Comments on: Don’t be like: Heartland Payment Systems http://nessence.net/2009/08/20/dismantling-heartland-payment-systems/ Technology; until we all find something new. Wed, 07 Jul 2010 05:21:42 +0000 hourly 1 http://wordpress.com/ By: Alex Leverington http://nessence.net/2009/08/20/dismantling-heartland-payment-systems/#comment-153 Alex Leverington Wed, 30 Sep 2009 22:06:10 +0000 http://nessence.net/?p=187#comment-153 @Rick You probably drive a car back and forth from work every day, that car keeps you safe from amazing risks, and I bet you're insured; but, if you weren't driving a safe vehicle: a) you wouldn't be insurable, and b) you could die easily. For this reason, automobiles are very safe, people trust them, and manufacturers are mandated to certain levels of safety and security standards. Fortunately, people don't die when bank security is breached or software programs fail, but at the same time, nobody is liable either because the attitude you have -- that just because others fail, nobody should be held to a higher standard. This is why I composed my post, to single out a company -- if I had any evidence to single out others, I would. Most of the time though, that evidence is either kept confidential or may even be under gag order which is unfortunate to everyone whose personal data is exposed. I think it's good Heartland is doing end-to-end security but that's really nothing special. Public key infrastructure has been around since before online banking was prevalent and it's a technology that's more than a decade old -- Heartland has had over a ten years to implement end-to-end data encryption and they've waited until after their system was compromised. Sure, you could say such an upgrade prior to now would've been expensive, and you would be right -- such levels of security should be mandatory and expected. I also composed this post to support share holders' actions and because the exploit was via SQL injection. Being vulnerable to SQL Injection is like leaving your car running with the windows rolled down. Moreover, end-to-end encryption doesn't hinder SQL Injection attacks. You can google more on "SSL TLS" to find out the history of security and how end-to-end encryption has been done for quite awhile now. I suppose if Heartland wasn't so loud with PR about how they're catching up to 1999, I wouldn't say anything. All things considered, 1 out of 601 is a start. @Rick

You probably drive a car back and forth from work every day, that car keeps you safe from amazing risks, and I bet you’re insured; but, if you weren’t driving a safe vehicle: a) you wouldn’t be insurable, and b) you could die easily. For this reason, automobiles are very safe, people trust them, and manufacturers are mandated to certain levels of safety and security standards. Fortunately, people don’t die when bank security is breached or software programs fail, but at the same time, nobody is liable either because the attitude you have — that just because others fail, nobody should be held to a higher standard. This is why I composed my post, to single out a company — if I had any evidence to single out others, I would. Most of the time though, that evidence is either kept confidential or may even be under gag order which is unfortunate to everyone whose personal data is exposed.

I think it’s good Heartland is doing end-to-end security but that’s really nothing special. Public key infrastructure has been around since before online banking was prevalent and it’s a technology that’s more than a decade old — Heartland has had over a ten years to implement end-to-end data encryption and they’ve waited until after their system was compromised. Sure, you could say such an upgrade prior to now would’ve been expensive, and you would be right — such levels of security should be mandatory and expected.

I also composed this post to support share holders’ actions and because the exploit was via SQL injection. Being vulnerable to SQL Injection is like leaving your car running with the windows rolled down. Moreover, end-to-end encryption doesn’t hinder SQL Injection attacks.

You can google more on “SSL TLS” to find out the history of security and how end-to-end encryption has been done for quite awhile now.

I suppose if Heartland wasn’t so loud with PR about how they’re catching up to 1999, I wouldn’t say anything. All things considered, 1 out of 601 is a start.

]]> By: Rick http://nessence.net/2009/08/20/dismantling-heartland-payment-systems/#comment-152 Rick Mon, 28 Sep 2009 04:14:31 +0000 http://nessence.net/?p=187#comment-152 If attacks are so "preventable" as you claim then why have over 600 banks in the U.S. also been hacked? Simple truth is that there will always be criminals who look for ways to get into the computing systems of large corporations. Heartland Payment Systems is now leading the industry with an end-to-end data encryption service that no other credit card processor currently has in place. And by the way, most if not all of the other major credit card processors have also been hacked during the past few years so Heartland is in "good" company. While I agree that better precautions need to be taken by all corporations who process data let's not unfairly single out Heartland Payment Systems. If attacks are so “preventable” as you claim then why have over 600 banks in the U.S. also been hacked? Simple truth is that there will always be criminals who look for ways to get into the computing systems of large corporations. Heartland Payment Systems is now leading the industry with an end-to-end data encryption service that no other credit card processor currently has in place. And by the way, most if not all of the other major credit card processors have also been hacked during the past few years so Heartland is in “good” company.

While I agree that better precautions need to be taken by all corporations who process data let’s not unfairly single out Heartland Payment Systems.

]]>