arstechnica.com — Move over TJ Maxx, payment processor Heartland Payment Systems has potentially leaked up to 100 million credit and debit accounts into the black market. That number, if verified, would make this the largest data breach on record. It also means the United States has managed to set two national records in the same day.
Jan 21, 2009
stvidguy, Jan 21, 2009
New Priority for Obama Administration: Establish a new system to ensure that our credit card information is safe.
mediablitz, Jan 21, 2009
They released this information on inauguration day? How much harder could they try to not get this noticed?
Closed Account, Jan 21, 2009
Yes, the story mentioned malware was to blame. Malware strikes Windows boxes.
mrethiopian, Jan 22, 2009
Bullshat, the PII was not compromised; this story and Heartland's CFO Mr Baldwin are misleading and/or giving an incomplete summary of what can be / was on the PIN. The PIN has three tracks of data and can include (VISA) user name, PAN, service code, account number (FSAN), etc. etc., a plethora of your data!

Yes, the data is encrypted, but the DES key is included in the data stream and can be reversed rather easily.
Closed Account, Jan 22, 2009
I was quite nice, I didn't miss a payment, it was their mistake, and the only time I got upset was when they refused to fix it. Not to mention that Discover had cashed my check, I provided proof AND they STILL refused to fix it. What more do you want? Discover may have changed, but I highly doubt it.
fritzed, Jan 22, 2009
Charredo is correct about the fact that mod10 validation doesn't provide you real cards. However, he's wrong about the CVV value. CVV is absolutely NOT stored on the magnetic stripe. The CVV is a security measure specifically for the fact that it is not recorded by magstripe readers or a card imprinter. This is also why the CVV code is not raised on the card like the card number.

This is most definitely a breach; it includes card numbers and expiration dates known to be good within the past year, along with the cardholder's name. Heartland's CFO is indicating that this won't help with online payments because it doesn't include the address. However, a clever hacker can use the BIN number (first 6 card number digits) to find what bank branch issued a card (if it is bank issued) and in conjunction with the customer name they could probably find the customer address with a phone book search.
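The mod10 (Luhn) check fritzed refers to is the same check a defender uses to find card numbers that have leaked into places they should never be, such as application logs, which is exactly the kind of data store a processor compromise turns into a goldmine. The block below is an added example, not code from this thread, from Ars Technica or from Heartland: it runs a Luhn check over every 13 to 19 digit run in some constructed log lines and masks the ones that pass, keeping only the first six (BIN) and last four digits. The sample lines and the 4111 1111 1111 1111 number are constructed test data (that number is a widely used Visa test PAN, not a real account).

```python
import re

# Constructed sample log lines (not from the article or from Heartland).
# The PANs are test numbers, not real accounts.
SAMPLE_LOG = [
    "2009-01-20 10:15:02 checkout order=1001 pan=4111111111111111 exp=1210 status=approved",
    "2009-01-20 10:15:03 shipment tracking=4111111111111112 carrier=ups",
    "2009-01-20 10:15:04 callback phone=5551234567 result=ok",
]


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the mod10 (Luhn) check-digit test.

    Passing says only that the number is well formed; as the comment above
    notes, it says nothing about whether an issuer ever assigned it.
    """
    if not digits.isdigit() or len(digits) < 2:
        return False
    total = 0
    # Walk from the rightmost digit; double every second digit and fold
    # two-digit products back into one digit (subtracting 9 does that).
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six (BIN) and last four digits, star everything between.

    First-six/last-four is the maximum PCI DSS permits to be displayed.
    """
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Candidate PANs: 13 to 19 contiguous digits not embedded in a longer digit run.
# Assumption: the log writes PANs unformatted; spaced or dashed forms would
# need a second pattern.
PAN_CANDIDATE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def scrub_line(line: str) -> tuple[str, int]:
    """Mask every Luhn-valid candidate in one line; return (scrubbed line, count masked)."""
    count = 0

    def repl(match: re.Match) -> str:
        nonlocal count
        candidate = match.group(1)
        if luhn_ok(candidate):
            count += 1
            return mask_pan(candidate)
        return candidate  # Luhn fails: tracking number, order id, etc.

    return PAN_CANDIDATE.sub(repl, line), count


def scrub_log(lines) -> tuple[list, int]:
    """Scrub a sequence of log lines; return (scrubbed lines, total PANs masked)."""
    scrubbed, total = [], 0
    for line in lines:
        out, n = scrub_line(line)
        scrubbed.append(out)
        total += n
    return scrubbed, total


if __name__ == "__main__":
    lines, masked = scrub_log(SAMPLE_LOG)
    for line in lines:
        print(line)
    print(f"masked {masked} PAN(s)")
```

The second sample line carries a 16-digit tracking number that fails the check digit, so it is left alone; the Luhn filter is what keeps a scrubber like this from mangling every long number in a log. The trade-off runs the other way too: a Luhn-valid number that was never issued still gets masked, which is the right failure mode for a scrubber, since the cost of a false positive is a starred-out tracking id and the cost of a false negative is a stored PAN.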
jmubane, Jan 22, 2009
To explain: I worked for a very VERY shady guy. He did everything as cheap as possible and his customers weren't any different. All the CC companies ever did (while I was doing POS at least) to try to enforce security was charge additional fees if certain standards weren't met, but my boss didn't care and neither did the business owners (which I guess runs counter to them being cheap bastards, but whatever).

I would never under-estimate the technical prowess of digg users though... what with all the linux crap that gets a million and a half diggs on here. ;)
Closed Account, Jan 22, 2009
Food is cheaper at the market. The market only takes cash.
Closed Account, Aug 7, 2009
http://www.manifestmoneytalks.com/business-credit-cards/ Just trying not to be so paranoid. Guess I'll go back to the sheeple herd
johnnysoftware, Dec 9, 2009
[CAUTION!?] There is a warning at the top of the Ars Technica web page this article points to that says:

===
Reported Attack Site!
This web site at csengdesign.co.uk has been reported as an attack site and has been blocked based on your security preferences.
Attack sites try to install programs that steal private information, use your computer to attack others, or damage your system.
Some attack sites intentionally distribute harmful software, but many are compromised without the knowledge or permission of their owners.
===

Then, below the text above, I see two buttons, which I am not going to click: (Get me out of here!) and (Why was this site blocked?)

The whole thing is in a brown-background box with white text. I have the "Warn when visiting fraudulent web site" checkbox CHECKED in Safari "Security" preferences. I have loaded the web page this Digg article links to TWICE; both times, the same result.

I popped the page out of the Digg frame and the warning image is still there. So I drilled into the IMG tag for the image and it is served from the Ars Technica site itself, which is really, really strange, since the article in no way refers to it or comments on it. (???!) Here is the contents of the src attribute for the IMG tag: http://static.arstechnica.com/assets/2009/01/malware-thumb-640xauto-223.jpg

Examining the surrounding HTML tags, this image lies in the main/content/news-item/news-item-figure/news-item-figure-image area of the article. It is NOT in the advertising content portion(s) of the page, which would have been less surprising and overtly bad.

If anyone can tell this is legitimate, spurious, or can somehow be addressed, then please reply to this comment with something helpful/insightful, I guess.
johnnysoftware, Dec 10, 2009
Yeah, they were using Windows. According to their own want-ads at Yahoo jobs, they use ASP, VB, and MS SQL Server. Nothing cries "I use Windows" like that list of technologies. Means they use Windows: on their database server, on their web server, and on their development workstations as well.

In other words: Microsoft Windows shop.
johnnysoftware, Dec 10, 2009
Well, Heartland's want-ad posting on Hotjobs makes it clear they are a Windows shop (VB, ASP, MS SQL Server now, converting to C# in future) and they plan to stay one.