Democratic Underground Latest Greatest Lobby Journals Search Options Help Login
Google

Millions May Be At Risk Of Credit, Debit Fraud After Security Breach{Heartland Payment Systems)

Printer-friendly format Printer-friendly format
Printer-friendly format Email this thread to a friend
Printer-friendly format Bookmark this thread
This topic is archived.
Home » Discuss » Latest Breaking News Donate to DU
 
OhioChick Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Jan-21-09 04:19 PM
Original message
Millions May Be At Risk Of Credit, Debit Fraud After Security Breach{Heartland Payment Systems)
Edited on Wed Jan-21-09 04:19 PM by OhioChick
Source: Newsnet5.com

4:25 pm EST January 21, 2009

PRINCETON, N.J. -- A massive security breach at a major processing company in New Jersey has exposed millions of credit and debit cardholders to the risk of fraud.

Heartland Payment Systems disclosed the data breach Monday. It is believed hackers used sniffer software to capture credit card data once a consumer's card was swiped, reported NewsChannel5's sister station WXYZ.

Customers of Visa, MasterCard, American Express and Discover may be vulnerable to the risk.

The Secret Service is investigating the breach and suspects an international ring of hackers is responsible.

Analysts fear the breach could lead to hundreds of millions in losses.

The processing company has created a Web site to provide cardholders with more information.

For more information go to Heartland Payment Systems' Web site.

Read more: http://www.newsnet5.com/money/18531072/detail.html
Printer Friendly | Permalink |  | Top
kimmerspixelated Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Jan-21-09 04:25 PM
Response to Original message
1. When is this crap gonna stop???!!!
Printer Friendly | Permalink |  | Top
 
Donnachaidh Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Jan-21-09 05:02 PM
Response to Reply #1
2. Those companies would certainly get their shit together if THEY
were held personally responsible for each and every identity stolen from their database. Not only for the amounts stolen, but the cost of cleaning up EVERY credit rating that takes a hit.
Printer Friendly | Permalink |  | Top
 
Mike 03 Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Jan-21-09 05:31 PM
Response to Original message
3. "For more information go to Heartlan Payment Systems' Web site."
I'm staring at it right now. There's no information whatsoever about this story. Just ads for how brilliant and secure they are.
Printer Friendly | Permalink |  | Top
 
pipi_k Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Jan-21-09 05:34 PM
Response to Original message
4. I found out yesterday that I was one of those people
There were nine (maybe more) fraudulent charges on my Chase Bank Visa.

Chase called me yesterday to report a fraud alert. I called back and went over the charges with someone and my account will be canceled and I'll get a new card.

All yesterday I drove myself nuts wondering how someone could have gotten my information...then today I read that article about the credit card hacking. At least now I know I wasn't singled out by someone who stole my information in a store or something, although I usually use my debit card when I shop at RL stores.

One thing I'm glad of is that I keep track of every charge I make on each of my cards in a little notebook, then check them against my bills when they come in. These charges didn't happen until after 1-04-09, so I wouldn't have noticed them until next month if Chase hadn't called me first.

It just feels really creepy. :(

Printer Friendly | Permalink |  | Top
 
Robbien Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Jan-21-09 05:47 PM
Response to Reply #4
5. Yesterday's article said that the majority of the leaks were for restaurants

But of course none of the articles are providing names of stores/restaurants which are at risk. Might reduce their profits.

Gaah!
Printer Friendly | Permalink |  | Top
 
pipi_k Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Jan-21-09 06:03 PM
Response to Reply #5
9. Some of the places where mine was used were
GT Nutrition services, some Google site, iTunes, Netflix

no restaurants (yet)

But yeah...I just got done reading an article that said up to 40% of transactions were at restaurants.


I'm hoping Chase sends me a statement that I can actually read and check against my little notebook.




PS..well, they were quick about closing my account, thank goodness...just tried to check my online statement and there's no information there.
Printer Friendly | Permalink |  | Top
 
Robbien Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Jan-21-09 06:10 PM
Response to Reply #9
11. Last year about this time my Chase credit card number was also hijacked

Never did find out where the thief got it.

