http://www.pogowasright.org/article.php?story=20090122091603601
An F.A.Q. on the Heartland Payment Systems breach
Thursday, January 22 2009 @ 09:16 AM EST Contributed by: PrivacyNews
Because Heartland Payment Systems has not really answered the questions of interest to consumers and bloggers like me, I thought -- out of "an abundance of caution" -- that I would compile what we know and create an F.A.Q. on the breach.
1. I never heard of Heartland Payment Systems. Who are they, and how do I know if they have my data?
When you use your credit card or debit card , you provide your card details. Merchants and restaurants all use payment processing companies to handle the card transactions. Heartland is one of the biggest card payment processors in the U.S. It handles transactions for Visa, MasterCard, American Express, Diners Club, Discover, and JCB.
You would have no way of knowing whether they have your data unless you had a list of every one of their 175,000 or so clients and had used your card with one of those clients during the period when their system had been breached.
You can find more information on Heartland on their web site. What you will not find on their home page is any reference to the breach or any link to information about the breach.
2. What happened?
Heartland Payment Systems' security failed to detect that a keylogger had gotten past their firewall. A keylogger records every keystroke you type, like usernames and passwords. According to HPS president Robert Baldwin, the keylogger then propagated a sniffer that started capturing transaction data in real-time. Transaction data includes your name, and credit or debit card number and expiration date.
3. When did the breach occur?
HPS is still scratching its head over that one, but there are published reports that Visa and MasterCard informed credit unions that fraudulent charges were being posted from May 16 - August 19th, suggesting that the breach predates May 2008. HPS either hasn't figured out or hasn't revealed exactly when the breach began and when it ended.
4. How did HPS find out about the breach?
HPS reports that Visa and MasterCard contacted them about suspicious activity. HPS couldn't find anything wrong, and brought in a forensics team, who just last week, reportedly discovered "evidence" of the breach.
5. When did HPS find out about the breach?
HPS has not said precisely when they were first contacted, but some reports indicate that they were notified by Visa and MasterCard in the fall of 2008.
6. What kinds of data were stolen?
Credit card numbers, expiration dates, debit card numbers, and customers' names. In its press release, HPS said that no Social Security numbers, unencrypted personal identification numbers (PIN), addresses, or telephone numbers were involved. The breach affected one of HPS's networks, but not all of them.
7. How many people had their data stolen? I heard it was 100 million accounts.
HPS president Baldwin says that they don't know that yet. As of Jan. 20, they hadn't figured out what data the sniffer actually grabbed, whether the data were sent to an external site, or what data was actually accessed.
The 100 million figure is a distortion of a statement Baldwin made in an interview where he mentioned that HPS processes 100 million transactions per month. First, 100 million transactions per month do not represent 100 million accounts or unique individuals because some people make numerous purchases on their card each month. Second, this breach seemingly went on for well over a month. So how many unique card numbers does HPS process in an 8-month period? We don't know.
8. Is there any indication of fraudulent use of card numbers resulting from this breach?
Yes, indeedy. Although the number of publicly reported cases is relatively small (less than 200 as of Jan. 22), we expect the numbers to rise.
9. Is the breach still ongoing?
HPS says that it has contained the problem.
10. Some reports said that HPS was PCI-compliant but the breach happened anyway. What's that about?
It means that they followed industry standards for security. But industry standards are the floor protections that need to be in place, and do not protect against all breaches. Think "necessary but not sufficient."
11. What should I do?
You can do what I did: make up a dartboard and put HPS in the center and throw darts at it.
Other than that, either wait for your bank, credit union or card issuer to notify you. If you don't want to wait, call them to see if your account was known to be affected. And if you haven't been checking your card and bank statements all along, go back and check them starting in April of 2008.
If you're really nervous, cancel all your cards and have them reissued with new numbers.
12. What is HPS offering or doing to help us if our cards were used for fraud?
Absolutely nothing. They say it would be "inappropriate" to do anything because this cannot lead to ID theft because there were no addresses or PINs or SSN. They did not respond to an inquiry as to whether they would reconsider offering free credit monitoring in light of reports that the breach resulted in fraud.
