Heartland Breached Again?

Austin, Texas local news reports the police department has named Heartland in a payment card breach at Tino’s Greek Cafe.

“Through our investigation and through the investigation of the credit card companies, we’ve determined the compromise was not at the restaurant itself. It was somewhere in the network,” APD Sgt. Matthew Greer said. APD said a computer hack at Heartland Payment Systems, where the payments were processed, is a possible source of the problem.

Possible source. Not very encouraging. This has left the door open for Heartland to register disbelief and uncertainty.

“Recent reports of data theft at one Austin-area merchant clearly point to a localized intrusion initiated within the stores, either in their point-of-sale system or as a result of other fraud,” Heartland Payment Systems said in a statement.

So this time (or should I say so far) Heartland has not pointed the finger at auditors and QSAs or other payment card processing companies for leaving them in the dark. Quick flashback: Heartland’s CEO last year gave an odd reason for being breached.

The false [PCI DSS] reports we got for 6 years, we have no recourse. No grounds for litigation. That was a stunning thing to learn. In fairness to QSAs, their job is very difficult, but up until this point, we certainly didn’t understand the limitations of PCI and the entire assessment process.

PCI compliance never meant an entity could not be breached. A CEO can say he was misled, or misinformed, but it is not the QSA’s responsibility to make sure that CEO knows the rules.

The Heartland CEO is, in effect, saying that a citizen should rely on a police officer to know the driving laws, and that if they crash they should be able to sue their driving test examiner. That is not how compliance works.

Complicating Heartland’s position is another recent Austin retail payment card breach, which also used them as a processor. Their image in the public eye is not exactly one of security, so the burden should be on them to prove that a “localized” incident actually removes them from the fix.

As it happens the fix reported in the news makes Heartland appear more involved, not less. The police say the breach came from a weak link between the point-of-sale and the processor. The fix is to stop sending Heartland payment information over the Internet — processing is done over plain old telephone service (POTS) again. An architecture change such as this is usually not the response to a localized flaw. Other retailers who connect to Heartland over the Internet might be asking themselves if they should dust off their modems.

One might think that Heartland’s recent efforts with end-to-end encryption would play directly into this issue and they would step up and wave their giant hand over the tiny merchant to make the problem go away. Instead they take a tough negotiation stance that angers the merchant.

Heartland issued a statement denying any involvement in the Tino’s breach, saying the problems, “clearly point to a localized intrusion initiated within the stores, either in their point-of-sale system or as a result of other fraud…the company is unaware of any broader issue.”

“I think that’s very irresponsible of them to issue a statement like that,” said [Tino’s restaurant co-owner] Nouri.

It might not be a broader issue, just a misconfiguration or flaw in communications security, but that still implicates Heartland. They do seem responsible.

When they use words like “unaware”, it reminds me of when I presented in November 2005 at the Retail Security Forum in Chicago, Illinois a model for end-to-end encryption that would solve the problem described above. It was called “Manage Identities and Keys for the Retail Risk Model”. In fact, it described exactly a solution for what Heartland’s CEO started to discuss publicly three years later (after the Hannaford Brothers breach) and their CIO started talking about four years later.

True end-to-end encryption to us, and what we’re putting forward as the standard, [starts] from the time the digits leave the magstripe on the consumer’s card, and is turned from analogue data into digital data, [and continues] all the way through the terminal, through the wires, through our host processing network until we securely deliver it to the brands. That’s end-to-end encryption.

They do seem aware of the broader issue. Whether or not this breach turns out to be on the point of sale or the network, I hope the APD will be able to push Heartland towards more awareness and accountability and get them to drop the “unaware” defensive line.

MyParents on MySpace

This seems like a nice idea: better parents would make kids safer online.

This astonished me. Here I was, only 23 and childless, and I was telling adults how to parent their teen! At that point I realized the awful truth: lots of people just don’t know how to raise their kids.

The same situation holds true for MySpace. The company can hire all the security officers it wants, and it could replace every ad with a flashing banner that says “DO NOT TRUST RANDOM STRANGERS!!!”, and send fliers to every parent in America … and bad things would still happen to kids connected to MySpace. A lot of parents aren’t very good at parenting, and part of being a teenager is saying and doing stupid things (I’m example number one for that particular precept), trying to socialize as much as possible, and worrying at the same time about your hair and your weight and your zits and your clothes.

