Indictment of card hacker unlikely to end thefts

Aug 18, 2009 By JORDAN ROBERTSON , AP Technology Writer

(AP) -- This week's indictment of a hacker believed responsible for the biggest retail-store data breaches in U.S. history doesn't necessarily make shoppers safer from having their credit card numbers plundered.

Accomplices to the crimes are believed to be on the loose in Russia or other countries where U.S. authorities are less likely to get them. And the underlying security holes mined by the hackers still exist in many payment networks.

Albert Gonzalez, a Miami hacker who once worked as a government mole tracking down identity thieves, is accused of playing a critical role in all the largest credit-card heists on record.

With Monday's indictment of Gonzalez on conspiracy charges in U.S. District Court in New Jersey, the Justice Department says he helped steal 130 million card numbers from payment processor Heartland Payment Systems, 4.2 million card numbers from East Coast grocery chain Hannaford Bros. and an undetermined number of cards from 7-Eleven. He was previously charged in other computer break-ins, most significantly at TJX Cos., the chain that owns discount retailers T.J. Maxx and Marshalls, in which as many as 100 million accounts were lifted.

Gonzalez is in jail and awaiting trial next month in New York for allegedly helping to hack the computer network of the Dave and Buster's restaurant chain. Attorneys for Gonzalez did not comment to The Associated Press.

The fact that hundreds of millions of card numbers could be stolen from retailers illustrates the flaws in a payment system that's built more for speed than security, as an Associated Press investigation found this year. For instance, credit and debit card numbers are not always encrypted as they move from retail stores to banks for approval.

Consumers don't directly pay the costs of most fraud. Banks and retailers eat those charges. But consumers bear it indirectly, in the form of higher prices.

According to prosecutors, Gonzalez and his associates exploited vulnerabilities that remain widespread. Among them: flaws in the way retailers' computers handle requests in the so-called Structured Query Language (SQL), which is used to manage data - such as credit card information - stored in databases. Hackers who detect these holes can trick databases into coughing up more information than they should.

The vulnerability sometimes can be exploited as simply as entering a specially crafted command into, say, a search box on a badly configured Web site. Instead of returning normal search results, the site would surrender confidential information or allow a hacker to place malicious programs on the site.

Authorities allege Gonzalez and the others infiltrated the Heartland, Hannaford and 7-Eleven computer networks using SQL-based attacks.

In a statement Tuesday, 7-Eleven Inc., which hadn't commented on its breach before, said the attack affected ATMs operated by a third party inside its stores and lasted for 12 days in 2007. That is likely referring to an attack in which criminals infiltrated Citibank's network of ATMs inside 7-Eleven stores and stole the mother lode in the ID theft world: customers' PIN codes. Neither 7-Eleven nor Citibank would elaborate Tuesday.

Security experts also noted that Gonzalez's latest indictment charges two unnamed co-conspirators who live "in or near Russia" and allegedly helped with the attacks.

Dan Clements, president of CardCops, which tracks stolen credit card data online, called it a "cleverly written indictment" that suggests the government might be trying to squeeze its former informant for more information about Hacker 1 and Hacker 2. However, extraditing those suspects is unlikely, Clements added.

"We are not safe," Clements said. Gonzalez is "here on U.S. soil. That was his big flaw. If he were anywhere else, he's not going to jail."

Ori Eisen, founder of Scottsdale, Ariz.-based security firm 41st Parameter and previously worldwide fraud director for American Express, added that Gonzalez is "most likely not the kingpin. The kingpin would not risk being in the United States. They operate out of the Ukraine or Russia, and they're former militants or ex-KGB who know their way around just enough not to get caught."

As for Gonzalez, "by no means will catching him stop what's going on out there," Eisen said.

Consumers don't have many options for monitoring whether the stores they frequent are good at protecting their card numbers. Stores aren't given public grades on their computer security, like the scores restaurants get on their cleanliness in some places. The best advice: Regularly check your credit reports for suspicious activity, and set free fraud alerts with the credit-reporting agencies.

In this case, the thieves might have failed by being too successful. It's hard to unload hundreds of millions of stolen on the black market.

Clements said criminals usually sell stolen card numbers in batches of 10,000 or less. That helps avoid drawing the attention of law enforcement and the card providers, which might replace cards pre-emptively if they see a mound of them being fenced. Many of the card numbers stolen in the breaches cited in the Gonzalez indictment have already been canceled and replaced.

©2009 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.

Explore further: US warns shops to watch for customer data hacking

add to favorites email to friend print save as pdf

Related Stories

Prosecutors say man stole 130M credit card numbers

Aug 17, 2009

(AP) -- Federal prosecutors on Monday charged a Miami man with the largest case of credit and debit card data theft ever in the United States, accusing the one-time government informant of swiping 130 million accounts on ...

TJX reaches settlement with states on data theft

Jun 23, 2009

(AP) -- Discount retailer TJX Cos. said Tuesday it has reached a settlement with multiple states related to a massive data theft that occurred at the parent company of retailers T.J. Maxx and Marshall's a few years ago.

TJX Intruder Had Retailer's Encryption Key

Mar 30, 2007

Not that the culprit necessarily needed it. Data was apparently taken during the card-approval process before it was encrypted. These are among the latest details in what is almost certainly the worst retail data breach ever. ...

Recommended for you

US warns shops to watch for customer data hacking

3 hours ago

The US Department of Homeland Security on Friday warned businesses to watch for hackers targeting customer data with malicious computer code like that used against retail giant Target.

Fitbit to Schumer: We don't sell personal data

18 hours ago

The maker of a popular line of wearable fitness-tracking devices says it has never sold personal data to advertisers, contrary to concerns raised by U.S. Sen. Charles Schumer.

Should you be worried about paid editors on Wikipedia?

22 hours ago

Whether you trust it or ignore it, Wikipedia is one of the most popular websites in the world and accessed by millions of people every day. So would you trust it any more (or even less) if you knew people ...

How much do we really know about privacy on Facebook?

23 hours ago

The recent furore about the Facebook Messenger app has unearthed an interesting question: how far are we willing to allow our privacy to be pushed for our social connections? In the case of the Facebook ...

Philippines makes arrests in online extortion ring

23 hours ago

Philippine police have arrested eight suspected members of an online syndicate accused of blackmailing more than 1,000 Hong Kong and Singapore residents after luring them into exposing themselves in front of webcam, an official ...

Google to help boost Greece's tourism industry

Aug 21, 2014

Internet giant Google will offer management courses to 3,000 tourism businesses on the island of Crete as part of an initiative to promote the sector in Greece, industry union Sete said on Thursday.

User comments : 0