On Barack Obama’s inauguration day (20th January 2009) Heartland Payment Systems Inc. reported a data breach of more than 100 million credit and debit card account details, which seems likely to be the largest such fraud in payment card history, dwarfing the TJX data breach of 45 million credit and debit card numbers stolen in 2007.
The company handles more than 100 million credit/debit card transactions every month for its 250,000 business clients. These customers cover every branch of industry from retailers to restaurants (about 40% of its business transactions), and the suggestion is that people in just about every state in the USA are affected by this fraud.
In the case of TJX the fraudsters intercepted wireless payment card transactions made within the stores over several years. At that time (and still in some cases today) these businesses were only using the weak and deprecated security of WEP (Wired Equivalent Privacy), the scheme adopted by the early users of IEEE 802.11 Wi-Fi. In the Heartland case the fraudsters introduced sniffing malware into the data centres, which intercepted the data captured from the credit and debit card magnetic stripes presented by Heartland's clients.
This data is of course sufficient to create counterfeit magnetic stripe credit and debit cards that could be used to plunder the bank accounts of the innocent card holders. Worse than that, of course, is that the more intelligent fraudsters might just take a little bit here and there, which in many cases will probably go undetected.
Apparently the fraudsters introduced the malware in about May 2008, but Heartland were not aware of the problem until late autumn 2008, and then only after Visa and Mastercard started reporting fraudulent activity resulting from payments made by merchants whose transactions were processed by Heartland. As we mentioned previously, Heartland saved up the day of confession until Inauguration Day, one where the eyes of the world were looking elsewhere. Robert Baldwin Jr, Heartland’s President and Chief Financial Officer, has said that it is too early to estimate how many people have been affected and that comparison with TJX is premature. The TJX total losses have been estimated at up to $1 billion, and pro rata we might expect this to be twice as much.
Where do you start on something almost unbelievable on this scale? How on earth can consumers and citizens ever trust those organisations that handle their private data, in whatever form?
In the first instance one has to wonder what has happened to PCI-DSS (the Payment Card Industry Data Security Standard), which is designed to provide the necessary assurance that frauds of this ilk should not happen. Every organisation that stores or processes consumer credit and debit card information is subject to the fairly stringent requirements of the DSS and should have been assessed and certified as meeting them. One doesn’t want to speculate without full knowledge of the facts, but it does seem as though the company was guilty of lax protective monitoring controls and, more to the point, that this escaped detection by third-party auditors.
The other interesting point is that, given Visa and Mastercard were aware that something was amiss as early as autumn 2008, why did nothing happen in the interim months?
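The sniffing malware described above worked because full magnetic stripe track data was travelling in the clear inside the processor's network, and the kind of protective monitoring control that PCI-DSS expects is precisely one that notices such data where it has no business being. The following is an added illustration, not code from Heartland, Visa, Mastercard or the PCI Security Standards Council: a small scanner that looks for ISO/IEC 7813 Track 2 records in captured payloads, discards candidates that fail the Luhn check, and reports only masked PANs so the monitoring tool itself does not become another store of card data. The host names and captures are constructed, and the card number is the industry-standard test PAN 4111 1111 1111 1111.

```python
import re

# Track 2 layout per ISO/IEC 7813: ';' start sentinel, PAN (13-19 digits), '='
# separator, YYMM expiry, 3-digit service code, discretionary data, '?' end sentinel.
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test; filters digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits, the most PCI-DSS allows on display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track2(payload: str) -> list[dict]:
    """Return masked findings for every Luhn-valid Track 2 record in a cleartext payload."""
    findings = []
    for m in TRACK2_RE.finditer(payload):
        pan, yy, mm, service = m.group(1), m.group(2), m.group(3), m.group(4)
        if not luhn_valid(pan):
            continue            # random digits, not a card number: reduces false positives
        findings.append({
            "pan": mask_pan(pan),
            "expiry": f"{mm}/{yy}",
            "service_code": service,
            "offset": m.start(),
        })
    return findings


def scan_captures(captures: list[tuple[str, str]]) -> dict[str, int]:
    """Count cleartext Track 2 hits per source host so the offending segment stands out."""
    counts: dict[str, int] = {}
    for source, payload in captures:
        hits = len(find_track2(payload))
        if hits:
            counts[source] = counts.get(source, 0) + hits
    return counts


# Constructed sample captures from hypothetical hosts inside a processor's network.
SAMPLE_CAPTURES = [
    ("pos-gw-01", "POST /auth HTTP/1.1\r\n\r\ntrack=;4111111111111111=2512101123456789?&amt=1999"),
    ("pos-gw-01", "track=;4111111111111112=2512101000000000?"),   # fails Luhn: ignored
    ("db-02", "SELECT id FROM merchants WHERE region='NE'"),     # no card data at all
    ("hsm-proxy", "blob=3e8a91c07f (encrypted field, no track sentinels)"),
]

if __name__ == "__main__":
    for finding in find_track2(SAMPLE_CAPTURES[0][1]):
        print(finding)
    print(scan_captures(SAMPLE_CAPTURES))
```

In a real deployment the same logic would run over network taps or application logs on the segments that carry authorisation traffic, and a single hit on a host that is supposed to see only encrypted or tokenised data is the alert; the masking means the alert record can be kept and reviewed without itself being in scope.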
And then you have to ask, why is the USA not pursuing a chip & PIN strategy? Mastercard and Visa are forcing its adoption in most other major countries (the UK back in 2002) by moving liability for the chargeback of fraudulent payments to the party not using chip & PIN. As long as magnetic stripe payment cards are in widespread use there is a simple fraud attack path for the crooks. It is easy to counterfeit a magnetic stripe card; it is extremely difficult to counterfeit a modern smart card chip that can exhibit the necessary cryptographic functionality, assuming of course that it is tested as part of the transaction authorisation, but that is another matter.
This data loss seems to set the scene for another year of problems, which are clearly escalating year by year, as shown in the data loss timeline alongside.
The problem is that consumers are going to lose confidence in payment systems and in the management of citizen data by government departments. It is really surprising that these frauds are taking place using well-known attack paths and that large enterprises have such totally inadequate controls in place.
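The point about magnetic stripes versus chips deserves a concrete illustration. A magnetic stripe carries static data, so whatever a sniffer captures is all a counterfeit card needs; a chip holds a secret key that never leaves it and produces a fresh cryptogram bound to each transaction, so captured data is useless for any other transaction. The following is an added model written for this article, not EMV's actual cryptogram algorithm (which uses session keys derived from a card master key, not a bare HMAC) and not code from any card scheme: it issues one card of each type, captures a genuine authorisation message, and re-submits it for a different transaction to show which issuer check fails. Card numbers, key and transaction values are constructed.

```python
import hashlib
import hmac


class MagstripeCard:
    """Track data is static: a copy of it is indistinguishable from the card."""

    def __init__(self, pan: str, expiry: str):
        self.track2 = f";{pan}={expiry}101?"

    def present(self, txn: dict) -> dict:
        return {"track2": self.track2}          # identical bytes for every transaction


class ChipCard:
    """The chip keeps a secret key and signs each transaction; the key never leaves it."""

    def __init__(self, pan: str, expiry: str, key: bytes):
        self.pan, self.expiry, self._key = pan, expiry, key
        self.atc = 0                            # application transaction counter

    def present(self, txn: dict) -> dict:
        self.atc += 1
        # Simplified cryptogram: MAC over card data, counter, amount and terminal nonce.
        msg = f"{self.pan}|{self.expiry}|{self.atc}|{txn['amount']}|{txn['nonce']}".encode()
        mac = hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:16]
        return {"pan": self.pan, "expiry": self.expiry, "atc": self.atc, "cryptogram": mac}


class Issuer:
    """Issuer-side authorisation for both card types."""

    def __init__(self):
        self.issued_tracks: set[str] = set()
        self.chip_keys: dict[str, bytes] = {}
        self.last_atc: dict[str, int] = {}

    def issue_magstripe(self, pan: str, expiry: str) -> MagstripeCard:
        card = MagstripeCard(pan, expiry)
        self.issued_tracks.add(card.track2)
        return card

    def issue_chip(self, pan: str, expiry: str, key: bytes) -> ChipCard:
        self.chip_keys[pan] = key
        self.last_atc[pan] = 0
        return ChipCard(pan, expiry, key)

    def authorise_magstripe(self, presented: dict, txn: dict) -> bool:
        # Nothing in the message binds it to this transaction: any faithful copy passes.
        return presented["track2"] in self.issued_tracks

    def authorise_chip(self, presented: dict, txn: dict) -> bool:
        pan = presented["pan"]
        key = self.chip_keys.get(pan)
        if key is None or presented["atc"] <= self.last_atc[pan]:
            return False                        # unknown card, or a counter already used
        msg = f"{pan}|{presented['expiry']}|{presented['atc']}|{txn['amount']}|{txn['nonce']}".encode()
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]
        if not hmac.compare_digest(expected, presented["cryptogram"]):
            return False                        # cryptogram was not made for this transaction
        self.last_atc[pan] = presented["atc"]
        return True


def replay_outcomes() -> dict[str, bool]:
    """Capture one genuine message per card type, then re-submit it for a new transaction."""
    issuer = Issuer()
    mag = issuer.issue_magstripe("4111111111111111", "2512")
    chip = issuer.issue_chip("4111111111111111", "2512", b"constructed-card-key")
    original = {"amount": 1999, "nonce": "a1b2c3d4"}
    later = {"amount": 50000, "nonce": "e5f6a7b8"}        # a different, later transaction

    captured_mag = mag.present(original)
    assert issuer.authorise_magstripe(captured_mag, original)   # genuine use succeeds
    captured_chip = chip.present(original)
    assert issuer.authorise_chip(captured_chip, original)       # genuine use succeeds

    forged = dict(captured_chip, atc=5)         # counter bumped, but cryptogram cannot be recomputed
    return {
        "magstripe_replay": issuer.authorise_magstripe(captured_mag, later),
        "chip_replay": issuer.authorise_chip(captured_chip, later),
        "chip_forged_counter": issuer.authorise_chip(forged, later),
        "chip_genuine_next": issuer.authorise_chip(chip.present(later), later),
    }


if __name__ == "__main__":
    for case, ok in replay_outcomes().items():
        print(f"{case}: {'authorised' if ok else 'declined'}")
```

The issuer declines the replayed chip message twice over: the transaction counter has already been seen, and even with the counter altered the cryptogram no longer matches the new amount and nonce. The magnetic stripe copy, by contrast, is accepted for any transaction, which is exactly why the captured Heartland data is valuable to the fraudsters and why the author's remark that the chip must actually be tested during authorisation matters: an issuer that accepts stripe-only fallback for a chip card gets none of this protection.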
David Everett – Smartcard & Identity News