Justice: Hackers steal 40 million credit card numbers
Posted on 08/05/2008 4:48:54 PM PDT by F15Eagle
(CNN) -- Eleven people were indicted Tuesday for allegedly stealing more than 40 million credit and debit card numbers, federal authorities said.
The indictments, which alleged that at least nine major U.S. retailers were hacked, were unsealed Tuesday in Boston, Massachusetts, and San Diego, California, prosecutors said.
It is believed to be the largest hacking case that the Justice Department has ever tried to prosecute.
Three of the defendants are from the United States; three are from Estonia; three are from Ukraine, two are from China and one is from Belarus.
The remaining individual is known only by an alias and authorities do not know where that person is.
Under the indictments, three Miami, Florida, men -- Albert "Segvec" Gonzalez, Christopher Scott and Damon Patrick Toey -- are accused of hacking into the wireless computer networks of retailers including TJX Companies, whose stores include Marshall's and T.J. Maxx, BJ's Wholesale Club, OfficeMax, Barnes and Noble and Sports Authority, among others.
The three men installed "sniffer" programs designed to capture credit card numbers, passwords and account information as they moved through the retailers' card processing networks, said Michael Sullivan, the U.S. attorney in Boston.
(Excerpt) Read more at cnn.com ...
Probably too late. Better off getting new cards for anything you used at those stores.
It sounds like the retailers were broadcasting credit card numbers in-the-clear.
There is a thing called encryption that could help.
The bank indicated these small charges are often phishing for an active account, then they sell/use the card number to clean it out.
How about indicting the retailers for keeping personal information in places readily accessible by a hacker in the first place. Idiots. There is no excuse for it.
Firewalls and databases that can only be accessed from certain internal accounts. Encryption and secure passwords. Block all mass data requests except from a local administrative account. Etc. etc. Such data should be buried so deep no one could get it.
These a-holes are too lazy to run wire to the cash registers and too lazy to secure their WIFI.
The Execs should be held personally liable.
I hope they all go out of business. They will never get any of mine again.
I don’t know enough about the technology or the case to comment intelligently, but it certainly sounds like piss poor security was the cause. Especially considering that no other chain has had this problem.
I was in a computer store (national chain) while a friend was checking out new printers. I was examining one of the demo laptop WIFI capable computers and realized it had an active WIFI signal. The wireless router was a commercial off the shelf brand like the one I have at home. The password was still set at the default, and in less than 5 minutes I was all over the store network, including the Point of Sales network. I convinced my friend he didn't need to spend his money at a store where they can't even use minimal security measures on their own network.
I can't believe this is just now coming up for indictments!
And the majority of the countries "represented" take very few steps to investigate such hacking and fraud (other than the US).
In general, you’re correct. But anything can be broken into. I get new cards every year and pay close attention to the detail in each month’s statement. It’s a necessity these days. On another related topic, careful of your local or regional bank. ‘Kiting’ is becoming a lot more common practice. I just went through this with my bank. They kited for a week off a payroll check drawn from my business account at the SAME bank. Every check I wrote for a week was considered ‘bounced’ by the bank and charged $40 each item, but the bank extended the ‘loan’ to me as a courtesy. How nice of them. Now I can go spend an hour with a dolt at the bank to recover $240 dollars of charges. Thieves come in all shapes and sizes, some desperate and some just clever, watch your back in the digital world of ‘credits’.
My bank told me that it was far easier and cheaper for them to issue you a new card if you thought that yours was compromised, than to wait and see if some charges showed up that weren’t yours as proof. Then they had the mess of prosecuting the ID theft and absorbing the costs.
That’s good to know. About that long ago, our bank told us that our credit card number was part of an ID theft and even though we never had any problems, they issued us a new card. It was easier for them than the mess if we kept the old number and it got used by the crooks.
Because it’s so easy for hackers to do this. Companies really don’t do a good job of securing their wireless networks. I’m glad I don’t have a credit card and I don’t want one either.
My question is: why aren’t credit card companies pulling out of these store chains if they won’t protect the card info?
Having worked software for many years, NONE of the companies I have worked with have ever encrypted the credit card numbers. Those numbers are available to anyone with system access and there are rarely any restrictions on who gets that. They give out full access to all software developers, testers, systems admins, managers, etc. Everyone has access.
No, congress will probably use more honest taxpayer money to bail them out too.
The wheels of Justice turn, uh... slowly. :-)
It is the practice of a bank holding your deposit for XXX number of days. That is a legal right for a bank to do this but it is VERY bad business practice, especially when it is a simple matter of transferring from one account to the other (my business account in the form of a payroll check to my personal checking account). I have already set up an account with TD North and after these charges are cleared will move all my business away. They are losing a very nice business and consumer.
The bank that did this was Citizens. I enjoyed working with Citizens up until about a year ago when the credit crisis started. An underwriter for Citizens regional banking was kind enough last July to ask me if I knew the difference between a credit crisis and an insolvency crisis. As a CEO, I had to pause for about twenty seconds to think about this while I was on the phone with him. I planned accordingly for this economy.
Not too many companies encrypt on their local wired LAN. Physical security of the LAN is more effective and encryption puts a huge amount of overhead on the system. Plus... If you got bad guys inside the fence you've got way bigger problems. These guys had ownership of machines. Encryption wouldn't have fixed it.
Sounds to me like they got somebody inside.
You're kidding, right? What do you think the ratio of valid sales revenue to fraudulent charges is? Please... they're not going to cut off an arm for the wart on a finger.
Correct, but there are also random number generators that pop out 16 and 17 digit blocks that are then proffered in payment for low dollar items. Transactions below a certain level receive minimal or no review as long as the number is valid. If they work then it's off to the races.
A couple years ago I had a call from an issuer asking if I was buying construction steel in Australia. There was also a 5 or 10 dollar purchase the day before somewhere else in the world. The account was closed, charges cleared, and I got a new card in a few days.
Last month I got a call from another issuer asking if I was trying to buy $600 in electronics from "XYZ" company in the last few minutes. "No." ... "Then how about these other charges the day before?" ... "Not them either." The account was blocked right then. While on the phone the thief tried another transaction that was naturally declined. Funny thing was that my business has a business relationship with XYZ. I called them and they provided what information was still in their system, including the thief's ISP and dotted quad. If I had paid more attention in cracker class I would have fried the SOB. As it was I passed it on to the card issuer's fraud department. You would have thought I was Father Christmas. Hopefully somebody is dangling by their p** p** over a slow fire.
This area of computer/credit card security is known as PCI (Payment Card Industry) Standards. It is a rather recent measure that was, in part, necessitated by problems at TJX, the company that was hacked - big time.
Basically payment card data should not be transmitted in clear text in an open, public network. In addition, data cannot be stored on disk in clear text. There are lots of other administrative requirements to ensure that the payment card data is secure. For instance, the following data CANNOT be stored by the merchant: full mag stripe data, CVC2/CVV2/CID (the 3 digit number on the back of the card), and PIN numbers.
If you’re a geek and really want to know the details, they can be found here:
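The storage rules listed in the comment above (no mag stripe data, no CVC2/CVV2/CID, no PIN, no clear-text card numbers on disk), sketched as an added example that is not part of the original thread or of any retailer's code. The field names, the sample record and the choice of truncation (first six and last four digits kept) as the way to avoid clear-text storage are assumptions.

```python
import re

# Added example, not from the thread. Field names are assumptions.
# Data the comment says a merchant may never store:
PROHIBITED_FIELDS = {"track1", "track2", "cvv2", "cvc2", "cid", "pin"}
# 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 2 layout: ;PAN=YYMM + service code + discretionary data + ?
TRACK2_RE = re.compile(r";\d{13,19}=\d{7}\d*\?")

# Constructed sample record; 4111... is a well-known test number.
SAMPLE = {"order_id": 1001, "pan": "4111 1111 1111 1111", "CVV2": "123",
          "track2": ";4111111111111111=25121010000000000?",
          "note": "ref 1234567890123456, swipe ;4111111111111111=2512101000?"}

def luhn_ok(digits):
    """Luhn checksum, used to skip digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def scrub_text(text):
    """Remove track data and truncate PANs in free text; return (text, findings)."""
    findings = []
    def drop_track(match):
        findings.append("track2")
        return "[TRACK2 REMOVED]"
    def truncate_pan(match):
        digits = re.sub(r"\D", "", match.group())
        if not luhn_ok(digits):
            return match.group()
        findings.append("pan")
        return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
    text = TRACK2_RE.sub(drop_track, text)
    return PAN_RE.sub(truncate_pan, text), findings

def sanitize_record(record):
    """Drop prohibited fields and scrub string values before the record is stored."""
    clean, findings = {}, []
    for key, value in record.items():
        if key.lower() in PROHIBITED_FIELDS:
            findings.append("dropped:" + key)
            continue
        if isinstance(value, str):
            value, found = scrub_text(value)
            findings += [f + ":" + key for f in found]
        clean[key] = value
    return clean, findings
```

The findings list is what a storage layer or log pipeline would alert on: any entry means sensitive data reached a point where it was about to be written.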
I don't understand why your bank talks to you about my cards. Very strange.
Scary stuff in this nearly cashless society.
Ain’t THAT the truth!
They’re really nice people. Very friendly and helpful.