Free Republic
Browse · Search
News/Activism
Topics · Post Article

Skip to comments.

Justice: Hackers steal 40 million credit card numbers
CNN.Com ^ | 8/5/2008 | CNN

Posted on 08/05/2008 4:48:54 PM PDT by F15Eagle

(CNN) -- Eleven people were indicted Tuesday for allegedly stealing more than 40 million credit and debit card numbers, federal authorities said.

The indictments, which alleged that at least nine major U.S. retailers were hacked, were unsealed Tuesday in Boston, Massachusetts, and San Diego, California, prosecutors said.

It is believed to be the largest hacking case that the Justice Department has ever tried to prosecute.

Three of the defendants are from the United States; three are from Estonia; three are from Ukraine, two are from China and one is from Belarus.

The remaining individual is known only by an alias and authorities do not know where that person is.

Under the indictments, three Miami, Florida, men -- Albert "Segvec" Gonzalez, Christopher Scott and Damon Patrick Toey -- are accused of hacking into the wireless computer networks of retailers including TJX Companies, whose stores include Marshall's and T.J. Maxx, BJ's Wholesale Club, OfficeMax, Barnes and Noble and Sports Authority, among others.

The three men installed "sniffer" programs designed to capture credit card numbers, passwords and account information as they moved through the retailers' card processing networks, said Michael Sullivan, the U.S. attorney in Boston.

(Excerpt) Read more at cnn.com ...


TOPICS: Front Page News; News/Current Events
KEYWORDS: credit; crime; doj; fraud; hackers; identitytheft; idtheft; mastercard; retail; visa

1 posted on 08/05/2008 4:48:55 PM PDT by F15Eagle
[ Post Reply | Private Reply | View Replies]

To: F15Eagle
Great! I better check my credit card statements.

FuzzySnake.com

2 posted on 08/05/2008 4:50:19 PM PDT by GaryLee1990 (www.FuzzySnake.com)
[ Post Reply | Private Reply | To 1 | View Replies]

To: GaryLee1990

Probably too late. Better off getting new cards for anything you used at those stores.


3 posted on 08/05/2008 4:55:34 PM PDT by driftdiver (No More Obama - The corruption hasn’t changed despite all our hopes.)
[ Post Reply | Private Reply | To 2 | View Replies]

To: F15Eagle
Under the indictments, three Miami, Florida, men -- Albert "Segvec" Gonzalez, Christopher Scott and Damon Patrick Toey -- are accused of hacking into the wireless computer networks of retailers including TJX Companies, whose stores include Marshall's and T.J. Maxx, BJ's Wholesale Club, OfficeMax, Barnes and Noble and Sports Authority, among others. The three men installed "sniffer" programs designed to capture credit card numbers, passwords and account information as they moved through the retailers' card processing networks,

It sounds like the retailers were broadcasting credit card numbers in-the-clear.

There is a thing called encryption that could help.

4 posted on 08/05/2008 4:58:37 PM PDT by HAL9000 ("No one made you run for president, girl."- Bill Clinton)
[ Post Reply | Private Reply | To 1 | View Replies]

To: F15Eagle
My bank contacted me a couple of months ago early one weekend morning to inquire about a suspicious charge on my debit card. It was for a small amount, roughly $3.29. We immediately locked the card, and I received a new one within a few days.

The bank indicated these small charges are often phishing for an active account, then they sell/use the card number to clean it out.

5 posted on 08/05/2008 5:12:39 PM PDT by NautiNurse (Plants are people too)
[ Post Reply | Private Reply | To 1 | View Replies]

To: F15Eagle

How about indicting the retailers for keeping personal information in places readily accessible by a hacker in the first place. Idiots. There is no excuse for it.


6 posted on 08/05/2008 5:16:55 PM PDT by AndyJackson
[ Post Reply | Private Reply | To 1 | View Replies]

To: F15Eagle
Unless the bank has a document with my signature on it, my response is...

