
Largest Data Breach Disclosed During Inauguration

kdawson posted more than 5 years ago | from the debit-cards-at-risk dept.

Security 168

rmogull writes "Brian Krebs over at the Washington Post just published a story that Heartland Payment Systems disclosed what may be the largest data breach in history. Today. During the inauguration. Heartland processes over 100 million transactions a month, mostly from small to medium-sized businesses, and doesn't know how many cards were compromised. The breach was discovered after tracing fraud in the system back to Heartland, and involved malicious software snooping their internal network. I've written some additional analysis on this and similar breaches. It's interesting that the biggest breaches now involve attacks installing malicious software to sniff data — including TJX, Hannaford, Cardsystems, and now Heartland Payment Systems." One bit of good news out of this massive breach is that, according to Heartland's CFO, "The nature of the [breach] is such that card-not-present transactions are actually quite difficult for the bad guys to do because one piece of information we know they did not get was an address." Heartland just put up a press release on the breach.


168 comments


WTF??? (1, Insightful)

canUbeleiveIT (787307) | more than 5 years ago | (#26534345)

Brian Krebs over at the Washington Post just published a story that Heartland Payment Systems disclosed what may be the largest data breach in history. Today. During the inauguration.

WTF??? What does the inauguration have to do with this? I suggest we go back to all Slashdot stories and insert what happened on that day. Examples:

* Researcher says Linux is better than Windows on Friendship Day.
* Researcher says Linux is better than Windows on Fall Equinox.
* Researcher says Linux is better than Windows on Kwanzaa.

Re:WTF??? (5, Insightful)

EvanED (569694) | more than 5 years ago | (#26534407)

I would say it may have quite a lot to do with it... it's either a pretty big coincidence, or they are trying to bury the news by releasing it when the networks actually have something else to report on.

What's your bet on?

Re:WTF??? (0, Redundant)

gravos (912628) | more than 5 years ago | (#26534489)

"Identity theft protection is appropriate when there is enough personal information lost that identity theft is possible," he said. "In this case, the amount of information we know they did not get is long enough that except in very circumscribed cases identity theft is just not possible."

Does anybody really believe this?

Re:WTF??? (4, Informative)

idiotnot (302133) | more than 5 years ago | (#26535013)

Same reason Clear Channel laid off 8% while this was going on. :-)

Re:WTF??? (3, Funny)

fuzzyfuzzyfungus (1223518) | more than 5 years ago | (#26535033)

Yeah, but that was good news...

Re:WTF??? (5, Informative)

amRadioHed (463061) | more than 5 years ago | (#26534435)

The implication is that they timed the announcement to occur when no one is paying attention.

Re:WTF??? (5, Insightful)

idontgno (624372) | more than 5 years ago | (#26534669)

[Heartland Payment Systems President and CFO] Baldwin said Heartland worked to disclose the breach last week.

"Due to legal reviews, discussions with some of the players involved, we couldn't get it together and signed off on until today," Baldwin said.

"Legal reviews": "Holy crap, we're gonna get our butts sued off if this breach becomes a big news story! You have to delay this until we can start a war or something to distract the press!"

"Will the inauguration hype of the first African-American President of the United States work as a distraction?"

"Brilliant!"

Re:WTF??? (4, Interesting)

bugs2squash (1132591) | more than 5 years ago | (#26535277)

The breach happened last year. What's the betting that the first customers know about it is when fraudulent activity is showing up on their credit cards.

The first instinct of Heartland is to save itself and the first instinct of the banks will be that it can rate jack its customers if the new activity has put them overlimit.

Only after leaking of the news is inevitable and can no longer be delayed will Heartland grudgingly try to sneak it out under the radar and then in a general, untargeted sense, not directly to the customers involved. Nothing will be done to avoid spreading the pain to a card holder or to a vendor.

I dare say most of the legal wrangling was in how to spin this as a justification to claim from TARP.

Re:WTF??? (4, Interesting)

jdoverholt (1229898) | more than 5 years ago | (#26537493)

Incidentally, I got a call this morning about an hour before noon EST from Chase. They said they "received information" that my credit card information was compromised. The only suspicious charge was from November, which I didn't notice on my own. This is also the only time Chase has done anything but screw me, so I was pleasantly surprised that they were dealing with it so well. Now I see this and think "hey, I'm part of the largest ___ in history!" Sweet.

Re:WTF??? (1, Redundant)

joelmax (1445613) | more than 5 years ago | (#26535175)

Exactly. Considering the media hype behind the inauguration of Obama, and considering the possible PR nightmare (and it does promise to be a PR nightmare) that this poses to Heartland, I would have to say that this was pre-planned as a form of damage control.

Re:WTF??? (5, Insightful)

oldspewey (1303305) | more than 5 years ago | (#26534455)

Today. During the inauguration. WTF??? What does the inauguration have to do with this?

Well, somebody who is inclined toward cynicism might conclude that the company deliberately chose to release this information when public attention would be diverted elsewhere.

Re:WTF??? (2, Interesting)

canUbeleiveIT (787307) | more than 5 years ago | (#26534737)

Well, somebody who is inclined toward cynicism might conclude that the company deliberately chose to release this information when public attention would be diverted elsewhere.

Ahh...now I get it. Still, there was that plane that landed in the Hudson a few days back, yesterday was MLK day, the Super Bowl will be in a couple of weeks. Not to mention that it would seem that it would be in their best interests to get the word out to minimize losses.

Re:WTF??? (4, Interesting)

idontgno (624372) | more than 5 years ago | (#26535023)

Not to mention that it would seem that it would be in their best interests to get the word out to minimize losses.

Oh, they've already got that covered:

Baldwin said it was not appropriate for Heartland to offer affected consumers credit protection or other identity theft protection services.

"Identity theft protection is appropriate when there is enough personal information lost that identity theft is possible," he said. "In this case, the amount of information we know they did not get is long enough that except in very circumscribed cases identity theft is just not possible.

In other words, "Yeah, technically it was a breach, but you know, not enough data got released for us to actually be provably liable. So if your CC gets raped, you know, it's not our fault. Really. Trust us. ;)"

In related news, now we know what happened to the Iraqi Information Minister: He changed his name and became President and CFO of a large credit card payment processing company.

Re:WTF??? (3, Informative)

Bill, Shooter of Bul (629286) | more than 5 years ago | (#26536067)

No, they are liable and are going to pay through the nose, but not for "identity theft". They will be responsible for improperly securing their network and permitting the theft of the cards. But identity theft is a different beast. No one will be able to sign up for new credit cards and or loans in the names of the people whose data was compromised.

Re:WTF??? (-1, Flamebait)

abhi_beckert (785219) | more than 5 years ago | (#26536795)

>> In related news, now we know what happened to the Iraqi Information Minister: He changed his name and became President and CFO of a large credit card payment processing company.

That's borderline racist and not even funny. Take your warmongering FUD somewhere else please.

Re:WTF??? (1, Funny)

Anonymous Coward | more than 5 years ago | (#26537029)

good point. not even the Iraqi information minister would stoop so low....

Re:WTF??? (1)

Ambiguous Coward (205751) | more than 5 years ago | (#26535095)

All of those other incidents (MLK day, super bowl, etc.) are in passing. They are temporary, at best. The inauguration is going to echo through the media for a loooong time to come. Even if someone publicly calls them out on this (more than just on /.) and there is an attempt to generate an uproar over this, in the end, the inauguration will far outweigh the breach when it comes to face-time in the news.

I'm the cynical type, and I reckon they succeeded at hiding this one in plain sight.

Re:WTF??? (0)

Anonymous Coward | more than 5 years ago | (#26535513)

plane that landed in the Hudson a few days back

Unless they planned the crash it would be difficult to time the press release to coincide with it.

yesterday was MLK day

It was? Guess I missed it.

the Super Bowl will be in a couple of weeks

That's another one that is easy for most people to miss.

The inauguration has had much more hype and has more people "feeling good" than the other three combined. This was the perfect day to release bad news.

Re:WTF??? (5, Interesting)

Ambiguous Coward (205751) | more than 5 years ago | (#26535289)

Well, somebody who is inclined toward reality

No need to thank me.

Also, FTFA:

Heartland called U.S. Secret Service and hired two breach forensics teams to investigate. But Baldwin said it wasn't until last week that investigators uncovered the source of the breach...

Meaning they knew about it long enough to hire some forensics teams, do the research, figure out where the breach came from, etc. and they finished all that up last week...and then decided to wait until NOON today to release the news to the public? Sorry, but that's plain bullshit, no cynicism involved. If they were interested in disclosure, they would've released the news sooner. At the very latest, they would've released it as soon as they found out how it happened (so they could say they had already closed the breach.)

Instead, they wait until noon (they're a New Jersey company) when the inauguration is happening? Why not sooner in the day? Why wait until what would arguably be lunch time usually? Who discloses breaches at lunch? Answer: nobody. On the other hand, who discloses breaches during a HUGE national (and arguably international) event? Answer: someone trying to hide something.

Again, I say inclined toward reality, not cynicism.

Re:WTF??? (0)

flabbergasted (518911) | more than 5 years ago | (#26537131)

Your comments have nothing to do with reality. I read this story online this morning before I left the house. That would have been about 9am EST--three hours before the inauguration. Since I scan the headlines for three news services before leaving, I can't say for certain which it was. Probably either the AP or NYT.

Re:WTF??? (0)

Anonymous Coward | more than 5 years ago | (#26534673)

Researcher says Linux is better than Windows on Kwanzaa.

I would like to point out that Kwanzaa lasts a whole week--something can happen during it but you seem to think it's only the length of a day. If you're going to make a celebration the butt of your jokes, please at least pay some attention to it.

Re:WTF??? (3, Funny)

Bryan Ischo (893) | more than 5 years ago | (#26534807)

"Researcher says Linux is better than Windows on Pedantic Asshole day."

There, is that better?

Re:WTF??? (5, Funny)

idontgno (624372) | more than 5 years ago | (#26535083)

And Linux is always better than Windows on Slashdot, because every day is Pedantic Asshole day here!

Re:WTF??? (1)

box4831 (1126771) | more than 5 years ago | (#26535085)

On Slashdot, every day is Pedantic Asshole Day!

Obvious Troll is Successful? (0, Troll)

mfh (56) | more than 5 years ago | (#26535053)

What does the inauguration have to do with this?

Nice troll! Wow.

I'll bite, since it was a really good troll you posted.

To answer your question, the best magician does his dirty tricks when everyone's attention is fixed on a good distraction. What better way to hammer into a site and steal all kinds of info when everyone is staring at a TV?

I would be actually somewhat surprised if this was the only major crime committed today.

Nothing to do with the inauguration (0, Troll)

Geoffrey.landis (926948) | more than 5 years ago | (#26535561)

Yeah, that was my take on it-- that "inauguration" headline has nothing to do with the actual story, and the data breach has nothing whatsoever to do with the inauguration. The inauguration is just there because, hey, all the news stories today have to mention it. It's, like, a rule or something.

I don't think it's a rule that slashdot article summaries have to mention the inauguration even if it's not relevant to the story, though. Can't somebody here look at who wrote the summary and moderate them -1 irrelevant?

Re:WTF??? (1)

christianT (604736) | more than 5 years ago | (#26536419)

I don't think they were trying to implicate our new President in this with the title, it was more of an implication that those announcing it were trying to announce the breach while most of the nation was distracted by the inauguration in hopes that it might fall under the radar of the news media.

Re:WTF??? (1)

Landshark17 (807664) | more than 5 years ago | (#26537611)

The inauguration has absolutely nothing to do with this, but it's the biggest story today. No other story is going to get higher billing, so it's the best way to hide the story about how your company fucked up royally.

First CC (-1, Troll)

Anonymous Coward | more than 5 years ago | (#26534355)

8263-9361-9041-8253
exp. 02/11

Re:First CC (1)

Chabo (880571) | more than 5 years ago | (#26534729)

Hey, that's mine!

Re:First CC (0)

Anonymous Coward | more than 5 years ago | (#26534981)

Thanks, I needed a name and address....

Re:First CC (4, Funny)

Janek Kozicki (722688) | more than 5 years ago | (#26535029)

Then prove it - what is the security code on the back?

figures (1, Funny)

Anonymous Coward | more than 5 years ago | (#26534381)

As soon as Barack Obama became President, the world started falling apart.

I warned this would happen but you were just too damn proud to listen.

Game over, man. Game over.

Re:figures (2)

hicks107 (1286642) | more than 5 years ago | (#26535371)

Nice

Burying the News? (-1, Flamebait)

corsec67 (627446) | more than 5 years ago | (#26534415)

Yeah, releasing news about the largest breach ever during the inauguration of a popular half-white president isn't trying to hide what they did wrong?

Re:Burying the News? (2)

philspear (1142299) | more than 5 years ago | (#26534623)

If that was their plan, then that's a foolish one. It would have to be an EXTREMELY slow news day for this to get picked up on by the major news outlets, and even slower for most viewers to bother understanding it. And it's going to be picked up by people who are interested, like here, regardless.

Burying it effectively would be waiting for something like the newest release of some major open source software, or waiting until China or Australia or other nation did something major about censorship.

Suckers (5, Funny)

htnmmo (1454573) | more than 5 years ago | (#26534663)

This is why I never go on the internet. It's just not safe.

Re:Suckers (2, Funny)

blair1q (305137) | more than 5 years ago | (#26536513)

Neither do I. Unless I'm posing as you.

Re:Suckers (1, Informative)

Anonymous Coward | more than 5 years ago | (#26536897)

Except that the large majority of payments that they process are from actual storefronts, not internet transactions. You're not safe anywhere, sucker.

No Big Deal (0)

Anonymous Coward | more than 5 years ago | (#26534741)

Obama will fix it.

Re:No Big Deal (0)

Anonymous Coward | more than 5 years ago | (#26536479)

Do I smell a new meme?

Re:No Big Deal (1)

Hordeking (1237940) | more than 5 years ago | (#26536855)

That new meme is old news.

I've been saying that for weeks.

Re:No Big Deal (1)

Hordeking (1237940) | more than 5 years ago | (#26537227)

Actually, you're only smelling the unwashed masses as they exalt Obama.

Missing Address (4, Insightful)

wiz31337 (154231) | more than 5 years ago | (#26534745)

"The nature of the [breach] is such that card-not-present transactions are actually quite difficult for the bad guys to do because one piece of information we know they did not get was an address," Baldwin said.

Because as we all know it is impossible to get someone's address by having only their full name and credit card number.

They are trying to downplay a very serious incident by disclosing the breach on a day heavily focused on the inauguration. Then they have the nerve to say "don't worry they didn't get your address" as if to say someone smart enough to embed malicious software which gathers credit card numbers is not smart enough to find someone's address. Common!

Re:Missing Address (4, Informative)

n0dna (939092) | more than 5 years ago | (#26535195)

Let's also not overlook that while some stores/merchants may have a policy to ask for address when doing Cardless Transactions, the processing houses (at least the ones I've used) will more than happily process the transaction successfully without anything more than the card number and the expiration date.

Some processors will refuse to process transactions within the month that the card expires, but you simply add 4 years to the date and it'll go through just fine.

The Credit Card companies have pushed very hard and very long to make credit transactions more painless than cash. You have to drop some safeguards to do that though.

Re:Missing Address (0)

Anonymous Coward | more than 5 years ago | (#26536489)

Common what?

Perhaps you mean "come on"?

Re:Missing Address (0)

Anonymous Coward | more than 5 years ago | (#26536503)

Plus a lot of bad guys have set up shop to easily print credit cards, so even if they couldn't do "card-not-present transactions" it doesn't protect you much.

Re:Missing Address (3, Funny)

sorak (246725) | more than 5 years ago | (#26537515)

Hmmm...B.H. Obama. Jeffery, get out the phone book. We need to determine where this guy lives.

Re:Missing Address (0)

Anonymous Coward | more than 5 years ago | (#26537607)

Plus I personally know that some online businesses do not do the address checks. Some don't even check the CVV2 (that 3-4 digit security code on the back of the card.) Maybe Heartland requires it, but I doubt that.

Re:Missing Address (1)

NoobixCube (1133473) | more than 5 years ago | (#26538039)

ID thief: Hi, I've moved recently, and I just wanted to check you guys have my new address.

Every time I've done that with my bank, they've asked for my full name, date of birth, and account number (or if I go through the automated channel, the only ID I need is my phone or online banking pin). After those are provided, they tell me what address they have on file.

It's a blog post! (1)

Reality Master 201 (578873) | more than 5 years ago | (#26534767)

The guy posted to his blog about it. On the same day as the inauguration.

Seriously, the tone of the summary is dumb as fuck. The press release is from today, as is the blog post. It's not even a fucking newspaper article.

Re:It's a blog post! (1)

whoever57 (658626) | more than 5 years ago | (#26536097)

The guy posted to his blog about it. On the same day as the inauguration.

Did he? I would RTFA, but I've given up trying to read white-on-black web pages. Seriously, whoever thought that dense white text on a black background is easily readable?

I'll agree that it is a little more readable on LCD monitors than it was on slightly old CRT monitors, but it still isn't easily readable.

Re:It's a blog post! (1)

Reality Master 201 (578873) | more than 5 years ago | (#26536275)

Dunno; I don't have much problem with white on black text. I prefer green or amber on black, though, but that's mostly nostalgia for the VT-220s I spent so much time in front of.

Re:It's a blog post! (0)

Anonymous Coward | more than 5 years ago | (#26537889)

From this day forward, all time will be counted from the moment of OUR MESSIAH'S inauguration. Tomorrow will not be January 21, 2009, it will be THE SECOND DAY OF OUR LORD, OBAMA!

what the bad guys didn't steal (4, Informative)

Gary W. Longsine (124661) | more than 5 years ago | (#26534773)

Nearly every company that suffers a breach like this tries to assure people about what the bad guys didn't manage to steal. Don't believe it. Even if it might be true at the strict technical level, it's still not relevant to the analysis of the severity of this issue. The bad guys already have databases full of names and addresses which they will cross reference against the data they stole.

Re:what the bad guys didn't steal (2, Funny)

noidentity (188756) | more than 5 years ago | (#26536695)

Come on, use the right word! They COPIED the data, not STOLE it, unless they really did delete it from the original server, in which case they would have noticed it missing immediately.

Re:what the bad guys didn't steal (1)

innocent_white_lamb (151825) | more than 5 years ago | (#26537529)

The bad guys already have databases full of names and addresses which they will cross reference against the data they stole.
 
I think they're called telephone books.

"Actually quite difficult"? (2, Informative)

MozeeToby (1163751) | more than 5 years ago | (#26534789)

The nature of the [breach] is such that card-not-present transactions are actually quite difficult for the bad guys to do because one piece of information we know they did not get was an address.

Because we all know that it's impossible to spoof the magnetic strip on the credit card.

needless to ask what OS .. (0, Troll)

rs232 (849320) | more than 5 years ago | (#26535027)

Partner profile [microsoft.com]

Re:needless to ask what OS .. (1)

Whuffo (1043790) | more than 5 years ago | (#26535247)

And visiting that link brought up an "invalid security certificate" warning. Good old Microsoft - they can't even get their own servers set up right.

Re:needless to ask what OS .. (1)

jgtg32a (1173373) | more than 5 years ago | (#26535321)

You do know that has nothing to do with the server itself right?

Re:needless to ask what OS .. (1)

rs232 (849320) | more than 5 years ago | (#26535721)

"You do know that has nothing to do with the server itself right?"

Do you have any citations for that?

'A piece of malicious software [washingtonpost.com] planted on the company's payment processing network that recorded payment card data as it was being sent for processing to Heartland by thousands of the company's retail clients'

Re:needless to ask what OS .. (1)

Kalriath (849904) | more than 5 years ago | (#26536059)

And this is somehow anything to do with the server? We're talking about a payment processor, who has to comply with PCI DSS. One thing that requires is that the server managing payment data be isolated from all the client PCs, and run appropriate security software etc. If anything, this is Heartland's fault (and their PCI assessors, of course). Nothing to do with Microsoft, who for the most part make good servers (even if everything else sucks).

Re:needless to ask what OS .. (1)

pallmall1 (882819) | more than 5 years ago | (#26536807)

Nothing to do with Microsoft, who for the most part make good servers...

Damn straight. Just ask any malicious software author what their server platform of choice is.

Re:needless to ask what OS .. (1)

Whuffo (1043790) | more than 5 years ago | (#26535905)

Did you check the security certificate that is being used by that Microsoft site before posting? I'm sure you understand what role these certificates serve in relation to https connections.

Of course, the connection to their site might be being intercepted by aliens who are replacing a valid certificate with a bad one. Or maybe they're using an old skool coal fired server and forgot to shake down the clinkers.

I'll just use Occam's Razor here - and the simplest explanation is that that server is running Windows and it wasn't configured correctly.

Re:needless to ask what OS .. (1)

Fulcrum of Evil (560260) | more than 5 years ago | (#26536183)

Sure, if you want to be pedantic, but the rest of us include the software that the server is there to run and its config in server setup. Invalid security certs don't give me a warm fuzzy.

Re:needless to ask what OS .. (1)

Kalriath (849904) | more than 5 years ago | (#26536001)

Actually, they can. It isn't invalid at all, it was merely issued by Microsoft's certification authority (which itself has a CA certificate issued by GTE CyberTrust). The problem is your browser (my Firefox 3 didn't even blink twice at it).

Re:needless to ask what OS .. (1)

Cajun Hell (725246) | more than 5 years ago | (#26536727)

Actually, that's an example of Firefox 3 screwing up in a situation where every other browser (even Firefox 2) does a better job. It ought to allow me to see the page, without "adding a security exception" and risking accidentally leaving the 'permanent' box checked.

Re:needless to ask what OS .. (1)

wastedlife (1319259) | more than 5 years ago | (#26537277)

Perspectives [cmu.edu] is an excellent add-on for Firefox 3 that checks pages with self-signed certs from several locations and then bypasses the terrible Firefox 3 warning page if everything checks out. This is pretty effective at negating man-in-the-middle attacks.

Re:needless to ask what OS .. (1)

WiiVault (1039946) | more than 5 years ago | (#26536449)

How did this get marked troll? I mean it is relevant what software was used when a system is breached isn't it?

Re:needless to ask what OS .. (0)

Anonymous Coward | more than 5 years ago | (#26537481)

I apologize for bringing that despicable thing called reality into this, but you really need to get some perspective. Operating systems are not relevant to the story. The story is about an attempted cover-up of a massive data breach. It is not an excuse to scramble to find justification and validation for your own beliefs in operating systems.

Now that we've covered the failure of reading comprehension, let's review it from a technical perspective. Heartland handles a huge number of transactions, and someone breached their network, knowing the internal layout of it. Now, I hate to break it to you, but regardless of OS, if someone cracks the outer layer of security and makes it inside, you're screwed. They could find a rogue machine and sniff all packets for weeks on end, then ship them home covertly and analyze them to try to find details. You'd need to have every box on the LAN side to be ultra-hardened. Security for many companies consists of a Big Ass Cisco Firewall and warning employees not to open suspicious email attachments. I'm sure Heartland's security policy is better (hopefully), but security is not this black and white issue that hinges totally on operating system choice. It is far more complicated than that, and the Slashdot rhetoric in this regard is one of sheer ignorance.

This is why CC zero-liability is a good thing. (1)

brunes69 (86786) | more than 5 years ago | (#26535123)

When stuff like this happens, it is not the consumers who end up paying, but Visa / MC - who end up putting pressure on these guys to get their act together.

Re:This is why CC zero-liability is a good thing. (4, Informative)

Chuck Chunder (21021) | more than 5 years ago | (#26535493)

Some clueless person says this every time there is a story on credit cards.

Visa/MC do not end up paying. Merchants on the receiving end of fraudulent transactions do. Visa/MC may even profit from it as the fees they charge merchants for chargebacks can be quite steep.

Re:This is why CC zero-liability is a good thing. (1)

javelinco (652113) | more than 5 years ago | (#26536175)

And? Most of the time, the reason the chargeback happened is because the merchant didn't bother to follow procedures - they didn't validate the identity of the person using the CC.

Re:This is why CC zero-liability is a good thing. (2, Informative)

Todd Knarr (15451) | more than 5 years ago | (#26536401)

Save that Visa and Mastercard rules prohibit the merchant from validating the identity of the person using the credit card. For instance, a merchant is prohibited from requiring the customer to present ID (such as a driver's license) before they'll take the card. If a merchant refuses to take cards without identification, Visa/MC will terminate their merchant account.

Re:This is why CC zero-liability is a good thing. (1)

nolen (803875) | more than 5 years ago | (#26536761)

If a merchant refuses to take cards without identification, Visa/MC will terminate their merchant account.

You're right about the rules, but nine times out of ten, large retailers will deny you if you don't show ID, just because the clerks don't know better. Visa is not about to terminate the merchant account of a Macys or Best Buy. (Yes, I've even complained with Visa about it, but I have given up on this one.) They are allowed to check your signature against the card, of course.

Re:This is why CC zero-liability is a good thing. (1)

kalirion (728907) | more than 5 years ago | (#26537733)

You're right about the rules, but nine times out of ten, large retailers will deny you if you don't show ID

Let me guess, you were buying tobacco, alcohol, or porn, weren't you? Or you look extremely creepy, since usually the retailer won't even look at the signature [zug.com] unless you buy an expensive big screen TV [zug.com] .

Re:This is why CC zero-liability is a good thing. (2, Informative)

Achromatic1978 (916097) | more than 5 years ago | (#26536981)

Not quite. The merchant agreement typically states that the merchant cannot use ID to validate the identity ONLY for card purchases. If they check ID for check purchases, too, they'd typically be free to do so. It's essentially "you cannot do anything that makes it more inconvenient to the customer to purchase via our card than via other methods".

Re:This is why CC zero-liability is a good thing. (0)

Anonymous Coward | more than 5 years ago | (#26537379)

According to your sig now you have to change. :P

who pays for security ? (1)

rs232 (849320) | more than 5 years ago | (#26535495)

"When stuff like this happens, it is not the consumers who end up paying, but Visa / MC - who end up putting pressure on these guys to get their act together"

It's the consumers who pay for it with higher charges to pay for things like the chip-and-pin upgrade. Similar to how the consumers pay for shop-lifting ..

Fp 6oat (-1, Troll)

Anonymous Coward | more than 5 years ago | (#26535465)

solution to CC breaches .. (5, Insightful)

rs232 (849320) | more than 5 years ago | (#26535657)

What's needed is a totally new kind of online financial transaction system. One that doesn't use card numbers. A dongle on the client connects to the server, generates a one-time session key, identifies itself to the server and displays a random PIN code; the customer then types it in to verify the transaction. The session is encrypted and the data sent can only be used for the one transaction, no repeat man-in-the-middle hacks ..

Re:solution to CC breaches .. (1)

lectos (409804) | more than 5 years ago | (#26536047)

*redirects transaction and inserts own transaction for spare parts at someone else's expense*

*reports an error to original request so that they make a new request to server for another transaction*

*builds robot girlfriend*
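The dongle scheme the parent post sketches, together with the transaction substitution that the reply above plays out, as an added example that is not part of this thread: a minimal transaction-signing exchange in Python (standard library only). The device name, shared secret, 6-digit code length and message layout are assumptions. Because the code the customer types covers the payee and amount as well as the server's single-use challenge, a substituted transaction or a replayed code fails verification.

```python
import hashlib
import hmac
import secrets

DEVICE_SECRETS = {"dongle-0001": b"constructed-shared-secret-not-a-real-key"}  # constructed
CODE_DIGITS = 6  # assumed display length


def dongle_code(secret: bytes, challenge: str, payee: str, amount_cents: int) -> str:
    """Code the dongle displays: HMAC over the server's challenge AND the
    transaction details, truncated HOTP-style (RFC 4226) to a short PIN."""
    msg = f"{challenge}|{payee}|{amount_cents}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    offset = digest[-1] & 0x0F
    num = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{num % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"


class Server:
    """Issues one random challenge per transaction and consumes it on use."""
    def __init__(self) -> None:
        self.pending = {}  # challenge -> (device_id, payee, amount_cents)

    def start(self, device_id: str, payee: str, amount_cents: int) -> str:
        challenge = secrets.token_hex(8)
        self.pending[challenge] = (device_id, payee, amount_cents)
        return challenge

    def confirm(self, challenge: str, typed_code: str) -> bool:
        entry = self.pending.pop(challenge, None)  # single use: gone after this
        if entry is None:
            return False  # unknown or already-consumed challenge (replay)
        device_id, payee, amount_cents = entry
        expected = dongle_code(DEVICE_SECRETS[device_id], challenge, payee, amount_cents)
        return hmac.compare_digest(expected, typed_code)


def demo() -> dict:
    """Honest purchase, a replay of its code, and a swapped payee."""
    secret, srv = DEVICE_SECRETS["dongle-0001"], Server()
    ch = srv.start("dongle-0001", "merchant-A", 4999)
    code = dongle_code(secret, ch, "merchant-A", 4999)
    honest = srv.confirm(ch, code)   # True
    replay = srv.confirm(ch, code)   # False: challenge already consumed
    # A man-in-the-middle substitutes the payee; the customer's dongle still
    # signs what the customer intended, so the codes disagree.
    ch2 = srv.start("dongle-0001", "spare-parts-shop", 4999)
    swapped = srv.confirm(ch2, dongle_code(secret, ch2, "merchant-A", 4999))
    return {"honest": honest, "replay": replay, "swapped": swapped}
```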

Re:solution to CC breaches .. (1)

ducomputergeek (595742) | more than 5 years ago | (#26536061)

Please mod parent up. I have mod points, but posted elsewhere. Having just gone through PCI compliance (which is frankly a joke), there needs to be a better system out there.

Re:solution to CC breaches .. (1)

Hoi Polloi (522990) | more than 5 years ago | (#26536669)

I was just thinking the same thing today. Blizzard is offering this for WoW players to protect accounts. A loss in convenience is a small price to pay at this point to address the ever-growing insecurity (not to mention costs to businesses) of the credit card system.

why were they even (1)

bugs2squash (1132591) | more than 5 years ago | (#26535785)

storing this information ?

Re:why were they even (4, Informative)

ducomputergeek (595742) | more than 5 years ago | (#26535969)

Because they are the ones processing the transactions. We don't use Heartland, but when we take online orders through our website, we don't store the credit card information, our CC processor does. The processors are the ones that actually run the transactions, take money from the customer's account, take a percentage, then deposit to the merchant's account. And they have to keep records of all that.

In order for CC payment to work someone has to store that data somewhere.

Re:why were they even (2, Informative)

cbiltcliffe (186293) | more than 5 years ago | (#26536267)

I don't think they were necessarily storing it, from the press release. To me, it basically says a network sniffer picked up network traffic on the wire. That can happen whether you store the info or not.

Card not present transactions (2, Informative)

CmdrPorno (115048) | more than 5 years ago | (#26536085)

This is BS. Anyone with a card terminal can key the number in, or the card could be cloned. I discovered that FIA categorizes keying the number into the terminal as a "card present" transaction, when I tried to dispute an unrecognized charge. They then use this as a reason that the charge was legitimate, even when the card was not in fact present.

Donations to Obama (1)

robert899 (769631) | more than 5 years ago | (#26536721)

One bit of good news out of this massive breach is that, according to Heartland's CFO, "The nature of the [breach] is such that card-not-present transactions are actually quite difficult for the bad guys to do because one piece of information we know they did not get was an address." Heartland just put up a press release on the breach.

You could have donated to the Obama campaign using a credit card without a correct address. Google "obama AVS".

AVS is optional (1)

Archon-X (264195) | more than 5 years ago | (#26536997)

AVS is not necessary to process a transaction.
Anyone with a merchant account has the full ability to control their scrub by adjusting their AVS settings, from full matching, partial or none at all.

Biometrics: When, How (1)

BoRegardless (721219) | more than 5 years ago | (#26537199)

We have been going through these issues for years. These problems are not created by consumers, but by the companies that want to legitimately take their funds in return for goods, yet the consumers wind up having their share of problems from this.

At some point facial, iris, thumbprint readers (of pattern or blood vessels) or something is going to have to be implemented.

Given that most computers/cellphones have cameras now, when will it happen?

cancel and re-issue lots of cards? (1)

Benjamin_Wright (1168679) | more than 5 years ago | (#26537411)

Mass re-issuance of cards may not be the best response. In the TJX experience, the cost of re-issuing cards far exceeded the actual risk [typepad.com] . Alternatives to re-issuance include tighter monitoring of and restrictions on affected card accounts. --Ben

Undisciplined users (-1, Flamebait)

erroneus (253617) | more than 5 years ago | (#26537421)

I'll tell you what has been getting under my skin a bit lately: Users who install software on their workstations.

In a perfect world, software makers wouldn't write software that demands that it run with administrator privileges. We don't live in a perfect world. This means in order to accomplish a task, security of a workstation must be weakened and compromised very often.

But with that said, I have a largely male population of users in my production area and they have very little trouble... almost zero incidents of malware infection. Meanwhile, I have a small number of female production users (I would estimate the ratio at about 15 to 20%) and most of them have gotten a malware infection on their PCs resulting in my having to reload them in order to ensure that the infection was purged. (It's okay, I keep a fairly up-to-date system image... not that big of a deal) But how am I supposed to NOT sound sexist for pointing this fact out? That women are more prone to trashing their computers because they play and toy with their machines more than men? That really gets under my skin sometimes... why can't they just not do whatever it is they claim not to be doing not knowing how it happens?

Re:Undisciplined users (1)

JustNiz (692889) | more than 5 years ago | (#26538189)

>> Users who install software on their workstations.
>> In a perfect world, software makers wouldn't write software that demands that it run with administrator privileges.

Both of the above statements seem to indicate that you're running MS Windows. If I were you I'd be thinking about how to change that.
Linux has a much stronger security model and generally does not require users to run apps as root.
Also, 99.999% of viruses are Windows-only.
Also, most basic users aren't even going to be able to get their favorite Windows apps running under Linux anyway.

The best lie... (1)

rickb928 (945187) | more than 5 years ago | (#26537475)

"The nature of the [breach] is such that card-not-present transactions are actually quite difficult for the bad guys to do because one piece of information we know they did not get was an address."

Hah.

Addresses in card-not-present transactions can in fact be gotten, and if they use AVS then at the least the AVS data is readily available.

In other words, you're getting pwned even if it was card-not-present.

For those not in the know, most Internet transactions, phone orders, mail orders, and eBay/PayPal transactions are card-not-present. In fact, virtually all of the above.

The quote from Heartland was just weasel-talk.

Can't blame Bush anymore. (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#26537717)

With a new President in the White House, you can't blame Bush for all the world's ills anymore. Now it's Obama's fault. It happened on his watch.

First in a long line of discoveries to come (5, Interesting)

WillAffleckUW (858324) | more than 5 years ago | (#26537893)

Those who claim to be perfect but never admit mistakes usually are covering up for massive mistakes.

And the missing million emails we know of are just the observable symptom, as are the transactions in this health data breach.

The old truisms of data security still apply:

1. It's usually insiders that provided or passed on information used to get access.

2. Those who cover up problems only create even larger problems, due to the system of trust.

3. You can stop 99 percent of attacks with reasonable security measures, but a determined attacker willing to use human intelligence methods will almost always get through the other 1 percent - the trick is knowing what measures will dissuade the 99 percent and implement those, and use reporting to discover the other 1 percent instead of measures that will be defeated anyway.
