Visa, MasterCard, AmEx, Discover Customers Vulnerable In Massive Credit Card Data Theft

Credit Card Processor Says Some Data Was Stolen

By ERIC DASH and BRAD STONE
Published: January 20, 2009


Heartland Payment Systems, a major payment processing company, disclosed a data breach on Monday that potentially exposed tens of millions of credit and debit cardholders to the risk of fraud in what could quickly become one of the country’s biggest data compromises.

Robert H. B. Baldwin Jr., Heartland’s president and chief financial officer, said that his company believed the card numbers, expiration dates, and in some cases cardholder names were exposed after attacks on its computer systems at the one point where data had been unencrypted.

Once consumers swiped their cards, so-called sniffer software captured that data as Heartland sought authorization from the major payment companies and banks. Customers of Visa, MasterCard, American Express and Discover Financial were all vulnerable.

“We have industry-leading encryption, but the data has to be unencrypted to request the information,” Mr. Baldwin said. “The sniffer was able to grab that authorization data at that point.”

more...

http://www.nytimes.com/2009/01/21/technology/21breach.html?_r=1&ref=business

And not just charges on their own company card. Is there case law regarding exposure to companies for ID theft resulting from unauthorized disclosure? I've never heard of anyone being compensated.

absolutely no use whatsoever. Just a bunch of platitudes about how trustworthy and reliable they are.

And cut up their credit cards for good. I've never had a card and never had to deal with the stress and anxiety that goes with one. My life is better for it, since I don't have to pay out extra money, stay within my budget, and don't have to deal with shit like this.

.

of course they'll say that the breach of their software has cost them millions if not billions and if they fail, there goes the credit card industry.

I was a network engineer for a payment processing company. Fortunately, I'm now a network engineer in an entirely different line of business. According to the article, the CEO says that the sniffer software was installed in an unencrypted area, that in order to make the request, the data had to be unencrypted. So I'm not sure exactly what they did, but I can say with some certainty that they broke a cardinal rule somewhere or another. The general idea is to have private circuits (lines) from customers (gas stations, shoe stores, department stores, you name it) coming in to mainframes or minis or whatever they use to process payments. Traffic remains encrypted from the point of sale, through the private circuits, and typically to a firewall that, in addition to its standard firewall duties, terminates the encrypted session. This is then sent to another firewall that sits in front of the main processing equipment. Only certain source addresses with certain destination addresses and ports are permitted through the firewall. The processing equipment then must settle with the various card issuers. The same process applies: firewalls, encryption, etc on the way to the issuers. The only time/place where the data should be unencrypted is right at the settlement point, the mainframe(s), AS400's, or whatever. Moreover, I find myself wondering what sort of server was hijacked and had the sniffer software installed. Even with sniffer software installed, in a switched network (which Heartland would most certainly have), one machine still cannot sniff traffic on the entire segment. Network switches would need to be specifically configured to permit the hijacked server to listen to traffic on other switchports (port spanning is the common name of the technology used here).

This makes me wonder if the hackers got root access on one of the actual settlement machines. Any way you slice it, it's a horrible data security failure. I'm guessing that whomever performed their last security audit is brushing up on their resume, and the network people may not be far behind.