PC World Forums: Heartland has No Heart for Violated Customers

Heartland has No Heart for Violated Customers

#21 harmonious1

  • Newbie
  • Group: Members
  • Posts: 1
  • Joined: 21-January 09

Posted 21 January 2009 - 08:08 PM

boston2boulder wrote:
"Obviously I am an employee. I am also a Magna cum Laude graduate in
Business Finance and have run two companies with gross sales in excess
of $80M. My employment does not stop my brain from working. On the
contrary, it arms me with information you do not have."



Magna Cum Laude? Well, whoop-de-doo! Not that you shouldn't be proud of it but it's hardly worth bragging about. Your biased viewpoint does not benefit from your limited scholastic achievements, nor does it benefit from your alleged business acumen. You claim to present FACTS FACTS FACTS when all you can show as proof is a company press release.



The PC World article alleges that Heartland became aware of this issue in late fall of 2008, almost 6 months after the breach first occurred. Based upon the press release which you present as FACTS, this breach was just found last week- yet Heartland was able to identify said breach, enlist the help of several forensic auditors, uncover the malicious malware and take "a number of steps to further secure it's systems" all in less than one week's time? AMAZING! Somehow, I am inclined to believe that the timeline provided by PC World is juuust a bit more accurate.



The declaration that this breach is "believed to be contained" is less than comforting. Additionally, I would ask that if these additional "steps" to secure Heartland's systems were readily accessible, why were they not already implemented? Finally, shame on Heartland for trying to fly under the radar by making this announcement on Inauguration Day.
0

#22 GDHoss

  • Newbie
  • Group: Members
  • Posts: 2
  • Joined: 21-January 09

Posted 21 January 2009 - 08:39 PM

"What do I do? Simple. Twice a year I close my account and start a new one with fresh account / routing numbers. It takes about 30 minutes." Wow, what good would that do? And that would take longer than a half hour. Let's say you do open and close your accounts; they are still at risk while open. If you open and close credit card accounts your credit report will soon be a mile long. That may have a negative impact on your credit score. Most retailers frown at a new checking account. I am required to have direct deposit from my employer. I also have direct deposit from companies I receive royalties from. What a pain that would be. I keep my uninvested money in a savings account with no debit card access. I pay bills with my checking account and keep a balance to cover them. I use a credit card for shopping and internet and don't charge more than I can pay off. With major credit cards (American Express, Discover, Visa, MasterCard) most banks currently cover fraud. On debit cards and checks that money is gone until you get it back, if ever.
0

#23 boston2boulder

  • Member
  • Group: Members
  • Posts: 25
  • Joined: 21-January 09

Posted 21 January 2009 - 08:44 PM

Now, who among you has a shred of evidence your account has been violated? Who has disputed a mystery charge that was a result of this? You can not, because all that is “missing” is the same information every waiter you deal with has - (once the card is out of sight, it is not too tough to write down your name, numbers and expiration date.) Oh, and those online purchases? Same info (except they can backtrack to you through your ISP). Hmmmm… So. The same information you put out there daily is out there again. And those processors who allow your whole number to be printed? Wow. You really do need to do something about that. I am not kidding. If you see that, raise holy hell.

Show of hands. Who has evidence in your account you have been hurt? Why? Again, I will bet you all $100 you have processed through Heartland.

(PS: GDHoss - Very true points and frankly the best thing I have seen here yet...you are correct...kudos)
0

#24 nx1701

  • Member
  • Group: Members
  • Posts: 41
  • Joined: 04-August 07

Posted 21 January 2009 - 09:11 PM

The issue is NOT that any of us has already been hurt by this breach of security against Heartland - it's that Heartland should be taking more steps than they are to inform unsuspecting consumers who do not know that their personal info may be in the hands of someone who has stolen it, so that they can keep a watch over their credit card/bank accounts for fraudulent transactions!

The average consumer (unfortunately) probably does not check every transaction that posts to their accounts. That Heartland has not made more of an effort to inform those consumers (Heartland knows whose transactions have been processed through their network - I'm sure they keep records) is unconscionable. The same goes for any other company that would handle/has handled a similar situation.
0

#25 boston2boulder

  • Member
  • Group: Members
  • Posts: 25
  • Joined: 21-January 09

Posted 21 January 2009 - 09:49 PM

Did you go nuts about the RBS breach in the fall of 2008? Nope. Why? They kept it a secret! Fifth Third Bank in Ohio was fined in 2007 for the TJ Maxx issue, which was over 100 million card numbers. Did you miss the call when they reached out to you and your friends?

Heartland is alone in simply stepping up to the plate and letting you know what’s up.

Your numbers are out there, known and exploitable long before Heartland got hacked. Clearly, your faith in Bill Gates knows no bounds. You share information on his hacked-to-heaven software every day.

You have used Heartland. Where are the charges? They have had months to exploit this, and have chosen not to? They robbed the bank but do not want the money? Ridiculous. If that data had value, they would be all over it, not waiting for the FBI, Homeland Security and the IRS.

I believe you might work for one of our competitors, since your blind eye to common sense and stubborn echo of half truths is amazing.
0

#26 boston2boulder

  • Member
  • Group: Members
  • Posts: 25
  • Joined: 21-January 09

Posted 21 January 2009 - 09:57 PM

Note to PC World. For a bunch of tech wizards...your site is a sad joke. Did your wizards ever stop to think we just might cut and paste from Word? My replies are full of code and bizarre format errors. You are a fine bunch to critique others' technology. Yes, I know you spell check too...but not working with Word? Do you live in a cave?
0

#27 boston2boulder

  • Member
  • Group: Members
  • Posts: 25
  • Joined: 21-January 09

Posted 21 January 2009 - 10:08 PM

NX1701 - Extra Extra, read all about it.

It is actually your responsibility to keep a watch over their credit card/bank accounts and inspect them for fraudulent transactions! It is not too tough. Something along the lines of taking a minute to scroll down and look for odd ($1) transactions. My Chase accounts have alarms set up for any debit less than 10 dollars, and greater than 100. Whew! That took about 5 minutes online.

By the way, back to my original thesis. What is your problem? Neither you, nor anyone you know, nor anyone they know...etc...has lost a dime.

I am curious about you, what you do for work (if you do) and the high ethical standard of your world. What industry are you in? I am guessing academia, since you have no grasp of real world issues and solutions.
0
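The statement-checking routine this post describes (scroll for odd $1 charges, alarm on any debit under $10 or over $100), written out as rules over a constructed sample statement. This is example code added here, not anything from the thread, from Chase or from Heartland; the thresholds, the probe-then-charge window and ratio, and the merchant names are assumptions.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Debit:
    """One card/bank debit as it would appear in a downloaded statement."""
    when: date
    merchant: str
    amount: float
    declined: bool = False


def threshold_alerts(debits, low=10.00, high=100.00):
    """The 'alarm on any debit under $10 or over $100' rule from the post.
    Returns (debit, reason) pairs in statement order."""
    alerts = []
    for d in debits:
        if d.amount < low:
            alerts.append((d, "below_low_threshold"))
        elif d.amount > high:
            alerts.append((d, "above_high_threshold"))
    return alerts


def probe_alerts(debits, probe_max=2.00, window_days=7, ratio=10):
    """The 'odd ($1) transaction' the post says to scroll for, made explicit:
    a tiny charge at a merchant followed within window_days by a charge at
    the same merchant at least `ratio` times larger. A stolen number is often
    tested with a small charge before it is really used, so the pair, not the
    $1 alone, is what merits a call to the bank.
    Assumption (this example only): the merchant string is a usable key."""
    by_merchant = {}
    for d in sorted(debits, key=lambda x: x.when):
        by_merchant.setdefault(d.merchant, []).append(d)
    alerts = []
    for seq in by_merchant.values():
        for i, probe in enumerate(seq):
            if probe.amount > probe_max:
                continue
            for later in seq[i + 1:]:
                if (later.when - probe.when).days > window_days:
                    break
                if later.amount >= max(probe.amount * ratio, probe_max):
                    alerts.append((probe, later, "probe_then_charge"))
                    break
    return alerts


def declined_alerts(debits):
    """Declines on an account the holder has not used are a signal in their
    own right (the Bank of America story later in the thread surfaced them)."""
    return [d for d in debits if d.declined]


# Constructed sample statement, not real transactions.
SAMPLE_LEDGER = [
    Debit(date(2009, 1, 5), "GROCERY MART", 54.20),
    Debit(date(2009, 1, 6), "WEB RETAILER", 1.00),
    Debit(date(2009, 1, 8), "WEB RETAILER", 2100.00),
    Debit(date(2009, 1, 8), "WEB RETAILER", 1500.00, declined=True),
    Debit(date(2009, 1, 9), "COFFEE STOP", 3.75),
    Debit(date(2009, 1, 12), "GAS STATION", 41.00),
]


def review(debits=SAMPLE_LEDGER):
    """Run all three checks and return a compact summary for the statement."""
    return {
        "threshold": [(d.merchant, reason) for d, reason in threshold_alerts(debits)],
        "probe": [(p.merchant, later.amount) for p, later, _ in probe_alerts(debits)],
        "declined": [(d.merchant, d.amount) for d in declined_alerts(debits)],
    }


if __name__ == "__main__":
    for kind, hits in review().items():
        print(kind, hits)
```

On the sample statement the bare threshold rule also trips on a $3.75 coffee, while the probe rule points only at the $1 charge that preceded the $2,100 one at the same merchant, which is why pairing the two signals beats either alone.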

#28 nx1701

  • Member
  • Group: Members
  • Posts: 41
  • Joined: 04-August 07

Posted 21 January 2009 - 10:51 PM

Ummm, boston2boulder, your previous post said "it is my responsibility to watch over their credit card/bank accounts" - whom do you refer to by "their"?!! I am under no responsibility to check over anyone's accounts but mine and my fiancee's! As a matter of fact, I am sitting at my PC right now going over the transactions in my checking account I downloaded from Chase into Microsoft Money - I keep a VERY close watch on the joint checking account I share with my fiancee, as well as her credit card accounts (since her own son stole her account info last year and took money out of her account and used her credit cards)!

Of course I work (as does my fiancee), as a delivery driver for a distributor of Pella windows and doors. So, I am out there in the "real world" every day!

By the way - my fiancee's daughter is an employee of Heartland, so it's not like I'm totally unfamiliar with them.
0

#29 nx1701

  • Member
  • Group: Members
  • Posts: 41
  • Joined: 04-August 07

Posted 21 January 2009 - 10:54 PM

I just HAVE to ask you this - why in the world would you cut-and-paste your posts to this forum in MS Word, instead of just composing them here?!!

Your posts are the only ones with all that formatting crap in them, and one of your previous posts was about a mile long!
0

#30 cpfoutz79

  • Newbie
  • Group: Members
  • Posts: 6
  • Joined: 21-January 09

Posted 21 January 2009 - 10:59 PM

Boston,

I'm getting a kick out of you putting the responsibility on the customer. It is your legal responsibility to protect the information via various regulations. It is also your duty to protect that information per your agreements with the payment card companies. The fact that you were hit so hard, and most importantly, that it took you so long to discover the problem, is indicative of you falling short of those responsibilities. Working in a bank, I know the need to log the heck out of things and review said logs. At the very least, I'm guessing you fell short on that. Not knowing the details (which we likely never will given your stance), it's hard to say.

We can't hold the hacker responsible...we've already shown he can't be trusted. Maybe we should write a law that if you hack a system, you need to inform the cardholder that you have their number? It's a given this guy needs to go to jail...it's a given we can't expect him to make some level of attempt to take care of us. However, being, in a roundabout way, your client, I would expect you would go through some level of effort to protect us.

You missed a couple of things.

#1 - You disclosed the breach because in many states you are required by law to make a public statement. It wasn't out of the kindness of your heart. On top of that, you made the announcement on a day when no one would be paying attention. Coincidence? I think not.

#2 - Regarding the TJ Maxx incident, they warned all involved parties...I got one of those letters and I don't believe I live in a mandatory notification state. That's all I'm asking for from you. Unless of course, you were using substandard security measures, in which case I hope you lose your clients and go out of business like CardSystems. This letter allowed me to ensure my cards were replaced, which TJ Maxx arranged to have done for me.

#3 - There is a huge difference between a waiter stealing my number and you having your system hacked...it's the difference of a few million people. Not to mention, despite your claim that no numbers were used....who knows if those numbers were used. My wife had fraudulent activity on her card a few months ago...maybe the thieves got the info from your system. This is exactly why you need to inform all of your customers and work with their banks to have new cards issued. If I lose my card number to a waiter, it costs my credit card issuer $5 to issue a new card. If you lose 2 million of their account numbers it costs them 10 million...if you were negligent in losing that number, then you should pay the cost.

#4 - To another poster talking about changing their bank info 2 times a year...

I use only credit cards for my transactions. 1) This provides better insurance against fraud. 2) If someone uses my account, it prevents insufficient funds fees etc. 3) When I hear about these companies all I have to do is call my CC companies and tell them I lost my card. My banking info is relatively safe b/c I never provide it to anyone except my employer. 4) I triage my accounts. Credit card whenever I can use it. Bank account with just enough money to pay my bills...this is linked to my credit card, work deposits, and any bills that don't take credit card. It's also linked to a bank where I keep all my money, yet that bank never gets accessed except for the bank that I make my transactions in.
0

#31 cpfoutz79

  • Newbie
  • Group: Members
  • Posts: 6
  • Joined: 21-January 09

Posted 21 January 2009 - 11:06 PM

BTW...I do use Windows. I consider my personal internet browsing to be a low risk thing...but even still I set up a virtual machine to do web browsing via Firefox and blow it away frequently.

My banks use multifactor authentication.

I have various network and host based controls in place to make up for the OS. I've properly instructed my wife in internet browsing and while she doesn't use the VM, I reformat the drive biannually. It's been 10 years since I've found a virus on the machine. When a virus is found, the machine is not cleansed...it's formatted.
0

#32 GDHoss

  • Newbie
  • Group: Members
  • Posts: 2
  • Joined: 21-January 09

Posted 21 January 2009 - 11:23 PM

In 2004 I received my Bank of America Visa bill. I had not used my card for several months. Somehow my account was charged $2100.00 to an online clothing store out of New York state. The clothing was shipped to a place in Nigeria. When I contacted Bank of America, I found out they had tried to bill more but the transactions declined. After the bank did an investigation, I was credited for the charges. The case was turned over to the Secret Service. I'm glad it was not my debit card issued from a local bank. My checking account would have been wiped out. I to this day don't know how the breach of security happened.
0

#33 boston2boulder

  • Member
  • Group: Members
  • Posts: 25
  • Joined: 21-January 09

Posted 21 January 2009 - 11:55 PM

Yours is certainly the best informed and thought out response to this issue. Your lucid and succinct argument makes sense in many ways, and certainly does reflect on your rather unique set of standards and methodology for securing your personal world. Certainly, few are as careful, educated and disciplined as you. Kudos.

Might I ask which bastion of ethical reporting, responsible money management, and client transparency you are paid by? In other words, how dare you, standing in line for my tax-dollar bailout, rise to the crow's nest and shout the alarm. A banker judging an acquirer! I am weeping from laughing so hard. Thank you for that... whew! damn! That IS funny!
0

#34 boston2boulder

  • Member
  • Group: Members
  • Posts: 25
  • Joined: 21-January 09

Posted 22 January 2009 - 12:10 AM

I stand in awe of this---

BTW...I do use Windows. I consider my personal internet browsing to be
a low risk thing...but even still I set up a virtual machine to do web
browsing via Firefox and blow it away frequently.

My banks use multifactor authentication.

I have various network and host based controls in place to make up for
the OS. I've properly instructed my wife in internet browsing and while
she doesn't use the VM, I reformat the drive biannually. It's been 10
years since I've found a virus on the machine. When a virus is found,
the machine is not cleansed...it's formatted.

Now, let me ask you a hypothetical question. Let's say you are responsible for your friends' data stored on your machine. You feel you are running the cleanest machine out there. In some ways, cleaner than a NEW machine.

Let me ask you. How can you prove it is not infected? How can you prove it is not a slave machine? How do you know who is inside it...right now?

I would assume the answer is...you don't. You rely on the best and most current reporting tools. Tools which may too have been compromised.

So let's say in 6 months I call you and prove you are infected. You tell your peers, who trusted you with their secrets. Shall they stone thee for not knowing, and telling when you finally did?

Is it a crime to be outsmarted? Where I agree with you is in the principle I used to teach when I managed an $80M firm. We get the problem. OK. Enough. Show us a solution. I too shall see how exactly this nightmare is handled. Also, in the next month or two, when you discover a few of our peers have the same problem, and did not report it...I will log in to read your comments. Frankly, I think you are the only one on this site who actually gets it.
0

#35 boston2boulder

  • Member
  • Group: Members
  • Posts: 25
  • Joined: 21-January 09

Posted 22 January 2009 - 12:21 AM

GDHoss,

Wow. That is a terrifying story. It is doubly terrifying that to this day, no one can explain how it happened. The only part that makes sense is that it was BofA. I have been to hell and back with them, and only after 5 years did I just recover $7,500 they essentially stole from me when they screwed up my $30K LOC. They deserve a flogging for their excessive charges, charges on charges, and slow response to resolution, which incredibly leads to more charges! Best to you, and thank you for your posts. I do enjoy your view.
0

#36 cpfoutz79

  • Newbie
  • Group: Members
  • Posts: 6
  • Joined: 21-January 09

Posted 22 January 2009 - 01:04 AM

The bank I work for has not asked for or received any "bailout" "cash infusion" or whatever you may call it from any government...nor has it had to issue stock in order to recapitalize.

My anger is due to the fact that in most of the publicized instances where data was lost by a financial institution, there were common-sense things that were missed. In the beginning it was things such as unencrypted backup tapes or laptops where the technology wasn't widely deployed enough to fault the company.

Nowadays encryption is cheap. Most companies are encrypting tapes, or on the verge of implementing it. Laptops are encrypted. In fact, we just had a scenario today where someone misconfigured a tool deployed to our laptops and it knocked everyone out of service...the laptops are so locked down that even though it's a minor misconfiguration, I can't even recover my own file off my laptop.

IDSs should be deployed on the network and on the server, developers should be locked out of the servers, data on the server should be encrypted (mainframes can be forgiven), firewalls hardened. Access should be reviewed on every server regularly. Pen tests should be performed regularly at the app level and the platform level.

With all of these controls in place and MANY more it would be very difficult to get into a system for a long period of time...if someone really wanted to target you, then sure...but likely they'd move on to an easier target...and believe me there are plenty of easy targets...I know some scary stories...hence the unleashing of my rage.

The only stories I'm sympathetic to anymore are inside jobs...but even with those, we are locking down our production support people so tightly they can barely do their job.

As for my employer...I cannot disclose. In my last post, I gave enough that you could probably figure it out...but I won't even confirm or deny guesses.

By the way...most importantly...

If I did lose my customers' information (on occasion the most secured fortress will still be attacked if that's where the money is) I would:

1) Perform the proper forensics and get law enforcement involved

2) After LE told me I was clear to inform my customer, I would do so. As much as practical, I would disclose to them why I feel we were secure (even though I know PCI is overrated, I'd still pull it out as a CYA), how the data got lost and what we're doing to fix it.

3) I would eat the cost of them protecting themselves...if I lost their SSN, I'd give 'em a year or 6 months of credit monitoring; if it was a credit card, I'd pay their bank to replace the card. I'd also send them a booklet on protecting your identity and best practices for picking up the pieces.

That's the point...people understand when you own up and work with them to make it right. Your actions give the appearance of evasiveness. In times like this it's all about customer perception....

Anymore, technical protection takes a back seat to process protection. I know my number is going to get lost annually for the next 5 years...but I also know my credit card company will go to bat for me anytime I report a fraud. I don't care about the loss, it's the picking up the pieces that I need. When you're evasive like this, who's going to trust you?

Anyway...based on your changed tone, I hope I've helped. It appears you're rather senior in the organization...hopefully you can have some influence on responding more appropriately to the scenario.
0

#37 dan372x

  • Newbie
  • Group: Members
  • Posts: 1
  • Joined: 22-January 09

Posted 22 January 2009 - 06:25 AM

boston2boulder said,
"What do I do? Simple. Twice a year I close my account and start a new one with fresh account routing numbers. It takes about 30 minutes."
What TERRIBLE advice! Just "lose" your card, get a new one, and 13 FICO points are deducted. I had a card compromised (never left my possession, but the account number was obtained, somehow), the bank replaced the card, and my 831 FICO was now 818. Nothing else changed in my credit profile. I then researched this issue to see if other people who had reported a lost or stolen card also suffered a FICO hit and the answer was affirmative.
boston2boulder, you're a little too smug. And don't tell me you don't suffer a FICO hit; a bit of research shows others who do, including me, when reporting a lost card, so your "solution" is no solution at all.
0

#38 RUSecure

  • Newbie
  • Group: Members
  • Posts: 3
  • Joined: 22-January 09

Posted 22 January 2009 - 01:06 PM

I concur with cpfoutz79.

I also wanted to add that the credit card data should have been encrypted en route to Heartland's processing centers, per PCI DSS requirement 4 - Encrypt transmission of cardholder data across open, public networks.

Boston, you should get Heartland's Security and Compliance team to respond here. They would concur with our comments.
0

#39 boston2boulder

  • Member
  • Group: Members
  • Posts: 25
  • Joined: 21-January 09

Posted 22 January 2009 - 06:09 PM

Thank you for your interest. I actually have no more time to spend explaining how the real world works, the problems we face and the solutions we must implement.

I am weary of your judgmental attitude and uninformed opinions. My tone is a product of what I infer is a question of both Heartland's ethics and mine. Heartland screwed up and will pay the price. I make mistakes too. Obviously, the chorus from PC World has no need for the Backspace key or erasers on pencils, since you never make mistakes.

I have no more time, because of the mission I have been given. By the end of business tomorrow I must contact every single one of my clients, inform them of this issue, educate them about the facts, allow them to ask questions and offer solutions. Over 1,000 people spent today doing just that. Guess what? We are not losing any clients. Why? Because we have never lied to them and have lived up to every promise (yes, we actually offer more than low prices. Our personal relationships and service have value.)

I am on my way to drive 2 hours to see a new client (he will be once his fax is sent in properly.) I made an error on his contract, and undercharged him 2 basis points (if you don't know what that means, I will not be surprised.) To make the change to the contract for this tiny sum, I need his initials next to the change.

Let me tell you, those wet behind the ears plaid pants salesmen for First Data and others would never do this. They would make the change and send it in, since the client would never even know it happened.

There are two reasons I would never do that.

(1) It is wrong

(2) Heartland would terminate me instantly if it was discovered.

This new client and I will also be discussing the data breach, since it would not be ethical to sign him up without allowing him the option of opting out. He is from Palatine and just lost a friend in the missile attacks. I am positive he does not know about the breach. He will before the night is over.

So, oh ye without sin. Remember that a company is really defined by its employees. We set the standard every day, and I have no knowledge of anyone at Heartland breaking our rules.

I would LOVE for you all to include your occupation and parent company. I bet it would be easy to open a few closets and shake the skeletons. Yes, I am calling some of you hypocrites. Prove me wrong, and write no more until we know who you are.

OK. More work to do. More ethical behavior to exhibit. More clients to send e-mails to. (Oh, and two more contracts to fax in, even after our conversation about the breach. Referrals from happy customers are a true blessing.)

Good Night. God bless. Now, he who is without sin, cast the (next) stone.
0

#40 RUSecure

  • Newbie
  • Group: Members
  • Posts: 3
  • Joined: 22-January 09

Posted 23 January 2009 - 07:05 AM

My statement is not an opinion. I stated the facts and referenced the PCI DSS requirements. You on the other hand, did not reply properly.

Edited by MPHEnterprises - Please keep the tone of the posts civil
0
