Mistakes worth billions

"It is always better where we are not": how often have we heard this phrase, and how often have we said it ourselves? But sometimes it seems that the time has come when it is better where we are, not where "they" are. According to analysts, the two countries that will be the winners at the end of the world economic crisis are Russia and China. But apart from this factor, there are many others that do not speak in "their" favor. One such factor is cybercrime and the growing volume of theft and system breaches.

This year Heartland Payment Systems (HPS), the sixth-largest processing center in the United States, announced a data leak that is perhaps the largest in the history of the United States, and indeed of the world. In fact, the breach was detected as early as October, when Visa and MasterCard reported suspicious transaction activity to HPS management, but the company preferred to keep silent, merely informing the appropriate authorities. The company decided to break its silence only on 20 January, which "accidentally", "not on purpose", coincided with the day of the inauguration of Barack Obama. As Robin Bolvin, the company's financial manager and president, stated in an interview with the Washington Post, there was not even a thought of withholding anything; the delay was caused by the fact that before the announcement it was necessary to examine everything carefully and to talk with the companies that had been victims of the incident. All these procedures ended right on the day of the inauguration, and the company decided that it could not hold the announcement back, as that would be "unacceptable". Weak excuse, frankly ...

According to the company's official statement, the attackers managed to penetrate the system and install special software that allowed them to obtain credit card holders' data.
HPS does not give any specific figures, but taking into account the company's turnover and the fact that it is still not known when the software was installed, it becomes clear that the count of compromised records runs not to dozens, hundreds or even thousands, but to millions. As for timing, many experts name May 2008, which means that the program had half a year to copy customer information. Heartland Payment Systems serves more than 250 thousand organizations, among them eminent Western commercial banks, including such giants as Bank of America. Each month the company processes about 100 million transactions, 40% of which come from small and medium-sized restaurants and cafes.

The US Secret Service is already involved in the investigation, and it has been able to detect malicious code created specifically for HPS. According to the experts, the code found is much more sophisticated and dangerous and, on top of that, is normally distributed on the Internet, which probably helped it to remain unnoticed for a while.

This case has caused a huge resonance in society, calling into question the effectiveness of the PCI standard. "Billions is being spent on PCI compliance, but it isn't really working," said Eviva Litan, an analyst at the Gartner agency. "PCI's dirty little secret is that it doesn't mandate encryption inside a private network because then all the processors would have to encrypt". Heartland was compliant with PCI, certified by PCI assessor Trustwave in April, but PCI compliance isn't stopping the wave of attacks against payment processors, Litan notes. Litan also notes that the PCI standard does not require weekly inspections to verify the integrity of the system, which gives a malicious program a long time to remain undetected.
The Gartner analyst also noted with irony that today, despite the prohibitions, some retailers still encrypt data within their own private networks, but they have to decrypt it all again before sending the information to the processing center.

On the day of the official press release on the case, the company launched a website to keep everyone informed about what is happening and about the progress of the investigation: http://www.2008breach.com. However, one must admit that the site loads very badly, and sometimes does not load at all. Maybe the fault lies with the IP address of the computer, which does not fall into the category of possible victims.

As for the victims, HPS representatives stressed that cardholders will not be held responsible for transactions made by third parties, with the proviso that these measures will be taken only if there is information that the cardholder has suffered as a result of the breach. To date there have already been several lawsuits against the company. The investigation is still ongoing. How this scrape will turn out for HPS is not yet known.

The saddest fact is that companies do not want to learn from the mistakes of others: the HPS breach is huge, but it is not the first. On 17 March 2008 the Hannaford Brothers Co. supermarket chain reported that hackers had managed to crack its system and steal data on at least 4.2 million credit and debit cards. In December 2008 RBS WorldPay, the payment system of Royal Bank of Scotland, reported a breach in which the data of about 1.5 million people were compromised.
The company's slogan, "20 years of security in the payments business", of which it was so proud, no longer rang true and was quickly forgotten. A year earlier, the American retail giant TJX Companies Inc., the parent company of such well-known chains as Marshalls and TJ Maxx, had shocked Americans with news of the theft of more than 45 million credit and debit cards as a result of a system breach. Moreover, the data leak at this giant had continued for a period of 3 years. In 2005 the processing company CardSystems Solutions put nearly 40 million credit and debit card holders at risk.

Why do companies with such a rich anti-history keep stepping on the same rake? The companies' own losses have amounted to millions and billions of dollars. Is this profitable? Would it not be cheaper to hire a team of professionals to monitor the systems? Why, knowing the imperfections of the PCI standard, does no one try to improve it? Although we must admit that the HPS case did draw the attention of the authorities, who have decided to get involved in this world of binary code, firewalls and other computer muddle.

Thus the 44th U.S. President Barack Obama, who has just "mounted the throne", has decided to initiate a large-scale fight against hackers and other mischief, unveiling a program to combat cybercrime, one item of which is to establish a single standard of network security. There has not been any such large-scale loss of data in Russia, although the reason for this is not the perfection of the systems but the unpopularity of plastic cards. Russia is still dominated by his majesty cash; people prefer to carry with them crisp banknotes, familiar to the touch and closer to the heart, including the ones depicting American presidents.
Perhaps we will come to this plague too, but apparently not in the next few years, though a closer look at the certificates and standards could be taken even now. Prepare your sleigh in summer, so to say ...