for card-present transactions. To really get the best protection you need to use Verified by Visa or similar programs. Of course, they are a pain to implement, have horrible card holder participation
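The velocity check mentioned in the reply above, as an added example (not code from the page or from any processor): it flags a card token whose authorization attempts inside a short window cycle through several expiry dates in one-month or one-year steps. The tokens, timestamps and events are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class AuthAttempt:
    pan_token: str   # tokenised card number; raw PANs never enter this log
    expiry: str      # "MM/YY" exactly as keyed by the merchant
    ts: datetime
    approved: bool


def _months(expiry: str) -> int:
    """Turn MM/YY into a month count so neighbouring dates differ by 1 or 12."""
    mm, yy = expiry.split("/")
    return (2000 + int(yy)) * 12 + int(mm)


def expiry_cycling(attempts, window_minutes=60, min_distinct=3):
    """Return {pan_token: [expiries]} for tokens that, within one window,
    used at least `min_distinct` expiry dates including a +1 month or
    +1 year step between two of them (the pattern the thread describes)."""
    by_pan = defaultdict(list)
    for a in attempts:
        by_pan[a.pan_token].append(a)
    flagged = {}
    for pan, evs in by_pan.items():
        evs.sort(key=lambda a: a.ts)
        for i, first in enumerate(evs):
            window = [e for e in evs[i:]
                      if (e.ts - first.ts).total_seconds() <= window_minutes * 60]
            distinct = {e.expiry for e in window}
            if len(distinct) < min_distinct:
                continue
            months = sorted(_months(x) for x in distinct)
            steps = {b - a for a, b in zip(months, months[1:])}
            if steps & {1, 12}:
                flagged[pan] = sorted(distinct, key=_months)
                break
    return flagged


# Constructed sample: tok_A is walked through expiry dates until one is
# accepted (the "add 4 years" trick from the thread); tok_B and tok_C are normal.
SAMPLE = [
    AuthAttempt("tok_A", "01/09", datetime(2009, 1, 20, 14, 0), False),
    AuthAttempt("tok_A", "02/09", datetime(2009, 1, 20, 14, 2), False),
    AuthAttempt("tok_A", "01/10", datetime(2009, 1, 20, 14, 3), False),
    AuthAttempt("tok_A", "01/13", datetime(2009, 1, 20, 14, 5), True),
    AuthAttempt("tok_B", "06/11", datetime(2009, 1, 20, 14, 1), True),
    AuthAttempt("tok_C", "01/09", datetime(2009, 1, 20, 9, 0), False),
    AuthAttempt("tok_C", "02/09", datetime(2009, 1, 20, 15, 30), True),
]

if __name__ == "__main__":
    print(expiry_cycling(SAMPLE))  # {'tok_A': ['01/09', '02/09', '01/10', '01/13']}
```

The window and threshold are tuning knobs; tok_C shows that the same two dates hours apart are not flagged, which is what keeps a legitimate re-issued card from tripping the rule.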

    • by sorak (246725) on Tuesday January 20, 2009 @05:16PM (#26537515)

      Hmmm...B.H. Obama. Jeffery, get out the phone book. We need to determine where this guy lives.

    • ID thief: Hi, I've moved recently, and I just wanted to check you guys have my new address.

      Every time I've done that with my bank, they've asked for my full name, date of birth, and account number (or if I go through the automated channel, the only ID I need is my phone or online banking pin). After those are provided, they tell me what address they have on file.

      • by bskin (35954)

        Standard practice in the finance industry these days is to send a notification whenever an address is changed - to both the new and old address. It wouldn't stop them from making the transaction, but it would notify the cardholder that something is up and make it pretty easy to dispute charges.

  • The guy posted to his blog about it. On the same day as the inauguration.

    Seriously, the tone of the summary is dumb as fuck. The press release is from today, as is the blog post. It's not even a fucking newspaper article.

    • by whoever57 (658626)

      The guy posted to his blog about it. On the same day as the inauguration.

      Did he? I would RTFA, but I've given up trying to read white-on-black web pages. Seriously, whoever thought that dense white text on a black background is easily readable?

      I'll agree that it is a little more readable on LCD monitors than it was on slightly old CRT monitors, but it still isn't easily readable.

      • Dunno; I don't have much problem with white on black text. I prefer green or amber on black, though, but that's mostly nostalgia for the VT-220s I spent so much time in front of.

  • by Gary W. Longsine (124661) on Tuesday January 20, 2009 @03:03PM (#26534773) Homepage Journal
    Nearly every company that suffers a breach like this tries to assure people about what the bad guys didn't manage to steal. Don't believe it. Even if it might be true at the strict technical level, it's still not relevant to the analysis of the severity of this issue. The bad guys already have databases full of names and addresses which they will cross reference against the data they stole.
    • Re: (Score:2, Funny)

      by noidentity (188756)
      Come on, use the right word! They COPIED the data, not STOLE it, unless they really did delete it from the original server, in which case they would have noticed it missing immediately.
    • And potentially any other data stolen anywhere else. Who's to say that these same individuals don't have a copy of the data from other big break-ins lying around?

      If they managed to buy one of those databases, suddenly they have a massive amount of data-mining information available to them.
  • by MozeeToby (1163751) on Tuesday January 20, 2009 @03:03PM (#26534789)

    The nature of the [breach] is such that card-not-present transactions are actually quite difficult for the bad guys to do because one piece of information we know they did not get was an address.

    Because we all know that it's impossible to spoof the magnetic strip on the credit card.

    • by Repton (60818)

      I'm not sure what you mean ...

      The magnetic stripe doesn't have anything to do with card-not-present transactions. CNP basically means internet: you type in your name, card number, expiry date, possibly security code. It's not clear whether they got the security code, but I guess they did, otherwise the company would be touting that as another up-side.

      The magnetic stripe has its own security code, which is not printed on the card. This means that you can't make counterfeit cards given only knowledge of t

      • by drinkypoo (153816)

        The point is that it's really amazingly easy to make a fake credit card that looks just like the real thing. The only hard part is the hologram and you can just get some holographic sticker and scuff the crap out of it and convince most people if you can distract them away with social engineering (and if the card works the first time.) Not that I would ever do this, I'm about as sneaky as Baby Huey.

  • When stuff like this happens, it is not the consumers who end up paying, but Visa / MC - who end up putting pressure on these guys to get their act together.

    • by Chuck Chunder (21021) on Tuesday January 20, 2009 @03:36PM (#26535493) Homepage Journal

      Some clueless person says this every time there is a story on credit cards.

      Visa/MC do not end up paying. Merchants on the receiving end of fraudulent transactions do. Visa/MC may even profit from it as the fees they charge merchants for chargebacks can be quite steep.

      • by javelinco (652113)
        And? Most of the time, the reason the chargeback happened is because the merchant didn't bother to follow procedures - they didn't validate the identity of the person using the CC.
        • Re: (Score:3, Informative)

          by Todd Knarr (15451)

          Save that Visa and Mastercard rules prohibit the merchant from validating the identity of the person using the credit card. For instance, a merchant is prohibited from requiring the customer to present ID (such as a driver's license) before they'll take the card. If a merchant refuses to take cards without identification, Visa/MC will terminate their merchant account.

          • Re: (Score:3, Informative)

            Not quite. The merchant agreement typically states that the merchant cannot use ID to validate the identity ONLY for card purchases. If they check ID for check purchases, too, they'd typically be free to do so. It's essentially "you cannot do anything that makes it more inconvenient to the customer to purchase via our card than via other methods".
            • by nxtw (866177)

              Not quite. The merchant agreement typically states that the merchant cannot use ID to validate the identity ONLY for card purchases. If they check ID for check purchases, too, they'd typically be free to do so. It's essentially "you cannot do anything that makes it more inconvenient to the customer to purchase via our card than via other methods".

              Same applies for cash, too, which isn't quite the same as writing a check.

              How many people would present identification for a cash purchase that wasn't age restrict

              • Yeah, that's an awkward one - on one hand if it was a mom and pop that relied on repeat business, you could play the "keeps our merchant fees down, we pass the savings on to you!" card, but that's dubious.

                But it is possible. :)

                • slightly OT, but since I own an only-slightly-larger-than-mom-and-pop business, I have to say, this sort of thing is becoming a real consideration. 10 years ago, my business was 60/40 cash/cc, now it's reversed and getting worse (because of the ubiquity of debit cards, and those stupid commercials that try to make people feel bad for paying cash...how stupid is that?). I'm seriously considering giving a cash discount just to avoid or reduce the:

                  1) costs of cc transactions
                  2) the hassle of securely storing so

                  • Just make sure you do it as a "discount for cash", not a "fee for CCs". The former, your merchant account is fine, the latter, you can be severely slapped. And by slapped I mean a fine levied by your merchant provider / revocation of your merchant facility.
                    • Yeah, I'm aware. What's amazing is how many small shops do charge a fee, or a minimum amount, both of which are violations of the merchant agreement. I'm always curious how they get away with it... probably no one bothers to report it and life goes on.

      • Everyone pays. Consumers deal with losses and ID theft, merchants deal with lost customers and higher fees and time to deal with the issue, acquirers and issuers pay fines and fees and hire people to work the issues and fix the problems, the card brands have to pay people to sort through the problem, ensure the current regulations were adequate and who is at fault, hire lobbyists to keep themselves from being slammed in Washington. Everybody, at all points of the industry, loses.

      • Given how much it costs merchants when someone issues a chargeback (they lose the money they got paid for the goods, they likely lose the goods AND they have to pay fees to Visa/MC/etc), why aren't the merchants doing more to pick up on fraudulent transactions? And why aren't they doing more to apply pressure to Visa/MC/etc to change the rules (e.g. get rid of the rules that make it harder for them to do ID checks etc to pick up the fraud)?

        I have no clue how much money, say, Wal-Mart is out annually becaus

    • "When stuff like this happens, it is not the consumers who end up paying, but Visa / MC - who end up putting pressure on these guys to get their act together"

      It's the consumers who pay for it with higher charges to pay for things like the chip-and-pin upgrade. Similar to how the consumers pay for shop-lifting ..
  • by rs232 (849320) on Tuesday January 20, 2009 @03:42PM (#26535657)
    What's needed is a totally new kind of online financial transaction system. One that doesn't use card numbers. A dongle on the client connects to the server, generates a one-time session key, identifies itself to the server and displays a random PIN code; the customer then types it in to verify the transaction. The session is encrypted and the data sent can only be used for the one transaction, no repeat man-in-the-middle hacks ..
    • Please mod parent up. I have mod points, but posted elsewhere. Having just gone through PCI compliance (which is frankly a joke), there needs to be a better system out there.

    • I was just thinking the same thing today. Blizzard is offering this for WOW players to protect accounts. A loss in convenience is a small price to pay at this point to address the ever growing insecurity (not to mention costs to businesses) of the credit card system.

    • by the_olo (160789)

      That's what EMV [wikipedia.org] and chip and PIN [wikipedia.org] with end-to-end encryption [wikipedia.org] is generally all about. All that US companies need to do is stop postponing it and finally make the switch to that technology like companies in many other countries already did.

    • by jrumney (197329)
      Not quite what you are suggesting since it doesn't connect to the client PC, so there's a lot more data entry required of the user, but these devices [barclays.co.uk], widely deployed by UK banks, have a feature where they can sign transaction amounts and destinations. Some banks' terms and conditions hint that their use might be extended to online shopping in the near future, which would be a great improvement over the horribly insecure "click here to change your password using the information that any fraudster already has"
      • by jc42 (318812)

        Hmmm ... I walked through the Barclays demo pages, and one thing I noticed was that the URL always started with "http://". So what's to prevent my ISP or anyone else along the data path from extracting all the data from the packets and adding it to their database? In particular, I noticed that the protocol involved typing in the recipient's account number and name, which could be useful data to anyone watching the conversation.
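A sketch of the transaction-signing idea in the posts above (a device that binds a one-time code to the amount and destination so the code is useless for any other transaction), added here as an example; it is not Barclays', Blizzard's or any bank's protocol. Assumed: a per-card secret shared between device and issuer at enrolment, a fresh issuer nonce per transaction, and a 6-digit code truncated from an HMAC.

```python
import hashlib
import hmac
import secrets


def transaction_code(key: bytes, nonce: str, amount_cents: int, dest: str) -> str:
    """What the device computes from the details shown on its own display.
    The nonce, amount and destination are all inside the MAC, so a code is
    valid for exactly one transaction with exactly these details."""
    msg = f"{nonce}|{amount_cents}|{dest}".encode()
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


class Issuer:
    """Bank side (hypothetical): holds the device secrets and open transactions."""

    def __init__(self):
        self.keys = {}      # card_id -> secret provisioned into the device
        self.pending = {}   # nonce -> (card_id, amount_cents, dest)

    def enrol(self, card_id: str) -> bytes:
        key = secrets.token_bytes(32)
        self.keys[card_id] = key
        return key

    def start(self, card_id: str, amount_cents: int, dest: str) -> str:
        nonce = secrets.token_hex(8)
        self.pending[nonce] = (card_id, amount_cents, dest)
        return nonce

    def verify(self, nonce: str, code: str) -> bool:
        tx = self.pending.pop(nonce, None)   # consumed on first use: no replay
        if tx is None:
            return False
        card_id, amount_cents, dest = tx
        expected = transaction_code(self.keys[card_id], nonce, amount_cents, dest)
        return hmac.compare_digest(expected, code)


def demo():
    """Returns (honest transaction ok, replay rejected?, altered destination rejected?)."""
    issuer = Issuer()
    key = issuer.enrol("card-1")            # the device carries a copy of key
    nonce = issuer.start("card-1", 4999, "ACCT-12345")
    code = transaction_code(key, nonce, 4999, "ACCT-12345")   # user types this in
    ok = issuer.verify(nonce, code)
    replay = issuer.verify(nonce, code)     # same code again: nonce already spent
    # The destination is changed on the wire but the device signed what the user saw,
    # so the code the user typed no longer matches what the issuer recorded.
    nonce2 = issuer.start("card-1", 4999, "ACCT-99999")
    tampered = issuer.verify(nonce2, transaction_code(key, nonce2, 4999, "ACCT-12345"))
    return ok, replay, tampered


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```

Because the destination and amount are in the MAC, the plaintext-HTTP observation above still matters for privacy but not for forging a transfer: an observer sees one code that has already been consumed.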

    • The technology exists. The US credit card companies have zero incentive to implement it. They pass off all the costs of fraud to mostly their merchants and occasionally their cardholders.

      A well-funded insurgent could start making some headway, but then they'd finally have reason to switch. So, good luck getting that company funded.

  • storing this information?
    • by ducomputergeek (595742) on Tuesday January 20, 2009 @03:56PM (#26535969)

      Because they are the ones processing the transactions. We don't use Heartland, but when we take online orders through our website, we don't store the credit card information, our CC processor does. The processors are the ones that actually run the transactions, take money from the customer's account, take a percentage, then deposit to the merchant's account. And they have to keep records of all that.

      In order for CC payment to work someone has to store that data somewhere.

      • by Repton (60818)

        This happened to a processing company called CardSystems a few years ago. After that, it came out that "CardSystems had been keeping data that it was contractually obligated to delete" (quoting wikipedia [wikipedia.org]) and it led to VISA and MasterCard firing the company.

        So what is different here?

    • Re: (Score:3, Informative)

      by cbiltcliffe (186293)

      I don't think they were necessarily storing it, from the press release. To me, it basically says a network sniffer picked up network traffic on the wire. That can happen whether you store the info or not.

      • by bwindle2 (519558)
        Maybe they sniffed something, but the Payment Card Industry Data Security Standards, which I'm sure someone as large as these guys must be forced to comply with and get regularly audited to, clearly requires all card-holder data be encrypted, either while on-disk or on-wire.
  • This is BS. Anyone with a card terminal can key the number in, or the card could be cloned. I discovered that FIA categorizes keying the number into the terminal as a "card present" transaction, when I tried to dispute an unrecognized charge. They then use this as a reason that the charge was legitimate, even when the card was not in fact present.

  • AVS is not necessary to process a transaction.
    Anyone with a merchant account has the full ability to control their scrub by adjusting their AVS settings, from full matching, partial or none at all.

  • We have been going through these issues for years. These problems are not created by consumers, but by the companies that want to legitimately take their funds in return for goods, yet the consumers wind up having their share of problems from this.

    At some point facial, iris, thumbprint readers (of pattern or blood vessels) or something is going to have to be implemented.

    Given that most computers/cellphones have cameras now, when will it happen?

  • "The nature of the [breach] is such that card-not-present transactions are actually quite difficult for the bad guys to do because one piece of information we know they did not get was an address."

    Hah.

    Addresses in card-not-present transactions can in fact be gotten, and if they use AVS then at the least the AVS data is readily available.

    In other words, you're getting pwned even if it was card-not-present.

    For those not in the know, most Internet transactions, phone orders, mail orders, and eBay/PayPal transc

  • by WillAffleckUW (858324) on Tuesday January 20, 2009 @05:40PM (#26537893) Homepage Journal

    Those who claim to be perfect but never admit mistakes usually are covering up for massive mistakes.

    And the missing million emails we know of are just the observable symptom, as are the transactions in this health data breach.

    The old truisms of data security still apply:

    1. It's usually insiders that provided or passed on information used to get access.

    2. Those who cover up problems only create even larger problems, due to the system of trust.

    3. You can stop 99 percent of attacks with reasonable security measures, but a determined attacker willing to use human intelligence methods will almost always get through the other 1 percent - the trick is knowing what measures will dissuade the 99 percent and implementing those, and using reporting to discover the other 1 percent instead of measures that will be defeated anyway.

  • Why are we assuming 100 million transactions?

    TFA says "100 million transactions per month". But they have no idea how long the malware was in place. It could have been a week; that's 25 million transactions. It could have been six months. Hell, the TJX breach happened over the course of several years (although they weren't stealing data continuously). It sounds like it'll definitely be big, and it could be the biggest ever (TJX clocks in at around 45 million transactions stolen), but we don't have any i

  • "The nature of the [breach] is such that card-not-present transactions are actually quite difficult for the bad guys to do because one piece of information we know they did not get was an address."

    So... of the 300-million-plus transactions they KNOW have been exposed, NONE of them were card-not-present(CNP) transactions that included address verification data?

    Address verification data might not be enough for identify theft -- but then it might -- but it SURE as hell is enough to forge more CNP transactions.