It is a story from 2006. The MySpace reference might have given it away. Remember how 2006 was full of stories about the need for better parenting and education of parents?

Symantec marketing published a product press release. Politicians in America rattled ideas around on the hill. Microsoft released a guide in 2006 that was last updated in 2008 (a dead link in 2019, try this instead). You can blame me (at least partially) for the https://security.yahoo.com/ site. The result?

That was then. If the goal was to make parents better, I do not think the mission succeeded. Educating parents about threats and vulnerabilities has not generated a market for better parenting skills and education tools but rather fueled demand for surveillance. That is probably because a lot of the parenting lists include phrases like “supervise and monitor”.

Kids who are growing up today are less likely to be able to benefit from a hypothetical “if only your parents were better” discussion and more likely to be faced with a barrage of parental surveillance controls. In other words, they are being raised not so much to be informed about choices as to live with the presence of perimeters and monitoring controls. I suppose this is not much different from before (e.g. learning to sneak out the bedroom window), but it is interesting to me how the discussion has chilled and changed since 2006; not many progress reports are to be found.

Tea Authenticity

A video on EuroNews says there is a process called “geographical provincing” that detects an element signature of plants — identifies the dirt where it was grown.

Apparently this type of research is being done (funded?) to trace drugs like heroin and marijuana. Science Daily has a detailed story on how this started and the goals of law enforcement — police in Alaska wanted to see if they could prove that marijuana seized in raids was grown at lower latitudes, and to see if they could defeat a “grown for personal use” argument.

The drug issues are interesting, but the title and script of the EuroNews video raise a whole new debate. It suggests that someone is thinking about using these signatures for other types of plants. They give the example of Darjeeling Tea, for which at least three times as much tea is labeled Darjeeling as is actually grown.

Almost 40 million kg is sold as “Darjeeling Tea” when the actual production capacity is just 10 million. Most of this tea comes from Sri Lanka and Kenya, and in an effort to stop this market a logotype is developed. Some of the fake tea is called Lanka Darjeeling or Hamburg Darjeeling, but most of the time it’s called Pure Darjeeling.

Is there demand for authenticity? Most people eat unauthentic meals without worry. Consider Wisconsin cheddar in America. Cheddar is the name of a village in England where the cheese is supposed to be from. Courts have ruled, however, that the name is now generic due to use by imitators, so you can basically call anything you want a cheddar. Feta cheese, which has been far less copied, can keep its protected status. With this in mind, it turns out that America has formally opposed the use of geographical indicators:

The stakes for the United States are high not only because of the potential loss of generic names, but also because the country uses certain marks–under U.S. trademark law–to protect geographical indications. U.S. agricultural product exports are potentially threatened because U.S. certification marks would not be protected. GI protection would take precedence over certification marks, as indicated in the EU proposal.

Harm from loss of generic names? Wine and Spirits, under Article 23 of TRIPS from the WTO, seems to be the only category supported by the US but even that is not safe, as I have written before here and here. Budweiser, for example, was a name copied from a company in the Czech Republic that used it for five hundred years before America even existed.

Thus, while element signatures and authenticity of a product sound great for consumers, they probably will be tied up in a complicated international legal battle over generics and imitations. It could be fun to imagine tea kettles that would test and only brew authentic leaves, or coffee pots that would alarm on unauthentic grounds (pun not intended), but history says the market will drive more innovation in imitation rather than warm up to tools that detect what is “real”. Maybe if they marketed it as a tool to detect what is safe? Nobody wants a potato from Chernobyl soil. Then again, it might make more sense just to detect contaminants instead of geographic location.

Nairobi Motorbike Boys

Interesting look at the economics of security: Nairobi’s motorbike boys improving their own slum

“Sometimes I use these bikes when I’m late from work, because the road is not safe at night,” one passenger said. “So these bikes really help us a lot!”

The irony is, the Dirt Island’s motorbike taxi service is being run by precisely the kind of young men who might have menaced their passengers in the past. Many of the motorbike boys were once offenders.