Heartland Systems data breach
January 20, 2009 3:39 PM   Subscribe

It's probably just the government... trying to get a little of the $700 billion before April 15.
posted by terranova at 3:43 PM on January 20

TJ Maxx's breakin was a sophisticated job. The attackers broke into poorly-secured store wifi, and used that to leapfrog to the wired network, where they then installed a sniffer on routers in front of the databases, allowing them to capture virtually any traffic they wanted to--that's why the breach was so big. Initial reports are that the same attack was used here, meaning that software was installed on internal routers, a traditionally overlooked area of security.
posted by fatbird at 4:08 PM on January 20 [1 favorite]

TJ Maxx's breakin was a sophisticated job.

Aw yeah, dogg, much mad handspins.
posted by fleetmouse at 4:13 PM on January 20 [4 favorites]

Wow. Custom domain and everything.
posted by niles at 4:26 PM on January 20

2009breach.com is already registered, but 2010breach.com is still available (if you can wait that long).
posted by Combustible Edison Lighthouse at 4:33 PM on January 20

Aw yeah, dogg, much mad handspins.

???
posted by fatbird at 4:41 PM on January 20

fatbird: Breakin'
posted by sadiehawkinstein at 4:47 PM on January 20

A bad movie reference
posted by mrzarquon at 4:48 PM on January 20

I thought it was interesting that they emphasized that "No merchant data or cardholder Social Security numbers, unencrypted personal identification numbers (PIN), addresses or telephone numbers were involved in the breach."

So the only thing the bad guys got was all the information necessary to put through illicit charges on credit cards.

250,000 merchants? They may have compromised nearly every credit card on the planet.
posted by Class Goat at 5:50 PM on January 20

Not really much of a surprise. The way we do credit cards is just such a fundamentally bad system, these things are going to keep happening until we seriously overhaul it.

A good transaction-authorization system would put some minimal amount of logic in the customer's card, so that having a captured transaction wouldn't let you simply replay it and debit more money from the account. The method that's been tossed around for years is with smartcards, but I'm not a big fan of them (they would make internet purchases difficult by requiring you to have a card reader, and telephone transactions impossible; the system is opaque to the user, which a good one shouldn't be). I think a better way would be something like the RSA SecureID — a rolling code that you could just read off the card, based on hashing the current time and a secret card number. It wouldn't need special reading equipment, and it wouldn't make internet or phone purchases impractical.

However, some things just wouldn't be possible: I can't think of a way to do pre-authorized reoccurring payments without throwing security out the window, and the cards would have to have a power source that would keep them ticking, meaning they'd need periodic replacement. (Although maybe you could have the display run from solar cells, so they'd run for a long time — as long as they last longer than a card's typical expiration date, it's fine.) And it would cost more.

I doubt we'll do anything about the problem for a while, because the current system — insecure as it is — is convenient. Any security upgrade would mean giving up some of that security: either by making some things flat-out impossible, or adding time and expense. I think we're well past the point where those tradeoffs are worthwhile in general, but right now the right people — those who could actually force changes in the system (the card companies) — aren't bearing the costs of insecurity.
posted by Kadin2048 at 6:09 PM on January 20 [1 favorite]

Any security upgrade would mean giving up some of that security convenience…

Ugh, messed up the punchline there.

Just to restate: virtually all security comes at a cost. If you lock your car, you give up the convenience of being able to get stuff out of the trunk without rummaging for your keys. If you use good password practices, you give up the convenience of never having to remember anything other than your birthday (or whatever).

Today, our credit cards are like unlocked cars, and we seem to be addicted to the convenience that allows. Want to let your phone bill pay itself every month, without doing a thing? No problem — just give them your number and forget about it. Want to get in and out in 30 seconds flat? Just swipe and go. We take these conveniences for granted, but the price of them is rampant fraud and theft.
posted by Kadin2048 at 6:17 PM on January 20

In the sense of a good reference to a bad movie.
posted by Mister_A at 6:23 PM on January 20

This was pretty big news around the office. But they were PCI certified!

