MGD
MVM
join:2002-07-31

3 edits

1 recommendation

MGD

MVM

[Credit Card Fraud] Heartland Payment Systems Card Data Hacked.

quote:
Payments processor Heartland Payment Systems Inc. said Tuesday its system used to process Visa, MasterCard, American Express and Discover Card transactions was breached last year, but asserted that merchant and customer data were not affected.

Robert H.B. Baldwin Jr., president and CFO,......
.....
...
Heartland, based in Princeton, N.J., said the breach did not involve merchant data, cardholders' Social Security numbers, unencrypted personal identification numbers, addresses or telephone numbers......
...
.
Baldwin said in an interview that the only information breached were card numbers and cardholders' names, or one or the other.

Heartland said it was alerted by Visa and MasterCard of unspecified suspicious activity surrounding processed card transactions and enlisted the help of auditors to investigate. The investigation last week uncovered "malicious software" that compromised data in Heartland's network, it said.

"We understand that this incident may be the result of a widespread global cyber fraud operation,
and we are cooperating closely with the United States Secret Service and Department of Justice," Baldwin said.
......
...
..

Ref:»www.msnbc.msn.com/id/28758856

Possibly related to all the recent massive reports of card pinging.
FOR IMMEDIATE RELEASE

Heartland Payment Systems Uncovers Malicious Software In Its Processing System.

No merchant information or cardholder Social Security numbers compromised.

Princeton, NJ — January 20, 2009 —
Payments processor Heartland Payment Systems has learned it was the victim of a security breach within its processing system in 2008. Heartland believes the intrusion is contained.

"We found evidence of an intrusion last week and immediately notified federal law enforcement officials as well as the card brands," said Robert H.B. Baldwin, Jr., Heartland's president and chief financial officer. "We understand that this incident may be the result of a widespread global cyber fraud operation, and we are cooperating closely with the United States Secret Service and Department of Justice."

No merchant data or cardholder Social Security numbers, unencrypted personal identification numbers (PIN), addresses or telephone numbers were involved in the breach. Nor were any of Heartland's check management systems; Canadian, payroll, campus solutions or micropayments operations; Give Something Back Network; or the recently acquired Network Services and Chockstone processing platforms.

After being alerted by Visa® and MasterCard® of suspicious activity surrounding processed card transactions, Heartland enlisted the help of several forensic auditors to conduct a thorough investigation into the matter. Last week, the investigation uncovered malicious software that compromised data that crossed Heartland's network.

Heartland immediately took a number of steps to further secure its systems. In addition, Heartland will implement a next-generation program designed to flag network anomalies in real-time and enable law enforcement to expeditiously apprehend cyber criminals.

Heartland has created a website — www.2008breach.com — to provide information about this incident and advises cardholders to examine their monthly statements closely and report any suspicious activity to their card issuers. Cardholders are not responsible for unauthorized fraudulent charges made by third parties.

"Heartland apologizes for any inconvenience this situation has caused," continued Baldwin. "Heartland is deeply committed to maintaining the security of cardholder data, and we will continue doing everything reasonably possible to achieve this objective."
ref: »www.2008breach.com/

[EDIT ADD]
A tad optimistic, "enable law enforcement to expeditiously apprehend cyber criminals." If they are not within the jurisdiction, the best you can hope for is that they decide to roll quietly into Turkey for a few days of R&R.

MGD
MGD

1 edit

2 recommendations

MGD

MVM

Re: [Credit Card Fraud] Heartland Payment Systems Card Data Hack

This could be one of the largest card data breaches ever. In reading Brian Krebs's Washington Post Security Fix article on the subject: »voices.washingtonpost.co ··· y_b.html
quote:
.....Heartland Payment Systems may have compromised tens of millions of credit and debit card transactions, the company said today.

Processors are juicy targets to hackers for card data as they make it more difficult for the financial processing system to detect by fraud patterns. When fraudulent use occurs, cardholders may not have a vendor in common to enable early detection by pattern. It will usually take a lot longer to detect fraud when the common link is a processor and not a specific vendor. The leak may have gone on for some considerable time before this common link was detected. According to the quote below, Heartland processes 100 million transactions a month.

Also, the stated compromise was via interception of traffic passing over their network. If correct, that vector appears to have a lot in common with the recent Hannaford grocery store compromise. Except that it was now at the other end of the pipeline.
quote:
.....Baldwin said Heartland does not know how long the malicious software was in place, how it got there or how many accounts may have been compromised. The stolen data includes names, credit and debit card numbers and expiration dates.

"The transactional data crossing our platform, in terms of magnitude... is about 100 million transactions a month," Baldwin said. "At this point, though, we don't know the magnitude of what was grabbed."

The interception method would have yielded the track 2 data from card swipes. Which would be the cardholder's F&L name, Card #, and Exp. Date.

MGD
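
The detection problem described in the post above (fraud victims who share no vendor, only a processor), shown as an added example that is not part of the original thread: a small common-point analysis that scores each merchant, then each processor, by how many fraud-reported cards passed through it compared with cards overall. All card tokens, merchant names and processor labels are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data, not real records. Each merchant settles through
# one hypothetical processor.
MERCHANT_PROCESSOR = {
    "Diner A": "Processor X",
    "Florist B": "Processor X",
    "Garage C": "Processor X",
    "Bakery D": "Processor X",
    "Hotel E": "Processor X",
    "Grocer F": "Processor Y",
    "Pharmacy G": "Processor Y",
    "Bookshop H": "Processor Z",
}

# (card token, merchant) pairs taken from constructed purchase histories.
PURCHASES = [
    ("card-01", "Diner A"), ("card-01", "Grocer F"),
    ("card-02", "Florist B"), ("card-02", "Pharmacy G"),
    ("card-03", "Garage C"), ("card-03", "Grocer F"),
    ("card-04", "Bakery D"), ("card-04", "Bookshop H"),
    ("card-05", "Hotel E"), ("card-05", "Diner A"),
    ("card-06", "Grocer F"), ("card-06", "Pharmacy G"),
    ("card-07", "Grocer F"), ("card-07", "Bookshop H"),
    ("card-08", "Pharmacy G"),
    ("card-09", "Bookshop H"), ("card-09", "Grocer F"),
    ("card-10", "Pharmacy G"), ("card-10", "Bookshop H"),
]

# Cards with fraud reports (constructed).
FRAUD_REPORTED = {"card-01", "card-02", "card-03", "card-04", "card-05"}


def rank_common_points(purchases, fraud_cards, group_of,
                       min_coverage=0.8, min_lift=1.5):
    """Return [(entity, coverage, lift)] for entities that most fraud cards
    passed through and that are over-represented compared with all cards.

    coverage = share of fraud cards seen at the entity
    lift     = coverage divided by the share of all cards seen there
    """
    cards_at = defaultdict(set)
    all_cards = set()
    for card, merchant in purchases:
        cards_at[group_of(merchant)].add(card)
        all_cards.add(card)

    fraud = set(fraud_cards) & all_cards
    if not fraud:
        return []  # nothing to correlate

    findings = []
    for entity, cards in cards_at.items():
        coverage = len(cards & fraud) / len(fraud)
        baseline = len(cards) / len(all_cards)
        lift = coverage / baseline
        if coverage >= min_coverage and lift >= min_lift:
            findings.append((entity, round(coverage, 2), round(lift, 2)))
    return sorted(findings, key=lambda f: (-f[1], -f[2], f[0]))


def by_merchant():
    """Look for a common vendor among the fraud-reported cards."""
    return rank_common_points(PURCHASES, FRAUD_REPORTED, lambda m: m)


def by_processor():
    """Same cards, grouped by the processor behind each merchant."""
    return rank_common_points(PURCHASES, FRAUD_REPORTED,
                              lambda m: MERCHANT_PROCESSOR[m])


if __name__ == "__main__":
    print("common merchants: ", by_merchant())
    print("common processors:", by_processor())
```

At the merchant level no single vendor covers more than 40% of the fraud cards, so nothing is flagged; grouping the same purchases by processor surfaces the shared link.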

pcdebb
birdbrain
Premium Member
join:2000-12-03
Brandon, FL
ARRIS DG1670

1 recommendation

pcdebb to MGD

Premium Member

to MGD
My heart kinda started beating differently when I heard about this when they ran the story; they stated they don't even know how many companies and their customers may be affected. I'm glad I already log into my account daily.

Breached
@ibm.com

Breached to MGD

Anon

to MGD
Don't believe what you read about no personal data loss.

I received a "fraud notification" from AMEX yesterday (1/20) on a charge. Checked online and found my card had been breached. Called AMEX to get new cards and found out my personal information was changed: email, mother's birthday and my address. The email was almost close to mine so I might have missed that if I wasn't checking close.

OK, so let me check my Visa and voila, another bogus charge. The charges were all under 1K.

These charges were done starting 1/11, 1/15 and 1/20. Why did it take this long to report?

Why are they saying no personal data was lost when I guarantee it was? Obviously I know why they aren't saying!!!

New cards are on the way, with fraud protection paid for by me!!!

Be forewarned..... I hope they catch them!!!

Matt )
MGD
MVM
join:2002-07-31

1 recommendation

MGD

MVM

There have been a few other recent reports on this forum where fraud victims had their card account personal data changed. Such as their mailing address for their statements, etc.

Since the volume of compromised data is so large in this case, do not expect that all banks will automatically reissue cards if they are notified. Many may determine that the entire cost of card replacement, at ~$15 to $20 each, may exceed the total potential fraud loss. They may choose to flag the cards for extra transaction scrutiny, and address it on the fly. If that is the case, then there should be a waiver of the sixty day reporting requirement for victims. As the data volume is so large, cyber criminals may decide that processing small recurring charges will yield a greater cash return than burning up the card with a one time large transaction.

Also focus criticism on VISA and Mastercharge if your bank tells you that your current card may be compromised, but they do not know from where. They may be telling you the truth. When banks are notified of potential compromised card accounts, VISA and Mastercharge forbid the disclosure of the source of the data. So though VISA / MC may turn the data over to the relevant financial institutions they will not tell them the source. Many institutions are frustrated by that ridiculous and archaic rule. It hinders them from making additional decisions with respect to their customers.

At 100 million transactions a month, and the obscure reference to the initial compromise being "late last year", we can assume somewhere around the last quarter, maybe. That potential covers 3 hundred million transactions, ouch!!

This compromise vector "data sniffing" somewhere on the network, does not appear to be covered during PCI compliance inspection. Neither is this the first time that this form of compromise has shown up.

MGD

florida
@tmodns.net

florida to MGD

Anon

to MGD
"A potentially huge security breach at Heartland Payment Systems in New Jersey includes its partner, the Florida Restaurant & Lodging Association."

from:
»www.bizjournals.com/sout ··· y30.html

pcdebb
birdbrain
Premium Member
join:2000-12-03
Brandon, FL

pcdebb to MGD

Premium Member

to MGD
I somehow feel at some point that these data breaches are from an inside track. A band of criminals getting jobs that gives them some sort of access to make this happen. I could be wrong, but it wouldn't surprise me either.

Breached
@ibm.com

Breached to MGD

Anon

to MGD
Well, I did some of my own investigation and since one of the fraudulent charges was recent, 1/20, I called the company processing the order. I dealt with a nice woman who appreciated my call and stopped the order. I figured by the time AMEX gets around to calling, this laptop would have been delivered.

That's one laptop that we all won't be paying for!

Link Logger
MVM
join:2001-03-29
Calgary, AB

Link Logger to pcdebb

MVM

to pcdebb
said by pcdebb:

I somehow feel at some point that these data breaches are from an inside track. A band of criminals getting jobs that gives them some sort of access to make this happen. I could be wrong, but it wouldn't surprise me either.
Most of these tend to have an 'inside' component, given stolen card pricing like:

$12 for Visa Classic
$19.50 for Visa Gold
$16.50 for MasterCard
$36 for American Express

Baddies can throw around lots of cash to get insiders to help them make barrels of money and then there are places like this where you just can't shovel the stolen cash fast enough. So how much is this going to cost Heartland? Likely more than investing in better security up front would have.

Blake

nwrickert
Mod
join:2004-09-04
Geneva, IL

nwrickert

Mod

Credit card transaction handling isn't that much different from what it was 50 years ago. Every store clerk is a potential "insider". With that many insiders, there are bound to be leaks.

It is high time the credit card industry moved to cryptographic methods (as with digital signatures).

GotGhosts
Premium Member
join:2002-07-16
boo

GotGhosts to MGD

Premium Member

to MGD

Where would you use your stolen account number?

I was contacted by Star, who keeps track of fraud on my Master Card debit card, on Saturday December 6th. A really nice woman asked me if I had made these charges in West Corvina California that day and I told her I was sitting in front of my computer in Ohio and I had never been to California. She started asking me questions which is when my "BBR Security Forum" training went into effect. I asked her for a phone number so that I could return her call and she very nicely gave me her number, with the ext, and told me her name. After I confirmed the information I made her give me she canceled my Master Card debit card and said I needed to contact my credit union first thing on Monday.

My credit union doesn't open until 8:00am but when I tried to call at 7:30am the phone was busy for almost 30 minutes. Everyone that has a card through my credit union was affected by this and I was told that it wasn't just my credit union and that was the only thing they would tell me.

My credit union still has not refunded all of the "over-draft" charges that they started to withdraw from my savings account after my checking account was empty. This is a mistake on "their" part and I think they still don't have everything straightened out yet.
I've been a member of this credit union for 25 years and I have never bounced a check and I have over-draft coverage. I had to apply for another Master Card "debit" card and the new one came 3 days before Xmas, with only 3 different numbers!

12/5/08 Rite Aid Drug Store $5.12 Baltimore MD
12/5/08 Toys R Us $337.86 West Corvina California
12/5/08 Marshalls Family Clothing Store $370.34 West Corvina California
12/6/08 BCF Family Clothing Store $247.23 West Corvina California
12/6/08 Ralphs Grocery Stores $110.80 West Corvina California

Someone needs to get their act together and fix this system!
My card was not stolen and I have never done any banking online and if I want to buy something from an online web site they better have a phone number for me to contact them if they want the sale.
It's a good thing my family decided to spend less for Xmas this year because someone else had already spent my Xmas money!
MGD
MVM
join:2002-07-31

1 recommendation

MGD

MVM

said by GotGhosts:

... Someone needs to get their act together and fix this system! ....
There is at least one report that states the Heartland intrusion began in May of 2008. If that is confirmed, then the hackers had sustained access for six months prior to the discovery. Based on Heartland's own figures of 100 million transactions a month, that would put the potential exposure at up to 600 million transactions.

In fact, prior to this disclosure there were multiple comments made by people who keep their ear to the card fraud ground, that there had to be an ongoing breach. The noise and activity levels in the fraud underground, indicated such an event was taking place. It is also reasonable to assume there are other ongoing intrusions that have yet to be discovered.

There should be considerable dismay at this breach since there were repeated warning alerts about this exact attack vector, beginning in mid 2008. There was a similar vector used in the Hannaford's grocery chain intrusion in early 2008. Ironically Hannaford had just passed a PCI compliance audit less than a few weeks earlier.

Probably the greatest intelligence information, which was later dispersed out as alerts, came from the exhaustive TJMAX investigation. Any company involved in securing financial transaction data, would, or should, have been aware of this potential attack vector. It is disingenuous for Heartland to state that it was targeted by sophisticated software, as if it were an unknown.

The evidence uncovered in the TJMAX case did in fact reveal a very sophisticated data sniffer was used. Not only that, but the FEDS even knew who created that sniffer. The author was a knowledgeable security expert, who had worked for data security companies, testing systems security. He had developed many tools to show that discovered "proof of concept" exploits were feasible. The individual is a 25 year old New Yorker named Stephen Watt.

Though it did not generate a lot of media attention, Stephen Watt was indicted by the FEDs in October of 2008 for designing and subsequently modifying the worm and sniffer that was used in the TJMAX case. It is not clear from the indictment as to whether Watt knew that he was participating in the conspiracy, or if he was duped into providing that sophisticated sniffer as a testing tool. The indictment makes no mention of how much he profited from the venture, which might indicate his knowledge of the purpose of the tool. In fact the indictment makes no reference to the TJMAX case at all. However, it does state that the program was made for, and modified, at the request of "Albert Gonzalez".

Albert Gonzalez was the individual who first gained access to the TJMAX network. Gonzalez subsequently partnered with the Ukrainian cyber criminal Maksym Yastremskiy to exploit the recovered card data. Maksym Yastremskiy was recently sentenced to 30 years in jail in Turkey, where he was arrested when he dropped in for a quick vacation.

Clearly, the information and alerts were out there for Heartland to be aware of this sophisticated attack vector. By any form of measurement, Heartland knew that they were a juicy target based on the volume of card data that they processed. Surprised that they were a target, no, surprised that they were unaware that their data was being intercepted for 6 months, very!

In the October indictment of Stephen Watt, it states that the worm was modified while it was on a server in Latvia at IP 195.3.144.9:







Incidentally, Latvian Banks come up repeatedly as a card fraud laundering conduit.

The sniffer named "blabla" that went undetected on the TJMAX network, was clearly in the hands of cyber criminals and "out there". After all, it was stashed on a server in Latvia, and could have been modified and improved after the TJMAX uncovering. That is why multiple "HEADS UP" alerts were out there. Besides Latvia being the location of the malware, much of the fraud proceeds were laundered through Latvian banks. That has a familiar ring to it.

Look at the huge motivation for cyber criminals to continue attacks using that vector. In the Feds' original indictment of Maksym Yastremskiy their forfeiture list included, but was not limited to:

$846,762.18 in E-Gold accounts
$ 87,517.36 in Parex Bank account
$3,781,436.36 in an Asia Universal Bank account
$4,862,884.96 in Western Union money transfers
$1,931,047 in US currency

Around 12 million in fraud proceeds, just from Yastremskiy. Though not the only player involved, he was the mastermind behind converting the card data. If the original intruder had been smarter, and everyone less greedy, that TJMAX intrusion could still be underway. Believe it or not, Albert Gonzalez was actually an informant for the FEDS during the time he was pulling off the TJMAX caper. He had been previously nailed for card fraud, and became an informant. All while committing one of the largest card data heists in history.

It was clear since mid 2008 that there was a proved capability for financial networks to be infiltrated and for card data to be intercepted. Not only that, but the first alerts were coming from the card issuers who, after considerable time, detected common patterns in the fraud. That detection can take considerable time when processors are infiltrated, due to the range and assortment of card data.

Based on the known sophistication of the sniffers that existed, the word back then would have been "assume that you are already infiltrated unless you can prove otherwise". Sit on, and analyze every outgoing packet of data from your network, until you can establish and confirm the legitimacy of every source.

Only when all card authorization data is sent encrypted from the point of origin to completion, can this potential intrusion vector be ruled out.

MGD
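
One way to act on the "analyze every outgoing packet" advice in the post above, as an added example that is not part of the original thread: a reviewer for outbound flows that flags Luhn-valid card numbers visible in payloads and traffic to destinations nobody has approved. The flow records, the approved-destination list and all addresses (documentation ranges) are constructed assumptions, and the card number is the widely published 4111... test value.

```python
import re

# Destinations that card data is expected to reach. Hypothetical value; a real
# list comes from your own inventory of acquirer and card-network endpoints.
APPROVED_DESTINATIONS = {("198.51.100.10", 443)}

# Constructed outbound flows, as a capture or proxy tool might hand them over.
FLOWS = [
    {"src": "10.0.5.20", "dst": "198.51.100.10", "dport": 443,
     "payload": b"\x17\x03\x03\x00\x20\x8a\x1f\xc4\x9b"},          # opaque, approved
    {"src": "10.0.5.21", "dst": "198.51.100.10", "dport": 443,
     "payload": b"PAN=4111111111111111;EXP=1012"},                  # cleartext, approved
    {"src": "10.0.5.22", "dst": "203.0.113.77", "dport": 80,
     "payload": b";4111111111111111=1012101000?"},                  # track-like, unapproved
    {"src": "10.0.5.23", "dst": "203.0.113.80", "dport": 443,
     "payload": b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc"},          # opaque, unapproved
    {"src": "10.0.5.24", "dst": "198.51.100.10", "dport": 443,
     "payload": b"order=1234567890123456"},                         # digits, not a PAN
]

# 13 to 19 consecutive ASCII digits that are not part of a longer digit run.
PAN_CANDIDATE = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(digits: bytes) -> bool:
    """Luhn checksum over ASCII digits; filters out most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ch - 48  # ASCII '0' is 48
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(payload: bytes) -> list:
    """Return masked card numbers (first 6, last 4) visible in the payload."""
    hits = []
    for match in PAN_CANDIDATE.finditer(payload):
        digits = match.group()
        if luhn_ok(digits):
            text = digits.decode("ascii")
            hits.append(text[:6] + "*" * (len(text) - 10) + text[-4:])
    return hits


def review_egress(flows, approved=APPROVED_DESTINATIONS) -> list:
    """Return (severity, src, dst, detail) for flows that need an owner."""
    findings = []
    for flow in flows:
        dest_ok = (flow["dst"], flow["dport"]) in approved
        pans = find_pans(flow["payload"])
        if pans and not dest_ok:
            findings.append(("high", flow["src"], flow["dst"],
                             "card data to unapproved destination: " + ", ".join(pans)))
        elif pans:
            findings.append(("medium", flow["src"], flow["dst"],
                             "cleartext card data on the wire: " + ", ".join(pans)))
        elif not dest_ok:
            findings.append(("low", flow["src"], flow["dst"],
                             "unapproved destination, payload not inspectable"))
    return findings


if __name__ == "__main__":
    for finding in review_egress(FLOWS):
        print(finding)
```

Pattern matching only sees card data that leaves in the clear, which is why the destination check runs independently of payload inspection.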

AlphaC9
join:2008-12-25

AlphaC9 to MGD

Member

to MGD

Re: [Credit Card Fraud] Heartland Payment Systems Card Data Hack

Thanks for posting that MGD, I was not aware of all the public data available.

I am a member at »inboxrevenge.com We do a lot of research into the websites advertised in spam. Criminal websites aren't going to be registered with the criminals' real names, and generally aren't paid for with their own money.

One of the brands I track not only doesn't use the real criminal's name to register their domain names, they use other people's real names and credit/debit cards. It is easy to confirm this. Domain names for .com/.net/.info domains have public whois information. In this particular case, the phone numbers are generally real or can be found in the phone book. I have a list of over 3000 of these domain names now. I posted a list on the Spamwiki of the ones where I had either contacted the "registrant" or confirmed other erroneous whois data (usually superficially changing the data to make it appear a US address was in Ireland or Australia, or else using a non-existent US area code): »spamtrackers.eu/wiki/ind ··· bo_whois . I haven't updated the wiki article in over six months, but you get the idea.

So, can I get anyone interested in investigating? Nope. All the individual losses are small, though there are tens of thousands of dollars involved total. But some of the people whose cards had to be replaced subsequently were victimized a second time, so there is an ongoing leak. And I can't blame it on victims having malware on their computers or visiting sleazy web sites -- I've talked to too many of them, and I don't buy that. Some don't even own computers or have email addresses.

That's not to say that I think the Heartland breach was related -- unless they are lying (not inconceivable, I know), the data lost was only what was on the card itself, not other account info. These people's addresses and home/work/cell phone numbers were also taken.

No, I think this is just one of many ongoing similar problems. And the mindset that it's too expensive to investigate a small loss means that these will continue to be revealed, and people will continue to express shock, because it's just not sinking in that any missing money/data has to have an explanation, and that analyzing the pattern evident in small losses will likely reveal the leak.

Whatever happened to, "Take care of the pence and the pounds will take care of themselves?"

florida
@tmodns.net

florida to MGD

Anon

to MGD
Heartland reps answer questions, and

exact date of breach possibly not released because of possible insider stock trading before public knowledge.
etc etc.:

(from information security resources via rense)

»information-security-res ··· estions/

JLevinworth
James Levinworth
Premium Member
join:2004-11-21
Muddy Field

1 recommendation

JLevinworth to MGD

Premium Member

to MGD
quote:
Heartland Data Breach Update: Now More Than 500 Institutions Impacted.
»www.bankinfosecurity.com ··· _id=1200

According to their interactive map here, the count is now at 519.
»www.bankinfosecurity.com ··· each.php
JLevinworth

JLevinworth to MGD

Premium Member

to MGD
And in related news from the same source:

Class Action Suit Filed
»www.bankinfosecurity.com ··· _id=1181
quote:
The law firm says it is suing on behalf of consumers whose sensitive financial information was compromised in the data breach at Heartland. The complaint raises a claim pursuant to the New Jersey Consumer Fraud Act, and asserts causes of action for negligence, breach of implied contract, breach of contracts to which Plaintiffs and Class members were intended third party beneficiaries, breach of fiduciary duty, and negligence. The payments processor did not disclose how many credit card account numbers were compromised as a result of the breach.

The suit also states that Heartland only became aware of the breach after it was notified of patterns of fraudulent credit card activity by VISA and MasterCard. "Analysts have stated that the fact that Heartland did not detect the breach on its own suggests that it had not implemented (or was not using) all of the security controls called for by the Payment Card Industry Data Security Standard ("PCI"), a set of security controls mandated by the major credit card companies," the suit asserts.
Key points in lawsuit:

»www.bankinfosecurity.com ··· ling.pdf
quote:
2. Sometime in 2008, unknown and unauthorized third persons hacked into Heartland’s computer network and gained access to the Sensitive Financial Information of an undetermined number of consumers.

3. Heartland only became aware of the data breach after it was notified of patterns of fraudulent credit card activity by Visa and MasterCard. Analysts have stated that the fact that Heartland did not detect the breach on its own suggests that it had not implemented (or was not using) all of the security controls called for by the Payment Card Industry Data Security Standard (“PCI”), a set of security controls mandated by the major credit card companies.

4. Heartland apparently learned that its computer systems might have been hacked in late October of 2008, and only determined that its systems had indeed been breached in mid January 2009. On January 20, 2009 – the date of the Presidential Inauguration – Heartland silently issued a press release that publicly revealed for the first time that a data breach had occurred.

5. While it has belatedly disclosed the data breach, Heartland has refused to identify which of its merchants are affected by the breach. Upon information and belief, Heartland has also failed to personally notify the consumers whose Sensitive Financial Information in a sufficiently timely manner, as required under various state statutes that require notice of a data breach without unreasonable delay.

6. The Sensitive Financial Information that was compromised in the Heartland data breach – which reportedly includes names and all of the information contained on a credit card’s magnetic strip – can be used to make fake credit cards.

7. While Heartland has advised cardholders to carefully monitor their credit card statements and has set up a website with information regarding the data breach, it has not offered affected consumers anything that may protect or compensate them for their injuries suffered as a result of the breach, such as free credit monitoring, identity theft insurance, or payments for freezing/unfreezing one’s credit.

8. Heartland has not revealed the number of consumers whose Sensitive Financial Information has been compromised. However, analysts have stated that the data breach at Heartland may rank among the biggest ever reported.
K Patterson
Premium Member
join:2006-03-12
Columbus, OH

K Patterson

Premium Member

And what should arrive in the mail today but a new debit card with a new account number plus a buck slip saying that it was being issued because of a security breach that may have compromised my account.

Yes, one of the institutions on the list.

DC DSL
There's a reason I'm Command.
Premium Member
join:2000-07-30
Washington, DC
Actiontec GT784WN

1 recommendation

DC DSL to pcdebb

Premium Member

to pcdebb
I've been saying since the 90s when stuff started going offshore that it was opening the door to abuse, theft, and fraud because the laws in the performing countries require nowhere near the level of security, certification, or recourse as here in the US. No one gave a hoot. It (along with raising a stink about how they were violating the law by fabricating a shortage of qualified US workers to get more H-1B visas to push out American IT workers) cost me my big-bank clients.

You can count on it being insiders here and offshore cohorts that are the reason that so many newly-issued cards get compromised even before the Postal Service has picked them up. The banks universally deflect scrutiny of their use of offshore contractors, because it would open them to ruinous federal penalties and lawsuits from every direction since, even though they are contractors, a bank bears ultimate responsibility for agents operating on their behalf. They also want this kept away from public scrutiny, because fraud losses rival consumer defaults...you can be sure that taxpayers would demand banks that are turning a blind eye to their practices losing them countless billions be put out of business instead of bailed out.

Folks need to start contacting their Congresspeople and Senators and demand that banks repatriate all sensitive financial data. Keep that stuff under lock and key here, with access tightly controlled and restricted to vetted US employees. Require banks pass annual and surprise inspections of their facilities and security. And require banks to act immediately when fraud is reported to them, not when and if it becomes a necessary evil for them.
MGD
MVM
join:2002-07-31

1 recommendation

MGD to K Patterson

MVM

to K Patterson
said by K Patterson:

And what should arrive in the mail today but a new debit card with a new account number plus a buck slip saying that it was being issued because of a security breach that may have compromised my account.

Yes, one of the institutions on the list.
I am thinking aloud here, one of the oddities from the beginning, when the list of affected banks was being published and continually updated on bankinfo security (posted by JLevinworth), was that the majority were regional or localized institutions.

In fact many of the people, including you, K Patterson, who have reported receiving new cards as a preemptive move, were also from regional institutions.

I have gone back and reread the original breach disclosure, and unless I am missing something, the focus has been on the interception compromise of transaction data coming from Heartland's merchant account vendors. That disclosure does not appear to reconcile with the aftermath behavior of the financial institutions. Why are mostly regional institutions preemptively replacing cards that have not yet been fraudulently compromised? I mentioned earlier that it was unlikely that there would be wholesale card replacement due to the significant cost involved. If every card that went through Heartland's 250k merchant accounts was replaced, that cost at roughly $20 a card, could far exceed the combined total cost of fraudulent usage.

In looking for clues, it appears that Heartland may have actually been the settlement processor for many regional bank institutions. If that were the case then transaction reconciling data for all of those institutions' cards would have passed through Heartland, regardless of whether the originating vendor had a merchant account from Heartland or not. If true, then those institutions' cards would have been far more exposed than a random cardholder who happened to have made a purchase from a vendor who had a Heartland merchant account. Every single card transaction for such an institution's card regardless of where it was made at, would pass through their network.

That may explain why it is these regional and community banks that are replacing their entire stock of cards, and not the national banks who settle their own transactions. Their cards would have reduced exposure, and only if the holder had made a transaction with a vendor who had a Heartland merchant account. Maybe someone can pick apart that theory, or find published information that confirms or denies this speculation.

I did find a Heartland "About Us" piece that does refer to "community banks" as being their customers.




Since banks do not generate card transactions, the assumption is that Heartland is contracted to be their settlement provider, and thus would have routed all transactions for all cards from a given institution through their systems.

Maybe that has been reported and I have missed it, but there is surely some reason as to why regional banks are disproportionally replacing cards as a precaution.

MGD

Snowy
Lock him up!!!
Premium Member
join:2003-04-05
Kailua, HI

Snowy

Premium Member

said by MGD:

Maybe that has been reported and I have missed it, but there is surely some reason as to why regional banks are disproportionally replacing cards as a precaution.
A few things come to mind quickly.
Maybe the smaller regionals have considered the cost of replacement vs the potential cost of not replacing them & have decided to go with the known cost of replacement.
The larger the bank, the larger a loss it should be able to absorb, or the larger banks have the deep pockets to go after the processor(s) if the losses are large enough where the regionals may not be so well equipped.
Thing is the larger banks can play by a different set of rules than the regionals just by virtue of their clout.

JLevinworth
James Levinworth
Premium Member
join:2004-11-21
Muddy Field

2 edits

JLevinworth to MGD

Premium Member

to MGD
I think you're onto something MGD. Have you seen anywhere a list of merchants and not institutions that have been affected?

This blurb also fits your theory:
quote:
A bank in Texas reports that its customers are being targeted in a phishing scam related to the Heartland breach. Extraco Bank in Killeen, TX had to replace 9,000 cards that were compromised. On Saturday, the bank told customers in an email that if they received a text message or page that told them to call an 866 number and asked for debit or credit card number, expiration date and PIN numbers, to contact the bank. It is a phishing scam, the bank told its customers.
»www.bankinfosecurity.com ··· _id=1227

In reading this interview with Doug Johnson of the American Bankers Association, titled "Heartland Data Breach: What Can Banks Do?", I also get the impression there is some kind of a wholesale relationship with HPS processing Visa/Master Cards directly with the institutions.

This quote jumps out, "So because of the community banking concerns that have been expressed, Visa and MasterCard obviously do have their own processes whereby they communicate with the issuers of their respective cards."
»www.bankinfosecurity.com ··· 223&pg=2

When you read the entire interview, the "members" he refers to are the institutions themselves who are members of ABA.

Hmmmmmmmmm
MGD
MVM
join:2002-07-31

MGD to Snowy

MVM

to Snowy
said by Snowy:

........
Thing is the larger banks can play by a different set of rules than the regionals just by virtue of their clout.
Indeed, and also increased capability to selectively adapt to and block specific incoming transactions at the merchant account level. Yours is certainly a plausible explanation.

That original scenario is hypothetical, though I felt it worthy of discussion because some of those regional / community banks were not located in market areas where Heartland was heavily concentrated. Your scenario could well be a plausible explanation.

Also if my hypothesis were even remotely accurate, then it would raise serious questions about that omission in the initial release. It would have no bearing on a pending LE investigation, and since they are a public company, it would be an integral component in a material event that should be disclosed.

MGD