We shouldn’t be surprised. Albert Gonzalez didn’t stick those 130 million numbers in his pocket and wait for the Feds to break down his door with an arrest warrant. He sold the numbers- probably all 130 million of them. They’re still out there and I’m willing to bet that, now that the heat on Gonzales has cooled a bit, those in possession of the information will start to use it.

And I’m not just picking on Heartland. TJX Companies, BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority and Dave & Buster’s were all in the similar time frame and Gonzalez had a hand in all of them. All told, we’re looking at somewhere over 170 million at-risk or exposed accounts. The population of the US is about 308 million so it wouldn’t be too far fetched to say that almost half the population was exposed.

They are still out there, fellow merchants, and the fallout has probably just started.

Be careful, and if you need to learn how to protect yourself, have a look at our webinarSimilar Posts:

• Anther data breach victim identified
• 300 Banks, 3 Arrests, and the Saga Continues
• Anther data breach victim Part 2
• More on the Heartland Breach
• The Latest on the Data Breaches

I put the full blog post over on the Cardholder911 site because it looks like, in this case, it’s going to be the card holder and not the merchant that’s left holding the (empty) bag.

If you’re in the USA, you probably don’t have one of these yet but you can bet that it won’t be long. You should probably read the post.Similar Posts:

• Chip and PIN Fraud
• Chip and PIN, terrorism, and boy are we in trouble
• Real Time Keylogging
• Card Companies Insecure About Security
• Smart Card will “Totally Eliminate Identity Theft”

A webinar by Tom Mahoney, Founder and CEO of Merchant911
and Peter Goldmann, MSc., CFE, President of White Collar Crime 101

Attention E-commerce Merchants, Issuers, Acquirers
and Processors:
Get The Tools You Need To Protect Against The Ruthless Army Of On-Line Fraudsters
Out To Get You.

Preventing E-Commerce Credit Card Fraud is the first Webinar training
program designed to help you navigate the fraud-infested minefield of on-line
credit card commerce. This 75-minute Webinar cover will cover the critical
aspects of the growing on-line credit card fraud threat:

* Who the E-Commerce "fraudsters" are and how they steal
your money
* How to spot the tell-tale signs of fraudulent E-Commerce transactions—before
it’s too late
* Fraud prevention secrets the credit card companies don’t tell you
* Proven methods to verify suspicious Internet credit card orders
* How to prevent most fraudulent chargebacks and reverse those you can’t
* Best sources of up-to-the-minute fraud prevention information

Your Presenters:
• Tom Mahoney, Founder and CEO, Merchant 911—the
only Web resource devoted exclusively to protecting E-merchants against credit
card fraud

• Peter Goldmann, MSc., CFE, President, White-Collar Crime
101, publishers of White-Collar Crime Fighter newsletter and providers
of FraudAware® detection, prevention and investigation training.

Date: March 31, 2010
Time: 11:00 AM – 12:15PM Eastern (GMT-5)
Cost: $65 (Early Bird Price: $50 before March 1, 2010)

Generous Group Discounts Available at Registration

Sign up now and receive two valuable FREE BONUSES
—
• FREE Exclusive Special Report, E-Commerce Credit
Card Fraud Insider
• FREE Merchant 911’s List of Useful Anti-Fraud
Information Sources

For additional details Click
Here:

Don’t Miss This Valuable Opportunity to Beat the Bad Guys
at Their Own Games!!

Similar Posts:

• iovation Partners with Merchant911 to Educate Online Retailers About Device-based Fraud Prevention Solutions
• The State of Merchant911
• E-commerce Merchants Beware
• Disposable Credit Card Numbers – Not All Bad
• Visa Pushes More Fraud Toward E-commerce

Please do some research before donating to ANY relief effort that appears to be set up specifically for aid to Haiti. There will be scammers out there setting up websites and sending out tens of thousands of spam email. These guys will get your money and your credit card information and use it to drain you of your hard-earned money.

If you want to make donations, stick with the Red Cross, known church-organized relief efforts and other reputable organizations. Please use extreme caution when making donations to Haiti relief.

In the last three hours, I have seen a couple of press releases saying that AT&T has set up a way to text message donations. I have confirmed this on the AT&T webisite.

Wireless customers of AT&T* (NYSE:T) can send $10 donations to the Red Cross International Relief Fund by typing the word HAITI and sending it to 90999 via text message from their mobile device. Standard text messaging rates may apply.