Yeah, and compliant != secure.

The Washington Post is calling it possible the largest breach ever. There was also this breach at the Kennebec Bank in Maine, apparently they were informed by Mastercard, who aren't forthcoming with many details.. I wonder if it's related.
posted by These Premises Are Alarmed at 6:33 PM on January 20

In the previous FPP about the TJ Maxx breach, I explained why our credit card security is complete crap. It comes down to who builds the system and who pays for the fraud. For credit card transactions, these are not the same people. Therefore the companies in a position to fix the problem simply don't care.
posted by ryanrs at 6:43 PM on January 20

Yeah..you know what kind of hoops we had to jump through to get PCI certified with them? Who certifies the certifier?
posted by spicynuts at 6:43 PM on January 20

Kadin2048: The way to set up recurring transactions with a device that can build transaction-specific identifiers would be to create several classes of transactions, e.g. to define in the spec that Recurring purchases are sent to the credit card processor as Recurring Purchases (so that when the merchant sends the data to your credit card company, it's flagged as recurring the first time it's sent and all subsequent times — bonus points for setting up the card to have a special mode to specifically enable this), and One Time Purchases as the default.

I suspect that the reason that a RSA SecureID-type system of unique IDs for transactions haven't been implemented is that it's cheaper to deal with fraud and to pay it out, than to overhaul all point-of-sale systems all over the world. Either that or gross incompetence.
posted by amuseDetachment at 6:46 PM on January 20

Also from the TJ Maxx thread: my plan for secure credit card transactions. I describe how to perform secure point-of-sale transactions, online transactions, and automatic recurring payments. All with cheap off-the-shelf commercial equipment that is already widely deployed within the banking industry.

Honestly, this stuff is not that hard if they would just give it some thought.
posted by ryanrs at 7:07 PM on January 20

Through the years my credit cards have been stolen or lost a few times, a lot of times in small or large amounts due to my own stupidity. But in my entire life I have never paid one cent due to resulting fraudulent use of my cards. I believe the law limits my liability to something like $50 or $100 as long as I report missing cards reasonably soon, but none of the issuers has even tried to hit me for that.

So in contrast to when some vendor foists buggy / insecure software on me and it becomes my problem, the fact that the credit card companies are chugging along with a pretty weak system overall doesn't bother me so much. They're footing the bill, and when it gets high enough they'll do something about it.
posted by Bokononist at 7:46 PM on January 20

Wrong. The credit card companies and banks do not pay for fraud, retailers do. Naturally these costs are passed on to you.
posted by ryanrs at 8:18 PM on January 20

I think a better way would be something like the RSA SecureID

I worked at RSA, and this idea came up now and then. The minor problem was that the thinnest cards containing SecurId tech were about the width of three credit cards, so looked bulky and unweildy, and thus unlikely to gain acceptance from users; there was also the problem that they wouldn't fit in swipe readers. The major problem was that Visa and Mastercard were, from what I heard by way on internal gossip, completely uninterested in transitioning to something like this due to cost and predicted low customer acceptance.
posted by fatbird at 9:02 PM on January 20

Wouldn't CVV numbers make the raw numbers kind of useless? Or are there still a lot of places that don't require them?
posted by delmoi at 9:07 PM on January 20

At Etrade brokerage, they charge $50 for an RSA SecurID—unless your account has a balance over $50,000, then it's free. You can probably compute their fraud rate from the ratio of those two numbers...
posted by ryanrs at 9:21 PM on January 20

The credit card companies and banks do not pay for fraud, retailers do.
D'oh! I see.

