reflections on emergent commerce and technology: Payment Processor Breach: a stream of consciousness rant

  • Sue · 11 months ago
    This is an unfortunate incident for Heartland. People seem to forget that Heartland is a victim of a crime. Hackers got in - heck, it happened to the Pentagon and Time Warner.
  • tylerhannan · 11 months ago
    I agree completely. This is a great example of criminal activity...And Heartland is a victim. As are the businesses it provides processing capabilities for (albeit tangentially). Perhaps most impacted are the cardholders...

    Based on the type of business they are...and the focus on security & compliance in the payments sector it remains thoroughly intriguing and will be discussed, I believe, for years to come. (For example, the CardSystems breach and its impact are still topics of discussion)
  • Maggie · 11 months ago
    Heartland is not the victim; it is the card issuers that are the victims. They are the ones that will have to cover the losses on the use of these cards. It is Heartland's job to protect all information that they process. We are talking about huge amounts of money that banks and credit unions will have to cover because Heartland failed to do their job. Somehow people think that nobody pays when fraud is involved with credit/debit cards; they are wrong. Millions of dollars will be spent to reissue cards, stop cards, notify customers, and talk about bad PR!!! Let me assure you that Heartland is not paying one dime of these losses.
  • tylerhannan · 11 months ago
    I appreciate your sentiment.

    I might restate as Heartland is not the ONLY victim. Keep in mind that, as they are a publicly traded company, this will (likely) have a measurable impact on their business.

    You are absolutely correct that there will be a larger (most likely MUCH larger) dollar impact on fraud losses and the material cost of re-issuing cards. Which, for those in a credit union, is a ridiculous hit. I think your statement regarding PR is also enlightening...the average consumer has no idea who Heartland is, or more importantly what they do. They do know that their branded card from the CU down the street is now "unsafe."

    I do find it intriguing that, in most breaches, the hardest hit (from a PR perspective) is the merchant itself. For example, TJX is to blame for my card being released at their store. In this scenario there isn't as easy a finger to point (at least for the consumer).

    Thanks for your thoughts!!! I always appreciate the perspective of someone at a different point in the chain of business that makes the payment industry function.
  • MarkR · 11 months ago
    Card issuers are the victims?? It's the merchants that will ultimately be the ones who are out of pocket! All card-not-present transactions are subject to chargebacks from cardholders who dispute any unauthorized transactions. If the merchant can't prove that the transaction was initiated by the cardholder and they've shipped goods in good faith, then they're the ones who get stung.

    Heartland certainly failed some aspect of PCI / DSS compliance. All systems that transport card data are supposed to have virus/malware protection on them, and someone had to gain access to the system to plant it in the first place too.

    Also, if these transactions were card-not-present, then why was the extra track data able to be gleaned in the first place? This information is only required for card-present transactions. The hardware device and system that pulled the track data and supplied it to them was probably not PCI/DSS compliant either (like many car parking devices).

    This is probably the biggest issue here since, like others have mentioned, it is trivially easy to write this information back to a blank magnetic card which can then be used in a REAL card-present transaction. It is very difficult for merchants to protect themselves if their 'customer' presents a card in person, validates the 'signature' on the back and later finds it is STILL fraudulent.
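    The comment above asks why full track data was available to be captured at all; PCI DSS forbids retaining it after authorization, so one defensive control is to scan logs and dumps for track-shaped records. The scanner below is an added example, not code from the post or from Heartland; the log lines are constructed, using standard test PANs, and the Track 1/Track 2 layouts are the usual ISO/IEC 7813 sentinels and separators.

```python
import re

# Constructed sample log lines (test PANs, not real card data).
# Line 2 and 3 are the kind of records a processor must never retain.
SAMPLE_LOG = """\
2009-01-20 10:01:02 auth ok amount=42.10 pan=411111******1111
2009-01-20 10:01:03 debug raw=;4111111111111111=09121011234567890123?
2009-01-20 10:01:04 debug raw=%B5555555555554444^DOE/JANE^0912101123456?
2009-01-20 10:01:05 info order id=;1234567890=0912?
"""

# Track 2: ;PAN=YYMM SSS discretionary?   Track 1: %B PAN ^NAME^ YYMM SSS discretionary?
TRACK2_RE = re.compile(r";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?")
TRACK1_RE = re.compile(
    r"%B(?P<pan>\d{13,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?"
)


def luhn_ok(pan: str) -> bool:
    """Luhn check on the PAN, used to cut false positives on random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits (the PCI DSS display rule)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(text: str) -> list[dict]:
    """Return one finding per track-shaped record, with the PAN already masked."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for track, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
            for m in rx.finditer(line):
                pan = m.group("pan")
                if not luhn_ok(pan):
                    continue
                findings.append({"line": lineno, "track": track,
                                 "pan": mask_pan(pan), "service_code": m.group("svc")})
    return findings


if __name__ == "__main__":
    for f in find_track_data(SAMPLE_LOG):
        print(f)
```

    Line 1 (masked PAN) and line 4 (too short to be a PAN) produce no finding; the two raw track records do.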
  • Nat · 11 months ago
    "In addition, I could go online and purchase a magstripe writer for under 300 dollars (from reputable resources…quite possibly less through other avenues). Not having an address in no way prevents the “bad guys” (to steal language from the article) from creating duplicate cards. Anecdotally, a friend who sat on a grand jury in my home state spoke of the majority of fraud cases being a combination of check fraud at grocery and burned cards."

    Actually, I believe that the article DOES mention that fake cards can be created with the information that was stolen.
  • tylerhannan · 11 months ago
    It does mention that. "Armed with this data, thieves can fashion counterfeit credit cards by imprinting the same stolen information onto fabricated cards." A single statement that is followed by the quote in the blog regarding Card-not-present transactions...

    The point of my thoughts is that I'm not sure everyone knows quite how simple and easy the concept of creating a counterfeit card really is. The technology is surprisingly inexpensive...and rather prevalent.
  • Tom Mahoney · 11 months ago
    I suspect that the number could go higher than 100 million. My sources are telling me that the breach was ongoing from May to November. Heartland claims 100 million transactions per month. Even if a huge percentage of their transactions are repeat card users, we're looking at maybe 300 million.

    Tom Mahoney, Director
    Merchant911.org
  • tylerhannan · 11 months ago
    A colleague advised me of your post regarding this issue in the "Payments and Cards Network" on LinkedIn. If this has been ongoing for 7 months...the number could, in fact, be staggering!
  • David Bergert · 11 months ago
    I want to comment on:

    "The nature of the [breach] is such that card-not-present transactions are actually quite difficult for the bad guys to do because one piece of information we know they did not get was an address,"

    Track 1 and/or Track 2 data is way more valuable than just plain account numbers - the street value of these "dumps" is also much higher than card numbers alone. I actually have a card encoder/writer for $300 and it is easy to clone cards. I use them in development of payment applications.
  • tylerhannan · 11 months ago
    Some of you may have noticed that I just deleted an anonymous comment from someone who claims to work at Heartland. For all I know, they are telling the truth.

    Unfortunately, the comment was an obvious copy/paste missive that didn't address any of the content of the post above and, as such, didn't add value to the conversation.

    Contact me if you have any thoughts or concerns. (The information is above...or use the comment system itself.)
  • B Smith · 11 months ago
    The theft of account numbers and expiration dates (also obtained by phishing) is not sufficient to complete a mag stripe transaction using a counterfeit card if the issuer is also validating the card verification codes encoded on the magnetic stripe. Also, Visa will calculate the amount of fraud and will reimburse the issuers after collecting the money from the financial institution that has signed Heartland for processing. Issuers can make a claim with Mastercard for reimbursement.

    As a note, less than 2% of compromised account information is used fraudulently.

    I have a lot of experience in this area and am called on to give seminars about the use of security features that allow the industry to control fraud.
  • Anon · 9 months ago
    I am going to add to this thread, and apologies for my comments being so late.

    I have read a lot in the news about people branding Heartland as non-PCI compliant, as lax in their security measures, and generally some pretty hateful comments. I wonder how any of these people actually KNOW they are not compliant, or perhaps KNOW how many firewalls, IPS or IDS devices they have in their network.
    It is very unfortunate that they were hacked, but as it has been correctly stated, the data was captured in flight, which has now presented a new issue to protect against.
    Heartland, if found to be PCI compliant, really won't have done anything wrong; you can debate this, but you will be debating the relevance of PCI compliance :)

    I hope the company makes it. If you have actually researched them, they do offer a fair deal to merchants, which in turn keeps their prices down for me and you. Hackers are incredible these days, and it may well be the case that there is one who is better than the anti-virus companies (wow, as if that hasn't happened before!!)
  • tylerhannan · 9 months ago
    Thanks for the comment.

    Heartland, as I stated in the original post, appears to have been considered as "compliant" by VISA at the time of the breach.

    In terms of debating the relevance of PCI...You will probably notice a theme among my posts (both here and via twitter at http://twitter.com/tylerhannan) that PCI is not the "be all, end all" of compliance. It is not a goal. It should be treated as an outcome of a Risk Management strategy.

    We won't know, quite possibly ever, the details of how they were breached...although we will get a fair picture as details come out. That, however, doesn't mean that it should cause all in the industry to pause and take assessment of their position on compliance, security, and risk management in general.

    I know Heartland well. I know their pricing structure (from multiple perspectives). Their value to the payments world, in my opinion, has little to do with whether their risk approach was holistic. Was it a case of negligence or a case of the "black hats" beating proper security preventions? I suppose time will tell...

    The theme, however (at least from my perspective), is that the situation should reinforce a measured and attentive review of the security policies that anyone in the "processing" sphere chooses to implement.

    Thanks for your thoughts. They are appreciated.
  • anon · 9 months ago
    I completely agree. I feel that the time has come to provide end-to-end encryption, which should at least protect against this type of attack.
    PCI compliance is only a point-in-time compliance, so it could well have been that their systems were not compliant even one day after the auditing finished. It is really unfortunate.

    I personally feel that the management handled the situation appallingly; they should have some sort of grilling from Visa, M/C and Amex. It was not handled the way you would expect and hope for from a company that handles such sensitive data.

    Good article and informed responses, far better to read and discuss than the usual "heartland should pay, death to heartland" lol

    :)