Heartland Payment Systems Hacked, Possibly 100M Accounts Stolen

Daily Tech ^ | January 21, 2009 11:19 AM | Tom Corelis

[traditional1]

The type of folks that are Obamamaniacs are also the types of folks who would steal and spend other peoples’ money (even on credit cards).

[xcamel]

99,999,999 others, to be exact...

[fanfan]

“Heartland believes the intrusion is [now] contained,” reads the press release.

LOL!

[BigDaddyTX]

Match that data with all of the $25 BO internet donations, remember how his internet guru was not aware that credit card processing companies had the ability to perform address verifications?

[xcamel]

“The investigation of the Century” - that aint-not-ever-gonna-happen

[Not_Who_U_Think]

Most amazing is that a company of this size and exposure would not be doing real-time network monitoring. At the very least, a decent firewall and log review would have shown the suspicious outbound traffic. There is just no excuse for this.

[DaoPian]

Exactly the same thing happened to me yesterday as well.

1st Transaction $103 ITunes

2nd Transaction $206 ITunes denied by bank.

I asked about it and they claimed they have people monitoring transactions and they notice unusual activity which is out of the normal pattern of purchases. I called BS, but they played dumb.

[rednek]

I use Heartland for processing in my business. This is the first I have heard of this. I guess a phone call is in order. Someone has some “splainin” to do.......red

[RKBA Democrat]

Another reason to pay cash.

[SunkenCiv]

Hey, the money for the inauguration had to come from *somewhere*.

[fanfan]

Oh, jeez, I wouldn't want to be in your shoes.

Depending on other people very rarely works out.

[meyer]

OK, so who’s Heartland and who’s credit card accounts do they process?

[Starfleet Command]

And this effects my Obama-sourced gas tank fillings and mortgage payments how?

Seriously though, this is precisely the financial infrastructural component weakpoint that Obamacampaign08 took advantage of to help itself to American's credit funds.

Looks like Hell has dissension in its ranks...

[Enterprise]

It appears that we did not have anything charged to the card. They need the 3 digit security code on the back if they are going to charge something online (ideally) and they need the 4 digit code to use it as a debit card. We tend to use the card to try to pay cash for gas and restaurant expenses, so now it will be 7 to 10 days before we get another card. Bummer.

[sausageseller]

They offer payment services. 6th largest processor of credit cards.

They also do checks and many other services. You don't really know if a business is using them. Even if you ask most of the people running your card would never know.

I think it is kind of dirty they released this info yesterday.

[randog]

This is just an excuse for poor security practices.

Yup. Heartland basically allowed their HR department to define their internal security. I'll betcha the HR director said, "Him?! He's the last guy I woulda suspected!!"

[ElkGroveDan]

“Sub-25 cent transactions” This is sorta new, isn’t it. The hackers seem to be doing what banks, etc. have been doing for decades - charge lots of people a little money. No real “victims” in a case like this.

No those transactions are "tests" if they go through, then the fraudsters lay low or sell the card info with the "test" report to prove it's valid, and then POW the big charges come in later.

[grey_whiskers]

Heartland CFO and president Robert Baldwin, in an interview with BankInfoSecurity.com, said his company was confident that the only data picked up was cardholders’ names and credit card numbers.

Look for an uptick in web-based donations to The One's campaign. /sarc>

Cheers!

[ozark hilljilly]

Ahhh jeez! This is the company I do biz with to handle credit card transactions at my store!
This is news to me.
HO-LEEE CRAP.

[N3WBI3]

Never mind the OS platform, how about just encrypting credit card numbers on their local network?

Mind waiting 10 minutes for the authorization to go through? Trust me if you decide to encrypt all the transactions you are going to miss every SLA you have.

I think what he means is that internal encryption would delay authorization by a second or two, and besides, it would cost money.

A previous employer decided to do ejb to ejb encryption on a J2EE platform and saw response time go from 2 seconds to 5 minutes. Yes per transaction in isolation you're only talking about 1 or two more seconds but that causes a serious log jam within a shot time and eventually the load on the cpu bring everything to a halt.

The bigger question is what was their security policy beyond encryption. What workstations had direct access to the core network and why was heartlands monitoring of outgoing traffic so weak.

Now I have to worry if my card is compromised. I think the inevitable lawsuits will cost a lot more that fast internal encryption.

We are going to have new cards issued regardless...

My company does encryption on all data and telephone leaving our building.

But not on your internal network!

Modern, fast encryption slows transmission very minimally.

Any encryption worth it is going to slow the processing of millions upon millions of transitions down significantly on a high volume app..