A confirmation message will arrive within a few minutes, to which the customer replies “yes” to finalize the donation.

100 percent of all money donated will be passed on to the Red Cross.

Also, there is some good advice here.

Cash often serves as the best donation. Slate.com notes, “First responders call the deluge of unsolicited goods they receive the ’second disaster,’ as shipping, sorting, storing and distributing the goods takes valuable staff time away from other necessary tasks.”

If I identify any suspected Haitian relief scams, I will attempt to verify them as legitimate and report the results here. I urge you to bookmark or subscribe to the RSS feed and check back. But don’t assume that if a relief effort you’re checking out isn’t here, that it’s a good one.

Also – please use the comments to report any relief effort that you suspect. We’ll do our best to check them out.

Update

Here is CNN’s list of recognized legitimate relief efforts.
Similar Posts:

• Credit Card Fraud as a Business
• Friendly Fraud on the Rise
• Symantec Issues Security Threat Report
• New twist on an old scam
• Street Level Credit Card Fraud

Probably not solar flares; at least that would be my guess. I suspect that the article at at the Open Security Foundation doesn’t think so either but they’ve done a good job of listing possible reasons. They mention better security, but don’t seem to analyze it much.

I’d admit that they can only analyze reported breaches. If they aren’t reported, we don’t know about them unless we have some insider information. I’d like to think that the number of breaches are really decreasing – but I can’t. I have to think it’s at least one of the Open Security Foundation’s possibilities.

Some of the article is meant to be humorous but it’s still a good read.Similar Posts:

• More ATM Hacks – A Disturbing Trend
• CardNet Hides Their Secrets
• Top Fraud Incidents of 2008
• More on the Heartland Breach
• Why Identity Theft is such a problem!

Small merchants are NOT immune to data breaches

What concerns me more about all the publicity surrounding this Gonzalez thing is that small merchants will look at the names of all the large retailers that were breached and think it can never happen to them. Wrong. It can. It does. The only reason we’re hearing so much about this one is the fact that they were large retailers and the perpetrator got caught. Don’t think for a minute that small merchants aren’t hacked. They are! But when they are, it won’t make any headlines. These are the hacks that the Secret Service, the FBI and even local law enforcement just don’t get involved with.

Albert Gonzalez is behind bars and may not be masterminding any more breaches for a while, but he wasn’t alone and he won’t be the last. And there’s a lot of small-time crooks out there with just as much know-how. We’re not going to see the end of data breaches any time soon and PCI compliance is an absolute must.

PCI compliance issues

Although we’ll probably never know for certain, most of the breached entities continue to argue that they were PCI compliant at the time of the on-going breaches. At the same time, the PCI Security Standards Council continues to argue that no compliant site has ever suffered a breach. One of them is wrong but one thing is clear; merchants had better be compliant. Being able to certify compliance is the only thing that might save a small merchant from certain death if a breach occurs. And if a merchant isn’t compliant by October, it’s certain death anyhow.

For those merchants that aren’t compliant, especially the small merchants that comprise 70% of Merchant911 members, the thought of getting there is daunting. That’s understandable but it doesn’t change the fact that all merchants must be compliant by October of 2010. You should be compliant already.
Similar Posts:

• Top Fraud Incidents of 2008
• The Last of the Heartland Breach
• Anther data breach victim identified
• The Hannaford Data Breach – It’s Unique
• Data Breach Double Talk Spin?

It’s certainly no secret that Albert Gonzalez is a bad guy. If you’ve followed his rather unsavory career, you know that back in September he plead guilty to major breaches of TJX Companies, BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority and Dave & Buster’s. According to court documents those breaches amounted to 170 Million credit cards. It’s believed that some of those long-lasting breaches occurred during the time he was an informant for the FBI.

Yesterday, on December 29, he plead guilty to breaches of transaction data from Heartland Payment Systems, Hannaford Brothers supermarket chain, 7-Eleven and “two unidentified companies.” That’s another 130 Million cards. The unidentified companies have been known about at least since the September guilty plea but have somehow managed to remain unidentified, thus avoiding a bit of bad publicity and state notification laws that didn’t seem to do much damage to the other companies.

