Millions May Be At Risk Of Credit, Debit Fraud After Security Breach (Heartland Payment Systems)

OhioChick Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Jan-21-09 05:19 PM
Original message
Millions May Be At Risk Of Credit, Debit Fraud After Security Breach (Heartland Payment Systems)
Edited on Wed Jan-21-09 05:19 PM by OhioChick
Source: Newsnet5.com

4:25 pm EST January 21, 2009

PRINCETON, N.J. -- A massive security breach at a major processing company in New Jersey has exposed millions of credit and debit cardholders to the risk of fraud.

Heartland Payment Systems disclosed the data breach Monday. It is believed hackers used sniffer software to capture credit card data once a consumer's card was swiped, reported NewsChannel5's sister station WXYZ.

Customers of Visa, MasterCard, American Express and Discover may be vulnerable to the risk.

The Secret Service is investigating the breach and suspects an international ring of hackers is responsible.

Analysts fear the breach could lead to hundreds of millions in losses.

The processing company has created a Web site to provide cardholders with more information.

For more information go to Heartland Payment Systems' Web site.

Read more: http://www.newsnet5.com/money/18531072/detail.html
kimmerspixelated Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Jan-21-09 05:25 PM
Response to Original message
1. When is this crap gonna stop???!!!
 
Donnachaidh Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Jan-21-09 06:02 PM
Response to Reply #1
2. Those companies would certainly get their shit together if THEY
were held personally responsible for each and every identity stolen from their database. Not only for the amounts stolen, but the cost of cleaning up EVERY credit rating that takes a hit.
 
Mike 03 Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Jan-21-09 06:31 PM
Response to Original message
3. "For more information go to Heartland Payment Systems' Web site."
I'm staring at it right now. There's no information whatsoever about this story. Just ads for how brilliant and secure they are.
 
pipi_k Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Jan-21-09 06:34 PM
Response to Original message
4. I found out yesterday that I was one of those people
There were nine (maybe more) fraudulent charges on my Chase Bank Visa.

Chase called me yesterday to report a fraud alert. I called back and went over the charges with someone and my account will be canceled and I'll get a new card.

All yesterday I drove myself nuts wondering how someone could have gotten my information...then today I read that article about the credit card hacking. At least now I know I wasn't singled out by someone who stole my information in a store or something, although I usually use my debit card when I shop at RL stores.

One thing I'm glad of is that I keep track of every charge I make on each of my cards in a little notebook, then check them against my bills when they come in. These charges didn't happen until after 1-04-09, so I wouldn't have noticed them until next month if Chase hadn't called me first.

It just feels really creepy. :(

 
Robbien Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Jan-21-09 06:47 PM
Response to Reply #4
5. Yesterday's article said that the majority of the leaks were for restaurants

But of course none of the articles are providing names of stores/restaurants which are at risk. Might reduce their profits.

Gaah!
 
pipi_k Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Jan-21-09 07:03 PM
Response to Reply #5
9. Some of the places where mine was used were
GT Nutrition services, some Google site, iTunes, Netflix

no restaurants (yet)

But yeah...I just got done reading an article that said up to 40% of transactions were at restaurants.

I'm hoping Chase sends me a statement that I can actually read and check against my little notebook.

PS..well, they were quick about closing my account, thank goodness...just tried to check my online statement and there's no information there.
 
Robbien Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Jan-21-09 07:10 PM
Response to Reply #9
11. Last year about this time my Chase credit card number was also hijacked

Never did find out where the thief got it.

The statement had pages and pages of charges. Chase was good and fast about removing the charges and closing the account and sent a replacement card within just a couple of days.

It was pretty unsettling.
 
all.of.me Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Jan-21-09 08:19 PM
Response to Reply #5
26. My favorite local restaurant had to close because of this.
They got sued after someone's identity was stolen from their credit card use at the restaurant, and they could not get out from under. So they closed. It was really sad.
 
DisgustipatedinCA Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Jan-21-09 06:56 PM
Response to Original message
6. I was a network engineer for a credit card processor
According to the article, the CEO says that the sniffer software was installed in an unencrypted area, that in order to make the request, the data had to be unencrypted. So I'm not sure exactly what they did, but I can say with some certainty that they broke a cardinal rule somewhere or another.

The general idea is to have private circuits (lines) from customers (gas stations, shoe stores, department stores, you name it) coming in to mainframes or minis or whatever they use to process payments. Traffic remains encrypted from the point of sale, through the private circuits, and typically to a firewall that, in addition to its standard firewall duties, terminates the encrypted session. This is then sent to another firewall that sits in front of the main processing equipment. Only certain source addresses with certain destination addresses and ports are permitted through the firewall. The processing equipment then must settle with the various card issuers. The same process applies: firewalls, encryption, etc. on the way to the issuers. The only time/place where the data should be unencrypted is right at the settlement point, the mainframe(s), AS/400s, or whatever.

Moreover, I find myself wondering what sort of server was hijacked and had the sniffer software installed. Even with sniffer software installed, in a switched network (which Heartland would most certainly have), one machine still cannot sniff traffic on the entire segment. Network switches would need to be specifically configured to permit the hijacked server to listen to traffic on other switchports (port spanning is the common name of the technology used here).

This makes me wonder if the hackers got root access on one of the actual settlement machines. Any way you slice it, it's a horrible data security failure. I'm guessing that whoever performed their last security audit is brushing up on their resume, and the network people may not be far behind.
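The post above makes the point that on a switched network a compromised host cannot sniff other ports unless a switch has been configured to mirror traffic to it (port spanning / SPAN), which gives defenders something concrete to audit. The script below is an added example, not code from the thread or from Heartland: it parses a constructed Cisco IOS-style running config for `monitor session` lines and flags every SPAN session that is not on an assumed approved list (the list stands in for a change-management record) or that mirrors to a port other than the approved one.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample running-config excerpt in Cisco IOS style (not from a real device).
SAMPLE_CONFIG = """\
hostname core-sw-01
!
monitor session 1 source interface Gi1/0/10 - 12 both
monitor session 1 destination interface Gi1/0/48
!
monitor session 2 source vlan 20 rx
monitor session 2 destination interface Gi1/0/47
!
monitor session 3 source interface Gi1/0/5
monitor session 3 destination interface Gi1/0/46
"""

# Assumed change-management record: session id -> approved destination (the IDS tap port).
APPROVED = {1: "Gi1/0/48"}

SESSION_RE = re.compile(
    r"^monitor session (?P<id>\d+) (?P<kind>source|destination) (?P<rest>.+)$")

@dataclass
class MonitorSession:
    session_id: int
    sources: list = field(default_factory=list)   # raw 'source ...' clauses
    destination: Optional[str] = None             # port that receives mirrored traffic

def parse_monitor_sessions(config_text: str) -> dict:
    """Group 'monitor session N ...' lines by session id."""
    sessions = {}
    for line in config_text.splitlines():
        m = SESSION_RE.match(line.strip())
        if not m:
            continue
        sid = int(m.group("id"))
        sess = sessions.setdefault(sid, MonitorSession(sid))
        if m.group("kind") == "source":
            sess.sources.append(m.group("rest"))
        else:
            sess.destination = m.group("rest").split()[-1]  # 'interface X' -> X
    return sessions

def audit_span(config_text: str, approved: dict) -> list:
    """One finding per SPAN session that is unapproved or mirrors to the wrong port."""
    findings = []
    for sid, sess in sorted(parse_monitor_sessions(config_text).items()):
        if sid not in approved:
            findings.append(f"session {sid}: unapproved SPAN to {sess.destination} "
                            f"from {', '.join(sess.sources)}")
        elif sess.destination != approved[sid]:
            findings.append(f"session {sid}: destination {sess.destination} != "
                            f"approved {approved[sid]}")
    return findings

if __name__ == "__main__":
    for finding in audit_span(SAMPLE_CONFIG, APPROVED):
        print("FINDING", finding)
```

Run against a real export of `show running-config`, the same check also catches a mirror session whose destination was quietly moved from the IDS tap to some other port.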
 
pipi_k Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Jan-21-09 07:09 PM
Response to Reply #6
10. Does this mean that
the three digit security code on the back of the card was also compromised?

Because yesterday when I thought it was just my card, I was thinking, well, at least it's not like someone could go around using my cc number all over the place because there are some places where you have to provide that three digit code and, of course, it can't be done unless the person has the card in front of him/her.

Now I guess that's not even true if all the information was hacked?

They're saying that addresses, DOB, and SS#s were NOT stolen, but I dunno if I trust them...

:scared:
 
hughee99 Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Jan-21-09 08:08 PM
Response to Reply #6
23. Inside job perhaps?
If I recall correctly, TJX (TJ Maxx, Marshalls, etc. parent company that was hacked last year) started out by saying that it was hackers but eventually said that there were inside personnel involved.

Also, if I recall, they didn't tell the customers until months after they found out numbers had been stolen (just after the holiday shopping season).
 
ChromeFoundry Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Jan-21-09 08:34 PM
Response to Reply #6
30. I bet they hacked a load balancer, or
they are using something like a software based firewall. Most of the bigger processing houses allow encrypted sockets directly over an Internet connection. I haven't seen someone put in a dedicated line for CC processing in quite a while.
 
Duer 157099 Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Jan-21-09 07:01 PM
Response to Original message
7. And remember Obama promises that all health records will be "online"
Can't wait.
 
pipi_k Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Jan-21-09 07:15 PM
Response to Reply #7
12. Well, I can see your point, but
the same can happen even without records being online.

Some time ago a local bank got into trouble for dumping its financial records in a dumpster without shredding them first.

There are probably loads of medical facilities that are guilty of the same thing.

I used to work in the data processing dept of an HMO and we saw literally thousands of medical records pass through, but we were very serious about patient confidentiality and shredding stuff after it had gone into the computer system. I'm not so sure about other places, though....

People are just plain lazy and don't want to take the time to shred stuff, figuring nobody's going to bother going through the dumpsters.

Hah...little do they know!

 
Duer 157099 Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Jan-21-09 07:20 PM
Response to Reply #12
13. I would much rather take the risk of a dumpster diver finding hard copies
than the risk inherent with digitized networked data. Any day.

It's a huge clusterfuck just waiting to happen. The insurance companies are salivating right now.
 
OhioChick Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Jan-21-09 07:29 PM
Response to Reply #7
15. Bad, bad idea.
Imagine about all the "breaches" you'll be hearing about then.
Insurance companies would pay big bucks to see who is relatively healthy and who has pre-existing conditions.

A nightmare waiting to happen.
 
Justyce Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Jan-21-09 07:35 PM
Response to Reply #15
18. I agree. I don't know what he's thinking on this one...
 
high density Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Jan-21-09 07:34 PM
Response to Reply #7
17. Welcome to 2009.
These records already exist in databases and it's about linking them up for better, more efficient medicine. Obviously that is a great task to make secure, but it can be done.
 
Duer 157099 Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Jan-21-09 07:42 PM
Response to Reply #17
19. Awww, how cute and novel, being sold the "better, more efficient" story
I know the story, we all do.

And I beg to differ about the security: it CANNOT be done. They can have 99.9% success rate, but a failure rate of 0.1% is FAILURE, especially if it is YOUR data.

C'mon, this isn't even an honest debate, we all know where this goes.

 
high density Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Jan-21-09 07:51 PM
Response to Reply #19
20. Yeah you're right and I'm wrong
Let's delete everything and go back to paper, because that can never be lost or stolen.
 
Duer 157099 Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Jan-21-09 08:02 PM
Response to Reply #20
21. It's about the data being networked, not digitized
and it's not a personal attack on you or your opinion.

Obama has made a clear point of saying he intends for all medical records to be "ONLINE" as in "networked" - a far cry from the data being digitized, as it almost certainly all is currently.

 
OhioChick Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Jan-21-09 08:06 PM
Response to Reply #21
22. It doesn't matter.....won't happen anytime soon.
Edited on Wed Jan-21-09 08:07 PM by OhioChick
Not enough money allocated for such a project.

"Obama's national health records system will be costly, daunting"

"And while he has pledged to invest $10 billion a year over the next five years on the effort, the price tag for such a system could be closer to $100 billion over the next 10 years, according to experts. They also note that sticking to his five-year timetable could prove to be daunting."

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9126279&intsrc=hm_list


 
Duer 157099 Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Jan-21-09 08:15 PM
Response to Reply #22
24. Good. I hope they scrap the project rather than try to do it on the cheap
because if they do go ahead with it, they damn well better plan to do it as best they can. The worst compromise would be to cheap-out on a project like this.

Better to abandon it altogether.

Good news. Thanks. :thumbsup:
 
OhioChick Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Jan-21-09 08:17 PM
Response to Reply #24
25. You're right...
Better to do it "right" with the proper funding instead of "on the cheap."
 
fascisthunter Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Jan-21-09 07:02 PM
Response to Original message
8. Is There any Accountability for These Breaches?
I mean, will this company itself be held responsible, because they should be?
 
1776Forever Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Jan-21-09 07:25 PM
Response to Original message
14. I bet this is what happened to me - Charge of $15.99 came from nowhere - bank paid me back.
But it was a pain to make the phone calls and report where I last used my card. The bank did tell me it was used in CA and I am in Ohio and wasn't near CA that day.

Check your bank records closely for sure!
 
bluesmail Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Jan-21-09 07:30 PM
Response to Original message
16. The Last Hurrah? I hope so. n/t
 
wildflowergardener Donating Member (863 posts) Send PM | Profile | Ignore Wed Jan-21-09 08:19 PM
Response to Original message
27. A little confused
The website really doesn't tell you anything. Am I correct that your number would have been taken when you swiped the card somewhere, so it would be based on where you shop, rather than having a certain type of card?

Would this only be cards you have used recently - do you think?

Meg
 
JayMusgrove Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Jan-21-09 08:23 PM
Response to Original message
28. How about we all have to show a thumb print to buy anything, which will be matched to...
Edited on Wed Jan-21-09 08:24 PM by JayMusgrove
Whatever is on record for our thumb in a central data file.

Oh, yeah, it won't work for on-line purchases, but hey, for on-line purchases you might have to take a phone call to confirm your purchase before it is sent. Slows the system down some, but would get rid of all possible data fraud if you have to verify your purchase with a thumb print at point of sale, or take a call on your home phone to get something on-line.

This seems like banks and credit card companies just want to claim they were hacked so the feds will bail them out. IMO
 
IndianaGreen Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Jan-21-09 08:24 PM
Response to Original message
29. No merchant information or cardholder Social Security numbers compromised.
This is what they claim, but I would take it with a grain of salt:

No merchant data or cardholder Social Security numbers, unencrypted personal identification numbers (PIN), addresses or telephone numbers were involved in the breach. Nor were any of Heartland's check management systems; Canadian, payroll, campus solutions or micropayments operations; Give Something Back Network; or the recently acquired Network Services and Chockstone processing platforms.

After being alerted by Visa® and MasterCard® of suspicious activity surrounding processed card transactions, Heartland enlisted the help of several forensic auditors to conduct a thorough investigation into the matter. Last week, the investigation uncovered malicious software that compromised data that crossed Heartland's network.

Heartland immediately took a number of steps to further secure its systems. In addition, Heartland will implement a next-generation program designed to flag network anomalies in real-time and enable law enforcement to expeditiously apprehend cyber criminals.

http://2008breach.com/
 
Mnemosyne Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Jan-22-09 11:39 AM
Response to Original message
31. 251,164,141 since January 2005. TIA lived, as we now know.
TOTAL number of records containing sensitive personal information
involved in security breaches in the U.S. since January 2005.

Jan. 10, 2005 George Mason University
(Fairfax, VA) Names, photos, and Social Security numbers of 32,000 students and staff were compromised because of a hacker attack on the university's main ID server. 32,000

http://www.privacyrights.org/ar/ChronDataBreaches.htm

I was hit in 2005 through my credit union debit card.
 