Posted on 01/21/2009 3:09:52 PM PST by xcamel
Identity thieves install spyware to monitor transactions from the inside
In a press release timed to coincide with the inauguration of President Barack Obama, credit card processor Heartland Payment Systems announced Tuesday that it suffered a grievous security breach sometime in 2008, allowing hackers the opportunity to steal credit card information on what is possibly more than 100 million accounts.
Heartland is the sixth largest payment processor in the country, and specializes in transaction processing for small-to-medium-sized restaurants and retailers. According to Wired’s Threat Level, it processes more than 100 million transactions a month.
Federal investigators determined the source of the breach only last week: spyware installed somewhere on the company’s internal network that sniffed unencrypted credit card transactions as they passed through Heartland’s systems.
“Heartland believes the intrusion is [now] contained,” reads the press release.
Actual damage assessments are still in progress, and the real question is just how much data the malware was able to capture. Heartland CFO and president Robert Baldwin, in an interview with BankInfoSecurity.com, said his company was confident that the only data picked up was cardholders’ names and credit card numbers.
Baldwin would not speculate on the actual number of credit card accounts exposed. The company’s press release, however, could confirm that the breach had no effect on the company’s other services, which include payroll and check processing, micropayment solutions, and its “recently acquired” Network Services and Chockstone processing platforms. Similarly, cardholders’ addresses, PIN numbers, and other personal data were also unaffected.
The unknown hackers’ sniffers were able to pick up credit card numbers because the data is sent unencrypted over Heartland’s internal network, a policy that Baldwin justified as necessary “to get the authorization request out.”
Late last month, various blogs reported a number of mysterious, fraudulent sub-25-cent transactions appearing on readers’ and bloggers’ credit card statements, coming from a nonexistent company called “Adele Services”. While it appears these events are unrelated, some consider the timing suspicious.
“There is no hard evidence that the company's data leak was responsible for the sudden surge of mysterious microtransaction fees we reported in early December,” writes Ars Technica’s Joel Hruska, “but the timing is extremely coincidental. The December attacks were never successfully attributed to any single company or credit card, but instead affected a seemingly unrelated group of people.”
“Heartland may — and I do stress may — have been the hidden link between them,” he said.
Just before Thanksgiving, I had to close our Visa and open a new one - someone charged a trip to Iceland on our account. We’re disputing the charge, of course.
The system was hacked by European hackers. They penetrated 39 firewalls to get into the system. A total of 50 credit card processors were hacked and Heartland is the only one to announce publicly. They were able to access names and credit card numbers, but not PINs, social security #s or merchant bank info. Heartland has shared their info with the other processors to help stop future attacks. And yes, it was a Windows-based system. I am still pissed.................red
That's like getting mad at Goodyear because someone broke into your car. After spending 20 years+ as a System Administrator I've come to the conclusion that the only perfectly safe network is an isolated network. I know of people that have hacked into some of the so-called 'impenetrable' networks in the world which you will never hear about. If they want to hack you they will.
I should clarify - I am not pissed it was a Windows-based system - I am pissed that it happened and that my business financial info and my customer's info was compromised.
Computers really are the root of all evil.
That I can agree with. I’ve had my CC # stolen more than once and wished I could find the turds that did it and beat the crap out of them.
Which makes me believe the theft was more wide-scale than that, since Politicians and Corporate Muckymucks always downplay such bad news.
At the basic, you can buy a simple network encryption solution to cover all traffic. The devices take most of the load. Going higher end for app server access, you can beef up a Catalyst 6500 switch with SSL modules so that it can handle 10,000 SSL negotiations per second and a quarter-million concurrent connections, and your app servers take on no SSL load.
seems reasonable but if the sniffer is on a server that does little good..
We still know way too little about what happened to know where or what should be done..
Bookmark.
Just saying encryption doesn’t have to be slow, but it costs a pretty penny to make it fast. Basically if these guys blame the lack of encryption for the success of the sniffer, they’re really blaming themselves for putting profit ahead of security.
“Heartland Pres., Baldwin said sending all data unencrypted over their internal network is necessary to get the authorization out. I think what he means is that internal encryption would delay authorization by a second or two, and besides, it would cost money.”
Either that, or Heartland does not want to spend the money for their system to be upgraded to use the ability to encrypt and decipher the data.
To me it sounds like an inside job and I would be surprised if it isn't.
One other thing. If VISA and MC made the merchant give ID for the card, a lot of this would be stopped. But since the merchant doesn’t care because there is no consequence to them for taking the bogus card, they could care less.
Don’t worry, that $.025 went straight into your new president’s election campaign.
Now he can say, hey, that’s not right, we need more control over these things as only the government can do.
I love my country but fear my government.
ping
Maybe this is how Obama will pay for Porkulus Maximus. A stealth tax.