Albert Gonzalez, the mastermind behind most of the multi-million dollar credit card breaches in the past few years, is being sentenced this week. (Feds are asking for 25 years.) Now his former accomplice, Stephen Watt, has told Wired that while Gonzalez was busy stealing and selling credit card data he was also being paid under the table by the U.S. Secret Service to inform on others, earning as much as $75,000 in cash annually.
This fall, credit card processors will begin rolling out a new approach to preventing data theft, based on the assumption that it’s impossible to thwart every attack. Instead of keeping 100% of criminals out, they’ll segment and encrypt the data into such small chunks that it will no longer be a cost-effective crime.
Visa has removed Heartland Payment Systems and RBS WorldPay, the two huge payment processors that suffered recent data breaches, from its list of companies that are in compliance with Payment Card Industry (PCI) rules. It says they can get back on the list when they recertify that they have proper security in place. While this may sound like a significant change in the status of the companies, in reality it does little to change how the three companies do business with each other or with merchants. It’s just a way for Visa to protect itself from any upcoming lawsuits by banks and credit unions against the payment processors.
The U.S. Secret Service has arrested three men in Florida on “hundreds of counts of credit card fraud” for using fake gift cards imprinted with account info stolen from Heartland Payment Systems last year. The Secret Service still thinks an Eastern European group is behind the Heartland breach, and that the Florida guys are smaller-time crooks who most likely purchased a subset of the stolen data.
The Secret Service has apparently “pinpointed” the location of a suspect in the massive Heartland credit card database breach. No surprise, it’s international. [Storefrontbacktalk]
The Washington Post has reported that Heartland Payment Systems, a payment processor that services “more than 250,000 businesses,” has had more than 100 million transactions compromised via malicious software that was installed on its network; it will likely turn out to be the largest data breach ever reported. The “good” news is that the criminals were only capturing credit card numbers, the names on the cards, and expiration dates—the info encoded onto the magnetic strip on the card. Because no addresses, SSNs or PINs were stolen, the prospect of full-blown identity theft is pretty small—which must explain why Heartland isn’t offering any sort of credit monitoring package as compensation. Instead, their CFO says, “We recognize and feel badly about the inconvenience this is going to cause consumers.”