Malware Swipes Millions of Credit Cards
A security breach shows failings in security rules.
Tens of millions of credit cards could be at risk of fraudulent use thanks to a serious computer-security breach at financial-transactions company Heartland Payment Systems. Earlier this week, Heartland revealed that a piece of malicious software, apparently installed inside the company’s transaction-processing system last year, had compromised credit-card data as it crossed the network.
The breach was announced on Tuesday–the day of the U.S. presidential inauguration–and, according to some experts, it shows that attackers are successfully defeating the financial industry’s tough computer-security rules. “The potential is certainly there for this to be one of the biggest, if not the biggest breach we’ve seen,” says Rich Mogull, founder of computer-security consulting company Securosis. “Something huge had to have gone wrong here.”
It’s not clear precisely what kind of malicious software was used, or how many credit-card accounts were compromised. But company president Robert Baldwin has said that Heartland handles as many as 100 million transactions per month.
From a consumer perspective, the level of danger stemming from the Heartland breach is uncertain but significant. Heartland has declined to say which merchants were involved in the fraudulent transactions, or how long the malicious software was operating. But the company serves more than 250,000 locations, with a particular focus on small businesses such as restaurants and hotels.
Heartland has created a website to answer customers’ questions regarding the break-in. Some credit-card companies are already notifying subscribers, and others may simply issue new cards. But consumers have been warned to keep a close eye on their statements. Most credit-card companies will cover the cost of unauthorized activity completely, as long as the fraud is reported within several months.
Heartland executives say that their first danger sign came in the form of warnings from MasterCard and Visa regarding suspicious transaction activity related to the company’s business. Heartland hired forensic computer specialists to investigate, and last week discovered the malware on its system, according to statements issued by the company.
Heartland says that the compromised data did not include personal information such as addresses, PIN numbers, Social Security numbers, or phone numbers, reducing the threat of full-blown identity theft. However, security experts say that the data stolen could be used to create cloned versions of the original credit cards, with nothing more complicated than blank magnetic-strip cards and a sub-$200 card writer. In most cases, these false cards would have to be used at a physical location since online purchases and other “card not present” transactions typically require a customer’s address or other identifying information to be supplied.
Given the size and sophistication of Heartland’s business–it is one of the top payment-processing companies in the United States–computer-security experts say that a standard, in-the-wild computer worm or Trojan is unlikely to be responsible for the data breach. The company itself believes that the break-in could be part of a “widespread global cyber fraud operation.” Heartland is cooperating with federal authorities.
Some computer-security professionals say that incidents of this kind have become more targeted in the past year, with attack tools often customized to specific industries, or even specific companies. Often this is accomplished by attacking weaknesses in software known to be commonly used in a particular industry sector. Another payment-processing company, RBS Worldpay, was the victim of an attack last December.
Security professionals say that a key question–perhaps even more pressing than how the attackers accessed the network–is how the breach went undetected for so long.
Heartland has promised to install a “next-generation program designed to flag network anomalies in real-time,” as part of its attempt to bolster its network against such attacks in the future. In fact, many financial and other companies already use real-time network intrusion and anomaly-detection technology. Most such tools have a couple of functions: identifying signatures of known malware, but also looking for unfamiliar patterns of network activity that may indicate unauthorized access.
Yet even the best of these systems is no magic bullet, professionals say. The weak link is often still human: employees who aren’t monitoring the system closely enough or haven’t updated the tools’ profiles to reflect network changes. “It’s not about having the best, most expensive next-generation software,” says Inno Eroraha, founder of NetSecurity, a computer-security and -forensics company. “You have to get human beings involved. If nobody’s monitoring those systems, it may already be too late.”
Credit-card payment processers such as Heartland are already bound to follow a set of security standards known as the Payment Card Industry Data Security Standard (PCI DSS), covering issues such as maintaining secure networks, protecting stored cardholder data, and keeping antivirus software up to date. Heartland was certified as PCI compliant last year, and other recent victims of break-ins, including RBS Worldpay, can make similar claims. But professionals say that the standards are evolving, as technology–and attackers–become more sophisticated. “From what we’ve seen, PCI has been effective, but it is a starting point,” says Mike Hrabik, chief technology officer of Solutionary, a computer-forensics company. “Is it where it needs to be? No.”
Become an MIT Technology Review Insider for in-depth analysis and unparalleled perspective.Subscribe today