Former Secret Service informant named in 'largest credit card data breach ever'
By Tim Conneally | Published August 17, 2009, 4:22 PM
Today, the US Department of Justice announced that a 28-year-old hacker and former Secret Service informant named Albert Gonzales is being indicted for the third and, by far, the largest crime of his short career: participation in the theft of more than 130 million credit and debit card mag-strip data dumps, in attacks between 2006 and 2008.
Gonzales was already in federal custody for several major data breaches. He faces trial in New York next month for the first, which involved hacking restaurant Dave and Busters' payment system. The second case will then be heard in Boston in 2010, for Gonzales' involvement in the theft of data from more than 40 million credit card mag-strips from OfficeMax, Barnes & Noble, BJ's Wholesale Club, and many more.
Just after his arrest, then-Attorney General Michael Mukasey said, "So far as we know, this is the single largest and most complex identity theft case ever charged in this country."
But a statement from the Department of Justice today one-ups that notorious achievement: "The indictment, which details the largest alleged credit and debit card data breach ever charged in the United States, alleges that beginning in October 2006, Gonzales and his co-conspirators researched the credit and debit card systems used by their victims; devised a sophisticated attack to penetrate their networks and steal credit and debit card data; and then sent that data to computer servers they operated in California, Illinois, Latvia, the Netherlands and Ukraine. The indictment also alleges Gonzales and his co-conspirators also used sophisticated hacker techniques to cover their tracks and to avoid detection by anti-virus software used by their victims."
Among the victims listed by the DOJ are Heartland Payment Systems, the sixth largest credit card processor in the United States; national convenience store chain 7-Eleven; and Hannaford Bros. Supermarkets.
Earlier this year, Heartland Payment Systems announced that it was the victim of a massive compromise, but President and CFO Robert Baldwin said, "Our discussions with the Secret Service and Department of Justice give us a pretty good indication that this is part of a group that appears to have done security breaches at other financial institutions."
The case is being overseen by the US Secret Service, and will be heard in US District Court in New Jersey. There, Gonzales will be indicted on charges of conspiracy and conspiracy to engage in wire fraud.
Gonzales allegedly used SQL injections to put "sniffers" on in-store computers which would then capture credit card numbers and account information. This information could then be put on blank cards to drain user accounts of all their cash, or sold on the black market. He already faces life in prison in the Boston case.
why to go visa and mastercard..
Score: -3
|"why to go visa and mastercard.."
Way to spell "way". ;)
Don't really think this is Visa/MC's problem. The numbers were taken from retailers and banks. The real judge of how Visa and MC play in this would be how they handle the protection (or at least forgiveness of) any fraud attempted with them stemming from this. (although as I understand it, this is generally handled by the issuing banks as well...)
Score: 1
|PC_"Tool" is accurate
Score: -2
|Yes I know what you're saying..
Visa and Mastercard really need to do a better job to protect their customers. IE: auditing the vendors' security. There have been CC lists floating around since before BBS days.. Nothing has really changed over the years.
To lose the DB via a SQL injection is pretty sad in this day and age..
Score: 0
|Actually, not really... there are more company DBAs/Developers that have never even heard of SQL injection attacks and even more that take the "it'll never happen to me" stance than there should be. It's quite sad, but I don't see how the credit card companies should or could try to police this.
For instance, I can create an application, get a merchant account and start processing orders via any number of merchant gateways. Visa/MC/AMEX/Discover (etc) would never even know my little company existed so how could or would they police me?
Next, you could say that the government should be on top of this... that one I might agree with only because there is precedent for it (HIPAA comes to mind) and also at the city, county and state levels for protecting student data. While these acts state that we MUST protect data, they do not mandate HOW we protect data and they have a hard time enforcing this (I went through a HIPAA audit on a project about a year ago and it was literally a joke. Nothing on the backend was even examined. It was purely looking at the application and saying "oh, you can't get into this area without a user name and password? Well, that's secure!"). What the auditor failed to even comprehend, much less examine, was how the application was interacting with the data and if there were any risks for compromise by an outside source.
Until the people that write these systems get up to date on writing code with security in mind, we are going to continue to have to worry about identity theft and credit fraud.
Score: 0
|There is no penalty for hacking together some code and putting it out on the internet. "It'll never happen to me"! Too many System Admins say that also. Security is a HUGE part of being a good system admin.
I just don't care about my Credit cards anyways.. But I do protect my ATM (Cash) and will NEVER let it have the Visa logo on it...
Score: 1
|Too bad that Vista doesn't allow its partners to encrypt their links to it.
Score: 0
|Too bad that it's not letting me edit my own post.
Score: 0