Thursday, January 22, 2009

The Bad Guys Are Very Good - Heartland President

Yes, that's what he said.  I know what he meant, but nonetheless, it's the kind of line that both Norm Crosby and Yogi Berra would be proud of.

According to Newsday.com, Heartland has closed the security hole that ultimately may lead to their own extinction...especially considering how bad their ticker looks today.

I've posted comments throughout.

"Heartland says it has closed the security hole that allowed criminals to infiltrate their systems, but the matter is far from settled.

The company will likely have to pay big penalties to banks to reimburse the cost of issuing new cards, and analysts say the intrusion could even threaten the company's survival if the big card brands decide to cut off Heartland from connecting to their networks.

One big payment processor, CardSystems Solutions, went under after a 2005 data breach in which 40 million credit card accounts were compromised and the big card brands stopped doing business with CardSystems. Representatives for Visa Inc. and MasterCard Inc. declined to comment."

(Editor's Note: If Heartland was PCI certified, I highly doubt they'll be "cut-off" by Visa/MC, however, that's not to say that they won't lose a significant portion of their 250,000 member base, especially considering that these merchants may be subjected to very expensive fraud-related remedies.  The merchants will look to Heartland when the bills come.  I was surprised Heartland is not offering free credit report monitoring, so I won't be when they tell merchants to "deal with it."  Sounds like the clock is running for Heartland...also sounds like they've got a bad-ticker...)

Speaking of tickers...I see that HPS is down almost 20% today.  (see live chart at end of this post)

Yesterday, I said in a post
"As people start to realize the magnitude of the breach, and therefore the losses associated with them, I expect HPS stock to get "massacred" by...ironically, "Valentine's Day."    Maybe that "Valentine's Day Massacre" might come earlier than I thought...

Getting back to the newsday.com story, "the industry's security requirements call for payment processors to have separate networks — one for the financial transactions, and another for their general corporate tasks. Heartland wouldn't say how the malware got into the network that processes financial transactions or when it was planted there." (Why would that be?)

"If you're actually able to compromise that protected network, you're in, man — you have the keys to the kingdom," said Mike Rothman, senior vice president of strategy for security software vendor eIQnetworks Inc. "I presume they were able to sniff a large part of the payment traffic at the time the network was compromised."

Robert Baldwin, Heartland's president and chief financial officer, said the thieves accessed a part of Heartland's network that handles transactions for 175,000 of the 250,000 merchants the company works with. He said the program slipped past Heartland's antivirus software and was able to read data in unencrypted form as it was passed from Heartland to the card brands.  Baldwin said Heartland uses heavy encryption, which means its data is cloaked in special computer coding so unauthorized computers can't read it, but added that the data has to be sent in unencrypted form to the card brands, which is where the criminals were able to spot it. (Editor's Note: and therein lies the problem)

"Baldwin emphasized that no PIN codes were believed stolen. Baldwin added that the company passed an industry-mandated security inspection in April."  (about which much will be written in coming days/weeks/months)

"Unfortunately the bad guys are very, very good," he said. "The malware we encountered did not, and does not, get very well captured by antivirus software, (ya-think?) so it's a challenge we're going to have to keep working as an industry to combat."
 

Continue Reading at Newsday.com