The statement had pages and pages of charges. Chase was good and fast about removing the charges and closing the account and sent a replacement card within just a couple of days.

It was pretty unsettling.
Printer Friendly | Permalink |  | Top
 
all.of.me Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Jan-21-09 07:19 PM
Response to Reply #5
26. My favorite local restaurant had to close because of this.
They got sued after someone's identity was stolen from their credit card use at the restaurant, and they could not get out from under. So they closed. It was really sad.
Printer Friendly | Permalink |  | Top
 
DisgustipatedinCA Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Jan-21-09 05:56 PM
Response to Original message
6. I was a network engineer for a credit card processor
According to the article, the CEO says that the sniffer software was installed in an unencrypted area, that in order to make the request, the data had to be unencrypted. So I'm not sure exactly what they did, but I can say with some certainty that they broke a cardinal rule somewhere or another. The general idea is to have private circuits (lines) from customers (gas stations, shoe stores, department stores, you name it) coming in to mainframes or minis or whatever they use to process payments. Traffic remains encrypted from the point of sale, through the private circuits, and typically to a firewall that, in addition to its standard firewall duties, terminates the encrypted session. This is then sent to another firewall that sits in front of the main processing equipment. Only certain source addresses with certain destination addresses and ports are permitted through the firewall. The processing equipment then must settle with the various card issuers. The same process applies: firewalls, encryption, etc on the way to the issuers. The only time/place where the data should be unencrypted is right at the settlement point, the mainframe(s), AS400's, or whatever. Moreover, I find myself wondering what sort of server was hijacked and had the sniffer software installed. Even with sniffer software installed, in a switched network (which Heartland would most certainly have), one machine still cannot sniff traffic on the entire segment. Network switches would need to be specifically configured to permit the hijacked server to listen to traffic on other switchports (port spanning is the common name of the technology used here).

This makes me wonder if the hackers got root access on one of the actual settlement machines. Any way you slice it, it's a horrible data security failure. I'm guessing that whomever performed their last security audit is brushing up on their resume, and the network people may not be far behind.
Printer Friendly | Permalink |  | Top
 
pipi_k Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Jan-21-09 06:09 PM
Response to Reply #6
10. Does this mean that
the three digit security code on the back of the card was also compromised?

Because yesterday when I thought it was just my card, I was thinking, well, at least it's not like someone could go around using my cc number all over the place because there are some places where you have to provide that three digit code and, of course, it can't be done unless the person has the card in front of him/her.

Now I guess that's not even true if all the information was hacked?


They're saying that addresses, DOB, and SS#s were NOT stolen, but I dunno if I trust them...

:scared:
Printer Friendly | Permalink |  | Top
 
hughee99 Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Jan-21-09 07:08 PM
Response to Reply #6
23. Inside job perhaps?
If I recall correctly, TJX (TJ Maxx, Marshall, etc parent company that was hacked last year) started out by saying that it was hackers but eventually said that there were inside personnel involved.

Also, If I recall, they didn't tell the customers until months after they found out number had been stolen (just after Holiday shopping season).
Printer Friendly | Permalink |  | Top
 
ChromeFoundry Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Jan-21-09 07:34 PM
Response to Reply #6
30. I bet they hacked a load balancer, or
they are using something like a software based firewall. Most of the bigger processing houses allow encrypted sockets directly over an Internet connection. I haven't seen someone put in a dedicated line for CC processing in quite a while.
Printer Friendly | Permalink |  | Top
 
Duer 157099 Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Jan-21-09 06:01 PM
Response to Original message
7. And remember Obama promises that all health records will be "online"
Can't wait.
Printer Friendly | Permalink |  | Top
 
pipi_k Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Jan-21-09 06:15 PM
Response to Reply #7
12. Well, I can see your point, but
the same can happen even without records being online.

Some time ago a local bank got into trouble for dumping its financial records in a dumpster without shredding them first.

There are probably loads of medical facilities that are guilty of the same thing.

I used to work in the data processing dept of an HMO and we saw literally thousands of medical records pass through, but we were very serious about patient confidentiality and shredding stuff after it had gone into the computer system. I'm not so sure about other places, though....

people are just plain lazy and don't want to take the time to shred stuff, figuring nobody's going to bother going through the dumpsters.

Hah...little do they know!

Printer Friendly | Permalink |  | Top
 
Duer 157099 Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Jan-21-09 06:20 PM
Response to Reply #12
13. I would much rather take the risk of a dumpster diver finding hard copies
than the risk inherent with digitized networked data. Any day.

It's a huge clusterfuck just waiting to happen. The insurance companies are salivating right now.
Printer Friendly | Permalink |  | Top
 
OhioChick Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Jan-21-09 06:29 PM
Response to Reply #7
15. Bad, bad idea.
Imagine about all the "breaches" you'll be hearing about then.
Insurance companies would pay big bucks to see who is relatively healthy and who has pre-existing conditions.

A nightmare waiting to happen.
Printer Friendly | Permalink |  | Top
 
Justyce Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Jan-21-09 06:35 PM
Response to Reply #15
18. I agree. I don't know what he's thinking on this one...
Printer Friendly | Permalink |  | Top
 
high density Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Jan-21-09 06:34 PM
Response to Reply #7
17. Welcome to 2009.
These records already exist in databases and it's about linking them up for better, more efficient medicine. Obviously that is a great task to make secure, but it can be done.
Printer Friendly | Permalink |  | Top
 
Duer 157099 Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Jan-21-09 06:42 PM
Response to Reply #17
19. Awww, how cute and novel, being sold the "better, more efficient" story
I know the story, we all do.

And I beg to differ about the security: it CANNOT be done. They can have 99.9% success rate, but a failure rate of 0.1% is FAILURE, especially if it is YOUR data.

C'mon, this isn't even an honest debate, we all know where this goes.

Printer Friendly | Permalink |  | Top
 
high density Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Jan-21-09 06:51 PM
Response to Reply #19
20. Yeah you're right and I'm wrong
Let's delete everything and go back to paper, because that can never be lost or stolen.
Printer Friendly | Permalink |  | Top
 
Duer 157099 Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Jan-21-09 07:02 PM
Response to Reply #20
21. It's about the data being networked, not digitized
and it's not a personal attack on you or your opinion.

Obama has made a clear point of saying he intends for all medical records to be "ONLINE" as in "networked" - a far cry from the data being digitized, as it almost certainly all is currently.

Printer Friendly | Permalink |  | Top
 
OhioChick Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Jan-21-09 07:06 PM
Response to Reply #21
22. It doesn't matter.....won't happen anytime soon.
Edited on Wed Jan-21-09 07:07 PM by OhioChick
No enough money allocated for such a project.

"Obama's national health records system will be costly, daunting"

"And while he has pledged to invest $10 billion a year over the next five years on the effort, the price tag for such a system could be closer to $100 billion over the next 10 years, according to experts. They also note that sticking to his five-year timetable could prove to be daunting."

http://www.computerworld.com/action/article.do?command=...


Printer Friendly | Permalink |  | Top
 
Duer 157099 Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Jan-21-09 07:15 PM
Response to Reply #22
24. Good. I hope they scrap the project rather than try to do it on the cheap
because if they do go ahead with it, they damn well better plan to do it as best they can. The worst compromise would be to cheap-out on a project like this.

Better to abandon it altogether.

Good news. Thanks. :thumbsup:
Printer Friendly | Permalink |  | Top
 
OhioChick Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Jan-21-09 07:17 PM
Response to Reply #24
25. You're right...
Better to do it "right" with the proper funding instead of "on the cheap."
Printer Friendly | Permalink |  | Top
 
fascisthunter Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Jan-21-09 06:02 PM
Response to Original message
8. Is There any Accountability for These Breaches?
I mean, will this company itself be held responsible, because they should be?
Printer Friendly | Permalink |  | Top
 
1776Forever Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Jan-21-09 06:25 PM
Response to Original message
14. I bet this is what happen to me - Charge of $15.99 came from nowhere - bank paid me back.
But it was a pain to make the phone calls and report where I last used my card. The bank did tell me it was used in CA and I am in Ohio and wasn't near CA that day.

