March 10, 2009
-
News: New Breach, or samo…?
Still no word on the mystery anomaly currently reverberating in the credit card security industry. After statements were leaked by a few credit card lenders of a VISA notification concerning a ‘third possible breach', rumors are abundant with the blogosphere. To the public, VISA is steadfastly denying that there is a ‘third' credit card payment processor.
Some believe that VISA is simply denying unannounced events for security reasons, some believe that others are blowing up ‘nothing' just to make a story and, yet, others believe that there is a third major ‘entity' that is linked to the Heartland credit card breach somehow. This would make it convenient for VISA to shift attention away from the new secrecy. Even the heartland credit card incident was covered up for months.
Computerworld ran an article last month stating that ‘sources' had divulged the possibility that this ‘third breach' may turn out to be the biggest one yet (ever). There is conflicting coverage that this breach included "card-not-present transactions between last February and this January." Most references to the Heartland breach stated that the only month affected was November and that ‘CVV2 codes' had not been exposed.
In addition to the much longer time period of this breach; these ‘card-not-present transactions' almost always require the ‘CVV2 code' which was generally denied as having taken place at Heartland. Does not match. Also, it was stated that this new breach did not acquire fully unencrypted ‘mag stripe' data. In the Heartland credit card breach, it was said that unencrypted ‘mag stripe' data had been breached. Again, this does not line up.
Responding statements were not publicly issued from the card associations concerning this third breach until after security bloggers like Steve Ragan of thetechherald.com, started publicizing it. VISA was quick to respond then but, they were very circumspect with the wording. Circumspect is the key word, here. As yet, we've only been given sketchy details about Heartland concerning the exact length of time, how many victims and the exact depth of the breach (how much detail ‘they' got). It could well be that there was ‘no other processor' and that the Heartland breach has evolved into a much bigger problem then was originally identified. That would make the new situation seem totally different then the one we thought we knew about.