13. Where can I find out more about the breach and any updates?
HPS set up what has so far been a totally uninformative and useless web site at www.2008breach.com. Your best bet is to read news sites or sites like www.databreaches.net where you will find links to news articles and other updates based on our own queries.
New software installed, data going out and no one notices?
http://www.databreaches.net/?p=915
Six month exposure window on Heartland breach?
Posted January 22nd, 2009 by admin
According to a CBS news report, Platte Valley Bank issued the following release today:
The VISA Fraud Control & Investigations has been notified of a confirmed network intrusion that has put VISA account numbers at risk. Platte Valley Bank received a VISA Alert Wednesday, January 21, 2009. As of Thursday morning, January 22nd, 388 of Platte Valley Bank’s Debit Card customers have been affected. The entity type was classified as a “Brick & Mortar 3rd Party Processor”. No word yet on any Credit Cards being affected, but possibly could be, as this is related to the Heartland Payment Systems Breach announced yesterday, January 21, 2009.
The reported incident involves confirmed unauthorized access to a U.S. 3RD party processor’s authorization system of signature-based and PIN-based transaction information, that included cardholder name, expiration date, account numbers and some encrypted PIN blocks. Exposure Window was May 15, 2008 through November 13, 2008.
[...]
The release raises additional questions, including:
How did the window of exposure end on November 13 if Heartland didn’t find any evidence of a breach until last week (and seemingly wouldn’t be able to stop the bleeding until they found out where the problem was)?
Maybe some kind reader with a security background can explain that.
In other Heartland news, Forcht Bank updated the alert on their site and confirmed that their debit card breach was part of the Heartland breach.
“It is better to look secure than to be secure.”
http://www.databreaches.net/?p=911
Heartland breach raises questions about PCI standard’s effectiveness
Posted January 22nd, 2009 by admin
Ellen Messmer reports:
[...]
It’s not yet known if the Heartland data breach will count as the largest card heist ever. But some analysts say what is clear is that payment-card processors are under increasing attack, and that the Payment Card Industry (PCI) data security standard that Visa and MasterCard require isn’t sufficient to ensure cardholder data is safeguarded.
“Billions is being spent on PCI compliance, but it isn’t really working,” says Gartner analyst Avivah Litan. “PCI’s dirty little secret is that it doesn’t mandate encryption inside a private network because then all the processors would have to encrypt.”
Encryption of data would make it much harder for attackers to benefit from the kind of network break-in that Heartland suffered. But Litan notes the complex interconnections among payment-card processers, merchants and banks would make point-to-point encryption extremely unwieldy. End-to-end application-level encryption might be more feasible where card data is originated.
The irony, Litan says, is that some retailers today do encrypt using VPNs to send cardholder data to a payment processor like Heartland, but processors decrypt it to transmit it onward.
Read more on Network World
Criminals are good business!
http://www.databreaches.net/?p=926
Mobile County sheriff: Bail bond companies illegally accessed computer system
Posted January 23rd, 2009 by admin
Robert McClendon reports:
Three Mobile County bail bond companies have been illegally accessing the Sheriff’s Office Web site to get personal information on inmates and gain a competitive advantage, authorities said Wednesday.
Bonding agents at A to Z Bail Bonds, Central Bonding and Bandit Bail Bonds somehow obtained a login and password allowing them access to a protected portion of the Web site, Sheriff Sam Cochran said.
The companies then used that information to contact inmates’ relatives and get their business, he said. That gave the companies a leg up on their competitors, who rely on walk-ins and cold calls from the inmates themselves, Cochran said.
No arrests have been made, but charges could be filed later as the investigation progresses, Cochran said
Read more on al.com
Note: One of the companies involved says that a sheriff’s deputy gave him the password. Read more here.