Check your bank records closely for sure!
Printer Friendly | Permalink |  | Top
 
bluesmail Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Jan-21-09 06:30 PM
Response to Original message
16. The Last Hurrah? I hope so. n/t
Printer Friendly | Permalink |  | Top
 
wildflowergardener Donating Member (863 posts) Send PM | Profile | Ignore Wed Jan-21-09 07:19 PM
Response to Original message
27. A little confused
The website really doesn't tell you anything. Am I correct that your number would have been taken when you swiped the card somewhere, so it would be based on where you shop, rather than having a certain type of card?

Would this only be cards you have used recently - do you think?

Meg
Printer Friendly | Permalink |  | Top
 
JayMusgrove Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Jan-21-09 07:23 PM
Response to Original message
28. How about we all have to show a thumb print to buy anything, which will be matched to.;;;
Edited on Wed Jan-21-09 07:24 PM by JayMusgrove
Whatever is on record for our thumb in a central data file.

Oh, yeah, it won't work for on-line purchases, but hey, for on-line purchases you might have to take a phone call to confirm your purchase before it is sent. Slows the system down some, but would get rid of all possible data fraud if you have to verify your purchase with a thumb print at point of sale, or take a call on your home phone to get something on-line.

This seems like banks and credit card companies just want to claim they were hacked so the feds will bail them out. IMO
Printer Friendly | Permalink |  | Top
 
IndianaGreen Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Jan-21-09 07:24 PM
Response to Original message
29. No merchant information or cardholder Social Security numbers compromised.
This is what they claim, but I would take it with a grain of salt:

No merchant data or cardholder Social Security numbers, unencrypted personal identification numbers (PIN), addresses or telephone numbers were involved in the breach. Nor were any of Heartland's check management systems; Canadian, payroll, campus solutions or micropayments operations; Give Something Back Network; or the recently acquired Network Services and Chockstone processing platforms.

After being alerted by Visa and MasterCard of suspicious activity surrounding processed card transactions, Heartland enlisted the help of several forensic auditors to conduct a thorough investigation into the matter. Last week, the investigation uncovered malicious software that compromised data that crossed Heartland's network.

Heartland immediately took a number of steps to further secure its systems. In addition, Heartland will implement a next-generation program designed to flag network anomalies in real-time and enable law enforcement to expeditiously apprehend cyber criminals.

http://2008breach.com /
Printer Friendly | Permalink |  | Top
 
Mnemosyne Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Jan-22-09 10:39 AM
Response to Original message
31. 251,164,141 since January 2005. TIA lived, as we now know.
TOTAL number of records containing sensitive personal information
involved in security breaches in the U.S. since January 2005.

Jan. 10, 2005 George Mason University
(Fairfax, VA) Names, photos, and Social Security numbers of 32,000 students and staff were compromised because of a hacker attack on the university's main ID server. 32,000

http://www.privacyrights.org/ar/ChronDataBreaches.htm

I was hit in 2005 through my credit union debit card.
Printer Friendly | Permalink |  | Top
 
DU AdBot (1000+ posts) Click to send private message to this author Click to view 
this author's profile Click to add 
this author to your buddy list Click to add 
this author to your Ignore list Thu Apr 17th 2014, 02:16 PM
Response to Original message
Advertisements [?]
 Top

Home » Discuss » Latest Breaking News Donate to DU

Powered by DCForum+ Version 1.1 Copyright 1997-2002 DCScripts.com
Software has been extensively modified by the DU administrators


Important Notices: By participating on this discussion board, visitors agree to abide by the rules outlined on our Rules page. Messages posted on the Democratic Underground Discussion Forums are the opinions of the individuals who post them, and do not necessarily represent the opinions of Democratic Underground, LLC.

Home  |  Discussion Forums  |  Journals |  Store  |  Donate

About DU  |  Contact Us  |  Privacy Policy

Got a message for Democratic Underground? Click here to send us a message.

© 2001 - 2011 Democratic Underground, LLC