The announcement by federal prosecutors that three hackers have been indicted for the Heartland Payment Systems breach comes a week before the payments processor faces a judge in federal court over two class-action suits.
In response to the indictments, information security experts say the arrests might represent a battle won, but the war against hackers is nowhere near over. "The fact that three folks (assuming that that's all there were) can do all this says that it's pretty darn cost-effective to steal card data," says David Taylor, founder of the PCI Knowledge Base. "Talk about 'low overhead.'"
"It's always great to see the bad guys being hauled in, especially with a case this big, but it would be a mistake to assume that there aren't other criminals out there with similar goals and skill sets," says Tom Wills, Senior Analyst, Security & Fraud at Javelin Strategy and Research. Because law enforcement and the various victim companies' fraud departments did such a good job of investigating the case, it looks like prosecutors stand a good chance of getting a conviction, he notes. "Although we now know the form of attack that (Albert) Gonzalez and his accomplices used, it would be valuable for the information security community to get a detailed, blow-by-blow description of both the attacks and countermeasures adopted against them."
Even with this high-profile indictment, the entire payment stream remains at risk, says Nick Holland, analyst at Aite Group. "These crimes are unfortunately not rocket science, and while the reward of card data outweighs the risk of being caught acquiring it illegally, this will continue to happen," Holland notes. In fact, Holland believes U.S. card data will increase in value, as almost all other major countries move to a smart card architecture, making counterfeiting more expensive for criminals. "This is probably just the start," he says.
The professionals entrusted with information security must realize there are more out there, says Brenda Eaden, head of IDTELi, an identity theft prevention workforce education firm. "The more sophisticated thieves are ingenious, and no company or government agency should rest easy with a false sense of security that our bad-guy days of worry are over," she says. "A few very skilled hackers slipped up and got caught, but one can only imagine that even smarter ones are still out there and hard at work."
When breaches occur, who knows how many other hackers paid a price to be let in the door "and haven't left the party," Eaden says. "Sometimes they lie in wait, testing and testing, waiting for the coast to clear or for an open opportunity."
There Will Be More Breaches
In a review of the information released by the Department of Justice, Avivah Litan, Distinguished Analyst at Gartner Group, says, "It looks like Gonzalez started the attack on Heartland right when he was getting indicted for TJX." She speculates that while perhaps his activities "have been curtailed for the time being, no doubt he has cronies either above or below him that can carry on with more attacks."
Litan says this information validates the number of accounts she estimated were breached at Heartland. "I said over 100 million accounts, and in fact it was well over that - and these accounts were all good, live card accounts, unlike TJX, for example, where a lot of inactive accounts were compromised."
U.S. card issuers and the industry need to strengthen the core of card payment security, Litan says, with technologies such as chip and PIN and true end-to-end encryption (retailer to issuer). "It's aggravating for the non-U.S. card issuers who spend millions upgrading to Chip and PIN cards, only to have their cardholders come to the U.S., use them as magstripe cards and get their data breached at companies like Heartland," she says. Those card issuers can't remove the magstripes from their cards if they want to enable their cardholders to shop in the U.S. or other countries that have not implemented chip and PIN. Litan asserts it's time for the U.S. card industry "to get on the bandwagon and upgrade payment card system security, and stop pretending that PCI is working."