Tuesday, January 20, 2009

Largest Breach Ever? Deception Involved?

Brian Krebs, writing for the Washington Post, covered this morning's announcement that Heartland Payment Systems was breached. He is calling it one of the largest breaches ever, and according to him, Avivah Litan, a distinguished analyst at Gartner, criticized the "Inauguration Day" release and questioned it as deceptive, apparently suggesting that it was timed so it wouldn't get the coverage it otherwise would.

Payment Processing Breach May Be Largest Ever

A data breach last year at Princeton, N.J., payment processor Heartland Payment Systems may have led to the theft of more than 100 million credit and debit card accounts, the company said today.

If accurate, such figures may make the Heartland incident one of the largest data breaches ever reported.

Robert Baldwin, Heartland's president and chief financial officer, said the company, which processes payments for more than 250,000 businesses, began receiving fraudulent activity reports late last year from MasterCard and Visa on cards that had all been used at merchants which rely on Heartland to process payments.

The data stolen includes the digital information encoded onto the magnetic stripe built into the backs of credit and debit cards. Armed with this data, thieves can fashion counterfeit credit cards by imprinting the same stolen information onto fabricated cards.

"The nature of the [breach] is such that card-not-present transactions are actually quite difficult for the bad guys to do because one piece of information we know they did not get was an address," Baldwin said. As a result, he said, the prospect of thieves using the stolen data to rack up massive amounts of fraud at online merchants "is not impossible, but much less likely."

Avivah Litan, a fraud analyst with Gartner Inc., questioned the timing of Heartland's disclosure -- a day in which many Americans and news outlets are glued to coverage of Barack Obama's inauguration as the nation's 44th president. "This looks like the biggest breach ever disclosed, and they're doing it on inauguration day?" Litan said. "I can't believe they waited until today to disclose. That seems very deceptive."


Biometric PIN Debit for M-Commerce?

World's first biometric, waterproof mobile surfaces

Fujitsu has launched what it claims is the world’s first waterproof handset with an embedded biometric sensor. Fujitsu's F-01A: waterproof and secure.

The Symbian-based F-01A supports e-Wallet transactions.

Combine this AND our PIN debit mobile platform and there would be triple-authentication protection for the m-commerce sector... 

Biometric sign-in (who you are) authorizes and activates use of our SwipePIN device, which verifies that the card is present (what you have) by swiping the card, and triple-authenticates the transaction by asking the user to enter their PIN (what you know).

For more information on the biometric sensor manufacturer visit: Authentec


Credit Card Fraud Up Down Under

Credit card fraud rates are "jumping" faster than ever, not just here, but around the globe. In this article, the APCA announced that there have been huge rises in card-not-present (CNP) fraud and that credit card fraud spiked to 50.2 cents per $1000, almost 7 times higher than debit's 7.4 cents per $1000 transacted. Here's the article from Karen Dearne, who writes for Australian IT.

Credit card fraud spikes | Australian IT
CREDIT card fraud in Australia jumped to $233 million in the last financial year, up from $157 million in 2006-07, according to the Australian Payments Clearing Association.

The losses are due to increased fraud across borders, and huge rises in card-not-present (CNP) fraud involving online, phone or mail transactions. (Editor's Note: Huge rises in card-not-present fraud can be eliminated by morphing them into card-present transactions with the HomeATM SwipePIN device...)

Total fraud on Australian credit cards amounted to $132 million; of this, $73 million was obtained by criminals using the cards in other countries. More than $63 million was lost to CNP scams ($22 million within Australia and $41.6 million on locally-issued cards used overseas).

Skimmed and counterfeit cards accounted for $42 million in losses ($18 million within Australia, and $24 million on locally issued cards used overseas).

For the first time, losses due to fraud on cards originally issued overseas topped $100 million; criminals using foreign cards within Australia reaped almost $101 million, up from $66 million in 2006-2007.  The number of local cases involving skimmed or counterfeit cards from overseas almost doubled: more than 155,000 incidents were reported, resulting in total losses of $65 million, compared with 82,000 and $40 million the previous year.

At the same time, fraudsters used overseas cards to steal nearly $25 million through CNP transactions locally, up from $16.5 million.

APCA chief executive Chris Hamilton said credit and charge fraud now cost 50.2 cents in every $1000 of payments transacted, up from 38.6 cents previously. 

Debit card fraud increased only slightly, from 7.1 cents to 7.4 cents in every $1000 transacted, reflecting the greater security of Eftpos and ATM networks.

Fraud in the Heartland

In yesterday's last post: "Hackers Affect Debit and ATM Networks" I provided information from a story published by "The Times Tribune" that the STAR debit network had seen some suspicious activity and in a response to the situation, STAR said "the debit card issue we were alerted to could affect not only STAR but also other debit networks." 

Earlier this morning came news that one of the nation's bigger processors, Heartland Payment Systems, has been breached. Are they related, or was Avivah Litan, distinguished analyst with Gartner, spot-on when she said, "payments and funds transfer processors, rather than retailers, are now the ones being targeted by hackers."

Is the "Mother of All Hacks" coming? In that post, when speaking of the recent Royal Bank of Scotland breach, I said: "There is a disturbing development brewing in the payments world. It's bad enough when a retailer's computer security is breached, but now we've got us a completely different ballgame. When hackers penetrate the computer systems of major acquirers and processors, well, to use a famous quote, "We've got a problem Houston."

This could turn out to be a "Royal pain in the ***" for Visa and Mastercard themselves because acquirers like Royal Bank of Scotland link directly into their networks. On the surface, this appears to be "one small step for hackers," but it's "one giant step for hack-kind."

In that post I quoted Ms. Litan as saying:

“It’s very bad news,” says distinguished analyst Avivah Litan. Unlike retailers’ computer systems, processors’ systems connect directly to the networks of Visa Inc. and MasterCard Inc. “An attacker that breaks into a processor conceivably can get into the heart of the system,” and attacks on acquirers and processors are increasing.

Did she say "get into the Heart of the system?..." Man, she's like the Nostradamus of the payments world...stay tuned...

Heartland Payment Systems Uncovers Malicious Software In Its Processing System
No merchant information or cardholder Social Security numbers compromised.

PRINCETON, N.J., Jan. 20 /PRNewswire-FirstCall/ -- Payments processor Heartland Payment Systems has learned it was the victim of a security breach within its processing system in 2008. Heartland believes the intrusion is contained.

"We found evidence of an intrusion last week and immediately notified federal law enforcement officials as well as the card brands," said Robert H.B. Baldwin, Jr., Heartland's president and chief financial officer. "We understand that this incident may be the result of a widespread global cyber fraud operation, and we are cooperating closely with the United States Secret Service and Department of Justice."

No merchant data or cardholder Social Security numbers, unencrypted personal identification numbers (PIN), addresses or telephone numbers were involved in the breach. Nor were any of Heartland's check management systems; Canadian, payroll, campus solutions or micropayments operations; Give Something Back Network; or the recently acquired Network Services and Chockstone processing platforms.

After being alerted by Visa(R) and MasterCard(R) of suspicious activity surrounding processed card transactions, Heartland enlisted the help of several forensic auditors to conduct a thorough investigation into the matter. Last week, the investigation uncovered malicious software that compromised data that crossed Heartland's network.

Heartland immediately took a number of steps to further secure its systems. In addition, Heartland will implement a next-generation program designed to flag network anomalies in real-time and enable law enforcement to expeditiously apprehend cyber criminals.

Heartland has created a website - www.2008breach.com - to provide information about this incident and advises cardholders to examine their monthly statements closely and report any suspicious activity to their card issuers. Cardholders are not responsible for unauthorized fraudulent charges made by third parties.

"Heartland apologizes for any inconvenience this situation has caused," continued Baldwin. "Heartland is deeply committed to maintaining the security of cardholder data, and we will continue doing everything reasonably possible to achieve this objective."

