Democratic Underground Latest Greatest Lobby Journals Search Options Help Login
Google

Visa, MasterCard, AmEx, Discover Customers Vulnerable In Massive Credit Card Data Theft

Printer-friendly format Printer-friendly format
Printer-friendly format Email this thread to a friend
Printer-friendly format Bookmark this thread
This topic is archived.
Home » Discuss » Archives » General Discussion (1/22-2007 thru 12/14/2010) Donate to DU
 
babylonsister Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Jan-21-09 05:22 PM
Original message
Visa, MasterCard, AmEx, Discover Customers Vulnerable In Massive Credit Card Data Theft

Credit Card Processor Says Some Data Was Stolen

By ERIC DASH and BRAD STONE
Published: January 20, 2009


Heartland Payment Systems, a major payment processing company, disclosed a data breach on Monday that potentially exposed tens of millions of credit and debit cardholders to the risk of fraud in what could quickly become one of the countrys biggest data compromises.

Robert H. B. Baldwin Jr., Heartlands president and chief financial officer, said that his company believed the card numbers, expiration dates, and in some cases cardholder names were exposed after attacks on its computer systems at the one point where data had been unencrypted.

Once consumers swiped their cards, so-called sniffer software captured that data as Heartland sought authorization from the major payment companies and banks. Customers of Visa, MasterCard, American Express and Discover Financial were all vulnerable.

We have industry-leading encryption, but the data has to be unencrypted to request the information, Mr. Baldwin said. The sniffer was able to grab that authorization data at that point.

more...

http://www.nytimes.com/2009/01/21/technology/21breach.h...
Printer Friendly | Permalink |  | Top
joeunderdog Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Jan-21-09 05:27 PM
Response to Original message
1. Companies should be liable for any damages.
And not just charges on their own company card. Is there case law regarding exposure to companies for ID theft resulting from unauthorized disclosure? I've never heard of anyone being compensated.
Printer Friendly | Permalink |  | Top
 
Mike 03 Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Jan-21-09 05:33 PM
Response to Original message
2. This could be a disaster. And the Heartland Payment Systems website is of
absolutely no use whatsoever. Just a bunch of platitudes about how trustworthy and reliable they are.
Printer Friendly | Permalink |  | Top
 
MadHound Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Jan-21-09 05:52 PM
Response to Original message
3. One of many reasons people need to go to a cash/check/debit card basis
And cut up their credit cards for good. I've never had a card and never had to deal with the stress and anxiety that goes with one. My life is better for it, since I don't have to pay out extra money, stay within my budget, and don't have to deal with shit like this.
Printer Friendly | Permalink |  | Top
 
DisgustipatedinCA Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Jan-21-09 05:58 PM
Response to Reply #3
5. Debit card authorization goes through the same facilities n/t
.
Printer Friendly | Permalink |  | Top
 
onethatcares Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Jan-21-09 05:56 PM
Response to Original message
4. how soon will they need bail out money to help them?
of course they'll say that the breach of their software has cost them millions if not billions and if they fail, there goes the credit card industry.

Printer Friendly | Permalink |  | Top
 
DisgustipatedinCA Donating Member (1000+ posts) Send PM | Profile | Ignore Wed Jan-21-09 06:00 PM
Response to Original message
6. cross-posted from LBN
I was a network engineer for a payment processing company. Fortunately, I'm now a network engineer in an entirely different line of business. According to the article, the CEO says that the sniffer software was installed in an unencrypted area, that in order to make the request, the data had to be unencrypted. So I'm not sure exactly what they did, but I can say with some certainty that they broke a cardinal rule somewhere or another. The general idea is to have private circuits (lines) from customers (gas stations, shoe stores, department stores, you name it) coming in to mainframes or minis or whatever they use to process payments. Traffic remains encrypted from the point of sale, through the private circuits, and typically to a firewall that, in addition to its standard firewall duties, terminates the encrypted session. This is then sent to another firewall that sits in front of the main processing equipment. Only certain source addresses with certain destination addresses and ports are permitted through the firewall. The processing equipment then must settle with the various card issuers. The same process applies: firewalls, encryption, etc on the way to the issuers. The only time/place where the data should be unencrypted is right at the settlement point, the mainframe(s), AS400's, or whatever. Moreover, I find myself wondering what sort of server was hijacked and had the sniffer software installed. Even with sniffer software installed, in a switched network (which Heartland would most certainly have), one machine still cannot sniff traffic on the entire segment. Network switches would need to be specifically configured to permit the hijacked server to listen to traffic on other switchports (port spanning is the common name of the technology used here).

This makes me wonder if the hackers got root access on one of the actual settlement machines. Any way you slice it, it's a horrible data security failure. I'm guessing that whomever performed their last security audit is brushing up on their resume, and the network people may not be far behind.
Printer Friendly | Permalink |  | Top
 
DU AdBot (1000+ posts) Click to send private message to this author Click to view 
this author's profile Click to add 
this author to your buddy list Click to add 
this author to your Ignore list Sun Oct 26th 2014, 04:01 AM
Response to Original message
Advertisements [?]
 Top

Home » Discuss » Archives » General Discussion (1/22-2007 thru 12/14/2010) Donate to DU

Powered by DCForum+ Version 1.1 Copyright 1997-2002 DCScripts.com
Software has been extensively modified by the DU administrators


Important Notices: By participating on this discussion board, visitors agree to abide by the rules outlined on our Rules page. Messages posted on the Democratic Underground Discussion Forums are the opinions of the individuals who post them, and do not necessarily represent the opinions of Democratic Underground, LLC.

Home  |  Discussion Forums  |  Journals |  Store  |  Donate

About DU  |  Contact Us  |  Privacy Policy

Got a message for Democratic Underground? Click here to send us a message.

© 2001 - 2011 Democratic Underground, LLC