Google is a “friend” of the White House. God help the “Enemies!”
http://www.pogowasright.org/article.php?story=20090122103441473
White House quietly exempts YouTube from federal Web privacy rules
Thursday, January 22 2009 @ 10:34 AM EST Contributed by: PrivacyNews
The new website for Obama's White House is already drawing attention from privacy activists and tech bloggers. While the initial focus has been on site's policies relating to search engine robots, a far more interesting tidbid (sic) has so far escaped the public eye: the White House has quietly exempted YouTube from strict rules regulating to the use of cookies on federal agency websites.
Source - Cnet
[From the article:
No other company has been singled out and rewarded with such a waiver.
… As soon as a visitor surfs to one of the blog pages that contain a YouTube video, a long-term tracking cookie is automatically set in the user's browser--even for those users who do not click the "play" button.
… The YouTube-related text in the new White House privacy policy implies that not all users will be tracked by YouTube. The policy notes that:
"If you would like to view a video without the use of persistent cookies, a link to download the video file is typically provided just below the video."
As of Thursday morning, this statement is false.
Ditto?
http://www.pogowasright.org/article.php?story=20090123060231942
Obama Sides With Bush in Spy Case
Friday, January 23 2009 @ 06:02 AM EST Contributed by: PrivacyNews
The Obama administration fell in line with the Bush administration Thursday when it urged a federal judge to set aside a ruling in a closely watched spy case weighing whether a U.S. president may bypass Congress and establish a program of eavesdropping on Americans without warrants.
Source - Threat Level Related - Court filing [pdf]
With “celebrity” comes Paparazzi. Let's hope they never find that comment in my records that a “still is not proper use of the chemistry lab!”
http://www.pogowasright.org/article.php?story=20090122130142936
Repaying Our Heroes, Public School Records Revealed
Thursday, January 22 2009 @ 01:01 PM EST Contributed by: PrivacyNews
On January 15, 2009, a US Airways jetliner with 155 people aboard lost power in both engines after taking off from La Guardia Airport. Unable to return to La Guardia, the experienced pilot decided to avoid densely populated areas and directed the plane to the Hudson River.... So how does the public school that educated the pilot over 40 years earlier repay our hero? It honored him not with a plaque, but with the publication of his academic records. According to Fox News, the pilot's school records appeared online a day after the crash and rescue, including a childhood photo, testing history, and IQ.
Source - Concurring Opinions
Comment: Fox News leads off with "The hero pilot who miraculously guided his crippled jet into a textbook landing in the icy Hudson River was a straight-A student as a schoolboy in Denison, Texas — but his school district gets an "F" for making his academic records public." So does Fox News for reproducing the photos of the records. Yes, I know that anything the media gets, they can pretty much use, but even so....
Useful?
http://securosis.com/2009/01/22/the-business-justification-for-data-security/
The Business Justification For Data Security
Written by rmogull
… Thus, in the very near future, we will be releasing a report (also distributed by SANS) on The Business Justification for Data Security. (For the record, I like the term information-centric better, but we have to acknowledge the reality that “data security” is more commonly used).
Normally we prefer to develop our content live on the blog, as with the application security series, but this was complex enough that we felt we needed to form a first draft of the complete model, then release it for public review. Starting today, we’re going to release the core content of the report for public review as a series of posts.
'cause I gotta know what to teach.
http://tech.slashdot.org/article.pl?sid=09%2F01%2F22%2F237213&from=rss
Survey Says C Dominated New '08 Open-Source Projects
Posted by timothy on Thursday January 22, @06:54PM from the take-that-25-other-letters dept. Programming Software
svonkie writes
"C overwhelmingly proved to be the most popular programming language for thousands of new open-source projects in 2008, reports The Register (UK). According to license tracker Black Duck Software, which monitors 180,000 projects on nearly 4,000 sites, almost half — 47 per cent — of new projects last year used C. 17,000 new open-source projects were created in total. Next in popularity after C came Java, with 28 per cent. In scripting, JavaScript came out on top with 20 per cent, followed by Perl with 18 per cent. PHP attracted just 11 per cent, and Ruby six per cent. The numbers are a surprise, as open-source PHP has proved popular as a web-site development language, while Ruby's been a hot topic for many."
No comments:
Post a Comment