Electronic Theft Occurring Despite Security Measures
The latest large-scale cyber attack against Heartland Payment Systems Inc and the Hannaford Brothers supermarket chain shows the security challenges facing the U.S. credit-card industry.
Heartland and Visa Inc, both of whom say their computer networks meet tough new security standards, did not have strict enough security to keep hackers at bay.
On August 17, Albert Gonzalez, a 28-year-old Florida man, was indicted along with two other hackers for breaching the computer networks of Heartland and Hannaford.
Both companies say their networks are up to the security standards set by the world’s largest credit card networks, Visa and MasterCard Inc, McDonald’s Corp, Exxon Mobil Corp, Bank of America Corp, and Royal Bank of Scotland Plc.
According to Visa, 5 percent of the largest retailers and restaurants have not met compliance deadlines set in 2007, despite the increasing fraud complaints.
Of the 275,284 complaints received last year by the Internet Crime Complaint Center, 24,775 were tied to credit or debit card fraud, up from 13,033 in 2007.
According to Visa security executive Ellen Richey, companies that are in compliance are still vulnerable if they let down their guard.
"It was the lack of ongoing vigilance in maintaining compliance that left the company (Heartland) vulnerable to attack," she said.
Merchants have taken up the issue with Visa and MasterCard, claiming the credit companies are asking them to pay more than their fair share for security upgrades.
Retailers also say Visa and MasterCard have been slow to adopt new technologies such as encryption and high-security computer chips.
"I can’t even tell you how many sour, disgruntled calls I get from retailers," said Gartner Inc technology consultant Avivah Litan.
At Heartland, Gonzalez pulled off a record-breaking heist, stealing 130 million payment card numbers.
He’s accused of breaking his own record of stealing 100 million card numbers during an electronic break-in at TJX Cos Inc, which began in 2005.
Gonzalez is currently awaiting trial, and has pleaded not guilty to the TJX-related charges.
Prosecutors say Gonzalez breached Hannaford and Heartland’s system in late 2007 with “structured query language,” a method companies are required to protect themselves against.
Gonzalez and his team of hackers are also charged with breaching 7-Eleven Inc systems in August 2007.
A Heartland spokesman said their systems had been checked by audit firm Trustwave of Chicago as recently as April 2008, which would have occurred after hackers had begun to steal from the network.
Security standards represent "the lowest common denominator and the bad guys have figured out how to get around some of the weaknesses," the spokesman told Reuters.
Trustwave would not comment on the situation.
Heartland, which processed card payments for merchants, saw its stock drop sharply after the attack was discovered.
According to Cynthia Larose, an attorney at Mintz Levin, the payment card industry could face more government regulation if it fails to stop electronic theft.
"If the stakeholders cooperate, we would see much better security," she said.
