Pierluigi Paganini April 01, 2012

The Krebs on Security blog reported that there has been a security breach at Global Payments that “may involve more than 10 million compromised card numbers.”  We are facing with a massive breach that could impact more over 10 million compromised card numbers, for this reason VISA and MasterCard are alerting banks across US about the event and the related risks.

Brian Krebs is the first expert to publish news on the breach noting the that MasterCard and Visa have disclosed non-public alerts warning of a possible risks arising the data exposure.

Global Payments handled $120.6 billion in Visa and MasterCard card volume, up 11% from the prior year, according to Nilson. It competes against First Data Corp. and units of big banks including Bank of America, J.P. Morgan and Citigroup Inc. C +0.11% to process transactions.

Global Payments (GPN) discovered the breach in the beginning of March 2012, the card associations have dated the breach between Jan. 21, 2012 and Feb. 25, 2012. According the warning to the banks the Track 1 and Track 2 have exploited, this tracks are used to store information of the card, this means the a criminal could use the stolen information to clone the card.

The Wall Street Journal is one of the first newspaper to report that the breached processor was Global Payments Inc., which processes credit and debit cards for banks and merchants. Atlanta based processor Global Payments confirmed yesterday the breach via press release, following the info reported:

“Global Payments Inc. (NYSE: GPN), a leader in payment processing services, announced it identified and self-reported unauthorized access into a portion of its processing system.  In early March 2012, the company determined card data may have been accessed.  It immediately engaged external experts in information technology forensics and contacted federal law enforcement. The company promptly notified appropriate industry parties to allow them to minimize potential cardholder impact.  The company is continuing its investigation into this matter.

“It is reassuring that our security processes detected an intrusion.  It is crucial to understand that this incident does not involve our merchants or their relationships with their customers,” said Chairman and CEO Paul R. Garcia.

It promised to release more details in a conference call with investors on Monday morning. Security Expert have immediately started the investigations on the transaction data on the compromised cards trying to discover common factors, sources at two different major financial institutions said the transactions that most of the cards they analyzed seem to have in common are that they were used in parking garages in and around the New York City area.

Global Payments Inc. (NYSE: GPN), a leader in payment processing services, announced it identified and self-reported unauthorized access into a portion of its processing system.  This is not the first time that a breach is observed in the payment world, last June Citibank breach exposed 360,000 accounts but only 3,400 accounts resulted in fraudulent losses that cost Citi, not consumers, $2.7 million.

Once again, a cyber threat shakes the banking world after significant data breach andthe damages caused by viruses such as Zeus.

The biggest breach was related the Heartland Payment Systems (NYSE: HPY) company announced in January 2009 with more over that 130 million credit and debit cards exposed. The breach cost Heartland at least $140 million in fraud redemption, fines, and legal fees.

Again, according to Krebs, “Global Payments will hold a conference call Monday, April 2, 2012 at 8:00 AM EDT. Callers may access the conference call via the investor relations page of the Company’s Web site atwww.globalpaymentsinc.com by clicking the ‘Webcast’ button; or callers in North America may dial 1-888-895-3550 and callers outside North America may dial 1-706-758-8809 . The pass code is ‘GPN.’”

Of course VISA and Mastercard are working hard to discover the real entity of the breach and in the same time they are alerting its customers on the possible fraud.

Visa has specified that the breach has not interested its internal systems neither its network, however it could have serious impact on the credit card payment word with serious impact on third parts companies. The Visa has provided payment card issuers with the affected account numbers to the involved companies so they can start procedures to protect consumers.

U.S. Visa consumer cardholders are protected against similar incidents and frauds with Visa’s zero liability fraud protection policy, which exceeds federal safeguards, anyway Visa suggests cardholders to regularly monitor their accounts alerting their issuing financial institution promptly on any suspected activity.

Visa also supports advanced security layers such as encryption, tokenization and dynamic authentication through EMV chip technology to further protect sensitive account information and minimize the impact of data compromises.”

What is really strange is that the Heartland company was compliant to the Payment Card Industry Data Security Standard (PCI DSS) at the time of its breach. The cause of its breach was a simple SQL injection attack raising doubts at how compliant Heartland had remained after its audit.

The cause of Global Payments’ breach hasn’t been confirmed but several hypotheses have been proposed, the most interesting of which says that the breach was caused by improper employee security that may have lead to malware inside internal networks.  We have learned from similar cases that is sufficient to open an infected attachment in an email to expose the entire infrastructure of a company.

Regarding the specific case we have to wait for the official communications of the GPN and further results of the specialist’s researches on the case.

Pierluigi Paganini

(Security Affairs – VISA, Mastercard)

[adrotate banner=”5″]

[adrotate banner=”13″]