January 2009


Heartland Credit/Debit Card Data Loss Greatest in World History?

DataLossGreatest

On Barack Obama’s inauguration day (20th January 2009) Heartland Payment Systems Inc reported a data breach of more than 100 million credit and debit card account details which seems likely to be the largest such fraud in payment card history dwarfing the TJX data breach of 45 million credit and debit card numbers stolen in 2007.

The company handles more than 100 million credit/debit card transactions every month for their 250,000 business clients. These customers cover every branch of industry from retailers to restaurants (about 40% of their business transactions) and suggestions are that people in just about every state in the USA are affected by this fraud.

In the case of TJX the fraudsters intercepted wireless payment card transactions made within the stores over several years. At that time (and still in some cases today) these businesses were only using the weak and deprecated security of WEP (Wireless Equivalent Privacy) used by the early adopters of IEEE 802.11 Wi-Fi. In the Heartland case the fraudsters introduced sniffing malware into the data centres that intercepted the data captured from the credit and debit card magnetic stripes from their clients.

This data is of course sufficient to create counterfeit magnetic stripe credit and debit cards that could be used to plunder the bank accounts of the innocent card holders. Worse than that of course is that the more intelligent fraudsters might just take a little bit here and there which in many cases will probably go undetected.

Apparently the fraudsters introduced the malware about May 2008 but Heartland weren’t aware of the problem until late autumn 2008 and then only after Visa and Mastercard started reporting fraudulent activity reports that resulted from payments made by merchants whose transactions were processed by Heartland. As we mentioned previously Heartland saved up the day of confession until Inauguration day, one where the eyes of the world were looking elsewhere. Robert Baldwin Jr, Heartland’s President and Chief Financial Officer has said that it is too early to estimate how many people have been affected and that comparison with TJX is premature. The TJX total losses have been estimated at up to $1 billion and pro-rata we might expect this to be twice as much.

Where do you start on something almost unbelievable on this scale, how on earth can consumers and citizens ever trust those organisations that handle their private data in whatever form?

In the first instance one has to wonder what has happened to the PCI-DSS (Payment Card Industry – Data Security Standard) which is designed to provide the necessary assurance that frauds of this ilk should not happen. Every organisation that stores or processes consumer credit and debit card information is subject to the fairly stringent requirements of the DSS and should have been evaluated and certified to be meeting the requirements. One doesn’t want to speculate without full knowledge of the facts but it does seem as though the company was guilty of lax protective monitoring controls and more to the point that it escaped audit detection by 3rd parties.

The other interesting point is that given Visa and Mastercard were aware that something was amiss as early as autumn 2008 why did nothing happen in the interim months?

And then you have to ask, why is the USA not pursuing a chip & PIN strategy? Mastercard and Visa are forcing its adoption in most other major countries (the UK back in 2002) by moving liability for the charge back of fraudulent payments to the party not using chip & PIN. As long as magnetic stripe payment cards are in widespread use there is a simple fraud attack path for the crooks. It is easy to counterfeit a magnetic stripe card it is extremely difficult to counterfeit a modern smart card chip that can exhibit the necessary cryptographic functionality, assuming it is of course tested as part of the transaction authorisation but that is another matter.

This data loss seems to set the scene for another year of problems which is clearly escalating year by year as shown in the timeline for data loss aside.

Advertise Here

Email: info@smartcard.co.uk

The problem is that consumers are going to lose confidence in payment systems and the management of citizen data by government departments. It is really surprising that these frauds are taking place using well known attack paths and that large enterprises have such totally inadequate controls in place.

David Everett – Smartcard & Identity News





Whitepapers

25/10/2014 Headlines

Smart Card Market Outlook 2018

eport from Research and Markets reveal the global smart card industry has been witnessing dynamic changes since the last few years which have created significan.....Read More

Crocus Launches the Multismart Project to Develop the First Multibit Technology for Secure Applications

Crocus Technology announces it will develop a Multibit Magnetic Logic Unit (MLU) technology for secure transaction applications and the Internet of Things (IoT).....Read More

60 Percent of Android Attacks Use Financial Malware

According to the results of the "Mobile CyberThreats" survey carried out by Kaspersky Lab and INTERPOL between August 2013 and July 2014, malicious programs tar.....Read More

Jumio Introduces BAM Checkout to Enable Frictionless Mobile Transactions

Jumio, Inc. has introduced BAM Checkout, a new, all-in-one credit card and identification scanning technology for mobile retailers. BAM Checkout's embeddable so.....Read More


Video Interviews

Tim Jones talks on the wealth of networks

Christophe Dolique of Gemplus talks about ·SIM

Dominique Brule of Philips Semiconductors talks about Near Field Communication