Wednesday, January 21, 2009

Will Heartland Become the Largest Data Breach in History?

According to a press release from Heartland Systems, a payment card processor, their data had been compromised since sometime last year. On the site Heartland set up to cover the incident, it says they promptly notified the Secret Service and hired two teams of forensic computer investigators to look into the case after they discovered their systems had been compromised.

Heartland was initially notified by Visa/Mastercard of suspicious activity, which led to malicious software being discovered on their systems. The malware in question was harvesting and (obviously) transmitting data. In the press release, they state they believe the breach has been contained. Heartland claims no merchant data, social security numbers or unencrypted PINs were compromised. They were also quick to add that their check management systems, Canadian payroll, campus solutions, micropayments operations and recently acquired Network Services and Chockstone processing platforms had not been compromised, either.

It should be noted that in previous breaches, additional items were later discovered to have been compromised as the investigation progressed.

Brian Krebs at the Washington Post interviewed Robert Baldwin, Heartland's president and chief financial officer, who stated they don't know how many transactions were compromised. In the interview, Baldwin pointed out that since the compromised card numbers didn't have address information, it would be hard for fraudsters to use them in card-not-present (e-commerce) transactions. Most e-commerce platforms validate the address tied to the card as a security measure. I thought about this for a second and remembered that Visa/Mastercard had warned Heartland about suspicious transactions. If there were suspicious transactions, I would deduce someone is using this data to commit fraud. Besides that, I doubt anyone sophisticated enough to pull this off would go to all this trouble (and potential legal exposure) if they couldn't use the information to make money. This is another thing that might suggest additional information will be discovered as the investigation progresses.

In the interview, Baldwin declined to name any of their customers who were compromised. Heartland processes payments for about 250,000 customers and handles about 100 million transactions per month. He also said they will not be offering identity theft protection since not enough information was stolen to commit identity theft.

On the Truston blog, Tom Fragala aptly pointed out that this equates to four billion transactions a year. Many are speculating that this will turn out to be the largest known data breach in history. Tom's company, which offers a privacy-friendly identity theft prevention and recovery service, offers a 45-day free trial of their services. Even after the 45 days, the prevention part of the service is free.

Tom blogs on matters like this and wrote an interesting article pointing out the consumer protection features of debit and credit cards. Note that debit cards offer less protection. The point is that if a card owner doesn't discover the fraud within a specified time period, they can be held liable for the financial loss. It's probably a good time for everyone to pay careful attention to their statements.

Given the mandatory notification laws, which have been passed in almost all 50 states, this is going to mean a lot of people who have to be notified. Simply stated, it's going to be a "notification nightmare." It should be noted that shutting down all the compromised cards and notifying victims is a substantial cost in any data breach.

SC Magazine also covered the story and got a quote from Rich Mogull, founder of IT security consultancy Securosis, who pointed out there is a trend of malicious software being planted somewhere in the processing system in all the high-profile data breaches seen in recent history. TJX (94 million cards compromised), Hannaford and CardSystems (40 million cards compromised) are all being cited as examples.

According to Visa, Heartland was validated as Payment Card Industry Data Security Standard (PCI DSS) compliant on April 30, 2008. They then stated this status was being reviewed. Trustwave is Heartland's PCI assessor. Hannaford was also PCI compliant at the time it was compromised. According to the article in SC Magazine, Trustwave wouldn't return calls to comment on this.

On the Heartland site, it mentions they are a founding supporter of the Merchant Bill of Rights, which advocates for and educates merchants on fair practices when they accept payment cards. Two of the biggest heartaches for merchants accepting payment cards are the interchange fees and becoming PCI compliant, which is considered an expensive process. Interchange fees are a tariff charged by the credit card companies on every transaction and, according to the critics, are not very equitable. Estimates have been made in the past that they equate to $30 billion in extra fees added yearly to the cost of goods sold with payment cards. Ultimately, these costs are often passed on to the consumer.

As far as PCI compliance goes — which now seems to have been proven ineffective in at least two instances — the National Retail Federation has responded by going on record to challenge the card issuers on their requirements to store data. Because of the cost, a lot of merchants have been slow to adopt PCI data-security standards, and the merchants who are not in compliance face fines by the payment card industry.

