January 2009


Heartland Credit/Debit Card Data Loss Greatest in World History?

On Barack Obama’s inauguration day (20 January 2009), Heartland Payment Systems Inc reported a data breach of more than 100 million credit and debit card account details, which seems likely to be the largest such fraud in payment card history, dwarfing the TJX data breach of 45 million credit and debit card numbers stolen in 2007.

The company handles more than 100 million credit/debit card transactions every month for its 250,000 business clients. These customers cover every branch of industry, from retailers to restaurants (about 40% of its business transactions), and it is suggested that people in just about every state in the USA are affected by this fraud.

In the case of TJX the fraudsters intercepted wireless payment card transactions made within the stores over several years. At that time (and still in some cases today) these businesses were only using the weak and deprecated security of WEP (Wired Equivalent Privacy), the scheme used by the early adopters of IEEE 802.11 Wi-Fi. In the Heartland case the fraudsters introduced sniffing malware into the data centres, which intercepted the data captured from the credit and debit card magnetic stripes of their clients’ customers.

This data is of course sufficient to create counterfeit magnetic stripe credit and debit cards that could be used to plunder the bank accounts of the innocent card holders. Worse than that, of course, is that the more intelligent fraudsters might just take a little bit here and there, which in many cases will probably go undetected.

Apparently the fraudsters introduced the malware in about May 2008, but Heartland weren’t aware of the problem until late autumn 2008, and then only after Visa and Mastercard started filing reports of fraudulent activity resulting from payments made by merchants whose transactions were processed by Heartland. As we mentioned previously, Heartland saved the day of confession for Inauguration Day, one on which the eyes of the world were looking elsewhere. Robert Baldwin Jr, Heartland’s President and Chief Financial Officer, has said that it is too early to estimate how many people have been affected and that comparison with TJX is premature. The TJX total losses have been estimated at up to $1 billion, and pro rata we might expect this to be twice as much.

Where do you start on something almost unbelievable on this scale? How on earth can consumers and citizens ever trust the organisations that handle their private data, in whatever form?

In the first instance one has to wonder what has happened to the PCI-DSS (Payment Card Industry – Data Security Standard), which is designed to provide the necessary assurance that frauds of this ilk should not happen. Every organisation that stores or processes consumer credit and debit card information is subject to the fairly stringent requirements of the DSS and should have been evaluated and certified as meeting those requirements. One doesn’t want to speculate without full knowledge of the facts, but it does seem as though the company was guilty of lax protective monitoring controls and, more to the point, that this escaped audit detection by third parties.
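As an added illustration (not from the original article) of the kind of protective monitoring control referred to above: a small Python detector that flags magnetic stripe track 1 / track 2 records turning up where they should not (for example in outbound payload logs), validates the PAN with the Luhn check to cut false positives, and masks it before reporting. The log lines, process names and PANs are constructed test values.

```python
import re

# Track 2: ';' start sentinel, PAN (13-19 digits), '=' separator,
# expiry YYMM, 3-digit service code, discretionary data, '?' end sentinel.
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})\d*\?")
# Track 1: '%B' start, PAN, '^', cardholder name, '^', expiry YYMM,
# service code, discretionary data, '?' end sentinel.
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^(\d{4})(\d{3})[^?]*\?")


def luhn_ok(pan: str) -> bool:
    """Luhn check digit test: drops most random digit runs the regex catches."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits, the usual PCI-DSS masking."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(line: str) -> list:
    """Return masked findings for every plausible track record in one line."""
    hits = []
    for track, rx in ((2, TRACK2_RE), (1, TRACK1_RE)):
        for m in rx.finditer(line):
            pan, expiry, service = m.group(1), m.group(2), m.group(3)
            if luhn_ok(pan):
                hits.append({"track": track, "pan": mask_pan(pan),
                             "expiry": expiry, "service_code": service})
    return hits


def scan_lines(lines) -> list:
    """(line number, finding) pairs for a sequence of log or capture lines."""
    return [(n, h) for n, line in enumerate(lines, 1) for h in find_track_data(line)]


# Constructed sample: two track records using published test PANs, one digit
# run that fails the Luhn check, and one unrelated line.
SAMPLE_LINES = [
    "2008-05-14T10:01:02 proc=posagent payload=;4111111111111111=2512101123456789?",
    "2008-05-14T10:01:03 proc=posagent payload=%B5500000000000004^DOE/JANE^2512101000000?",
    "2008-05-14T10:01:04 proc=updater payload=;4111111111111112=2512101?",
    "2008-05-14T10:01:05 proc=sshd session opened for user ops",
]

if __name__ == "__main__":
    for n, hit in scan_lines(SAMPLE_LINES):
        print(f"line {n}: track {hit['track']} PAN {hit['pan']} exp {hit['expiry']}")
```

Track data has no legitimate reason to appear in plain text outside the payment path, so any hit from a scan like this over host or network logs is a finding to investigate rather than a tuning exercise.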

The other interesting point is that, given Visa and Mastercard were aware that something was amiss as early as autumn 2008, why did nothing happen in the interim months?

And then you have to ask, why is the USA not pursuing a chip & PIN strategy? Mastercard and Visa are forcing its adoption in most other major countries (the UK back in 2002) by moving liability for the charge-back of fraudulent payments to the party not using chip & PIN. As long as magnetic stripe payment cards are in widespread use there is a simple fraud attack path for the crooks. It is easy to counterfeit a magnetic stripe card; it is extremely difficult to counterfeit a modern smart card chip that can exhibit the necessary cryptographic functionality, assuming of course that it is tested as part of the transaction authorisation, but that is another matter.

This data loss seems to set the scene for another year of problems, in a trend that is clearly escalating year by year, as shown in the data loss timeline alongside.

The problem is that consumers are going to lose confidence in payment systems and in the management of citizen data by government departments. It is really surprising that these frauds are taking place using well-known attack paths and that large enterprises have such totally inadequate controls in place.

David Everett – Smartcard & Identity News
