Monday, February 16, 2009

Heartland Payment Systems Breach - First Arrests Made

StorefrontBacktalk has further detail about the Heartland Payment Systems data breach, including the fact that the malware hid in slack space on the disk and was detected through temp files. The current suspects are Eastern European, but three arrests have been made in Tallahassee after suspects used cards with data stolen in the breach. Interestingly, the suspects were using gift cards rather than credit cards, and according to the article Wal-Mart was a favorite location.

Heartland's next step, according to StorefrontBacktalk, is to investigate end-to-end encryption, noting that PCI is not sufficient. The article points out that the card data itself is unencrypted, so protection depends on encrypting the connections rather than the data that travels over them. Pushing encryption out to the endpoints would require a significant infrastructure change: every endpoint card might well require an encryption key and a PIN. The good news is that an approach combining endpoint encryption with encrypted data in transit reduces your vulnerable points to those owned by the issuing bank, and PCI compliance would become much simpler. The comments are well worth a read for the technically inclined.
