
Friday, 31 January 2014

Protecting Your Yahoo Account

So, apparently Yahoo has suffered yet another breach. A quick search of the news sites (Bing Search) would bring up more info.

Sign in to Yahoo and change the account password as soon as possible.

Then, enable Second Sign-In Verification:

image

We suggest using SMS as the primary method for protecting the account as opposed to the security questions.

Under Account Info:

image

Once the mobile is confirmed make the following setting:

image

This at least will provide a layer of protection unless the verification system itself also gets compromised. But, if that's the case Yahoo would probably have bigger problems on their hands! :S

While you're at it please enable 2FA (2 Factor Authentication) on all Microsoft IDs and download the Authentication App to your mobile device and _use_ it!

Now that online service providers are starting to allow us to protect ourselves with additional security steps the onus is on us to use those features!

Philip Elder
Microsoft Cluster MVP
MPECS Inc.
Co-Author: SBS 2008 Blueprint Book

Chef de partie in the SMBKitchen
Find out more at
Third Tier: Enterprise Solutions for Small Business

Monday, 2 April 2012

Global Payments Inc. Breached: How Many Credit Card Numbers (says 1.5 Million) This Time?

NOTE: This is a _very_ opinionated post.

When are our government representatives going to stand up for us when it comes to data breaches that impact our day to day lives?!?

We can’t seem to embed the Bloomberg video at the following URL:

It is a good discussion of the unknown status around the hacking of payment processor Global Payments Inc.

We had our issues around the breach of Heartland Payment Systems (blog Breach category) given the way the whole thing played out. We were directly impacted by that particular breach.

Whether or not we are impacted by this current breach has yet to be seen but rest assured that we will be watching our CC online statements daily, as we regularly do anyway, for any fraudulent activities!

It is time to have legislation in place that does not allow breaches like this to fly under the radar or remain undisclosed as is the case here for _weeks_ after the breach. Our governments need to step up to protect their constituents.

It is _NOT_ up to the CEO of Global Payments Inc. to weigh things out with regards to breach disclosure.

Good on VISA for pulling their support of Global Payments Inc. Now, MasterCard, American Express, Discover, and others need to follow suit.

It is time for the credit card industry to start outright punishing payment processors for not having proper security elements in place to protect our credit card information.

Multi-Tier type authentication like AuthAnvil is not that expensive to implement. Training folks up and beyond the lowest common denominator is also a good step. That’s the cost of doing business in today’s hostile online environment.

And, no, there is NO excuse for a payment processor to not have our data protected using the best possible methods. Period.

Just ask the people who lose their lives to trying to recover their identity, their credit, and every other aspect of getting things straightened out after their credit card(s) and/or identity have been stolen.

Original Hat Tip: Susan Bradley

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists
Co-Author: SBS 2008 Blueprint Book

*Our original iMac was stolen (previous blog post). We now have a new MacBook Pro courtesy of Vlad Mazek, owner of OWN.

Windows Live Writer

Wednesday, 12 May 2010

Update – Heartland Payment Systems Breach Costs

Computerworld has an updated figure on the approximate breach costs to Heartland Payment Systems.

The breach dollar amount is arrived at via Heartland’s published quarterly financial results.

What does that tell us?

Not a lot since Heartland has been quite closed about publishing any information on the real impact that the breach has had on their clients that use them for payment processing.

We have a number of posts on this particular breach since we were directly impacted by it.

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists
Co-Author: SBS 2008 Blueprint Book

*Our original iMac was stolen (previous blog post). We now have a new MacBook Pro courtesy of Vlad Mazek, owner of OWN.


Monday, 11 May 2009

Heartland Payment Systems, Visa, and PCI Compliance

Attrition has a very good read on how they regard PCI compliance in relationship to the Heartland Payment Systems breach as well as the RBS Worldpay breach:

From the article:

security curmudgeon

I am so fed up with this entire ordeal. As a customer who was twice affected by Heartland's security breach (two different cards through two institutions were re-issued because of the breach), I am disgusted with Visa and Heartland. PCI and its cheerleaders make me angry.

We have been keeping an eye on the whole Heartland breach fiasco since we found out about it, because one of our credit card providers, and thus we ourselves, were directly impacted by the Heartland breach.

One of the promises made by Heartland was “openness” around the whole incident. To date, other than the initial press releases made by Heartland, there has been very little information on the impact the breach has had or the how/when/where/what on the intrusion itself.

Visa, MasterCard, and other credit card providers surely know but it is in their best interest to keep things as mum as possible too.

For those that are keeping some track on the impact of the Heartland breach, here is a somewhat accurate tally of the costs to Heartland so far:

The Network World article covers Heartland’s push, and investment, in an end-to-end encrypted tunnel for payment processing between the merchant and the payment processor (Heartland).

The actual costs to those impacted by the breach, meaning all of those whose credit card information was taken, is an unknown and may never be known.

The reality is, we are ultimately the ones responsible for protecting our identities. We need to remain ever vigilant over our bank and credit card accounts by using their online transaction management systems on a regular basis. Anything out of the ordinary, especially those $0.65 and $2.73 transactions, needs to be questioned immediately.

Some past posts on the Heartland breach:

Heartland CEO Bob Carr’s Goldman Sachs Technology and Internet Conference presentation linked in the third blog post is available on the Talkpoint site linked to in the post.

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists
Co-Author: SBS 2008 Blueprint Book

*All Mac on SBS posts will not be written on a Mac until we replace our now missing iMac! (previous blog post)


Thursday, 26 February 2009

More Heartland Payment Systems Breach News and CEO Webcast today

The news keeps flowing from everywhere but Heartland! Their 2008Breach.com site has not been updated since January.

From the SEC article at PC World:

However, the investigation may relate to stock trades made by Heartland Chairman and CEO Robert Carr after Visa notified Heartland of suspicious activity on Oct. 28, 2008. According to insider trade filings, Carr sold just under US$8 million worth of stock between Oct. 29 and the day the breach was disclosed. Heartland's stock was trading in the $15-to-$20 range for most of these transactions, but it dropped following the breach disclosure. It closed Wednesday at $5.49.

During the conference call, Carr said that his trades were part of a 10b5-1 plan initiated in August -- months before Heartland knew of any problems -- to pay off his personal debt, and that he stopped selling shares as soon as the company discovered malicious software on its systems on the night of Jan. 12. "I had no discretion regarding the terms or timing of the sales," he said.

Carr sold just over 900,000 of his 5.8 million shares before pulling the plug on the 10b5-1 plan in January, Heartland said.

Wow …

And, to top it off, the company made the breach public on January 20, 2009. That was the day of President Obama’s inauguration. So, guess where the press’ attentions were?

While it is understandable that a business needs to keep their shareholder’s interests in mind when it comes to any kind of negative publicity, there needs to be a realization that the impact to the client/customer is more important than anything else. Period.

Ultimately, the client/customer walking away from that company will also have an impact on the company due to the breach of trust. And from there, that breach of trust has led to class action lawsuits being initiated with more to come.

In this case, the breach and the way the company and its management have been handling information about it has been, in our opinion, less than forthcoming.

Taking full responsibility for the devastating impact the breach has had on what we venture to estimate are millions of folks, including us, around the world would be a good step in the right direction.

Interestingly enough, Mr. Carr, Heartland’s CEO cited above, will be giving a presentation at the Goldman Sachs Technology Internet Conference today at 18:20hrs (6:20PM) Eastern (MSN Money Article): 

A Webcast of the Heartland fourth quarter 2008 conference call can be found here along with the original link for the above Internet Web Cast:

We as a company hold our business highly accountable for everything that happens for and to our clients. If we mess up big time, to the point where the only option is losing our business, then so be it. We will take full responsibility for our error and do everything we can to make reparations for that error.

Our clients should not have to rely on lawyers and the courts for restitution if something drastic ever happened. It is a point of principle.

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists

*All Mac on SBS posts will not be written on a Mac until we replace our now missing iMac!


Monday, 16 February 2009

Heartland Payment Systems Breach Update

A little while back, we posted about a breach of significant proportions at a credit card payment processor by the name of Heartland Payment Systems (previous blog post).

Here are some updates to the ongoing saga at Heartland:

We now have two known major breaches in recent memory with the TJ Maxx breach and now the Heartland Payment Systems breach.

The cost to us consumers as well as institutions that provide and service credit cards in this case has been and will be huge.

The catch is, how many more breaches of this magnitude need to happen before we consumers can be confident that the system is reasonably protected?

Certainly the TJ Maxx and Heartland breaches do not inspire confidence in the way our data is being handled by companies that do so at this point.

As a result, it is ultimately our responsibility to keep an eye on our credit profiles, our credit card and debit card statements, and our online purchasing identities such as our PayPal or eBay accounts.

We are our only first line of defense.

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists

*All Mac on SBS posts will not be written on a Mac until we replace our now missing iMac!


Friday, 30 January 2009

Heartland Payment Systems - Credit Card Security Breach

It goes without saying, that no matter who promises what when it comes to our information, we need to be very careful about what we do with it anyway.

Some bits of information we would never publish to the Internet:
  • College or University graduated from and what city.
  • High School graduated from, what city, and what year.
  • Birth date.
  • Social Insurance Number (SIN - Canada), Social Security Number (US).
  • Major purchases made and where.
  • Banking information.
This type of information may seem to be inert on its own, but new services such as pipl are proving that data mining capabilities are becoming more and more sophisticated.

Keep this in mind when it comes to publishing personal information anywhere including social and business networking sites.

So, when it comes to our credit cards, we are quite diligent in our monitoring of the transactions on each card by checking our online statements at least two to three times a week. In our case, at least one of our credit cards has been impacted by this security breach.

And, when it comes to protecting our identity, we subscribe to one of the big three's credit profile monitoring services that sends out a weekly e-mail indicating whether anything has changed on our credit profiles. If the e-mail indicates a change, and we did not initiate that change, then it is imperative to jump on investigating what was up immediately. The e-mail gives an indicator, but we can log onto the report's site and take a closer look at the details.

Heartland Payment Systems has a Web site dedicated to the breach of their systems: Heartland Payment Systems Breach 2008 site: 2008Breach.com.

The front page of the site has a statement by the Chairman and CEO of Heartland Payment Systems.

One item of great concern to us in the CEO's letter:
"... we will not rest until we have the answers to how and why this breach occurred so we can prevent any future attacks at Heartland and elsewhere."

Let's stop and think about this for just a moment ...

They do not know "how" the breach happened?!? The "why" is irrelevant. How about telling us the "when"?

To get a clue on the when, we go to the site's FAQ:

Was Heartland the victim of a data breach?

Yes. During the week of January 12, we learned we were the victim of a security breach within our processing system during 2008.


Now give that answer a once over again: "...DURING 2008"!!!

While a forensic investigation may be on the go now, if the breach was an ongoing thing that has just been discovered, will the investigators ever be able to pinpoint whether the breach originated in 2008, or 2007, or even 2006 and beyond?!?

Not only that, it was VISA, MasterCard, and other credit card companies that had to trace suspicious transactions back to Heartland before the breach became known:

How did we learn about the breach?

After being alerted by Visa® and MasterCard® of suspicious activity surrounding processed card transactions, Heartland enlisted the help of several forensic auditors to conduct a thorough investigation into the matter. Last week, malicious software was discovered that potentially enabled data to be compromised as it crossed Heartland's network.


The magnitude of the breach and its implications are staggering in this case. It took a group of third parties to let the company know that there was a problem with its systems.

So, we have an indication of a breach, we have a Web site with some information on it, but that is about it?!? Not only that, Heartland chose to release the news on the day of President Obama's inauguration! One need not venture into the motivation behind this, but the implications are there ... where is the company's transparency?

It leaves us with an affirmation that our skepticism of the "system", and personal data protection, expressed in the first couple of paragraphs in this blog post are well founded.

We have seen a number of high profile security breaches in our headlines over the last couple of years or so. As a result, it is up to us to keep up that healthy skepticism and make sure we cover as many of the bases as possible when it comes to protecting our identity and financial information.
  • Only use one credit card for online transactions.
  • If possible, have an ultra low limit on that credit card.
  • Obtain the card from an institution that practices call-backs for out of the norm transactions.
  • Obtain the card from an institution that allows for card number rotations on an annual or bi-annual basis to further protect the card.
  • Where possible, utilize a trusted third party payment system such as PayPal for online transactions to keep credit card information out of the merchant's hands.
  • Monitor the transaction log for bank accounts, credit cards, and credit profiles (Canadian Trans Union Credit Monitoring).
And finally, when are our legislators going to get some laws in place making it mandatory for all companies to report a breach that would impact our identities, livelihood, and personal data?

It is high profile cases, such as the Heartland Payment Systems breach, that beg the question about breaches with companies that process personal information and never report it.

Lawyers and mitigating risk to a company should never trump a person's right to know their data has been compromised ... ever.

Searches on the matter:
Some further reading:

One quote of interest from WSJ:

"One hundred Million Transactions PER MONTH"

The depth of this breach is just mind boggling.

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists

*All Mac on SBS posts are posted on our in-house iMac via the Safari Web browser.

Tuesday, 8 May 2007

Information Security: What to do with those Trojans?!?

What do we do when a client brings in a system that has multiple infections? How do we know for sure when the system was infected or whether anyone still has any kind of control over the system?

We always advise a flattening of the system. Only non-active data such as documents and images would be recovered before the system is flattened, using a system we have set up for this task.

What about the TJX security breach? The Wall Street Journal has an up to date article on where the initial breach has come from: How Credit-Card Data Went Out Wireless Door.

Ouch! *wince*

So, can the forensic experts guarantee that TJX's systems are now free of any further Trojans or Rootkits? I mean 100% free? As in, totally secure?

I don't think so.

Think about this for a minute. You have free access to a treasure of immeasurable proportions. You can come and go as you please. You can do this for months at a time, with no one the wiser.

So, what do you do? Build a couple of back doors? Maybe. Build a large number of backdoors? Likely. Build time released back doors? Very likely. Hide those backdoors in the maze of locations on a network? Extremely likely.

Imagine if you will, that the folks who were on the up and up as to their credit card and debit card statements were not paying attention. Thus, there would have been no calls to their banks or credit card institutions questioning their statements and mysterious charges on them.

Where would we be now? Surely further along than the crooks in Florida and elsewhere that have been fingered with credit card and debit card numbers procured via TJX.

Kudos to those people who vigilantly monitor their credit and debit card statements. It is solely due to your vigilance that more pain and sorrow, financial and identity losses have not taken place.

From the article:
The problems first surfaced at credit-card issuers such as Fidelity Homestead, the Louisiana savings bank. Its customers were dealing with the aftermath of Hurricane Katrina when they began seeing strange transactions on their credit-card bills in November 2005, says Richard Fahr, Fidelity's security officer. First there were unauthorized transactions from Wal-Mart stores in Mexico, and then fraud started surfacing in Southern California, Mr. Fahr says.
Gives a whole new meaning to, "An ounce of prevention can prevent a pound of pain".

Monitor your statements folks. Even better, get online with your financial institutions and check those online statements regularly. Question any seemingly benign transaction that you know doesn't fit your spending habits or purchase locations.

Sometimes the crooks will put through a small $2 or $3 transaction to test whether people are paying attention. If the credit/debit card number is still good in a couple of weeks, that person is likely not checking their statements.
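The small "test" charge described here, and the $0.65 and $2.73 transactions mentioned in the Heartland post above, are the pattern a statement check should catch. The following is an added example, not code from this blog: it scores each line of a constructed statement against the cardholder's own history (small amount, never-seen merchant, unusual country) and flags lines matching two or more of those. The $5.00 threshold and the sample transactions are assumptions.

```python
"""Flag possible card-testing charges in a card statement (added example).

Heuristic: a charge is worth questioning when it is small AND at a merchant
or in a country the holder has never used. One signal alone (a $3 coffee at
the usual shop, or a large first purchase at a new store) is normal.
All transaction data below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date

SMALL_CHARGE_LIMIT = 5.00  # assumption: probe charges are a few dollars


@dataclass(frozen=True)
class Txn:
    when: date
    merchant: str
    country: str
    amount: float


def build_profile(history):
    """Merchants and countries the holder has used before (the baseline)."""
    return {t.merchant for t in history}, {t.country for t in history}


def suspicion(txn, known_merchants, known_countries):
    """Return the list of reasons a transaction looks like a card-test probe."""
    reasons = []
    if txn.amount <= SMALL_CHARGE_LIMIT:
        reasons.append("small amount")
    if txn.merchant not in known_merchants:
        reasons.append("unknown merchant")
    if txn.country not in known_countries:
        reasons.append("unusual country")
    return reasons


def flag_probes(history, statement):
    """Return (txn, reasons) pairs for statement lines with two or more reasons."""
    merchants, countries = build_profile(history)
    flagged = []
    for txn in statement:
        reasons = suspicion(txn, merchants, countries)
        if len(reasons) >= 2:
            flagged.append((txn, reasons))
    return flagged


# Constructed sample data: a few months of normal use, then a new statement.
HISTORY = [
    Txn(date(2009, 1, 5), "Safeway", "CA", 84.10),
    Txn(date(2009, 1, 9), "Tim Hortons", "CA", 2.73),
    Txn(date(2009, 2, 2), "Amazon", "CA", 41.99),
    Txn(date(2009, 2, 20), "Petro-Canada", "CA", 60.00),
]
STATEMENT = [
    Txn(date(2009, 3, 1), "Tim Hortons", "CA", 2.73),          # normal small buy
    Txn(date(2009, 3, 2), "Online Services LLC", "US", 0.65),  # probe
    Txn(date(2009, 3, 3), "Safeway", "CA", 77.45),             # normal
    Txn(date(2009, 3, 4), "Electro Mart", "MX", 2.00),         # probe
    Txn(date(2009, 3, 6), "Home Depot", "CA", 312.80),         # new merchant, not small
]

if __name__ == "__main__":
    for txn, why in flag_probes(HISTORY, STATEMENT):
        print(f"{txn.when} {txn.merchant:20} {txn.amount:7.2f} {txn.country}  <- {', '.join(why)}")
```

Run against a real statement export, the history would be the previous months' lines and the statement the current one; the flagged lines are the ones to phone the issuer about.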

Again, from the article:
Lobbying by banking associations since disclosure of the TJX breach has helped persuade lawmakers in several states and in Congress to consider new legislation. One bill in Massachusetts would impose full financial responsibility for any fraud-related losses, including costs of reissuing of cards, on companies whose security systems are breached. Another bill, in Minnesota, would bar any company from storing any consumer data after a transaction is authorized and completed.

Massachusetts Rep. Barney Frank, chairman of the House Financial Services Committee, said in March he believes Congress will move to require a company responsible for allowing a breach to bear the costs of notifying customers and reissuing cards.
Um, TJX, you messed up. You messed up real bad. This is beyond a mistake. This is a critical no turning back error. You are responsible for all costs of this breach. Not the banks, not the credit card institutions.

Governments should not have to institute laws to protect their citizens from companies that do not do due diligence.

I do believe that the lawsuits that stem from this incident will teach other companies that it is a lot more expensive to deal with a breach than to protect their clients' data from a breach in the first place.

UPDATE: Just made some minor grammatical changes.

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists

Friday, 30 March 2007

Information Security: TJX cost of breach

27B Stroke 6 has a post, Data Breach Will Cost TJX $1.7B, Security Firm Estimates, on the possible costs to the company for a breach of their networks.

The breach compromised approximately 45,600,000 client records containing information like credit card numbers, personally identifiable information, and more.

Apparently the Black Hat was in there for a long time before someone picked up on it.

For those firms that handle personal data, if you don't already have an in-house "hackathon" to test your security, get one happening.

Hire a White Hat to try and compromise from the outside, inside, and where ever else one can discover weaknesses in your network security.

How many breaches, both corporate and government, is it going to take before our data is going to be safe? How many before we the consumer have some sort of agency with power, preferably independent, that can work on our behalf?

For those affected by the breach, get together and start a Class Action Suit! Companies have to learn, be it the hard way, that we mean business about protecting our sensitive data!

Protect yourself, subscribe to the Credit Agency's credit file monitoring services. "Loose" your credit cards once every couple of years ... the CC companies hate to have to change your cards on a regular basis. But, it changes your numbers and makes it that much harder for them to be compromised.

Beware of who you are giving your credit card information to, and never lose sight of the card if it can be helped. Restaurants are notorious for this.

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists