
Hacking ring that made off with more than 40 million credit card numbers caught

A hacking ring found swiping more than 40 million credit and debit card numbers was caught Wednesday, in a stroke of good fortune that the U.S. Department of Justice is calling its largest hacking break ever.

The unnamed hacking ring’s resume is as impressive as it is devastating, with its 11 members accused of stealing card numbers from a wide variety of US retail stores, including OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21, Marshalls, and T.J. Maxx.

The group appears to be responsible for the massive data breach that began in 2005 against clothing retailers T.J. Maxx and Marshalls, as well as other stores owned by parent company TJX, that ended up costing close to $200 million in damages.

Group members, only three of whom are U.S. citizens, will appear before a Boston court facing a wide variety of charges, including conspiracy, computer intrusion, fraud, and identity theft.

Despite the Justice Department’s boasting, reports have described the security community’s response as muted, with researchers unimpressed by the group’s reportedly simple tactics – which consisted, mainly, of wardriving for networks with open wireless access points and security vulnerabilities, and exploiting those holes to install a packet sniffer that spies on transactions as they occur.

“It’s not rocket science,” says Department of Defense cybercrime investigator Jim Christy.

The issue of identity theft is so big, say researchers, that the group’s arrest is unlikely to make a dent in the overall “carding” scene. The size of their theft also likely contributed to the group’s capture, as attempting to offload 41 million card numbers is a considerably larger transaction – and a far more noticeable one – than typical trades, where quantities are usually in the thousands.

“It’s almost an embarrassment of riches – how do you move 41 million credit card numbers?” says Black Hat and DefCon hacker conference founder Jeff Moss. “That’s like trying to rob Fort Knox by yourself.”

Reports indicate that the group’s ringleader, Miami-based Albert Gonzalez, was formerly an informant for the U.S. Secret Service. The group’s other members hail from a “hodgepodge” of countries, including Estonia, Belarus, Ukraine, and China. Their composition is viewed as a snapshot of the larger carding community, much of which consists of groups from Eastern Europe.





Comments



hate retailers
By mdogs444 on 8/8/2008 8:39:53 AM , Rating: 4
quote:
accused of stealing card numbers from a wide variety of US retail stores, including OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21, Marshalls, and T.J. Maxx.


What I find interesting, is why is it legal for these companies to keep my personal credit card numbers on file? I can understand that certain things could happen - returns, unpaid balances to card companies, etc. But couldn't the card processors keep the numbers, and only provide the retailers with some sort of random number to correspond to the order/transaction?




RE: hate retailers
By Kenenniah on 8/8/2008 9:46:29 AM , Rating: 2
I know that a lot of companies do keep the numbers, however in the article that's not how the numbers were obtained.

quote:
and exploiting those holes to install a packet sniffer that spies on transactions as they occur


They captured the transactions as they occurred by sniffing, not by hacking the existing databases.


RE: hate retailers
By Domicinator on 8/8/2008 10:11:46 AM , Rating: 3
This makes me sick. Experts have known about this problem for years, and a lot of it started with places like TJ Maxx using the severely out of date WEP encryption to secure their data networks. People could literally sit in the parking lot of a TJ Maxx with a WEP cracking program and get whatever info they wanted. It's similar to the packet sniffing that hackers do in a coffee shop to read people's e-mail. These days, if you have the right software, it only takes a couple of minutes (if that) to crack WEP encryption.

The reason this has still been possible is because these big companies still aren't taking network security seriously enough and they don't want to spend the money to upgrade their networks. Ridiculous.


RE: hate retailers
By Kenenniah on 8/8/2008 10:57:06 AM , Rating: 4
Upgrading to WPA would help and wouldn't cost that much, however I wonder why they even need wireless at all. In a retail store setting, how hard is it to just use wired? If you want to have wireless for certain purposes, use segmented networks, wired for secure information and the wireless for other. There's no reason that credit card information would have to be transmitted on the wireless.


