Saturday, January 31, 2009

ProPay Denies Breach...

The FBI continues to investigate an international fraud scheme that has affected hundreds of small business accounts...
ACH, Banking Account Fraud Scheme

ProPay, Inc. has recently become aware of what appears to be a very large and widespread international fraud scheme involving unauthorized electronic checks (ACH). The scheme has affected millions of people including, unfortunately, a small number of individuals who may be or have been ProPay account holders. To be clear, after internal and external analysis and investigation, ProPay is extremely confident that the stolen bank information came from other sources and not from ProPay.

ProPay has an ongoing effort to monitor our systems and we remain confident in our system security. ProPay's systems fully encrypt client sensitive information in storage as well as in transit. In addition, sensitive client information is masked when it is viewed internally or externally. ProPay is committed to protecting sensitive information and we will continue to adhere to industry best practice security standards. ProPay meets or exceeds the security requirements and data protection as defined by the major card brands (PCI DSS)—Visa, MasterCard, etc.

The fraud scheme mentioned above involves an electronic draft against a checking account ranging in amount from $24.95 – $39.99. The charge appears on the affected individual's checking account statement under one of a variety of names which may include MBilling, MB Moon Park, MB Hot Planet, and PHE Subscription. The business supporting these names represents itself to victims as a third-party billing service, generally billing on behalf of a purported adult website.

With regard to this particular ACH scheme we know the following:

1. This is an international scheme and millions of people (the vast majority of whom have no affiliation to ProPay) have been affected.
2. We know that numerous payment providers, processors, banks, mortgage companies and others have felt the effects of this scheme and have been named in various reports, blogs, etc.

We encourage the following actions to protect your sensitive information from fraudulent activity.

1. Frequently check your bank accounts and credit card statements (even if you don't balance your account) and immediately report suspicious activity.
2. Keep your computer secure by using up-to-date firewall and virus protection software and by restricting access appropriately.
3. Sign up for automatic updates for any Windows Operating System (OS). If you have an OS earlier than XP, we strongly recommend that you upgrade to at least XP and install all Service Packs.
4. Reject any email that asks you to follow a link to a website and input sensitive or personal information.
5. Only do business with secure websites – look for the lock icon in the bottom-right of your internet browser or look for the prefix "https://..." where the "s" indicates a secure site.
6. Strengthen your password – include numbers, symbols and upper and lower case letters. Using a unique password for each service also helps protect your accounts.
7. For more information please see

ProPay has been in contact with law enforcement and will continue to monitor the developments surrounding this particular fraud scheme and will gladly assist, to the extent possible, any ProPay account holders that may have been affected. If you have questions please contact ProPay at (866) 964-0853.


Dismissal of AmEx Lawsuit Reversed

2nd Circuit Reverses Dismissal of American Express Class Action Lawsuit - MSNBC Wire Services -
ST. PAUL, Minn., Jan. 30, 2009 (GLOBE NEWSWIRE) -- The United States Second Circuit Court of Appeals today reversed the dismissal of a massive antitrust class action brought by merchants against the American Express Company ("Am Ex"). The case alleges that American Express in 1999 began a massive effort to take a share of the standard commodity credit card business away from Visa and MasterCard. However, Am Ex wished to partner with banks in issuing these credit cards. The merchants alleged that Am Ex understood that a high merchant fee would be attractive to the banks; therefore Am Ex illegally forced merchants to pay excessive rates equal to Am Ex's more attractive business and personal charge cards by tying the acceptance of the credit and charge cards together. As a condition of accepting Am Ex's credit and charge cards, Am Ex required merchants to sign away their ability to pursue claims as a class (known as a "class action waiver").

The U.S. District Court in the Southern District of New York granted Am Ex's motion to dismiss the case and send it to arbitration. The small merchants appealed the decision to the Second Circuit Court of Appeals, which found that "the class action waiver . . . cannot be enforced in this case because to do so would grant Amex de facto immunity from antitrust liability by removing the plaintiffs' only reasonably feasible means of recovery."

The policy of putting anti-class action rules in consumer and merchant agreements has been growing enormously in recent years. This case was the first case decided by a U.S. Appellate Court in which it was held that the high costs of the case itself voids such rules because the case could only proceed if all the plaintiffs were allowed to share the costs in a class action. The decision will no doubt be used by plaintiffs in dozens of other cases where defendants have attempted to ban class actions by inserting such a clause in a standard agreement.

The plaintiffs in the case were represented by Friedman Law Group of Manhattan, NY, Reinhardt Wendorf and Blanchfield of St. Paul, MN and Patton Boggs of Washington, DC.

CONTACT: Friedman Law Group
Gary Friedman
212 680-5150 or 917 568-5024

Reinhardt Wendorf and Blanchfield
Mark Reinhardt
843 883-9333

Source: GlobeNewswire, Inc. 2009


Friday, January 30, 2009

Gemalto Chippin' In with Venezuelan Bank Card Leaders

Gemalto teams with Venezuelan bank card market leaders to accelerate EMV migration

Digital security provider Gemalto is teaming up with Corporación Cardtech, Venezuela’s largest supplier of magnetic stripe bank cards, and Newtech Solutions, a consulting and technical support organization that specializes in EMV to help banks in Venezuela move to the new, smart credit card that will better protect their customers from fraud and identity theft.  Under the new agreement, banks in Venezuela working with the two companies will have access to expertise, consulting services, smart cards and technology from Gemalto. The partners estimate that eight million cards will be issued in the first year, starting in June 2009. Close to 16 million debit and credit cards are currently in use in Venezuela.

"Venezuelan banks are faced with constantly increasing card fraud, mostly due to illegal copying of magnetic stripe information to create “cloned” credit cards. The problem, that affects all of Latin America, has led to a liability shift which penalizes card issuers and merchants that do not issue or accept EMV cards. This liability change for non-EMV cards becomes effective in Venezuela starting July 2009."

EMV cards, also known as Chip and PIN, include a microprocessor and software with security features that work together with the payment transaction authorization network to prevent card fraud and identity theft. Unlike with magnetic stripe only cards, smart card based transactions cannot be easily cloned, which is a primary source of fraud throughout Latin America.

Editor's Note: While it's true that they can't be cloned and "easily used" at a retail location, they certainly can be "easily" cloned and used online. This is because the magstripe is still present on the back of the smart cards, and that is what is "lifted" when cloning a card.

That, in large part, is why UK fraud is 14 times higher overseas (see related stories below) and why 1 in 4 Brits have experienced credit or debit card fraud (and why Gemalto wants EMV in the US). Online transactions (web based) are currently Card Not Present transactions (and HATM can change that).

So in order to protect both online shoppers and online retailers, online (PIN) debit should be utilized. HomeATM is the only provider of such a solution which has been deemed both PCI 2.0 compliant and offers "End to End Encryption" on all of its PIN-based transactions.

In addition, HATM is EMV ready and its personal swiping device transforms Card Not Present transactions into Card Present transactions, adding a layer of security with two-factor authentication (what you have and what you know: the card and the PIN, respectively).

HATM's end-to-end encryption protects the consumer's PIN throughout the whole transaction, as it is NEVER in the clear.

For more information on how HomeATM's PIN Based Transactions can benefit your organization, visit


Did Heartland CEO Make Insider Trades?

In an article written by Anthony M. Freed, which I read yesterday and which was picked up this morning by Seeking Alpha, he questions the timing of CEO Robert Carr's stock trades and whether or not they had anything to do with insider knowledge of the breach. It makes for interesting reading, so I thought I'd share his conjectures with you.

Did Heartland CEO Make Insider Trades? : Information Security Resources
By Anthony M. Freed, Financial Editor

Heartland Payment Systems (HPY) and Federal investigators have released more details about the technical nature of the massive financial data breach made public last week, but have refused to pinpoint the exact date that Heartland first became aware there may have been a problem with their network security.

The date they settle on may well be the difference between market serendipity and an SEC investigation for insider trading, as an examination of stock sales made by Heartland CEO Robert O. Carr in the second half of 2008 raises some serious questions about just who knew what and when in the latest version of the worst-ever information security breach which has now spawned a class action lawsuit.

(Chart: Heartland CEO questionable stock trades)

Federal investigators and the Secret Service have apparently traced the Heartland data breach to sources outside of North America, with some reports indicating Eastern Europe as being the most likely origin of the unauthorized access.

The principles and methods used by the perpetrator(s) have been uncovered, with evidence that is somewhat contradictory in nature, some of which is suspected of being nothing more than red herrings planted by the hacker(s) to throw investigators off their trail.

Excerpts from Evan Schuman:(StoreFront BackTalk)
The sniffer malware that surreptitiously siphoned tons of payment card data from card processor Heartland Payment Systems hid in an unallocated portion of a server’s disk. The malware, which was ultimately detected courtesy of a trail of temp files, was hidden so well that it eluded two different teams of forensic investigators brought in to find it after fraud alerts went off at both Visa (V) and MasterCard (US:MA) according to Heartland CFO Robert Baldwin.

“A significant portion of the sophistication of the attack was in the cloaking,” Baldwin said.

Another consultant, who also wanted his name left out, said the ability to write directly to specific disk sectors is frightening. “Somehow, these guys went directly to the base level of the machine (to an area) that was not part of the file table for the disk,” he said. “Somehow, they got around the operating system. That’s a scary mother in and of itself.”

Other industry brains were less impressed. One nationally recognized and certified information security expert who I corresponded with Wednesday evening regarding the breach indicated that the hackers exploited a system weakness that should have been well known to Heartland, for which protocols were issued several years ago.

From my email conversation:
“This was an ‘I told you so’ moment for me. I know exactly which part of the process got hit. It was the un-encrypted Point-to-Point connection which occurs between the Host Security Module (HSM) and the Application Security Module (ASM).

“But that means that they had to have had a hole in their firewall to insert the sniffer into unallocated disk space. “

“Now Heartland is crying poor me, and making it sound like they are heroes by claiming that they are going to ‘develop’ end to end encryption. They should have been using the ISO Banking Security Standards which were promulgated in 2004/2005. They should be expected to uphold the standard.”

It looks as if the techies have already dissected the mechanics of this modern day cyber-cat-burglar, but ten days later we still have no clear idea of how long the sensitive data was exposed or when Carr and other Heartland executives first had an indication that something was not as it should be.

More from Evan Schuman:
(Heartland CFO Robert) Baldwin also added more details to the sketchy timeframes that have been revealed thus far about the attacks, specifying that Heartland was contacted by Visa and MasterCard “in very late October,” possibly October 28.

Given that authorities are conducting an investigation, it is understandable that many details will not be released until after an arrest is made, but given the nature of the details that have and have not been revealed, one has to wonder who all is actually under investigation here.

Usually in an on-going criminal investigation, details are withheld from the press and public for many different reasons, but generally it is the mechanistic details of the crime, and often all the press has to report on is the headline and a timestamp.

Oddly enough, it is those details of the crime that one would not expect that have been trickling out, including the suspects' possible location, yet the generalities are being obscured, like what was stolen and when did they steal it?

The answer to the latter of the two questions is of particular issue.

If Heartland personnel, and particularly Bob Carr, had absolutely no indication that something was awry with their processing system security until they were alerted by Visa and MasterCard at the end of October, then there is no problem.

Under this scenario, according to the chart above, Carr just happened to be in the middle of a major sell off of Heartland stock unlike any he has ever undertaken before when he found out “late in the fall” about the existence of problems.

It could simply be the case that Carr just happened to decide to sell 80,000 shares of Heartland stock for roughly $1.6 Million a pop on nine separate occasions, about every other week, in the four month period leading up to the announcement of the breach. These uncharacteristically large and more than frequent liquidations just happened to have occurred while the company was in the middle of an expensive acquisition and expansion of services push, all of course while the credit markets were in total dysfunction.

If on the other hand, company communiqué and records reveal that Heartland knew of possible anomalies in the processing security at the end of August instead of at the end of October, then we have a whole other scenario to apply the data to.

Under this hypothetical situation, Heartland may have discovered problems prior to end of August and may have known it was something serious simply because no one could figure it out. According to the official company statements, this was a difficult intrusion to detect, one that was missed more than once.

Again from Evan Schuman:
The initial internal conclusion was that “it looked most likely that it would be in a certain segment of our processing platform,” said Baldwin, adding that Heartland does not want to identify what that segment was. The company hired a forensic investigation team to come in and focus solely on that one area, an effort that ultimately proved fruitless. “We found issues in a large segment of our processing environment. The one that looked like the most promising turned out to be clean,” he said.

That second team “was nearing conclusion” and was about to make the same assessment the first team did: clean bill of health. But one of the last things that external, qualified risk assessor did was to try and match various temp files with their associated application. When some orphans (.tmp files that couldn’t be matched to any application or the OS) were turned over to Heartland’s internal IT group, they also couldn’t explain them, saying that it was “not in a format we use,” Baldwin said. More investigation ultimately concluded that those temp files were the byproduct of malware, and more searching eventually located the files in the unallocated portions of server disk drives.

So, continuing with the hypothetical scenario, Heartland would have had inside personnel looking for the problem when they got a call from Visa and MasterCard with the friendly heads-up. Heartland could have just not acknowledged the problem until their business partners forced them to.

The end of August is of interest because this is when Carr began to sell off large blocks of stock about every other week, and this was a significantly different trading pattern than Carr had engaged in previously.

If documentation turns up that indicates Heartland knew of serious problems with their network security prior to August 28th, these huge and rapid sell-offs by Carr may look more than suspect to the SEC.

I can not see the strategic value of withholding an accurate timeline of what exactly the company and Carr knew, and when exactly they knew it. But, if it turns out that everything is kosher here and all is as Heartland has indicated so far - which is very little - then I guess I just don’t understand Carr’s trading strategy over the last half of 2008 and how it related to his goals as a CEO for the growth and performance of his company.

They seem to be at odds, but that is no crime, just ask anyone who shorts their own company from time to time. It just needs to be cleared up. Not to worry though, as this is nothing that a solid and well documented timeline won’t be able to take care of (hint hint).

Meanwhile, Heartland’s stock (HPY) bounced back a little Wednesday, but is still trading at nearly half of its value prior to the breach announcement.

The data loss debacle at Heartland highlights the fact that the failure to secure information is a growing national security threat, and will be the next major shareholder derivative, director and officer liability, regulatory, consumer product safety, and class-action issue to impact our economy.

The Author gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and


Hundreds Hit in Debit Scam

London Free Press - News- Debit scam victims now in the 'hundreds'

Police now confirm there are “hundreds” of victims in a debit card scam in Stratford.

Although police said every financial institution was hit, they’ve confirmed there were more than 350 victims at just two banks. “We’re just starting to extrapolate the data, but it’s obviously in the hundreds,” said Det. Inspector Sam Theocharis.   Asked how much money the culprits have scammed, Theocharis said: “Who knows? We can’t say for sure just yet, but it’s well over $100,000. Right now, I can say there’s no bank that hasn’t been affected.”

Police are working with Interac Canada, the Canadian Bankers Association, and security branches of the various banks to try and gauge the breadth of the scam, which was discovered last weekend as Stratford residents began seeing money disappear from accounts and debit cards were disabled.

Police have traced some of the “empty envelope” deposits to the Greater Toronto Area, Montreal and Kirkland, Que. The scammers use the debit card information of victims to withdraw cash or make phony deposits before making withdrawals. Theocharis said there's little doubt the scam involved more than one person and more than a single ATM, bank or business. But he said the investigation is still in the early stages of pulling information together from various banks.

Some of the victims are from the surrounding area and frequent Stratford on a regular basis. Police have a variety of investigative tools available to them, such as video surveillance to identify suspects, which is part of the information now being gathered.

“We’re still trying to pinpoint where it happened and then we’ll try to find some common denominators and, hopefully, identify some suspects,” said Theocharis.  Police urge Stratford residents to check their accounts and report suspicious activity. The Canadian Bankers Association (CBA) said earlier this week no one will be out of pocket, because the banks will refund their accounts.

The illegal withdrawals range from $200 to $2,000. In some instances, the culprits tried to withdraw money, but failed because of bank anti-fraud technology. 

The CBA says debit card fraud is a problem, but not as widespread as some may think. Less than one per cent of the 21 million debit cards in circulation in 2007 were hit by fraud, with the total amount lost estimated at $107 million.

For information about how to protect yourself from debit-card fraud, the CBA urges consumers to visit its website at


What the Heartland Breach Means to Banks

Heartland Breach: What it Means to Banking Institutions. An Interview with James Van Dyke, Founder/President, Javelin Strategy & Research

Bank Info Security- The Heartland Payment Systems data breach – it’s the first major security incident of 2009. But how big is it really?  What are the key takeaways for banking institutions left explaining this breach to their customers?

In an exclusive interview, James Van Dyke, Founder and President of Javelin Strategy & Research, discusses the implications of the Heartland case, offering insight on:
– Conclusions we can draw from the Heartland breach;
– How banking institutions should communicate with their customers;
– Vulnerabilities we should watch to avoid the next big breach.

Read Full Article (registration required)


Thursday, January 29, 2009

HomeATM Meets PCI 2.0 Requirements

Witham Labs Provides A-OK, Certification Next Step
Above photo courtesy of HomeATM CEO, Ken Mages

I am pleased to report that since October 2008, HomeATM's personal card swiping device has undergone the scrutiny and rigors of PCI 2.0 testing at Witham Labs, and that as of today, 1/29, our SafeTPIN device has either met or exceeded the PCI 2.0 requirements "for a PIN Entry Device for online PINs".

Congratulations are in order for our CTO, Ben Lo, who works out of our Hong Kong location.  Congrats to Ben and his team for their integral role in achieving this milestone! 

When you combine this news with the fact that HomeATM already provides "end to end encryption" which is only a topic of discussion for other processors, it escalates HomeATM to the top of the security ranks in the payments industry.

* E2EE = Continuous protection of the confidentiality and integrity of transmitted information by encrypting it at the origin and decrypting at its destination. For example, a virtual private network (VPN) encrypts traffic end to end between its two tunnel endpoints. Another example: HomeATM uses end-to-end encryption.
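The PED story here and the earlier Gemalto note both turn on online PIN: the PIN pad formats the PIN into a PIN block that is then encrypted before it leaves the device. The following is an added example, not HomeATM's or Witham Labs' code and not something the report on this page shows. It assumes the device uses ISO 9564-1 format 0, the usual online-PIN block format (the page does not say which format SafeTPIN uses); the encryption of the 8-byte block under the PED's PIN encryption key, and the key management around it, are outside this snippet. What it does show is the part of the format that is a security control in its own right: the block is XORed with the card's PAN, so a block captured from one card cannot simply be replayed against another.

```python
"""ISO 9564-1 format 0 PIN block: build at the PIN pad, recover at the host.

Added example (not HomeATM / Witham Labs code). Assumes format 0; the
encryption step that normally follows pin_block_format0() is omitted.
"""


def pan_block(pan: str) -> bytes:
    """Format 0 PAN field: 0000 followed by the 12 rightmost PAN digits,
    excluding the Luhn check digit."""
    digits = pan[-13:-1]
    if len(digits) != 12 or not digits.isdigit():
        raise ValueError("PAN must be at least 13 digits")
    return bytes.fromhex("0000" + digits)


def pin_block_format0(pin: str, pan: str) -> bytes:
    """Clear PIN block (control nibble 0, PIN length, PIN, F padding)
    XORed with the PAN block. This is what the PED encrypts."""
    if not (4 <= len(pin) <= 12) or not pin.isdigit():
        raise ValueError("PIN must be 4-12 digits")
    plain = f"0{len(pin):X}{pin}".ljust(16, "F")
    clear = bytes.fromhex(plain)
    return bytes(a ^ b for a, b in zip(clear, pan_block(pan)))


def pin_from_block(block: bytes, pan: str) -> str:
    """Host-side inverse: strip the PAN and validate the format.
    A block built for a different PAN fails the digit/padding checks."""
    if len(block) != 8:
        raise ValueError("format 0 block is 8 bytes")
    clear = bytes(a ^ b for a, b in zip(block, pan_block(pan)))
    hexed = clear.hex().upper()
    if hexed[0] != "0":
        raise ValueError("not a format 0 block")
    length = int(hexed[1], 16)
    pin = hexed[2:2 + length]
    if not pin.isdigit() or hexed[2 + length:] != "F" * (14 - length):
        raise ValueError("padding check failed: wrong PAN or corrupted block")
    return pin


if __name__ == "__main__":
    # Worked values from the ISO 9564 format 0 layout (constructed inputs).
    blk = pin_block_format0("1234", "43219876543210987")
    print(blk.hex().upper())                       # 0412AC89ABCDEF67
    print(pin_from_block(blk, "43219876543210987"))  # 1234
```

Note the limit of the format itself: the PAN is on the same magstripe the PED reads, so an unencrypted format 0 block reveals the PIN to anyone who also has Track 2. That is why the encryption of this block, and the "never in the clear" claim that goes with it, has to hold on every hop between the PIN pad and the host that verifies the PIN.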

Back to our PCI 2.0 story. Here's a sampling from the Witham Labs report:

Executive Summary

HomeATM of 1010 Sherbrooke West, Montreal, Quebec, Canada H3A 2R7, has designed and manufactured a PIN Entry Device named “SafeTPIN”. This PED has a magnetic stripe reader.

Witham Laboratories was asked to study the SafeTPIN and comment on its compliance with the PCI requirements for PEDs, v2.0. Under NDA, working units were provided for destructive analysis, along with wiring schematics and layouts, test data, loader application and firmware source code. We tested and evaluated the submitted samples of the device.

This report presents our findings for compliance to the PCI-PED requirements (v2.0), with detailed analysis of each requirement, overview of architecture and methods and cost estimates of possible attacks.

Witham Laboratories was able to verify the compliance of the SafeTPIN with all applicable PCI requirements v2.0 for PIN entry devices.

This report details the results of the evaluation, and is suitable for submission to PCI.

“The PED uses tamper detection and response mechanisms which cause the PED to become immediately inoperable and result in the automatic and immediate erasure of any secret information which may be stored in the PED. These mechanisms protect against physical penetration of the device by means of (but not limited to) drills, lasers, chemical solvents, opening covers, splitting the casing (seams) and using ventilation openings, and there is not any demonstrable way to disable or defeat the mechanisms."


Is Google Checking Out Australia?

Is Google Going Down...Under?  The Herald Sun says it very well may be, mate. 

How do you want to pay? Google? | Herald Sun
GOOGLE Australia is considering a plan to take on payments giants such as Visa, Mastercard and B-Pay in the booming online payments market. The move comes as the search giant secured a financial services license from local regulators.

The Australian Securities and Investments Commission recently issued Google Australia with an authority to provide deposit and payments services to local merchants and shoppers.  While the licence does not permit Google to provide cash-based payments services to Australian clients, it will enable the group to facilitate digital or online transactions.

Web-based commerce is a hotly contested and lucrative market for payments providers and has spawned a raft of new players including E-Bay subsidiary PayPal.

The ASIC licence potentially opens a fresh revenue stream for Google which will be able to collect processing and transaction fees for bringing shoppers and merchants together via its websites.

Google Australia spokesman Rob Schilken confirmed that the company was working on options to roll out an internet payments platform in Australia.
  "It's a matter of doing the due diligence and the homework so that if we're in a position to launch we can do it," he said.

But no decision has been taken." Through PayPal, EBay has stolen a march on Google in the Australian online payments arena.

Market research published earlier this month by Nielsen Online found that 7.3 million Australians shop over the internet.


Malware = $1 Trillion Problem

Malware Increased  by 400% in '08

DAVOS, Switzerland (Reuters) - Businesses risk losing over $1 trillion from loss or theft of data and other cybercrime, according to a study released on Thursday by security technology firm McAfee Inc.

The California-based company launched the survey after detecting a rapid acceleration of malicious software, or "malware," last year, CEO David DeWalt told Reuters. Malware increased by 400 percent in 2008, he said.

"This was a very insidious type of malware that was designed either to steal your data, steal your identity, steal your money, and in many cases the scale as well as the sophistication was very alarming," DeWalt said in an interview at the meeting of the World Economic Forum in Davos, Switzerland.

Editor's Note: In the wake of the Massive Heart(land) Attack, some industry leaders are calling for end-to-end encryption (E2EE). HomeATM already incorporates E2EE and is awaiting PCI 2.0 certification for its personal swiping device with PIN pad.

The survey of 800 companies in 8 countries showed that 80 percent of malware aimed to make a financial gain, in contrast to traditional viruses and worms which just had nuisance value.

In the survey, 42 percent of companies said that laid-off employees were the single biggest threat to their data security.

The increase in the availability and power of removable storage, such as mobile phones, laptops, and USB sticks, has made data loss or theft easier. And global supply chains mean that sensitive data is often stored abroad.

DeWalt said the survey showed that the average company has $12 million of data stored outside its home country -- often in countries with little intellectual property law.

Data lost accidentally or through theft can be expensive to replace or damaging to a company's reputation or brand.

In April last year, discount retailer TJX said it would pay up to $24 million as part of a settlement with MasterCard over a security breach that put credit card data for tens of millions of shoppers at risk.

The British government has been repeatedly embarrassed by losses of data, such as when the tax authority, HM Revenue and Customs, lost data on 25 million people exposing them to the risk of identity theft and fraud.

(Reporting by Jonathan Lynn; editing by Simon Jessop)


Wednesday, January 28, 2009

Heartland Sniffer Found in Unallocated Portion of Disk Drive

StorefrontBacktalk: Heartland Sniffer Hid In Unallocated Portion Of Disk

Evan Schuman, who first reported that the Secret Service has identified the person(s) responsible for the Heartland attack, writes more about the attack in his publication, StoreFront Backtalk. 

He says that the sniffer malware used in the Heartland attack was cloaked in an unallocated portion of Heartland's server, which is a well-known tactic. What's unique in this type of attack is that it requires "tricking" the operating system, either by modifying the OS itself or by installing a modified device driver. Either way, one consultant said that the fact that the hacker(s) got around the OS itself is a "scary mother."

SFBT also says in the article that Robert Baldwin, President and COO of Heartland, says they were contacted by V/MC in late October. It then took two weeks and two different forensic teams (who, according to Heartland, were both about to issue a clean bill of health) to find some orphan .tmp files, which turned out to be a by-product of the malware and which led investigators to the malware itself in an unallocated portion of the disk drives.

Finally, Evan Schuman addresses Heartland's decision to pursue End 2 End Encryption, questioning how feasible it is given the cost, the number of payment players that would have to participate, and the fact that it is the card brands themselves who insist on dealing with unencrypted data.
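Two stories on this page meet in one artefact. The sniffer above sat in unallocated disk space and collected card data; the Gemalto note further up points out that it is the magstripe (Track 2) that gets "lifted" from a chip card. Below is an added example, not code from the page, from Heartland's investigators or from HomeATM, of how a forensic examiner could carve the unallocated extents of a disk image for Track 2 records and read off what the data would give a cloner. It assumes a raw image plus the allocated byte ranges recovered from the file-system metadata (a small constructed image and one allocated extent stand in for both here); the Track 2 layout, Luhn check and service-code meaning are the ISO/IEC 7813 and 7812 definitions, not anything Heartland has published about its case.

```python
"""Carve unallocated disk regions for magnetic-stripe Track 2 data.

Added example; not Heartland, Secret Service or HomeATM code. Input is a raw
image plus the allocated (start, end) byte extents from file-system metadata;
everything else is treated as unallocated and searched for Track 2 records.
"""
import re
from typing import Dict, List, Tuple

# Track 2: ';' start sentinel, 13-19 digit PAN, '=' separator, YYMM expiry,
# 3-digit service code, discretionary data, '?' end sentinel.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")


def luhn_ok(pan: str) -> bool:
    """ISO/IEC 7812 check digit; filters random digit runs that look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def unallocated_extents(image_len: int, allocated: List[Tuple[int, int]]) -> List[Tuple[int, int]]:
    """Complement of the allocated byte ranges within the image."""
    gaps, cursor = [], 0
    for start, end in sorted(allocated):
        if start > cursor:
            gaps.append((cursor, start))
        cursor = max(cursor, end)
    if cursor < image_len:
        gaps.append((cursor, image_len))
    return gaps


def chip_capable(service_code: str) -> bool:
    """Service code first digit 2 or 6: an IC (chip) is present on the card."""
    return service_code[0] in "26"


def carve_track2(image: bytes, allocated: List[Tuple[int, int]]) -> List[Dict]:
    """Search only the unallocated gaps; report each Luhn-valid Track 2 hit."""
    hits = []
    for start, end in unallocated_extents(len(image), allocated):
        for m in TRACK2_RE.finditer(image, start, end):
            pan, exp, svc, _disc = (g.decode() for g in m.groups())
            if not luhn_ok(pan):
                continue
            hits.append({
                "offset": m.start(),
                "pan_masked": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],
                "expiry": f"20{exp[:2]}-{exp[2:]}",
                "service_code": svc,
                "chip_capable": chip_capable(svc),
            })
    return hits


# Constructed sample image: one record inside an allocated file (ignored), one
# Luhn-valid record and one Luhn-invalid record in unallocated space. The PANs
# are standard test numbers, not real cards.
SAMPLE_IMAGE = (
    b"\x00" * 64
    + b";4111111111111111=12121010000000000?"   # inside allocated extent
    + b"\x00" * 64
    + b";5500000000000004=1312201123456789?"    # unallocated, chip-capable card
    + b"\x00" * 32
    + b";4111111111111112=1212101000?"          # unallocated, fails Luhn
    + b"\x00" * 32
)
SAMPLE_ALLOCATED = [(0, 100)]  # the first 100 bytes belong to a live file

if __name__ == "__main__":
    for hit in carve_track2(SAMPLE_IMAGE, SAMPLE_ALLOCATED):
        print(hit)
```

The service code is the detail that ties the two stories together: its first digit says whether the card carries a chip, so a magstripe swipe from a chip-capable card at a chip terminal is a "fallback" transaction an issuer can decline, while a card-not-present purchase never sees the service code at all.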

This from StoreFront Backtalk:

The sniffer malware that surreptitiously siphoned tons of payment card data from card processor Heartland Payment Systems hid in an unallocated portion of a server’s disk. The malware, which was ultimately detected courtesy of a trail of temp files, was hidden so well that it eluded two different teams of forensic investigators brought in to find it after fraud alerts went off at both Visa and MasterCard, according to Heartland CFO Robert Baldwin.

Regarding end-to-end-encryption, Evan quotes Heartland CEO Bob Carr and explains the potential problem with it...

"Heartland CEO Robert Carr said in a statement: “Nevertheless, I believe the development and deployment of end-to-end encryption will provide us the ability to implement increasing levels of security protection as they become needed.”

End-to-end encryption is far from a new approach. But the flaw in today’s payment networks is that the card brands insist on dealing with card data in an unencrypted state, forcing transmission to be done over secure connections rather than the lower-cost Internet. This approach avoids forcing the card brands to have to decrypt the data when it arrives."

Read Evan Schuman's complete article here


Banks Not HPY with Heartland

It appears some financial institutions aren't very HPY with Heartland Payment Systems...

The Washington Credit Union League (WCUL) in Federal Way, Washington, is seeking to revive legislation that would mandate specific data protection controls on all merchants and third parties such as Heartland. The bill (HB 1149) received its first hearing last Thursday in the Washington State House Committee on Financial Institutions and Insurance, according to a statement released by the WCUL.

But reading between the lines (or simply reading the lines quoted below), this looks like the groundwork for a class-action lawsuit against Heartland to recoup the "$20 per card" cost of reissuance, the "30 minutes per card" of staff time it takes, and monetary damages for the "reputational impact" on the financial institution. They also state that "if someone's careless actions result in a financial loss to others, they should have to pay for it," and that some institutions are reporting that "more than half of their card base has been affected" by the Heartland breach. All bad news for Heartland's ticker, and as they say, this may be just the tip of the iceberg...


Contact: David Bennett - Washington Credit Union League
Office: 206.340.4828  Mobile: 425.221.1237

Latest Data Breach Causing Significant Harm to  Washington’s Consumers, some Financial Institutions
A credit union-written bill now before the state legislature encourages all financial institutions to take extraordinary measures to protect consumers from identity theft and fraud.

FEDERAL WAY, WASH—The state’s credit unions have been prepared for tough times on behalf of their members for more than 75 years, but the latest whammy leveled on them may cause as much harm to some as the current national financial meltdown.

Last Tuesday, third-party credit and debit card processing company Heartland Payment Systems, a Princeton, N.J.-based company that completes about 100 million transactions per month on behalf of more than 250,000 merchants, disclosed that it had begun to receive fraudulent activity alerts last year from MasterCard and VISA. According to reports, all of the unauthorized transactions were applied to cards that rely on Heartland to process payments.

Heartland still does not know how long the breach occurred prior to its discovery and refuses to release the names of the merchants that contract with them, which deprives consumers who patronize those merchants the ability to be more vigilant in monitoring their credit and debit card accounts.

Some of Washington’s financial institutions have reported that more than half of their card base has been affected by the breach.

Most credit union leaders believe that the effect during the initial days is just the “tip of the iceberg,” and have already begun to notify members, block accounts, reissue cards and numbers and provide ongoing fraud monitoring.

According to some industry insiders, fraudulent activity alerts began to arrive in mid-November; however, for liability reasons the alerts did not mention where the breach occurred. At least one has confirmed that counterfeit cards have been created from the stolen information and so far used in Florida and Mexico.

“The state’s credit union community is appalled, but unfortunately not very shocked by the immense size of the Heartland data breach,” said Washington Credit Union League President/CEO John Annaloro.

“In far too many cases, negligent data breachers do business as if they were immunized from liability when they fail to protect their customers’ personal information. In our view, if someone’s careless actions result in a financial loss to others, they should have to pay for it.”

In the past, it has been standard operating procedure following a data breach for credit unions to block accounts, reissue cards and numbers and provide ongoing fraud monitoring.

However, taking those aggressive steps to protect members from financial fraud and identity theft is becoming cost prohibitive because the frequency and size of data breaches is skyrocketing and costs the financial institution around $20 per card, depending on the extent of the action taken.

This number does not include costs associated with staff time, which can be as much as 30 minutes per card, or the negative reputational impact on the financial institution.

“While there are processes that are 'supposed to provide' some reimbursement for fraud losses, the truth is that these processes only recoup pennies on the dollar,” (translation: we want more money) said Stacy Augustine, the Washington Credit Union League Senior Vice President in charge of government relations. “More importantly, the costs that are recouped don’t pay anything toward costs associated with a financial institution’s proactive steps to protect consumers from fraud and identity theft.”

Because of this, Washington’s credit unions have once again introduced legislation aimed at encouraging financial institutions to take extraordinary proactive steps to protect the state’s consumers from identity theft and financial fraud following a data breach. Like last year’s proposed bill, HB 1149 encourages financial institutions to take proactive measures to protect consumers by allowing them to sue negligent data breachers for the cost of aggressively protecting Washingtonians’ personal and private information.


Class-Action Suit Against Heartland

In an article titled "Banks, credit unions scramble in wake of Heartland breach," Jaikumar Vijayan writes for Computerworld that several banks have begun reporting fraud and have been forced to issue replacement cards.

In addition, the first class-action lawsuit has been filed on behalf of a woman in Woodbury, MN.

I would think this may be just the "tip of the iceberg" when it comes to lawsuits, as numerous credit unions and small banks will look for ways to recoup some of the exorbitant costs associated with a breach of this size. Maybe Heartland Bank will lead the way. Wouldn't that be a full circle and a half?

More likely it will be the Washington Credit Union League. Based on the tone of the language in this document (Word), they are not very HPY with Heartland right now.

Here are a couple of paragraphs from the Computerworld article.
"In the first real indication of the scope of the recently disclosed data breach at Heartland Payment Systems Inc., banks and credit unions from Washington to Maine have begun to reissue thousands of credit and debit cards over the past few days.

Several have also begun disclosing fraud associated with payment cards that were reported to them by Visa and MasterCard as having been exposed in the breach.

A Pennsylvania law firm today filed the first class-action lawsuit related to the breach. Chimicles & Tikellis LLP in Haverford, Pa., filed the lawsuit on behalf of Alicia Cooper, a resident of Woodbury, Minn., and others who might have been affected by the breach.

The complaint, filed in the U.S. District Court for the District of New Jersey in Trenton, alleges that Cooper, whose card was compromised in the breach, and others, were victims of Heartland's negligence in protecting cardholder data. The lawsuit, which calls for a jury trial, charged Heartland with breach of contract, breach of implied contract and breach of fiduciary contract for the breach..."

Looks to me like this is going to get rather messy for Heartland. Click here to read the whole story at Computerworld.


One in Four Brits Hit w/Card Fraud

The Press Association is reporting that "one in four Britons" has been the victim of credit or debit card fraud. According to its story, research has shown that:

Around 26% of people have now had their card used fraudulently, up from 21% when the same research was carried out 12 months ago, according to life assistance group CPP.  (Editor's Note: Unless they lived in London, where nearly 40% of Brits were victims.)

On average, fraudulent transactions totalled around £650, but 6% of people reported losses of more than £2,000.  But despite the large sums of money involved, 42% of card fraud victims did not spot the rogue transactions themselves, and only found out about them when they were alerted by their bank.

London remained the country's credit and debit card fraud hot spot, with 38% of people living in the capital having been hit by the problem, a 10% jump on the number of people who had been affected last year. It was closely followed by Cardiff at 34%, Manchester at 29% and Brighton at 27%, where there was a 15% jump in the proportion of people hit during the year.

Nearly four out of 10 victims had their card used online, while 21% had it cloned when using a cash machine or chip and Pin device, with others losing money after their card was lost or stolen. 

Kerry D'Souza, card fraud expert at CPP, said: "The dramatic increase in card fraud shows no sign of abating which isn't surprising given the desperate measures some people will resort to during the recession.

"Fraudsters are becoming increasingly sophisticated, especially when it comes to online transactions which are a particular cause for concern."

"Cardholders need to remain vigilant with their cards and take the necessary steps to protect themselves - from checking statements more frequently to keeping sight of their card when paying for transactions. It might seem like simple steps but they will go a long way in preventing fraud."


Tuesday, January 27, 2009

Here to Stay - AltPay

Alternative payments are on the rise, and they are cutting into the margins of the dynamic duopoly. As credit card use declines and debit, ACH and money transfer options increase, V/MC will take an even bigger hit, especially as the lime leaches from the mortar in the bricks of the house that retail built.

This article about alternative payments doesn't even touch on PIN debit for the web. But PIN debit is the consumers' preferred payment method, which is what makes the potential for this industry so enticing. BTW, the rest of the AltPays aside, PIN-based transactions for the web are really starting to gain some "major momentum." The chatter around PIN debit for the web has picked up tremendously over the past 10 months or so. And rightfully so... after all, what part of online debit for online shopping doesn't make sense?

I'll answer my own question. The part that doesn't make sense is the part where it's more secure than the way it's done now... and the part whereby lower interchange rates would potentially save internet retailers hundreds of millions of dollars annually.

Is it that simple... the fact that because interchange is lower, it's not as profitable to the banks, EFT networks and processors? Nah... it couldn't matter anyway, because that is all about to change. Hackers have changed the game and "now it's all about security." TJX, CardSystems, Hannaford, RBS WorldPay, and now Heartland have seen to that. We need a more secure transaction, one that's encrypted from beginning to end, and not only have we already got it, it's already the consumers' preferred method. (One caveat worth stating plainly: in conventional PIN debit it is the PIN block that is encrypted at the PIN pad and re-encrypted at each hop; the card number itself still travels in the clear, so the "beginning to end" protection covers the PIN, not the PAN that a sniffer like Heartland's was after.)

Here's a tidbit from Bala Janakiraman's article:

Alternative Payments: More Ways to Close the Sale
By Bala Janakiraman
Online customers are increasingly turning to alternative payment methods, and merchants who don't want to miss out on sales should consider accepting some or all of them. Banks also are getting in on the act, creating Secure Vault Payments, which authenticate customers through online banking portals.

For the past few decades, checks, ACH, credit cards and debit cards have been the primary means of payments for consumers. These payment methods have been successful because consumers can pay for their purchases without carrying cash, merchants can increase sales by reaching a wider consumer base, and banks are able to establish themselves as trusted financial providers to both merchants and consumers. However, changing market trends are creating opportunities for alternative payment methods and practices.

The Driving Forces Behind Payments Innovation

Communications technologies, mainly the Internet and mobile phones, have dramatically altered the ways in which individuals interact with each other and, in turn, consumers are shifting more of their purchases from the physical world to the virtual. Merchants have adapted by becoming multichannel marketers and banks are following suit by providing new means for consumers to interact with their finances through popular tools such as online bill pay and mobile banking.

Second, the rise of online purchases has brought with it concerns of security. While most banks fully protect consumers against fraudulent transactions, consumers don't want to go through the hassle of identifying and fixing fraud. And merchants are even more concerned especially since they end up digesting most of the liability in the event of a security breach.

Merchants are also concerned about managing the rising costs of payment acceptance. Over the last 20 years, credit card interchange fees have gone up 25 percent to 90 percent, depending on the card type and the nature of the merchant business... continue reading