"Oops! Looks like you folks got scammed by an imposter. Might wanna be more careful next time somebody pretends to be one of your customers. That way you won't be losing your money to con men."
7 posted on 08/05/2008 5:19:09 PM PDT by LearsFool ("Thou shouldst not have been old, till thou hadst been wise.")
[ Post Reply | Private Reply | To 1 | View Replies]

To: HAL9000
There is a thing called encryption that could help.

Firewalls and data bases that can only be accessed from certain internal accounts. Encryption and secure passwords. Block all mass data requests accept from a local administrative account. Etc. etc. Such data should be buried so deep no one could get it.

8 posted on 08/05/2008 5:19:49 PM PDT by AndyJackson
[ Post Reply | Private Reply | To 4 | View Replies]

To: F15Eagle

These a-holes are too lazy to run wire to the cash registers and too lazy to secure their WIFI.

The Execs should be held personally liable.

I hope they all go out of business. They will never get any of mine again.


9 posted on 08/05/2008 5:20:11 PM PDT by ImJustAnotherOkie
[ Post Reply | Private Reply | To 1 | View Replies]

To: AndyJackson

I don’t know enough about the technology or the case to comment intelligently, but it certainly sounds like piss poor security was the cause. Especially considering that no other chain has had this problem.


10 posted on 08/05/2008 5:23:11 PM PDT by Lonesome in Massachussets (His Negritude has made his negritude the central theme of this campaign)
[ Post Reply | Private Reply | To 8 | View Replies]

To: ImJustAnotherOkie
These a-holes are too lazy to run wire to the cash registers and too lazy to secure their WIFI.

I was in a computer store (national chain) while a friend was checking out new printers. I was examining one of the demo laptop WIFI capable computers and realized it had an active WIFI signal. The wireless router was a commercial off the shelf brand like the one I have at home. The password was still set a the default, and in less than 5 minutes I was all over the store network, including the Point of Sales network. I convinced my friend he didn't need to spend his money at a store where they can't even use minimal security measures on their own network.

- Traveler

11 posted on 08/05/2008 6:38:54 PM PDT by Traveler59 (Truth is a journey, not a destination.)
[ Post Reply | Private Reply | To 9 | View Replies]

To: F15Eagle
This all happened in 2006. Our credit cards were part of the group that were stolen, and as soon as our Credit Union found out, they re-issued new cards to its members. We haven't had any more problems in the last couple of years, so that's good.

I can't believe this is just now coming up for indictments!

12 posted on 08/05/2008 7:15:29 PM PDT by SuziQ
[ Post Reply | Private Reply | To 1 | View Replies]

To: F15Eagle
Three of the defendants are from the United States; three are from Estonia; three are from Ukraine, two are from China and one is from Belarus.

And the majority of the countries "represented" take very few steps to investigate such hacking and fraud (other than the US).

13 posted on 08/05/2008 7:21:17 PM PDT by TheBattman (Vote your conscience, or don't complain about RINOs!)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Lonesome in Massachussets

In general, your correct. But anything can be broken into. I get new cards every year and pay close attention to the detail in each months statement. It’s a necessity these days. On another related topic, careful of your local or regional bank. ‘Kiting’ is becoming a lot more common practice. I just went through this with my bank. They kited for a week off a payroll check drawn from my business account at the SAME bank. Every check I wrote for a week was considered ‘bounced’ by the bank and charged $40 each item and but the bank extended the ‘loan’ to me as a courtesy. How nice of them. Now I can go spend an hour with a dolt at the bank to recover $240 dollars of charges. Thieves comes in all shapes and sizes, some desperate and some just clever, watch your back in the digital world of ‘credits’.


14 posted on 08/05/2008 7:40:45 PM PDT by iThinkBig
[ Post Reply | Private Reply | To 10 | View Replies]

To: NautiNurse

My bank told me that it was far easier and cheaper for them to issue you a new card if you thought that yours was compromised, than to wait and see if some charges showed up that weren’t yours as proof. Then they had the mess of prosecuting the ID theft and absorbing the costs.


15 posted on 08/05/2008 7:45:26 PM PDT by metmom (Welfare was never meant to be a career choice.)
[ Post Reply | Private Reply | To 5 | View Replies]

To: SuziQ

That’s good to know. About that long ago, our bank told us that our credit card number was part of an ID theft and even though we never had any problems, they issued us a new card. It was easier for them than the mess if we kept the old number and it got used by the crooks.


