Heartland reveal massive credit card scam
Credit card processor Heartland Payment Systems has announced that it has found malicious software in its computers that has been diverting information for credit card cloning. The company said that last year it started to get reports of increasing levels of card fraud among its customer base. It called in investigators who found malicious code in its servers which could scan and send on the data stored on the magnetic strip of credit and debit cards.
The company handles up to 100 million credit card transactions a month for over 250,000 US businesses.
"We found evidence of an intrusion last week and immediately notified federal law enforcement officials as well as the card brands," said Robert H.B. Baldwin, Jr., Heartland's president and chief financial officer, in a statement.
"We understand that this incident may be the result of a widespread global cyber fraud operation, and we are cooperating closely with the United States Secret Service and Department of Justice."
The company has stressed that the code could not record Social Security numbers, unencrypted personal identification numbers (PINs), addresses or telephone numbers. Nevertheless, the information can be used to create cloned cards, which are then used to purchase goods that are sold on second-hand.
“Today, systems have air gaps where the data is unencrypted and there’s always the potential for data leakage,” Mark Bower, director of information protection solutions at Voltage Security, told vnunet.com.
“There are some techniques to avoid this problem, notably format preserving encryption. This uses standard algorithms to encrypt data from the get go.”
He said that some merchants were only encrypting data for storage and then sending decrypted information on for processing, a highly unsafe form of processing.
The timing of the announcement, on the same day as the presidential inauguration, has also been called into question.
“It’s certainly interesting timing but it won’t bury the news,” Bower said.
“If you look at the TKMaxx case, that resonated for months, and this is much bigger than that. It’s not the initial breach that’s the problem, it’s criminals selling that data on, and that can continue to be a problem for months.”
Reproduced from an article published by vnunet.com
© vnunet.com
The original article can be viewed here:
http://www.vnunet.com/vnunet/news/2234680/heartland-reveal-massive-credit