MIT Technology Review



Given the size and sophistication of Heartland’s business–it is one of the top payment-processing companies in the United States–computer-security experts say that a standard, in-the-wild computer worm or Trojan is unlikely to be responsible for the data breach. The company itself believes that the break-in could be part of a “widespread global cyber fraud operation.” Heartland is cooperating with federal authorities.

Some computer-security professionals say that incidents of this kind have become more targeted in the past year, with attack tools often customized to specific industries, or even specific companies. Often this is accomplished by attacking weaknesses in software known to be commonly used in a particular industry sector. Another payment-processing company, RBS Worldpay, was the victim of an attack last December.

Security professionals say that a key question–perhaps even more pressing than how the attackers accessed the network–is how the breach went undetected for so long.

Heartland has promised to install a “next-generation program designed to flag network anomalies in real-time,” as part of its attempt to bolster its network against such attacks in the future. In fact, many financial and other companies already use real-time network intrusion and anomaly-detection technology. Most such tools have a couple of functions: identifying signatures of known malware and looking for unfamiliar patterns of network activity that may indicate unauthorized access.

Yet even the best of these systems is no magic bullet, professionals say. The weak link is often still human: employees who aren’t monitoring the system closely enough or haven’t updated the tools’ profiles to reflect network changes. “It’s not about having the best, most expensive next-generation software,” says Inno Eroraha, founder of NetSecurity, a computer-security and -forensics company. “You have to get human beings involved. If nobody’s monitoring those systems, it may already be too late.”

Credit-card payment processors such as Heartland are already bound to follow a set of security standards known as the Payment Card Industry Data Security Standard (PCI DSS), covering issues such as maintaining secure networks, protecting stored cardholder data, and keeping antivirus software up to date. Heartland was certified as PCI compliant last year, and other recent victims of break-ins, including RBS Worldpay, can make similar claims. But professionals say that the standards are evolving, as technology–and attackers–become more sophisticated. “From what we’ve seen, PCI has been effective, but it is a starting point,” says Mike Hrabik, chief technology officer of Solutionary, a computer-forensics company. “Is it where it needs to be? No.”


Credit: Technology Review