16 posted on 08/05/2008 7:48:34 PM PDT by metmom (Welfare was never meant to be a career choice.)
[ Post Reply | Private Reply | To 12 | View Replies]

To: iThinkBig

What’s *kiting*?


17 posted on 08/05/2008 7:49:49 PM PDT by metmom (Welfare was never meant to be a career choice.)
[ Post Reply | Private Reply | To 14 | View Replies]

To: Hyzenthlay; evilrightwingconspirator

ping


18 posted on 08/05/2008 7:50:54 PM PDT by metmom (Welfare was never meant to be a career choice.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: AndyJackson
The “sniffers” reside parallel to the data stream and clone the account information while the transaction is taking place. Visa and Mastercard have rigorous security requirements requiring third party verification of security in any vendor systems that maintain credit card information. That may not do much for the emotional pain of people who lost their account information but at least somebody will pay dearly. Visa, Mastercard, and the issuing banks should cover any fraud related charges up front and then likely go after the businesses if their systems weren't up to snuff.
19 posted on 08/05/2008 7:56:23 PM PDT by kitchen (Any day without a fair tax thread is a good day.)
[ Post Reply | Private Reply | To 6 | View Replies]

To: F15Eagle

Because it’s so easy for hackers to do this. Companies really don’t do a good job of securing their wireless networks. I’m glad I don’t have a credit card and I don’t want one either.


20 posted on 08/05/2008 7:59:15 PM PDT by Force of Truth (Legalize the Constitution::::The power to tax is the power to kill.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: GaryLee1990

My question is: why aren’t credit card companies pulling out of these store chains if they won’t protect the card info?


21 posted on 08/05/2008 8:01:03 PM PDT by aimhigh
[ Post Reply | Private Reply | To 2 | View Replies]

To: F15Eagle

Having worked software for many years, NONE of the copmanies I have worked with have ever encrypted the credit card numbers. Those numbers are available to anyone with system access and there is rarely any restrictions on who gets that. They give out full access to all software developers, testers, systems admins, managers, etc. Everyone has access.


22 posted on 08/05/2008 8:01:46 PM PDT by CodeToad
[ Post Reply | Private Reply | To 1 | View Replies]

To: ImJustAnotherOkie
I hope they all go out of business. They will never get any of mine again.

No, congress will probably use more honest taxpayer money to bail them out too.

23 posted on 08/05/2008 8:05:37 PM PDT by Force of Truth (Legalize the Constitution::::The power to tax is the power to kill.)
[ Post Reply | Private Reply | To 9 | View Replies]

To: SuziQ
I can't believe this is just now coming up for indictments!

The wheels of Justice turn, uh... slowly. :-)

24 posted on 08/05/2008 8:13:27 PM PDT by Ramius (Personally, I give us... one chance in three. More tea?)
[ Post Reply | Private Reply | To 12 | View Replies]

To: metmom

It is the practice of a bank holding your deposit for XXX number of days. That is a legal right for a bank to do this but it is VERY bad business practice, especially when it is a simple matter of transferring from one account to the other (my business account in the form of a payroll check to my personal checking account). I have already set-up an account with TD North and after these charges are cleared will move all my business away. They are losing a very nice business and consumer.

The bank that did this was Citizens. I enjoyed working with Citizens up until about a year ago when the credit crisis started. An underwriter for Citizens regional banking was kind enough last July to ask me if I knew the difference between a credit crisis and an insolvency crisis. As a CEO, I had to pause for about twenty second to think about this while I was on the phone with him. I planned accordingly for this economy.


25 posted on 08/05/2008 8:15:12 PM PDT by iThinkBig
[ Post Reply | Private Reply | To 17 | View Replies]

To: HAL9000
It sounds like the retailers were broadcasting credit card numbers in-the-clear. [...] There is a thing called encryption that could help.

Not too many companies encrypt on their local wired LAN. Physical security of the LAN is more effective and encryption puts a huge amount of overhead on the system. Plus... If you got bad guys inside the fence you've got way bigger problems. These guys had ownership of machines. Encryption wouldn't have fixed it.

