Millions of card details may have been lost
vnunet.com, 21 Jan 2009
Credit card processing firm Heartland Payment Systems has uncovered malicious software in its computers that has been diverting information used for credit card cloning.
The company said that it started to get reports last year of increasing levels of card fraud among its customer base.
Heartland called in investigators who found malicious code in its servers which could scan and send on the data stored on the magnetic strip of credit and debit cards.
The company handles up to 100 million credit card transactions a month for over 250,000 US businesses.
"We found evidence of an intrusion last week and immediately notified federal law enforcement officials as well as the card brands," said Robert Baldwin, Heartland's president and chief financial officer, in a statement.
"We understand that this incident may be the result of a widespread global cyber fraud operation, and we are co-operating closely with the US Secret Service and Department of Justice."
The company has stressed that the code could not record Social Security numbers, unencrypted PINs, addresses or telephone numbers. Nevertheless, the information could be used to create cloned cards.
"Today's systems have 'air gaps' where the data is unencrypted, and there is always the potential for data leakage," Mark Bower, director of information protection solutions at Voltage Security, told vnunet.com.
"There are some techniques to avoid this problem, notably format-preserving encryption. This uses standard algorithms to encrypt data from the get-go."
Bower explained that some merchants are encrypting data only for storage, and then sending decrypted information for processing, which is highly unsafe.
The timing of the announcement, on the same day as the US presidential inauguration, has also been questioned.
"It is certainly interesting timing, but it won't bury the news. The TJ Maxx case resonated for months, and this is much bigger," said Bower.
"It's not the initial breach that's the problem; it's criminals selling that data on which can continue to be a problem for months."
Security chiefs offered advice on how to survive job and funding cuts during the downturn
Scammers exploiting hole in old Asterisk software
F-Secure reports huge rise in malware for profit
This week we cover the continuing controversy surrounding the Orange T-Mobile deal
Using managed services to protect mobile data users from the latest security threats
Counting the cost of data security: the benefits of secured mobile services
Shifting Disaster Recovery targets with SharePoint and SQL server configurations
Using a hostbased recovery system for mission-critical systems
Keep up to date with the latest products, services and technologies from the world's leading IT companies; IThound.com brings you over 6,000 white papers, case studies and analyst reports.
Replacement warning functioning normally, claims software giant
Annual initiative warns of phishing, ID theft and social network...
Do you agree?
Have your say on this article