Wouldn't CVV numbers make the raw numbers kind of useless?
It's just a longer raw number, no? I suspect they might be useful for a short period of time if they were only requested for a small percentage of 'high-value' transactions. No doubt related to the above point, every seller has decided their transactions are 'high-value'. I think, at least online, they're just universally expected with the rest of the numbers.
posted by Bokononist at 10:16 PM on January 20

And it's not even the retailer that lost the data who pays the cost. The cost of fraud gets charged to the retailer where the stolen data is used to make a fraudulent transaction.
posted by ryanrs at 10:32 PM on January 20

I wonder if this is related to Adele Services (25 cent transactions), Pluto Data (fake CD/DVD purchases), or perhaps Vertrue aka AP9* Shopping Essentials. Or are all those comparatively "above-board" scams?
posted by dhartung at 10:46 PM on January 20

This was pretty big news around the office. But they were PCI certified!

At work we have "validated" systems which basically means "as thoroughly debugged as any of the code I wrote for a 200 level Pascal class I took in the early 90's".

At one point the plan was for our compliance experts (or however they branded themselves) to review the source code of the software running on each machine. I had great fun explaining the underhanded C contest works.
posted by Kid Charlemagne at 10:53 PM on January 20

cyberpunk is now.
posted by Smedleyman at 11:11 PM on January 20 [1 favorite]

It really doesn't matter. Breaches are meaningless when the credit card companies themselves don't care and happily participate in any fraud with no repercussions at all.

My wife and I were part of HSBC Visa's great UK data loss. As a result HSBC canceled our cards (without notice!) leaving us stranded with credit for a few days until the replacements came. Then several months later charges started showing up on our account from an Eastern European payment processing firm that handles toll road or congestion charge billing. Turns out the charges were against our old card numbers and made after they were canceled but they were helpfully forwarded to our account by HSBC effectively negating their security measure of canceling our cards.

It also doesn't help that they also seem to have little to no information on who is billing us and why that they are willing to share with us.

The charges are still showing up and every month and every month we call and complain. We would change banks if we could but the current climate means we can't get another credit card with a decent interest rate (No thanks Citibank we don't need a 38.5% rate).

What is the justification for the interest rate on the cards again?
posted by srboisvert at 1:01 AM on January 21

Wrong. The credit card companies and banks do not pay for fraud, retailers do. Naturally these costs are passed on to you.

Sorry, you're wrong. The banks and credit unions that issue the cards are liable for transactions made on the counterfeit cards that result from this kind of breach. If a physical card is present, the transaction isn't eligible for "chargeback" under Visa/MC operating regs.
posted by Hlewagast at 7:49 AM on January 21

This was pretty big news around the office. But they were PCI certified!

Yeah, and compliant != secure.

How were they compliant without proper WiFi security and lack of separation between the wired and wifi networks? AND they transmitted secure and insecure data on the same network?
posted by odinsdream at 8:10 AM on January 21

odinsdream: I was talking about Heartland being compliant (an assumption due to the number of transactions, but true), I think the breach you're describing is TJ Maxx.

And either way, that's the point. Being PCI certified means that, at a point in time, you were deemed acceptable by your QSA.
posted by These Premises Are Alarmed at 10:45 AM on January 21

TPAA: You're right, I am confusing the TJ Maxx breach with Heartland.
posted by odinsdream at 11:28 AM on January 21

HSBC effectively negating their security measure of canceling our cards.

When I moved from the U.S. back to Canada, I cancelled several credit cards, and had several conversations like this:

"Okay, the card is marked as cancelled. If you want to uncancel it, just use it again within six months."

"What do you mean? I want it cancelled. Dead. No more use. And I want it now, not six months from now."

"Yes sir, it's cancelled. But if you want to keep using it, just charge something on it within six months."

"But if I can still make charges on it, it's not cancelled, is it?"

"No sir, it's cancelled. If you made a charge it would be uncancelled, though."

"I don't want it to be uncancellable. I want it forever unusable for anything from this point forward."

"Yes sir, I've already cancelled it for you."

"sigh."
posted by fatbird at 12:25 PM on January 21 [3 favorites]