Sounds to me like they got somebody inside.

26 posted on 08/05/2008 8:21:11 PM PDT by Ramius (Personally, I give us... one chance in three. More tea?)
[ Post Reply | Private Reply | To 4 | View Replies]

To: aimhigh
My question is: why aren’t credit card companies pulling out of these store chains if they won’t protect the card info?

You're kidding, right? What do you think the ratio of valid sales revenue to fraudulent charges is? Please... they're not going to cut off an arm for the wart on a finger.

27 posted on 08/05/2008 8:26:18 PM PDT by Ramius (Personally, I give us... one chance in three. More tea?)
[ Post Reply | Private Reply | To 21 | View Replies]

To: NautiNurse
The bank indicated these small charges are often phishing for an active account, then they sell/use the card number to clean it out.

Correct, but there are also random number generators that pop out 16 and 17 digit blocks that are then proffered in payment for low dollar items. Transactions below a certain level receive minimal or no review as long as the number is valid. If they work then it's off to the races.

A couple years ago I had a call from an issuer asking if I was buying construction steel in Australia. There was also a 5 or 10 dollar purchase the day before somewhere else in the world. The account was closed, charges cleared, and I got a new card in a few days.

Last month I got a call from another issuer asking if I was trying to buy $600 in electronics from "XYZ" company in the last few minutes. "No." ... "Then how about these other charges the day before?" ... "Not them either." The account was blocked right then. While on the phone the thief tried another transaction that was naturally declined. Funny thing was that my business has a business relationship with XYZ. I called them and they provided what information was still in their system, including the thief's ISP and dotted quad. If I had paid more attention in cracker class I would have fried the SOB. As it was I passed it on to the card issuer's fraud department. You would have thought I was Father Christmas. Hopefully somebody is dangling by their p** p** over a slow fire.

28 posted on 08/05/2008 8:30:47 PM PDT by kitchen (Any day without a fair tax thread is a good day.)
[ Post Reply | Private Reply | To 5 | View Replies]

To: F15Eagle

This area of computer/credit card security is known as PCI (Payment Card Industry) Standards. It is a rather recent measure that was, in part, necessitated by problems at TJX, the company that was hacked - big time.

Basically payment card data should not be transmitted in clear text in an open, public network. In addition, data cannot be stored on disk in clear text. There are lots of other administrative requirements to ensure that the payment card data is secure. For instance, the following data CANNOT be stored by the merchant: full mag stripe data, CVC2/CVV2/CID (the 3 digit number on the back of the card), and PIN numbers.

If you’re a geek and really want to know the details, they can be found here:
http://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf


29 posted on 08/05/2008 8:42:35 PM PDT by vamoose
[ Post Reply | Private Reply | To 1 | View Replies]

To: metmom
My bank told me that it was far easier and cheaper for them to issue you a new card if you thought that yours was compromised

I don't understand why your bank talks to you about my cards. Very strange.

30 posted on 08/05/2008 8:55:14 PM PDT by NautiNurse (Plants are people too)
[ Post Reply | Private Reply | To 15 | View Replies]

To: kitchen

Scary stuff in this nearly cashless society.


31 posted on 08/05/2008 8:59:03 PM PDT by NautiNurse (Plants are people too)
[ Post Reply | Private Reply | To 28 | View Replies]

To: F15Eagle

bump


32 posted on 08/06/2008 12:20:52 AM PDT by AnimalLover ( ((Are there special rules and regulations for the big guys?)))
[ Post Reply | Private Reply | To 1 | View Replies]

To: Ramius

Ain’t THAT the truth!


33 posted on 08/06/2008 10:49:56 AM PDT by SuziQ
[ Post Reply | Private Reply | To 24 | View Replies]

To: NautiNurse

They’re really nice people. Very friendly and helpful.


34 posted on 08/06/2008 1:06:58 PM PDT by metmom (Welfare was never meant to be a career choice.)
[ Post Reply | Private Reply | To 30 | View Replies]

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.

Free Republic
Browse · Search
News/Activism
Topics · Post Article

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson