Friday, January 30, 2009

Gemalto Chippin' In with Venezuelan Bank Card Leaders

Gemalto teams with Venezuelan bank card market leaders to accelerate EMV migration

Digital security provider Gemalto is teaming up with Corporación Cardtech, Venezuela’s largest supplier of magnetic stripe bank cards, and Newtech Solutions, a consulting and technical support organization that specializes in EMV to help banks in Venezuela move to the new, smart credit card that will better protect their customers from fraud and identity theft.  Under the new agreement, banks in Venezuela working with the two companies will have access to expertise, consulting services, smart cards and technology from Gemalto. The partners estimate that eight million cards will be issued in the first year, starting in June 2009. Close to 16 million debit and credit cards are currently in use in Venezuela.

"Venezuelan banks are faced with constantly increasing card fraud, mostly due to illegal copying of magnetic stripe information to create “cloned” credit cards. The problem, which affects all of Latin America, has led to a liability shift which penalizes card issuers and merchants that do not issue or accept EMV cards. This liability change for non-EMV cards becomes effective in Venezuela starting July 2009."

EMV cards, also known as Chip and PIN, include a microprocessor and software with security features that work together with the payment transaction authorization network to prevent card fraud and identity theft. Unlike magnetic-stripe-only cards, chip-based transactions cannot easily be cloned; card cloning is a primary source of fraud throughout Latin America.

Editor's Note:  While it's true that a chip card can't easily be cloned and used at a chip-reading retail terminal, its data certainly can be "easily" skimmed and used online. The magnetic stripe is still present on the back of the smart card, and that stripe is what is "lifted" when a card is cloned.

That, in large part, is why UK card fraud is 14 times higher overseas (see related stories below), why 1 in 4 Brits have experienced credit or debit card fraud, and why Gemalto wants EMV in the US.  Online (web-based) transactions are currently Card Not Present transactions, and HATM can change that.
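To make the Editor's point concrete, here is an added example (not code from the original post, nor from Gemalto or HomeATM) that parses ISO/IEC 7813 Track 2 data, the format a skimmer reads off the stripe. The track strings are constructed sample data built from well-known industry test PANs; no real account is involved. The parser shows what the stripe carries (PAN, expiry, a service code whose first digit of 2 or 6 announces that a chip is present, and issuer discretionary data) and what it does not (the CVV2 printed on the card). Nothing on the stripe depends on the chip, so an acceptor that never touches the chip takes the skimmed record as-is.

```python
"""Parse ISO/IEC 7813 Track 2 data, i.e. what a magstripe skimmer captures.

Added example for this page; not code from the original post, Gemalto or
HomeATM.  All track strings below are CONSTRUCTED from industry test PANs
(4111 1111 1111 1111, 5555 5555 5555 4444) and belong to no real account.
"""
from dataclasses import dataclass

# First digit of the 3-digit service code (ISO/IEC 7813).  A leading 2 or 6
# tells a chip-capable terminal that the card has an IC and the chip should
# be used where feasible; a stripe-only terminal ignores this and reads the
# stripe anyway.
SERVICE_CODE_DIGIT1 = {
    "1": "international interchange",
    "2": "international interchange, IC present, use IC where feasible",
    "5": "national interchange only",
    "6": "national interchange only, IC present, use IC where feasible",
    "7": "no interchange (private)",
    "9": "test card",
}


@dataclass(frozen=True)
class Track2:
    pan: str             # primary account number, 12-19 digits
    expiry_yymm: str     # YYMM as encoded on the stripe
    service_code: str    # 3 digits
    discretionary: str   # issuer data (PVKI, PVV, CVV/CVC1, ...), opaque here

    @property
    def chip_present(self) -> bool:
        """True when the service code announces an IC on the card."""
        return self.service_code[0] in ("2", "6")

    @property
    def service_description(self) -> str:
        return SERVICE_CODE_DIGIT1.get(self.service_code[0], "unknown/reserved")


def luhn_ok(pan: str) -> bool:
    """ISO/IEC 7812 Luhn check; it catches mis-reads, not fraud."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def parse_track2(raw: str) -> Track2:
    """Parse ';PAN=YYMMSSSdiscretionary?' (start sentinel ';', field
    separator '=', end sentinel '?').  The LRC some readers append after
    '?' is assumed to have been stripped already (assumption of this example)."""
    if not (raw.startswith(";") and raw.endswith("?")):
        raise ValueError("missing Track 2 start/end sentinel")
    body = raw[1:-1]
    pan, sep, rest = body.partition("=")
    if sep != "=" or not pan.isdigit() or not 12 <= len(pan) <= 19:
        raise ValueError("malformed PAN field")
    if not luhn_ok(pan):
        raise ValueError("PAN fails Luhn check (likely a bad read)")
    if len(rest) < 7 or not rest[:7].isdigit():
        raise ValueError("expiry date and service code must be 7 digits")
    return Track2(pan=pan, expiry_yymm=rest[:4],
                  service_code=rest[4:7], discretionary=rest[7:])


def skimmed_fields(raw: str) -> dict:
    """What a skimmer learns from one swipe.  Note what is absent: the
    3-digit CVV2 printed on the card is never encoded on the stripe, and
    nothing here depends on the chip, so the record is usable at any
    acceptor that does not insist on the chip."""
    t = parse_track2(raw)
    return {
        "pan": t.pan,
        "expiry_yymm": t.expiry_yymm,
        "chip_present": t.chip_present,
        "service": t.service_description,
        "cvv2_on_stripe": False,
    }


if __name__ == "__main__":
    # Constructed sample tracks: a chip card (service code 201) and a
    # stripe-only card (service code 101) with the same layout.
    for sample in (";4111111111111111=1012201000000000000?",
                   ";5555555555554444=1012101000000000000?"):
        print(skimmed_fields(sample))
```

The service code is the only place the stripe mentions the chip, and it is advisory: a chip-capable terminal honours it, anything else reads the stripe as it always has, which is why the liability shift described above matters more than the chip itself for stripe-based fraud.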

So in order to protect both online shoppers and online retailers, online (PIN) debit should be utilized.  HomeATM is the only provider of such a solution which has been deemed PCI 2.0 compliant and offers "End to End Encryption" on all of its PIN-based transactions.

In addition, HATM is EMV ready, and its personal swiping device transforms Card Not Present transactions into Card Present transactions, adding a layer of security with two-factor authentication (what you have and what you know: the card and the PIN, respectively).

HATM's end-to-end encryption protects the consumer's PIN throughout the whole transaction; it is NEVER in the clear.

For more information on how HomeATM's PIN Based Transactions can benefit your organization, visit


Did Heartland CEO Make Insider Trades?

In an article written by Anthony M. Freed, which I read yesterday and which was picked up this morning by Seeking Alpha, he questions the timing of CEO Robert Carr's stock trades and whether or not they had anything to do with insider knowledge of the breach.  It makes for interesting reading, and I thought I'd share his conjectures with you.

Did Heartland CEO Make Insider Trades? : Information Security Resources
By Anthony M. Freed, Financial Editor

Heartland Payment Systems (HPY) and Federal investigators have released more details about the technical nature of the massive financial data breach made public last week, but have refused to pinpoint the exact date that Heartland first became aware there may have been a problem with their network security.

The date they settle on may well be the difference between market serendipity and an SEC investigation for insider trading, as an examination of stock sales made by Heartland CEO Robert O. Carr in the second half of 2008 raises some serious questions about just who knew what and when in the latest version of the worst-ever information security breach which has now spawned a class action lawsuit.

[Chart: Heartland CEO Questionable Stock Trades]

Federal investigators and the Secret Service have apparently traced the Heartland data breach to sources outside of North America, with some reports indicating Eastern Europe as being the most likely origin of the unauthorized access.

The principles and methods used by the perpetrator(s) have been uncovered, with evidence that is somewhat contradictory in nature, some of which is suspected of being nothing more than red herrings planted by the hacker(s) to throw investigators off their trail.

Excerpts from Evan Schuman:(StoreFront BackTalk)
The sniffer malware that surreptitiously siphoned tons of payment card data from card processor Heartland Payment Systems hid in an unallocated portion of a server’s disk. The malware, which was ultimately detected courtesy of a trail of temp files, was hidden so well that it eluded two different teams of forensic investigators brought in to find it after fraud alerts went off at both Visa (V) and MasterCard (US:MA) according to Heartland CFO Robert Baldwin.

“A significant portion of the sophistication of the attack was in the cloaking,” Baldwin said.

Another consultant-who also wanted his name left out-said the ability to write directly to specific disk sectors is frightening. “Somehow, these guys went directly to the base level of the machine (to an area) that was not part of the file table for the disk,” he said. “Somehow, they got around the operating system. That’s a scary mother in and of itself.”

Other industry brains were less impressed. One nationally recognized and certified information security expert who I corresponded with Wednesday evening regarding the breach indicated that the hackers exploited a system weakness that should have been well known to Heartland, for which protocols were issued several years ago.

From my email conversation:
“This was an ‘I told you so’ moment for me. I know exactly which part of the process got hit. It was the un-encrypted Point-to-Point connection which occurs between the Host Security Module (HSM) and the Application Security Module (ASM).

“But that means that they had to have had a hole in their firewall to insert the sniffer into unallocated disk space. “

“Now Heartland is crying poor me, and making it sound like they are heroes by claiming that they are going to ‘develop’ end to end encryption. They should have been using the ISO Banking Security Standards which were promulgated in 2004/2005. They should be expected to uphold the standard.”

It looks as if the techies have already dissected the mechanics of this modern day cyber-cat-burglar, but ten days later we still have no clear idea of how long the sensitive data was exposed or when Carr and other Heartland executives first had an indication that something was not as it should be.

More from Evan Schuman:
(Heartland CFO Robert) Baldwin also added more details to the sketchy timeframes that have been revealed thus far about the attacks, specifying that Heartland was contacted by Visa and MasterCard “in very late October,” possibly October 28.

Given that authorities are conducting an investigation, it is understandable that many details will not be released until after an arrest is made, but given the nature of the details that have and have not been revealed, one has to wonder who all is actually under investigation here.

Usually in an on-going criminal investigation, details are withheld from the press and public for many different reasons, but generally it is the mechanistic details of the crime, and often all the press has to report on is the headline and a timestamp.

Oddly enough, it is those details of the crime that one would not expect that have been trickling out - including the suspects' possible location - yet the generalities are being obscured, like what was stolen and when it was stolen.

The answer to the latter of the two questions is of particular issue.

If Heartland personnel, and particularly Bob Carr, had absolutely no indication that something was awry with their processing system security until they were alerted by Visa and MasterCard at the end of October, then there is no problem.

Under this scenario, according to the chart above, Carr just happened to be in the middle of a major sell off of Heartland stock unlike any he has ever undertaken before when he found out “late in the fall” about the existence of problems.

It could simply be the case that Carr just happened to decide to sell 80,000 shares of Heartland stock for roughly $1.6 Million a pop on nine separate occasions about every other week in the four month period leading up to the announcement of the breach. These uncharacteristically large and more than frequent liquidations just happened to have occurred while the company was in the middle of an expensive acquisition and expansion of services push, all of course while the credit markets were in total dysfunction.

If on the other hand, company communiqués and records reveal that Heartland knew of possible anomalies in the processing security at the end of August instead of at the end of October, then we have a whole other scenario to apply the data to.

Under this hypothetical situation, Heartland may have discovered problems prior to end of August and may have known it was something serious simply because no one could figure it out. According to the official company statements, this was a difficult intrusion to detect, one that was missed more than once.

Again from Evan Schuman:
The initial internal conclusion was that “it looked most likely that it would be in a certain segment of our processing platform,” said Baldwin, adding that Heartland does not want to identify what that segment was. The company hired a forensic investigation team to come in and focus solely on that one area, an effort that ultimately proved fruitless. “We found issues in a large segment of our processing environment. The one that looked like the most promising turned out to be clean,” he said.

That second team “was nearing conclusion” and was about to make the same assessment the first team did: clean bill of health. But one of the last things that external, qualified risk assessor did was to try and match various temp files with their associated application. When some orphans (.tmp files that couldn’t be matched to any application or the OS) were turned over to Heartland’s internal IT group, they also couldn’t explain them, saying that it was “not in a format we use,” Baldwin said. More investigation ultimately concluded that those temp files were the byproduct of malware, and more searching eventually located the files in the unallocated portions of server disk drives.

So, continuing with the hypothetical scenario, Heartland would have had inside personnel looking for the problem when they got a call from Visa and MasterCard with the friendly heads-up. Heartland could have just not acknowledged the problem until their business partners forced them to.

The end of August is of interest because this is when Carr began to sell off large blocks of stock about every other week, and this was a significantly different trading pattern than Carr had engaged in previously.

If documentation turns up that indicates Heartland knew of serious problems with their network security prior to August 28th, these huge and rapid sell-offs by Carr may look more than suspect to the SEC.

I cannot see the strategic value of withholding an accurate timeline of what exactly the company and Carr knew, and when exactly they knew it. But, if it turns out that everything is kosher here and all is as Heartland has indicated so far - which is very little - then I guess I just don’t understand Carr’s trading strategy over the last half of 2008 and how it related to his goals as a CEO for the growth and performance of his company.

They seem to be at odds, but that is no crime, just ask anyone who shorts their own company from time to time. It just needs to be cleared up. Not to worry though, as this is nothing that a solid and well documented timeline won’t be able to take care of (hint hint).

Meanwhile, Heartland’s stock (HPY) bounced back a little Wednesday, but is still trading at nearly half of its value prior to the breach announcement.

The data loss debacle at Heartland highlights the fact that the failure to secure information is a growing national security threat, and will be the next major shareholder derivative, director and officer liability, regulatory, consumer product safety, and class-action issue to impact our economy.

The Author gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and


Hundreds Hit in Debit Scam

London Free Press - News- Debit scam victims now in the 'hundreds'

Police now confirm there are “hundreds” of victims in a debit card scam in Stratford.

Although police said every financial institution was hit, they’ve confirmed there were more than 350 victims at just two banks. “We’re just starting to extrapolate the data, but it’s obviously in the hundreds,” said Det. Inspector Sam Theocharis.   Asked how much money the culprits have scammed, Theocharis said: “Who knows? We can’t say for sure just yet, but it’s well over $100,000. Right now, I can say there’s no bank that hasn’t been affected.”

Police are working with Interac, the Canadian Bankers Association, and security branches of the various banks to try and gauge the breadth of the scam, which was discovered last weekend as Stratford residents began seeing money disappear from accounts and debit cards were disabled.

Police have traced some of the “empty envelope” deposits to the Greater Toronto Area, Montreal and Kirkland, Que. The scammers use the debit card information of victims to withdraw cash or make phony deposits before making withdrawals. Theocharis said there's little doubt the scam involved more than one person and more than a single ATM, bank or business. But he said the investigation is still in the early stages of pulling information together from various banks.

Some of the victims are from the surrounding area and frequent Stratford on a regular basis. Police have a variety of investigative tools available to them, such as video surveillance to identify suspects, which is part of the information now being gathered.

“We’re still trying to pinpoint where it happened and then we’ll try to find some common denominators and, hopefully, identify some suspects,” said Theocharis.  Police urge Stratford residents to check their accounts and report suspicious activity. The Canadian Bankers Association (CBA) said earlier this week no one will be out of pocket, because the banks will refund their accounts.

The illegal withdrawals range from $200 to $2,000. In some instances, the culprits tried to withdraw money, but failed because of bank anti-fraud technology. 

The CBA says debit card fraud is a problem, but not as widespread as some may think. Less than one per cent of the 21 million debit cards in circulation in 2007 were hit by fraud, with the total amount lost estimated at $107 million.

For information about how to protect yourself from debit-card fraud, the CBA urges consumers to visit its website at


What the Heartland Breach Means to Banks

Heartland Breach: What it Means to Banking Institutions. An Interview with James Van Dyke, Founder/President, Javelin Strategy & Research

Bank Info Security- The Heartland Payment Systems data breach – it’s the first major security incident of 2009. But how big is it really?  What are the key takeaways for banking institutions left explaining this breach to their customers?

In an exclusive interview, James Van Dyke, Founder and President of Javelin Strategy & Research, discusses the implications of the Heartland case, offering insight on:
– Conclusions we can draw from the Heartland breach;
– How banking institutions should communicate with their customers;
– Vulnerabilities we should watch to avoid the next big breach.

Read Full Article (registration required)

