Posted on 01/21/2009 3:09:52 PM PST by xcamel
Identity thieves install spyware to monitor transactions from the inside
In a press release timed to coincide with the inauguration of President Barack Obama, credit card processor Heartland Payment Systems announced Tuesday that it suffered a grievous security breach sometime in 2008, allowing hackers the opportunity to steal credit card information on what is possibly more than 100 million accounts.
Heartland is the sixth largest payment processor in the country, and specializes in transaction processing for small-to-medium-sized restaurants and retailers. According to Wired’s Thread Level, it processes more than 100 million transactions a month.
Federal investigators determined the source of the breach only last week. Spyware installed somewhere on the company’s internal network that sniffed unencrypted credit card transactions as they passed through Heartland’s systems.
“Heartland believes the intrusion is [now] contained,” reads the press release.
Actual damage assessments are still in progress, and the real question is just how much data the malware was able to capture. Heartland CFO and president Robert Baldwin, in an interview with BankInfoSecurity.com, said his company was confident that the only data picked up was cardholders’ names and credit card numbers.
Baldwin would not speculate on the actual number of credit card accounts exposed. The company’s press release, however, could confirm that the breach had no effect on the company’s other services, which include payroll and check processing, micropayment solutions, and its “recently acquired” Network Services and Chockstone processing platforms. Similarly, cardholder’s addresses, PIN numbers, and other personal data were also unaffected.
The unknown hackers’ sniffers were able to pick up credit card numbers because the data is sent unencrypted over Heartland’s internal network, a policy that Baldin justified as necessary “to get the authorization request out.”
Late last month, various blogs reported a number of mysterious, fraudulent sub-25-cent transactions appearing on readers’ and bloggers’ credit card statements, coming from a nonexistent company called “Adele Services”. While it appears these events are unrelated, some consider the timing suspicious.
“There is no hard evidence that the company's data leak was responsible for the sudden surge of mysterious microtransaction fees we reported in early December,” writes Ars Technica’s Joel Hruska, “but the timing is extremely coincidental. The December attacks were never successfully attributed to any single company or credit card, but instead affected a seemingly unrelated group of people.”
“Heartland may — and I do stress may — have been the hidden link between them,” he said.
Swell....
Why couldn’t they hack in to find out who all the foreign and illegitimate donors to Obama were?
My thought EXACTLY! Would be VERY interesting if there was some connection with the Identity Theft there, the microtransactions, and the mysterious sources of money flowing to the Obama campaign in the latter stages.
In a more ‘unforgiving’ nation those whose positions included security of our information would be executed!
I wonder if they use Windows based clients and servers.
It would be totally IRRESPONSIBLE for such a business to run Windows operating systems on anything. If my account was compromised because of spyware or a virus, I would bring civil action against them for knowingly using an inherently insecure operating system to handle my transactions. I would also sue Micro$h1t.
Controlling our financial, personal, movement, health information, internet use, food intake, and our "carbon allottment" will be sold to us as a great solution to "keeping us safe, healthy, and secure." All of that can easily be delivered via something on/in the body.
Lemme guess, you want them running Mac or Linux?
Obama's Fault
“Sub-25 cent transactions”
This is sorta new, isn’t it. The hackers seem to be doing what banks, etc. have been doing for decades - charge lots of people a little money. No real “victims” in a case like this. I would not consider myself terribly victimized if someone charged my card an amount so small that if I found it lying on the sidewalk I wouldn’t bother picking it up.
If I saw it on my bill, I would not bother bringing it up. They could probably ding me for months before I started really wondering what was going on, and then only out of curiosity.
How downright diabolical.
Pretty sneaky.
Just yesterday I received a call from my financial institution. Our debit card was being canceled and a new one issued because the information had been compromised. Since we tend to use our debit card for restaurant dining I am pretty sure the cancellation was related to the Heartland compromise.
Ain’t technology grand? And they want to keep doing more and more and more and more on line and using computers. Just more to be stolen.
Never mind the OS platform, how about just encrypting credit card numbers on their local network?
Heartland Pres., Baldwin said sending all data unencrypted over their internal network is necessary “to get the authorization out”. I think what he means is that internal encryption would delay authorization by a second or two, and besides, it would cost money.
Now I have to worry if my card is compromised. I think the inevitable lawsuits will cost a lot more that fast internal encryption.
My company does encryption on all data and telephone leaving our building. Modern, fast encryption slows transmission very minimally.
Unbelievable. This guy should be drawn and quartered.
Big fat honkin' male bovine excrement! Ever heard of hardware encryption, practically instantaneous? Ever heard of IPSec? This is just an excuse for poor security practices.
Just before Christmas Visa called and said that they were canceling my card and issuing another one. The reason given was that my information had been “compromised.” Wouldn’t give me any details. Be interesting to know if this happened to others.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.