Wednesday, January 21st, 2009 10:54 am

That's "Yet Another Credit Card Breach".  Princeton, NJ payment processor Heartland Payment Services suspected three months ago that they'd been compromised, and called in outside forensic investigators in December after internal auditors failed to find a smoking gun, but didn't see fit to tell anyone until now.  Heartland says "tens of millions" of Visa and Mastercard credit and debit cards may have been compromised.  Other sources say the number may be over 100 million; Heartland claims to process a hundred million credit card transactions per month.

[Heartland President and CFO Robert] Baldwin said 40 percent of transactions the company processes are from small to mid-sized restaurants across the country.  He declined to name any well-known establishments or retail clients that may have been affected by the breach.  Baldwin said it would be unfair to mention any one of his company's customers.

Baldwin may decline to identify them, but if 40% come from "small to midsize restaurants" and "no single customer accounts for more than a tenth of a percent" of their transactions, I'll bet you most or all of the other 60% come from small retail merchants and other small businesses.

Like the Hannafords breach, this one involves a sniffer "of a previously undiscovered variety" planted on Heartland's payment processing network.  Heartland doesn't know how it got there or how long it's been there.  The Secret Service is investigating, and reportedly believes the breach to be associated with a cybercrime gang under ongoing investigation and believed to be responsible for "a significant number of breaches of financial institutions".

Avivah Litan, a fraud analyst with Gartner Inc., questioned the timing of Heartland's disclosure -- a day in which many Americans and news outlets are glued to coverage of Barack Obama's inauguration as the nation's 44th president.

"This looks like the biggest breach ever disclosed, and they're doing it on inauguration day?" Litan said.  "I can't believe they waited until today to disclose.  That seems very deceptive."

But Baldwin says they got the information out on "the first possible day that they could" once they actually confirmed the breach.

(Pointer credit to [livejournal.com profile] mazianni)

Wednesday, January 21st, 2009 06:17 pm (UTC)
What's the point in mending the Constitution if we, as a society, are going to continue to accept as a de facto aspect of modern living the incredibly stupid idea of having our identities floating around on privately operated databases?

Answer: None

Wednesday, January 21st, 2009 06:36 pm (UTC)

I think you're asking the wrong question there. It's something of a non sequitur.

A better question goes something like this: How can we redesign the infrastructure and protocols used for credit/debit authentication and verification with the realities of today's Internet environment in mind? Solutions must place a priority on the following:

  • end-to-end security of card and cardholder data
  • integrity, security and confidentiality of transaction databases
  • verifiability of legitimate transactions
  • verifiability of card ownership
  • deniability of fraudulent transactions
  • minimizing cost and retraining for merchants to switch over to the new system

Wednesday, January 21st, 2009 06:39 pm (UTC)
You fail to mention accountability.
Wednesday, January 21st, 2009 06:44 pm (UTC)
HAHAHAHAHAHAHAHA

That's...funny.
Wednesday, January 21st, 2009 07:02 pm (UTC)
That's true too. But I wasn't trying to compile an exhaustive list.
Wednesday, January 21st, 2009 06:43 pm (UTC)
That all sounds expensive and time consuming. In other words, unlikely.

Wednesday, January 21st, 2009 06:45 pm (UTC)
Well, you're talking to a guy who's obsessed with the 19th century Western US, so...

When you robbed one bank back in the day, you robbed one bank. It wasn't like 10,000 other banks got robbed simultaneously.

Ah, the live fast and die fast days...
Wednesday, January 21st, 2009 08:41 pm (UTC)
Most of which is already required under current regulations. I work in the credit card processing industry: all of our servers are behind firewalls, requests for access through the firewalls are carefully scrutinized, plain-text transmissions are banned wherever practical (some older systems/software do not support encrypted connections), all SQL statements are logged, the number of users with access to the data is kept as low as practically possible, our network team does penetration testing, watches for unauthorized devices on the network, restricts connections through the firewalls to specific client hosts, etc.

But a lot of the industry is still adapting to the new world. It takes YEARS to develop and roll out new solutions; I've been working on one for 4.5 years that won't be ready for US deployment for several more months, at which point we will start migrating customers from the legacy systems.
Wednesday, January 21st, 2009 11:12 pm (UTC)
And there's the rub, isn't it? It takes much longer to develop and roll out new, more secure systems than it does for the black hats to start poking around looking for ways to break into them or ways to bypass the new security provisions. And there's always the social-engineering attack.
Wednesday, January 21st, 2009 06:51 pm (UTC)
As someone who works with the PCI-DSS and related regs, I can state that Heartland seems to have not only done what they were REQUIRED to do, but that they also did what the laws ENCOURAGED them to do.

The way these things are written, it is in a company's best interest to notify others when there is a breach as soon as possible, but it is also in their best interest to delay such notification until they know that there was a breach and which card numbers were impacted.

This may not be the end result that we all want, but they are playing by the rules, and I have to support them on that. The three month time frame is unsurprising.
Wednesday, January 21st, 2009 07:02 pm (UTC)
Yeah, it sounds like once they smelled a rat they went after it pretty persistently, but just didn't blow the whistle until they were certain.