Storing this data is required to prevent the third headache merchants face when accepting payment cards, known as chargebacks. Chargebacks are when transactions are charged back to a merchant account because of alleged fraud. The NRF contends that being forced to maintain the data to protect themselves makes that data easier to compromise.

Heartland is being challenged for releasing this information during the inauguration, when it was less likely to be a hot story. Although this seems to be the case, we need to realize the stakes in data breaches are high. In the last breach involving a card processor (CardSystems), the card issuers stopped doing business with the company and the end result was that the company no longer exists. Also, it should be pointed out that Heartland wouldn't be the only company that seemed to be very cautious when disclosing the fact that their data was compromised. Once disclosed, there is little doubt that the company in question faces some extremely unfavorable public exposure.

On a closing note, data breaches continue to occur at alarming rates. All sides of the equation need to come together and figure out solutions that work. One of them might be to upgrade the plastic to chip and PIN technology, which has become the standard in other countries. Nigeria was the most recent country to mandate this technology. While this might not directly stop data breaches, it would make it a lot harder to counterfeit the plastic, which is what criminals use to cash out the proceeds of data breaches.

The other problem is that credit card fraud has been made too easy to commit. Card data and the tools to produce counterfeit cards are easy to obtain and even sold in chat rooms. A lot of this technology can also be bought on (what I consider) questionable sites, including eBay. Very few of these fraudsters get caught, and because of this, it appears that the activity is getting more and more organized. Historically, the cost of all this seems to have been written off as a cost of doing business. In reality, a lot of these "costs" are passed on to the consumer in the form of higher interest rates and fees.

My prediction is that with the state credit is currently in, given the sour economy, coupled with the increase in criminal activity, we are getting to the point where it is going to be hard to simply write off all the financial costs. Until we start punishing the criminals effectively for this type of activity, it is going to continue to grow and probably prosper.

Update 2/13/09: It appears that the first arrests in the Heartland Data Breach have been made in Leon County, Florida. Three men (Tony Acreus, Jeremy Frazier and Timothy Johns) were encoding numbers stolen in the breach on gift cards and using them at Walmart.

The official press release from the authorities credits Walmart for supporting the investigation.

While it's great a few people got caught -- this probably only accounts for a small amount of the stolen data. My guess is that our three fraudsters bought the numbers from anonymous sources (probably on the Internet).

Monday, January 19, 2009

Fake Obama Site is a Malware Booby-Trap

Over the weekend, I got an e-mail from my Mom warning me not to open any e-mail with the title "Obama Acceptance Speech" because it contained a trojan. It even cited Snopes as stating that the threat wasn't a hoax. I sent her a reply referencing the last post on spam I did, which had a paragraph about Obama spam in it. My point was that anyone who thinks there is only one e-mail of this type out there is probably sadly mistaken.

On Sunday, with the inauguration less than 24 hours away, I got a hot tip that the Symantec Lab had detected another round of Obama spam with malicious intent being sent across the electronic universe. Zulfikar Ramzan announced on the Symantec Security Blog that this latest round of Obama spam uses lures with titles like "Our new president has gone," "Obama refused to be the president of the United States of America," and "There is no president in the USA anymore and Obama has gone."

Zulfikar also mentioned a link in these e-mails (removed for safety reasons) leading to a faux website that looks amazingly similar to the official Obama-Biden site. The fake site can be seen below:

This fake site attempts to exploit weaknesses in a Web browser to install malicious software without the owner's knowledge. According to Zulfikar, the page and its links all have malicious software on them. In other words, the entire site is literally a virtual booby trap.

The files are titled usa.exe, obamanew.exe, pdf.exe, statement.exe, barackblog.exe and barackspeech.exe. While the titles might be different, they all lead to the same variety of malware, known as W32.Waledac. This malicious software is capable of stealing sensitive information, turning your machine into a spam-spewing zombie and leaving a back door for a hacker to gain access to it.

Political themes have been used a lot in recent times to lure people into clicking on links in spam e-mails they shouldn't have. Other common lures include the old-fashioned too-good-to-be-true, security and badge-of-authority types (IRS, FBI, CIA, etc.).

With tax season upon us, expect the IRS to be a common one used in the near future.

Symantec does provide removal instructions for this malware on their site, but most of us are far better off not clicking on this type of stuff in the first place. These e-mails are sent out by the millions, and the best thing to do is hit delete before opening them.