Yesterday, one of the unidentified companies came out of the closet. Think concentric red and white circles; think Target. Of course Target is saying that Gonzalez and his cronies got relatively few numbers, if any. Personally, I doubt that. If they were able to suck data from Heartland for at least six months, they wouldn’t have much trouble with Target.

To put the Gonzalez capers in perspective, the population of the U.S. is in the neighborhood of 307.7 million. If we believe the news reports and the court documents, the breaches masterminded by Gonzalez got him 170 million card numbers That’s over 55% of the U.S. population.

The good news is that only a small portion of those cards has been used against merchants. The bad news is that only a small portion of those cards has been used against merchants. They are all still out there floating around the Internet at cheap prices. All 300 Million of them.

There’s two very major issues here that E-commerce merchants need to think about. I’ll discuss them in my next post so be sure to subscribe to the feed or follow on Twitter.

I’d like to know what you think. Click on the comment link below and tell me what you think are the implications to e-Commerce.

Similar Posts:

• Anther data breach victim Part 2
• Credit Card Data Breach at Heartland Payment Systems
• The Hannaford Data Breach – It’s Unique
• Top Fraud Incidents of 2008
• CardNet Hides Their Secrets

Complying with the PCI Data Security Standard may seem like a daunting task for merchants. This book is a quick guide to understanding how to protect cardholder data and comply with the requirements of PCI – from surveying the standard’s requirements to detailing steps for verifying compliance.

PCI Compliance for Dummies arms you with the facts, in plain English, and shows you how to achieve PCI Compliance. In this book you will discover:

Download this E-book for free while it’s still available!

This is a limited time offer from

Similar Posts:

• Merchants Struggle to Comply With PCI Security
• Version 1.2 of the PCI DSS is Official
• The Legal Implications, Risks and Problems of the PCI Data Security Standard
• Heartland PCI Compliance Revalidated
• Nevada says PCI is Law

Why did they bother? Members tell me there is good stuff in there. I get comments like:

… awesome resource for business owners and merchants.
Merchant Solutions

I spent weeks looking for the information you have here and still came up short
Drew – DigitaEye Designs

… awesome resource for business owners and merchants.
Merchant Solutions

We joined Merchant911 in 2003, and haven’t had a single charge back since we have followed their excellent tips, enabling us to negotiate lower fees from our payment service provider.
Martin-Pierre Frenette – President, Cablan.net

Of course, from the end of January until March, new memberships will surge when e-Commerce merchants are hit with the Holiday chargebacks. Sorry folks, you’re too late. You have to prevent fraud because if you’re the victim as a merchant, you loose. You have about a 10% chance of recovering what you lost. In 2008, merchants lost $4 Billion. That’s billion with a B.

It takes time to look through the member pages and use what’s there. I know, we’re all busy. Tell me about it! I hold a full time job as a network manager and I maintain Merchant911.org and Cardholder911.info in my “free” time. Now and then I also help out with my wife’s Brick and Mortar store and three on-line stores. I also have a family, although my wife sometimes wonders if I know that.

It’s your hard-earned money that’s at risk. If you are an on line merchant, don’t think about joining Merchant911, just do it while you’re here. And if you can find a cheaper than free resource let me know.Similar Posts:

• Still Another Attempt to Prevent Credit Card Fraud
• Chargeback Survey Results
• Friendly Fraud Isn’t!
• Merchant911 Celebrates 8 Years
• Disposable Credit Card Numbers – Not All Bad

I’m sure that more awareness and more extensive implementation of fraud screening has a lot to do with it. A service like IP Geo-location is one of the quickest and easiest fraud screening methods available and merchants are catching on. There’s also no doubt that the newest weapon against fraud, device reputation has had an impact.

Maybe, and hopefully, PCI compliance has had the biggest impact. I reported back in September that the payment industry is now forcing compliance on even the smallest merchants. I’d be willing to bet that almost every merchant, large and small, either is compliant or has gotten a notice that they have to be or they’ll be fined large sums.Like it or not, October is the cut-off date. PCI compliance can be expensive in terms of dollars and time, but I support it because I believe that if properly implemented it will reduce fraud and this year’s statistics seem to verify that.

But is the rate really down this year? Merchants, I’d like to hear your take on this so feel free to leave a comment!Similar Posts:

• Internet Crime Complaint Center Report is a Joke
• United States – Credit Card Fraud is about to increase
• Disposable Credit Card Numbers – Not All Bad
• “It’s worse than we thought”
• Chargeback Survey Results