RE: hate retailers
By BioHazardous on 8/8/2008 10:01:58 AM , Rating: 4
I'm no expert on the matter, but didn't the article explain that it had nothing to do with these companies storing your credit card info?

I took the trouble to read the whole article instead of the first couple paragraphs and then jumping to conclusions.

quote:
with researchers unimpressed by the groups’ reportedly simple tactics – which consisted, mainly, of wardriving for networks with open wireless access points and security vulnerabilities, and exploiting those holes to install a packet sniffer that spies on transactions as they occur.


RE: hate retailers
By Ratinator on 8/8/2008 11:28:56 AM , Rating: 3
The fault still lies with the company as it is "their" network that is transmitting the information. Safeguards need to be in place to protect all data including that traversing your network. The responsibility even goes as far as data which may exist in memory.


RE: hate retailers
By Polynikes on 8/8/2008 10:55:04 AM , Rating: 2
quote:
But couldn't the card processors keep the numbers, and only provide the retailers with some sort of random number to correspond to the order/transaction?

Sure they could, but that would make sense. And cost more.


RE: hate retailers
By omnicronx on 8/8/2008 11:49:01 AM , Rating: 2
quote:
What I find interesting, is why is it legal for these companies to keep my personal credit card numbers on file?
They are not keeping your credit card on file, the 'hackers' are merely 'sniffing' or watching every transaction that goes through in real time, which could potentially give them access to any information in that transaction, this includes credit card information. Once the transaction is processed, they are no longer 'storing' your credit card information at the store level. Well.. probably not your whole number, they will keep the first or last (or possibly both) digits on file because it's part of the receipt.

What surprises me, is why on earth do these stores have wireless access points at all? The only perceivable reason I can think of is wireless debit machines. It's 100x more difficult to access this information if they actually had to be connected to the store LAN itself. Wireless is not secure, regardless of what setup you have, if it can be made, it can be hacked, and regardless of encryption it's much easier to access something when all you need to do is get within 100 feet of a store...


No pin-code?
By Clauzii on 8/8/2008 9:42:58 AM , Rating: 2
"Some credit and debit card numbers were sold on the Internet, and were "cashed out" by encoding the numbers on the magnetic strips of blank cards. "The defendants then used these cards to withdraw tens of thousands of dollars at a time from ATMs," authorities said."

So they burned those numbers to fresh, empty cards. But doesn't one need to know some access code to actually use it?




RE: No pin-code?
By TomZ on 8/8/2008 10:19:36 AM , Rating: 3
Makes me wonder if PINs are stored on the card itself. Last couple of times that I changed my PIN on an ATM card, I had to do it at the bank branch office, and they had me enter it on a special machine with a mag stripe reader. I remember thinking, I wonder if this thing is actually writing the PIN onto the mag stripe. From a security standpoint, this approach seems insane.


RE: No pin-code?
By Grast on 8/8/2008 11:20:10 AM , Rating: 2
The pin is not stored on the card. However since they were using an unsecure wireless network to transmit, the card number and pin were both sent unencrypted across an unsecure media.

The result is that not only did the crooks get your number. They also saw your pin. This is the reason why financial transaction data needs to be encrypted from source to destination.

Your average ATM uses that methodology. The pin pad and the card reader do not send information unencrypted. All of the data in an ATM request is encrypted. In fact, multiple levels of encryptions are used. The information is scanned or entered as the case may be and then transmitted to the destination encrypted.

In the end, the only ones at fault are the retail locations. I would remember the names of these retailers and pay only in cash.

Later...


RE: No pin-code?
By tedrodai on 8/11/2008 10:57:02 AM , Rating: 2
quote:
I would remember the names of these retailers and...


Shop elsewhere until they get their head screwed on straight.


Good catch
By Mithan on 8/8/2008 8:15:23 AM , Rating: 4
Now nail their balls to the wall.




Old News
By TomZ on 8/8/08, Rating: 0
RE: Old News
By Clauzii on 8/8/2008 9:32:04 AM , Rating: 2

Copyright 2016 DailyTech LLC.