Site News
Current section

July 30, 2010

StaffCop added!

Voting

Would you prefer to have 1 product that can fight both viruses and spyware or a specialized product for every threat?

1 multifunctional product
2 specialized products
VotingView results

September 15, 2009

Heartland CEO: Credit card encryption needed

Credit card transactions in the U.S. are often not encrypted, and credit card vendors, payment processors and retailers need to embrace an encryption standard to protect credit card numbers, the CEO of a breached payment processor said Monday.

Credit card numbers are not now required in payment card industry guidelines to be encrypted in transit between retailers, payment processors and card issuers, Robert Carr, chairman and CEO of Heartland Payment Systems, told a U.S. Senate committee. Heartland in January announced the discovery of a data breach that left tens of millions of credit card numbers exposed to a gang of hackers.

"I now know that this industry needs to, and can, do more to better protect it against the ever-more-sophisticated methods used by these cybercriminals," Carr told the Senate Homeland Security and Governmental Affairs Committee. "I believe it is critical to implement new technology, not just at Heartland, but industrywide." The purpose of the committee hearing was, in part, to determine whether new legislation is needed to fight cybercrime.

Heartland is pushing for the credit card industry to adopt an end-to-end encryption standard, he said, and the company is deploying tamper-resistant point-of-sale terminals at its member retailers. "Our goal is to completely remove payment account numbers of credit and debit cards and magnetic-stripe data so they are never accessible in a useable format in the merchant or processor systems," Carr said.

Heartland has asked credit card companies to accept encrypted transactions and the company has engaged standards bodies and encryption vendors, Carr said. The company has also helped to form an information-sharing council for payment processors, where the companies can share information about threats, vulnerabilities and best practices, he said.

"We are working on these solutions, both technological and cooperative, because I don't want anyone else in our industry, or our customers, or their customers ... to fall victim to these cybercriminals," he said.

Carr didn't give details about the Heartland breach, in which the company was compromised for about a year-and-a-half. The company remains involved in investigations and lawsuits involving the breach, he said.

However, Heartland paid about $32 million in the first half of 2009 for forensic investigations, legal work and other charges related to the breach, he said.

Senators asked Carr some pointed questions about the breach. Sen. Susan Collins, a Maine Republican, wanted to know how the company could be compromised from October 2006 to May 2008 without discovering the breach. "I was astounded at what a long period elapsed where these hackers were able to steal these credit card numbers," she said. "Explain to me how a breach of that magnitude could go undetected for so long."

Card holders were not reporting major breaches, Carr answered. "The way breaches are normally detected is that fraudulent uses of cards are determined," he said. "There was no hint of fraudulent use of cards that came to our attention until toward the end of 2008."

Collins pressed him further. "But are there no computer programs that one can use to check to see if an intrusion has occurred?" she asked.

"There are, and the cybercriminals are very good at masking themselves," Carr said.

Sen. Joe Lieberman, an independent from Connecticut, asked Carr about the extent of the breach.

In August, Albert Gonzalez of Miami was indicted in New Jersey for the theft of more than 130 million credit and debit cards, according to the U.S. Department of Justice. He was charged, along with two unnamed co-conspirators, with using SQL injection attacks to steal credit and debit card information from Heartland, 7-Eleven and Hannaford Brothers, a Maine-based supermarket chain. Gonzalez pleaded guilty last week to separate charges in Massachusetts and New York.

It's too soon to tell how many credit card numbers processed by Heartland were compromised, Carr said. "We don't know the extent of the fraud at this point," he said. "It's a significant compromise."



Source: ComputerWorld



All news for September 18, 2009:
20:13Microsoft Internet Explorer SSL security hole lingers
20:11Conservatives call for DNA databases to be reduced
20:09McAfee warns of bogus security suite
20:08Security market remains buoyant in choppy waters
20:07The good and bad of government in the cloud
20:05Vista, Windows 7 Are More Secure than Snow Leopard
20:04Will Google's Buy of reCAPTCHA Hurt Internet Security?
20:01HHS guts health-care breach notification law, groups warn
20:00Man gets 15 months for E-Trade skimming scam
19:59Sophisticated botnet causing a surge in click fraud
19:59Microsoft sues scareware scammers
19:58Software company fined for trading with the enemy
19:58Misdirected spyware infects Ohio hospital
19:57Firefox's Flash check drives 10M to Adobe's download
19:55Microsoft, Yahoo in informal talks with EU over search deal



All news for September, 2009
All news for 2009 year

DONATION: www.anti-keylogger.org and www.keylogger.org is an independent research projects supported by a team of enthusiasts. If you find this project useful and would like to help foster its continued development, please consider making a donation.
donate

Thanks in advance for your support!