Data Breach at Heartland

By sunetrad at 1:14 pm on January 26, 2009

Heartland Payment Systems Inc., a New Jersey-based payment card processing company, admitted last week to a breach of its systems. In what may turn out to be one of the largest compromises of payment card information, Heartland disclosed that intruders had hacked into its systems and planted malware that they then used to steal debit and credit card data.
What the folks over at Heartland still do not know is how the attackers launched the attack or how long the malware has been in their systems.

This is a grave matter for the company and its 250,000 business customers, for which it processes around 100 million transactions every month. The breach is being compared to the attack on TJX in 2007, when around forty-five million cards were compromised. So how successful were the attackers in getting the data they wanted in this case? According to reports from Heartland, the intruders were able to capture card account numbers, expiration dates and, in some cases, the customers’ names as well. The malware installed on the system allowed them to sniff unencrypted data as the transactions were being processed in Heartland’s system.

What the thieves were not able to get their hands on were the personal identification numbers (PINs) and the addresses of the cardholders. This is generally the information they need to withdraw funds from the victims’ accounts online or over the phone. Heartland also stated that although this information was not compromised, an attacker could duplicate the stolen data, clone the debit or credit card and then swipe it at any location to extract funds.

Reading about this incident made me think of all the times I went to Starbucks and used my debit card. I didn’t have to enter my PIN, and the cashier never asked me for my ID or took my signature. All he/she did was swipe my card. Many people do not track their transactions daily, and hence a thief could easily get away with small withdrawals like this for a period of time if he was able to clone the card with the stolen data. There is risk involved in this approach, like being caught on surveillance, but many businesses that do not enforce security measures such as those mentioned above just clear the way for attackers. Two-factor authentication would definitely be more effective in this case.

What I also found interesting in this article was that Heartland was not able to detect this attack for a long time, until it was brought to their notice by Visa and MasterCard, who discovered the suspicious activity. This allowed the malware to run for a longer time and hence compromise more data. Also, the attackers chose a card processing company instead of a retailer, and this shows that they wanted their attack to be more effective, as more transactions would be going through the card processor than through any one of its customers.

http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=spam,_malware_and_vulnerabilities&articleId=332977&taxonomyId=85&intsrc=kc_top

Filed under: Miscellaneous

4 Comments

  • 1

    Comment by suskizor

    January 27, 2009 @ 1:22 am

    I have to agree that it would be exceedingly easy to perpetrate identity theft if you had the necessary information, as I’m asked for ID with my credit card less than ten percent of the time. But what alarms me the most is that Heartland never even noticed that they had been infiltrated. Since they say themselves that they don’t know when they were first infiltrated, there’s no reason their systems couldn’t still be compromised. I’m guessing that the only basis for their timeframe of “the second half of 2008” is the dates from the reports of questionable activity by Visa and Mastercard.

    By a curious trick in wording, when Heartland’s information site about the incident says the stolen data “did NOT contain … unencrypted personal identification numbers,” it reads to me as though the stolen data contained encrypted personal identification numbers. Based on the effectiveness of their system security, this may be only marginally better for cardholders than containing unencrypted personal identification numbers.

    I would have thought that there’d be standards for security measures one must take to protect sensitive financial information. If there aren’t, there definitely should be, because card processing centers such as Heartland are the juiciest, tastiest mines of data for identity thieves and should be the best protected.

  • 2

    Comment by yonderin

    January 27, 2009 @ 11:48 pm

    What concerns me is that a third party such as Heartland is processing the transactions I make with my credit card, but they are unable to detect that their system has been compromised. Furthermore, with no knowledge of how the attackers breached the system, there’s a high probability that the system is still breached, or could be breached again at any time without their knowledge.

    This is obviously a very large scale attack, but with the number of identity theft cases growing each year, these attacks are becoming increasingly common. However, an attack can come in many different forms; it could be as simple as someone finding your credit card and using it before you can report it stolen. As previously mentioned, IDs are rarely asked for with a purchase (I barely have my ID checked even with “CHECK ID” as my signature).

    Identity theft is an issue that I’ve been concerned about for a while. In fact, I actually have identity theft insurance to protect myself in the event that I become a victim of such an attack.

    Having your identity stolen can be a detrimental experience. It can cost an individual more than just money: it costs time to repair the damage, a victim often feels violated, and it can be a mental burden due to the stress of the event.

    A few years ago a friend of mine had his identity stolen, but he didn’t know it until he tried to rent his first apartment and the background check showed that he was in debt for $10,000. It took him over a year to get it straightened out. This is an example of the kind of traumatic effect that can result from such an attack.

    I agree with suskizor that there needs to be a standard for any security systems dealing with sensitive financial information such as credit card or bank account information to prevent these types of large scale attacks from occurring.

  • 3

    Comment by devynp

    January 29, 2009 @ 11:15 pm

    I found out from the rules for Visa merchants at http://usa.visa.com/download/merchants/rules_for_visa_merchants.pdf, which say:

    “Although Visa rules do not preclude merchants from asking for cardholder ID, merchants cannot make an ID a condition of acceptance. Therefore, merchants cannot refuse to complete a purchase transaction because a cardholder refuses to provide ID. Visa believes merchants should not ask for ID as part of their regular card acceptance procedures. Laws in several states also make it illegal for merchants to write a cardholder’s personal information, such as an address or phone number, on a sales receipt.”

    Although the credit card company may intend this as part of their customer service, this is not a very good security defense. If we can actually refuse to show our ID, wouldn’t this make it easier for thieves to use fake credit cards? They can just make cards with a certain number, name, and magnetic stripe, and they can make purchases of about anything they want... hard to believe.

  • 4

    Comment by lidor7

    January 30, 2009 @ 7:03 pm

    Debit and credit card security is a curious thing. If I have it right, I believe it is the merchant’s responsibility to ensure that the signature is valid, but at the same time VISA policy prohibits merchants from placing restrictions or further barriers from using credit cards. So when someone steals your credit card or credit card number, they can buy stuff, you report it, and the merchants end up paying for it.

    And what’s interesting is that some stores ask for ID when you use a credit card (particularly if you look young I suspect), but policy states that they can’t force you to show your ID. Of course, only a jerk wouldn’t show their ID, but someone using a stolen CC would probably be a jerk.

    On the flip side, I’ve heard that some people refuse to show ID in fear of the employee copying down their personal information such as their CC number or driver’s license number, which is a whole other security issue.

    In any case, CC companies definitely seem to have the upper hand. They enjoy the extra profits, but we, the consumers, enjoy the extra convenience, and it seems like merchants probably just work the cost into their prices.

    On another note, I’m curious as to what kind of software or systems are available for detecting security breaches. I know we talked a little about canaries, but what kind of systems are used on a larger scale to detect data compromises? That’s something I’d like to see a little time dedicated to discussing in lecture. I feel like we talked about detection a little, but not how it works in practice.
