Security Update - 100 Million Credit Cards Stolen

Heartland Payment Systems (HPY) on Tuesday disclosed that intruders hacked into the computers it uses to process 100 million payment card transactions per month for 175,000 merchants: http://www.usatoday.com/money/perfi/credit/2009-01-20-heartland-credit-card-security-breach_N.htm I took a moment to see if they were PCI Compliant and they were audited in March 2008 by Trustwave.

They said the start of it all was a keylogger that got into their systems, as described in this snippet from http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID=212901505&subSection=News

---------- 
"the breach was the result of keylogging malware, which covertly captures anything typed on an infected computer, such as user names and passwords. ... 

There were two elements to it, one of which was a keylogger that got through our firewall," he said. "Then subsequently it was able to propagate a sniffer onto some of the machines in our network. And those are what was actually grabbing the transactions as they floated over our network." 
---------- 

You have to wonder if the keylogger software came in over a network, or if it was carried in by an employee on a USB token, in a laptop they infected while using it at home or while traveling, etc.We're not sure PCI DSS can effectively prevent problems like those, although it can recommend good security practices that reduce the possibility.


PCI DSS mandates that machines that store/process/transmit cardholder information should not have direct Internet connectivity. There shouldn't really be a means for a sniffer to send results back to it's employer over the Internet, so in a way the exploit described does violate PCI DSS.

Also, integrity, anti-virus and event monitoring controls should certainly pick up things like keyloggers and an IDS/IPS/firewall could be used to identify some rather odd connections from certain servers.


Recent Entries

CUPPS: The Platform of the Future (Airline Kiosk)
CUPPS has been architected as the platform of the future, able to accommodate many things even beyond the agent-facing applications…
EMV takes aim at U.S.
Nice article on SecureIDnews covering EMV. by Andy Williams, Associate Editor, Avisian PublicationsLike a massive tidal wave, EMV continues to roll…
Tokenization and Enterprise Security
Nice article on tokenization which also highlights lack of formal standards for tokenization at this time. Credit Card Tokenization: Put All…
Wal-Mart's Kiosk Trial Raises Serious PCI, Data Ownership Issues
Wal-Mart this month became the latest major retailer to experiment with self-service kiosks, selling space in 77 stores for units…
Proximity (NFC) Mobile Payment Technology - Security Whitepaper
The opportunities offered by the advent of proximity mobile payments are clear; differentiated payment services, increased transaction volumes, faster transactions,…
Look Beyond Hospitality Touch Screen Solutions
Whether you realize it or not, touch technology quickly is becoming the intuitive input delivery method of choice. Look no…
Level 4: The small-merchant PCI challenge
While sensational data breaches experienced by big-box retailers and processors fill the headlines, 85 percent of reported data compromises involve…
ATM Card Skimming and Pin Capture
ATM Card Skimming is a method used by criminals to capture data from the magnetic stripe on the back of…
Background - Use of Electronic Health Records in U.S. Hospitals
Report from New England Journal of Medicine on Electronic Health Records. Concludes - very low levels of adoption in U.S.…
PCI DSS in real life -- Requirement 1 Firewall
Excerpt: Critical to the selection was choosing a vendor that best met PCI DSS (Payment Card Industry Data Security Standard)…
User Interface & Content - Can I Use My Website?
Web sites, self-service can play nicely together according to Jim Kruper of Kioware.  With the increasing number of devices that…
Resource Link - Understanding credit card transaction fees
Merchants accounts, gateways and rates. Having your kiosk process credits cards swiped locally (card present) come with regulatory standard considerations…
Whitepaper - Introduction to CFM or Customer Flow Management
CFM or Customer Flow Management systems are found in more verticals/markets than any other application. Here is a technical document…
Compliance Resource: ETA and Electronic Transaction Compliance
Worth noting Heartland Payment Systems and RBS Worldpay have been removed from Visa Inc.'s list of PCI compliant service providers and…
Going beyond current PCI security standards
Acknowledging the need for controls that go beyond those offered by the Payment Card Industry (PCI) Data Security Standard, a senior…
ADA Requirements - Changes in California
In late 2008 the California legislature passed a stronger version of ADA which was Senate Bill 1608. This bill became…
Opinion - Why is Redbox Afraid of the iPhone?
Over the last few years, Redbox has been able to build an impressive DVD rental network by being innovative and…
Research Report - Touchscreen Check-In: Kiosks Speed Hospital Registration
March 2009 -- Patient self-service kiosks are being used with growing frequency in hospital ambulatory settings and emergency departments. These interactive…
Cloud Computing - What is it?
Cloud computing resources question was raised by a member of Health Infomatics group we participate in. Health technology right now…
Heartland Put on Probation for Security Breach
Heartland Payment Systems (HPY), one of the largest credit card processors in North America, is finally being called to the…



Related Ring Sites:
  GoKIS  |   ThinClient.org  |   keefner.com  |   Visi Kiosk site  |   KIOSK  |   Kis-kiosk.com  |
Resource Sites:
  Elo TouchSystems  |   Acire Inc.  |   Nextep  |   TIO Networks  |   Olea  |   Self-Service Networks  |   Meridian Kiosks  |   Provisio  |   Kioware  |
  Selling Machine Partners  |   Source Technologies  |   Seepoint  |   5Point  |   Nanonation  |   Netkey  |   KioskCom  |   Summit Research  |   NCR  |